Backing Up Microsoft Active Directory

January 24, 2021

Once you sit down and think about it, if you operate a "Microsoft shop", just about everything in your network environment relies on Active Directory at some level: the user accounts themselves and their associated mailbox properties for Exchange, the service accounts used by your applications, the Group Policy Objects controlling workstation behavior, and even infrastructure components such as DHCP, DNS, or IAS. While Active Directory fully supports replication of all relevant fields and data, there is still a need for an offline backup of this vital information. No one truly wants to contemplate the scenario that would lead to such a recovery, but I have needed to walk at least two customers through this process, both due to virus infection. Luckily for me, they both had current backups of their AD environment made with the process below, thanks to prior consulting engagements.

Happily, getting a backup of your AD environment is an easy task, and all of the tools needed are already included with the operating system itself. Believe it or not, lowly NTBackup has a real purpose even in an enterprise environment, and that purpose is snapshotting your AD environment. While many high-end backup systems do have plug-ins to back up AD, using them in an actual DR scenario often adds a lot of time to the recovery effort, as many of them need an AD account just to run.

The first question is what to make the backup from. Ideally, you should have backups of two domain controllers in each domain of your forest. One of them should be made from a server holding an operations master role other than the RID Master, which should never be restored. The second question is where to write the backups to. You should choose media that does not rely on a lot of other software or services in order to be read.
Given the size of many AD backups, and the fact that "point in time" restores of AD are not required, flash drives have proven very effective for storing AD backups. If you are worried about your AD backup being used as a means of gaining access to your organization, use an encrypted flash drive such as those made by IronKey. For Windows 2003 domain controllers, all you need to do is run the following command on the appropriate domain controller to make the backup:

ntbackup backup systemstate /f "path to the backup file"

For Windows 2008 domain controllers, NTBackup has been replaced by Windows Server Backup. Windows Server Backup is not installed by default on Windows 2008 systems. To install it, go to Start -> Administrative Tools -> Server Manager. From there, click Features, then Add Features, and add the Windows Server Backup feature. Once it is installed, running the following command on the appropriate domain controller will make the backup:

wbadmin start systemstatebackup -backuptarget:"path to backup folder"

This command line can be written to a BAT/CMD file to run from a scheduled task or regular process. It is important that the backup file be moved to media that can easily be taken offsite in the event of a disaster.

Making the backup is only about half the battle; one needs to be able to actually restore from it in the event of a disaster. To restore AD from this backup, follow these high-level steps for each domain in the forest, starting with the topmost domain.
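As an added example that is not part of the original post, the following PowerShell script wraps the wbadmin backup command above so it can run unattended from a scheduled task: it checks that the target media is present and is not the system drive, runs the system state backup, and then confirms that a new version identifier is actually listed on the target instead of trusting the exit code alone. It assumes a Windows Server 2008 R2 or later domain controller with Windows Server Backup installed and PowerShell available, and backup media mounted as a drive letter (E: and the log directory are constructed example values; wbadmin needs the target to be a volume rather than a folder and refuses critical volumes by default).

```powershell
# Added example, not the post's own code: scheduled-task wrapper around the
# author's "wbadmin start systemstatebackup" command for a Windows 2008 R2+ DC.
# Assumptions (not from the post): PowerShell is available, Windows Server
# Backup is installed, and the backup media is a volume mounted as $BackupTarget.
param(
    [string]$BackupTarget = "E:",              # constructed example: flash drive letter
    [string]$LogDir       = "C:\ADBackupLogs"  # constructed example path
)

if (-not (Test-Path -LiteralPath $LogDir)) {
    New-Item -ItemType Directory -Path $LogDir | Out-Null
}
$logFile = Join-Path $LogDir ("systemstate-{0:yyyyMMdd-HHmm}.log" -f (Get-Date))

function Write-Log([string]$Message) {
    $line = "{0:u} {1}" -f (Get-Date), $Message
    Add-Content -LiteralPath $logFile -Value $line
    Write-Output $line
}

# Returns the "Version identifier" values wbadmin reports on the target, so the
# script can prove a new backup was written rather than trusting the exit code alone.
function Get-BackupVersions([string]$Target) {
    $output = & wbadmin get versions -backupTarget:$Target 2>&1
    @($output | Select-String 'Version identifier:' |
        ForEach-Object { ($_.Line -split ':\s*', 2)[1].Trim() })
}

# Check 1: the media must be present (a removable drive that is not plugged in
# is the usual reason an unattended run fails).
if (-not (Test-Path -LiteralPath $BackupTarget)) {
    Write-Log "Backup target $BackupTarget is not present; aborting."
    exit 2
}

# Check 2: never write the system state onto the system volume. wbadmin rejects
# critical volumes by default, but failing early gives a clearer log line.
if ($BackupTarget.TrimEnd('\') -ieq $env:SystemDrive) {
    Write-Log "Backup target $BackupTarget is the system drive; use removable or separate media."
    exit 3
}

$before = Get-BackupVersions $BackupTarget
Write-Log ("Starting system state backup to {0} ({1} existing version(s))." -f $BackupTarget, $before.Count)

# -quiet suppresses the interactive confirmation so the scheduled task does not hang.
& wbadmin start systemstatebackup -backupTarget:$BackupTarget -quiet 2>&1 |
    ForEach-Object { Write-Log ($_.ToString().Trim()) }

if ($LASTEXITCODE -ne 0) {
    Write-Log "wbadmin failed with exit code $LASTEXITCODE."
    exit $LASTEXITCODE
}

# Check 3: a new version identifier must now be listed on the target.
$after = Get-BackupVersions $BackupTarget
if ($after.Count -le $before.Count) {
    Write-Log "wbadmin returned success but no new version is listed on $BackupTarget."
    exit 4
}
Write-Log ("Backup complete. Newest version identifier: {0}" -f $after[-1])
exit 0
```

The non-zero exit codes are what make this useful under Task Scheduler: the task history shows a failed run when the flash drive is missing or the backup did not land, rather than a silent success.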

For Windows 2003 Domain Controllers:

Build a stand-alone server using the same OS version the backup was taken from
Install Windows Server Backup using the steps above
Place a copy of the backup file somewhere on the new server's filesystem
Reboot the server and press F8 at the splash screen
Select the Directory Services Restore Mode option
Execute the restore from the backup file
Seize all FSMO roles held by nonexistent servers
Clean up the AD records for the DCs that no longer exist using NTDSUTIL

For Windows 2008 Domain Controllers:

Build a stand-alone server using the exact same OS version the backup was taken from
Place a copy of the backup file somewhere on the new server's filesystem
Run bcdedit /set safeboot dsrepair to instruct the system to boot into recovery mode
Reboot the server
At the login screen, select "Other User". Enter ".\administrator" and the DSRM password for your server, then press Enter.
Click Start, right-click Command Prompt, and click Run as Administrator
Run wbadmin get versions -backuptarget:"path to backup folder" -machine:"new dc name"
Identify the version you want to restore.
You will need to specify it exactly in the next step.
Run wbadmin start systemstaterecovery -version:"version to be restored" -backuptarget:"path to backup folder" -machine:"new dc name" -authsysvol -quiet
Run bcdedit /deletevalue safeboot to instruct the system to boot normally
Reboot the server
Seize all FSMO roles held by nonexistent servers
Clean up the AD records for the DCs that no longer exist using NTDSUTIL

Hopefully these steps are never needed, but it is good to know where to find them if they ever are.
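The in-DSRM portion of the Windows 2008 steps above (listing versions, running the system state recovery, clearing the safeboot flag), written up as an added PowerShell example that is not from the original post. It refuses to run unless bcdedit shows the machine was actually booted into Directory Services Restore Mode, lists the available version identifiers when none is given so the exact value can be copied, and only then runs the recovery with -authsysvol and clears the safeboot value. E: and DC01 are constructed example values; it assumes an elevated prompt after logging on as .\administrator, with PowerShell present in DSRM (Windows Server 2008 R2 or later).

```powershell
# Added example, not the post's own code: the in-DSRM part of the author's
# Windows 2008 restore steps (wbadmin get versions, systemstaterecovery with
# -authsysvol, bcdedit /deletevalue safeboot) as one checked script.
# Assumptions (not from the post): run from an elevated PowerShell prompt after
# logging on as .\administrator in DSRM; $BackupTarget and $SourceMachine are
# constructed example values.
param(
    [string]$BackupTarget  = "E:",    # constructed example: media holding the backup
    [string]$SourceMachine = "DC01",  # constructed example: the -machine value used when backing up
    [string]$Version                  # e.g. 01/24/2021-07:00 (constructed); omit to list and exit
)

# Check 1: the NTDS database can only be replaced while booted into Directory
# Services Restore Mode, which bcdedit reports as "safeboot  DsRepair".
$dsrm = & bcdedit /enum '{current}' | Select-String '^\s*safeboot\s+DsRepair'
if (-not $dsrm) {
    Write-Output "Not in Directory Services Restore Mode. Run 'bcdedit /set safeboot dsrepair', reboot, and try again."
    exit 1
}

# Returns the version identifiers wbadmin knows about for the source machine.
function Get-RestorableVersions([string]$Target, [string]$Machine) {
    $output = & wbadmin get versions -backupTarget:$Target -machine:$Machine 2>&1
    @($output | Select-String 'Version identifier:' |
        ForEach-Object { ($_.Line -split ':\s*', 2)[1].Trim() })
}

$versions = Get-RestorableVersions $BackupTarget $SourceMachine
if ($versions.Count -eq 0) {
    Write-Output "No backups of $SourceMachine found on $BackupTarget."
    exit 2
}

# Check 2: require an exact version identifier, as the steps above call for.
if (-not $Version) {
    Write-Output "Available versions on $BackupTarget for $SourceMachine (pass one as -Version):"
    $versions | ForEach-Object { Write-Output "  $_" }
    exit 0
}
if ($versions -notcontains $Version) {
    Write-Output "Version '$Version' is not on $BackupTarget. Choose one of: $($versions -join ', ')"
    exit 3
}

# System state restore with an authoritative SYSVOL (-authsysvol), exactly as the
# steps above run it; -quiet skips the confirmation prompt.
& wbadmin start systemstaterecovery -version:$Version -backupTarget:$BackupTarget -machine:$SourceMachine -authsysvol -quiet
if ($LASTEXITCODE -ne 0) {
    Write-Output "wbadmin systemstaterecovery failed with exit code $LASTEXITCODE; safeboot left set so the restore can be retried."
    exit $LASTEXITCODE
}

# Clear the DSRM flag so the next boot starts AD normally, then reboot. After the
# reboot, seize the FSMO roles and clean up stale DC metadata with ntdsutil.
& bcdedit /deletevalue safeboot | Out-Null
Write-Output "System state restored from version $Version. Rebooting."
Restart-Computer -Force
```

Leaving the safeboot value in place on failure is deliberate: a half-finished restore that then boots normally would start AD against whatever state is on disk, whereas staying in DSRM lets you rerun the recovery or pick another version.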
