Active Directory Backup

From Notes_Wiki

Overview

Backing up Active Directory (AD) is a critical part of disaster recovery and domain controller maintenance. A reliable AD backup strategy ensures you can recover from hardware failure, corruption, or accidental deletions.

---

Key Recommendations

1. Restoring AD from backup should be a last resort; always try lighter recovery options, such as the Active Directory Recycle Bin, first.
2. Maintain multiple domain controllers to ensure redundancy and failover capability.
3. Still perform regular backups, even with multiple controllers. Disasters such as database corruption, ransomware, or total loss of all domain controllers can only be recovered from backups.
4. Enable the Active Directory Recycle Bin to recover deleted objects without restoring from backup.
5. Perform daily backups (or twice daily in large environments with frequent changes).
6. Keep an offsite backup copy for disaster recovery.
7. Back up at least two domain controllers in each domain; one of them should hold the FSMO (Operations Master) roles.

---

Full Backup vs System State Backup

Full Backup

Backs up the entire server, including OS, applications, and data.

  Includes the System State automatically.  
  Allows bare-metal recovery (restore to the same or similar hardware).  
  Best for restoring the whole server in case of total system loss.  

System State Backup

Backs up only the components required for AD recovery, including:

  Sysvol (Group Policy data)  
  Active Directory database  
  DNS zones (if AD-integrated)  
  Registry, COM+ database, and boot files  

Best used when restoring Active Directory only, on the same server. Cannot be used across different hardware or OS configurations.

---

Install Windows Server Backup

The built-in Windows Server Backup utility is recommended for AD backup. It is lightweight, reliable, and free — ideal for domain controller protection.

Steps

1. Open Server Manager → Add Roles and Features.
2. Choose Features and select Windows Server Backup.
3. Click Next → Install.
4. Once installation completes, click Close.

---

Configure Active Directory Backup

This example uses a Full Server Backup schedule.

Step 1: Prepare Backup Volume

Use a dedicated local disk or volume for backups. Ensure the target disk is equal to or smaller than the source disk. Avoid network shared folders (no incremental backups supported).

Step 2: Create Backup Schedule

1. Open Windows Server Backup → select Backup Schedule.
2. Choose Full Server → Next.

  (Select Custom if you want to back up only the System State.)  

3. Under Advanced Settings, open VSS Settings → choose VSS Full Backup.
4. Configure daily backups (example: 7:00 PM).
5. Select Backup to a Volume, choose your prepared disk, and click Finish.
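The same Full Server schedule can be created from an elevated PowerShell prompt with the WindowsServerBackup module that the Windows Server Backup feature installs. The script below is an added example, not part of the original page; it assumes the dedicated backup volume is drive E: and uses the 19:00 time from the steps above. Adjust both before running it.

```powershell
# Added example: register a daily Full Server backup policy with the
# WindowsServerBackup module (mirrors the console steps above).
# Assumptions: E: is the dedicated local backup volume; schedule is 19:00 daily.
Import-Module WindowsServerBackup

$TargetVolume = 'E:'      # assumed dedicated backup volume; change to yours
$BackupTime   = '19:00'   # daily run time (7:00 PM)

# Start from a fresh, editable policy object.
$Policy = New-WBPolicy

# Full Server = bare-metal recovery + System State + every volume except the target.
Add-WBBareMetalRecovery -Policy $Policy
Add-WBSystemState       -Policy $Policy
$Volumes = Get-WBVolume -AllVolumes | Where-Object { $_.MountPath -ne $TargetVolume }
Add-WBVolume -Policy $Policy -Volume $Volumes

# Back up to the dedicated local volume. A network share would lose incremental
# backups, as noted above, so a local disk or volume is used here.
$Target = New-WBBackupTarget -VolumePath $TargetVolume
Add-WBBackupTarget -Policy $Policy -Target $Target

# Equivalent of Advanced Settings -> VSS Settings -> VSS Full Backup.
Set-WBVssBackupOptions -Policy $Policy -VssFullBackup

# One run per day at the chosen time.
Set-WBSchedule -Policy $Policy -Schedule $BackupTime

# Register the policy. -Force replaces any existing schedule without prompting.
Set-WBPolicy -Policy $Policy -Force

# Verify what is now registered on this domain controller.
Get-WBPolicy | Format-List Schedule, BackupTargets, VolumesToBackup, SystemState, BMR
```

Run this as a member of Administrators or Backup Operators. Excluding the target volume from the volume list matters: Windows Server Backup refuses a policy whose backup target is also a source volume.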

---

Task Scheduler Configuration

After creating the backup schedule, review and adjust the scheduled task that Windows Server Backup created for it.

1. Open Task Scheduler → navigate to

  Task Scheduler Library → Microsoft → Windows → Backup.  

2. Double-click the created task and configure:

  Run as SYSTEM account.  
  Select Run whether user is logged on or not.  
  Set to stop if running more than 2 hours.  
  Allow manual run on demand.  

3. Save and optionally run the task manually to verify backup execution.
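The task settings listed above can also be applied with the ScheduledTasks module, which is useful when several domain controllers need the same configuration. This is an added example, not part of the original page. It assumes the task created by Windows Server Backup is the only task in the \Microsoft\Windows\Backup folder named above.

```powershell
# Added example: apply the recommended settings to the Windows Server Backup task
# without the Task Scheduler GUI.
# Assumption: the backup task is the only task under \Microsoft\Windows\Backup\.
$TaskPath = '\Microsoft\Windows\Backup\'
$Task = Get-ScheduledTask -TaskPath $TaskPath | Select-Object -First 1
if (-not $Task) {
    throw "No task found under $TaskPath. Create the backup schedule first."
}

# Run as SYSTEM. A service-account principal runs whether or not a user is logged on.
$Principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest

# Stop the task if it runs longer than 2 hours, and allow it to be started on demand.
$Settings = New-ScheduledTaskSettingsSet -ExecutionTimeLimit (New-TimeSpan -Hours 2) `
                                         -DisallowDemandStart:$false

Set-ScheduledTask -TaskName $Task.TaskName -TaskPath $Task.TaskPath `
                  -Principal $Principal -Settings $Settings

# Optional verification run. LastTaskResult is 0 when the most recent completed run succeeded.
Start-ScheduledTask -TaskName $Task.TaskName -TaskPath $Task.TaskPath
Get-ScheduledTaskInfo -TaskName $Task.TaskName -TaskPath $Task.TaskPath |
    Select-Object LastRunTime, LastTaskResult
```

Note that Set-ScheduledTask replaces the task's settings block as a whole, so any other setting you want to keep must be included in the New-ScheduledTaskSettingsSet call.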

---

Backup Frequency and Type

The first backup is a Full Backup, followed by incremental backups. After 14 incremental backups, a new full backup is automatically created. Monitor backup status and disk usage in the Windows Server Backup console.

---

Automate Backup Monitoring (Email Alerts)

You can configure email alerts using PowerShell and Task Scheduler.

Step 1: PowerShell Script

Save the following as AD-Backup-Success.ps1 and update your mail details:

# Mail details for the notification; replace the placeholder addresses and server.
$From = "dc1@yourdomain.com"
$To = "admin@yourdomain.com"
$Subject = "DC1 AD Backup SUCCESSFUL"
$Body = "DC1 daily backup completed successfully."
$SMTPServer = "mail.yourdomain.com"
$SMTPPort = 25   # port number, not a string

# Send the notification through the internal mail relay.
Send-MailMessage -From $From -To $To -Subject $Subject -Body $Body -SmtpServer $SMTPServer -Port $SMTPPort
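A success-only notification tells you nothing when the backup fails or never starts. The following variant is an added example, not the page's own script: it asks Windows Server Backup itself for the last result via Get-WBSummary and sends a FAILED, STALE or SUCCESSFUL message accordingly. The mail settings and the 36-hour staleness threshold are placeholders to adjust.

```powershell
# Added example: report backup state from Windows Server Backup rather than only
# announcing success. Run it from the event-triggered task described below, or from
# a separate daily trigger so a backup that never ran still produces an alert.
# Placeholders: mail settings and $MaxAgeHours.
Import-Module WindowsServerBackup

$MailParams = @{
    From       = 'dc1@yourdomain.com'     # placeholder
    To         = 'admin@yourdomain.com'   # placeholder
    SmtpServer = 'mail.yourdomain.com'    # placeholder
    Port       = 25
}
$MaxAgeHours = 36   # alert when the last successful backup is older than this

$Summary  = Get-WBSummary
$DcName   = $env:COMPUTERNAME
$LastGood = $Summary.LastSuccessfulBackupTime

# If no backup has ever succeeded there is no timestamp; treat that as infinitely stale.
$Age = if ($LastGood) { (Get-Date) - $LastGood } else { [TimeSpan]::MaxValue }

# LastBackupResultHR is the HRESULT of the most recent run; 0 means it succeeded.
if ($Summary.LastBackupResultHR -ne 0) {
    $Subject = "$DcName AD backup FAILED"
    $Body    = "Last backup result: 0x{0:X8} (detail 0x{1:X8}). Last successful backup: $LastGood." -f `
               $Summary.LastBackupResultHR, $Summary.LastBackupResultDetailedHR
}
elseif ($Age.TotalHours -gt $MaxAgeHours) {
    $Subject = "$DcName AD backup STALE"
    $Body    = "No successful backup for {0:N1} hours (last: $LastGood). Next scheduled: $($Summary.NextBackupTime)." -f `
               $Age.TotalHours
}
else {
    $Subject = "$DcName AD backup SUCCESSFUL"
    $Body    = "Backup completed at $LastGood to $($Summary.LastBackupTarget). Versions kept: $($Summary.NumberOfVersions)."
}

Send-MailMessage @MailParams -Subject $Subject -Body $Body
```

Scheduling this once a day in addition to the event trigger covers the case the event trigger cannot: a backup task that was disabled, a full target volume, or a server that was down at backup time.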

Step 2: Scheduled Task for Alerts

1. Open Task Scheduler → Create Task.
2. General Tab:

  Name: AD Backup Success Notification  
  Run as SYSTEM with highest privileges.  

3. Trigger Tab:

  Begin task: On an Event  
  Log: Microsoft-Windows-Backup/Operational  
  Source: Backup  
  Event ID: 4  

4. Actions Tab:

  Start a program →  
  Program/script: powershell.exe  
  Add arguments: C:\Scripts\AD-Backup-Success.ps1  

5. Click OK to finish.

You will now receive an email when backups complete successfully.

---

Summary

Active Directory should be backed up daily. Prefer Full Server Backup for flexibility. Use Windows Server Backup for reliability and simplicity. Enable email alerts for automatic monitoring. Keep offsite copies for disaster recovery readiness.
