Active Directory Backup & Restore
Active Directory (AD) is a directory service developed by Microsoft. It is a distributed, replicated database that holds the information an organization needs about its users, computers, groups and other resources, and it is also the administration tool through which network administrators manage those resources (such as printers), manage accounts and groups, assign Group Policy, deploy software across the network and push updates to domain-joined computers from a central server.
Being able to update and configure every computer from a central server removes the effort of configuring computers one by one. To guard against the loss or corruption of any single server, Active Directory is hosted on several domain controllers that replicate the directory data among themselves automatically.
Replication cannot be relied upon as a backup. It protects against the loss of one server, not against the loss of the data itself: whatever happens on one domain controller, including deletions, corrupt data and bad configuration, is faithfully replicated to every other domain controller. A natural disaster such as a flood or earthquake can destroy every server an organization owns at a site, and some of that data represents years of effort. Human error is the more common case: an inexperienced administrator who links a wrong Group Policy or deletes an organizational unit will see the mistake replicated to every domain controller within minutes, and the domain's behaviour degrades everywhere at once.
Regular backups of AD are therefore essential to maintaining the directory database. Backups can be taken with a GUI (Windows Server Backup) or with command-line tools (wbadmin). A good backup must include the system state and, ideally, the contents of the system volume; a system volume backup ensures that all the operating system files needed for a full recovery are present. A backup older than the tombstone lifetime is not usable: when an object is deleted, AD keeps a tombstone for it for the tombstone lifetime so that the deletion can replicate, and a domain controller restored from an older backup would reintroduce objects whose deletion the other domain controllers have already forgotten, so Active Directory will not accept a restore from such a backup. The default tombstone lifetime is 60 days (180 days in forests created on Windows Server 2003 SP1 or later); the value is the tombstoneLifetime attribute of CN=Directory Service,CN=Windows NT,CN=Services in the configuration partition, and 60 days applies when the attribute is not set. To be safe, take at least two backups within every tombstone period. To be able to plan an authoritative restore, back up at least two domain controllers in each domain.
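The planning rule above (no backup older than half the tombstone lifetime, and nothing older than the tombstone lifetime itself) can be checked on a domain controller. The following PowerShell script is an added example, not code from the original article; it assumes it is run elevated on a domain controller with the ActiveDirectory and WindowsServerBackup modules installed, and the backup target volume E: is a hypothetical value.

```powershell
# Added example (not from the original article): check the age of the most
# recent system state backup on this DC against the forest's tombstone
# lifetime, and take a new backup if the planning rule is violated.
# Assumptions: run elevated on a domain controller; ActiveDirectory and
# WindowsServerBackup modules present; $BackupTarget is a hypothetical volume.
param(
    [string]$BackupTarget = 'E:'   # hypothetical backup volume or UNC path
)

Import-Module ActiveDirectory
Import-Module WindowsServerBackup

# 1. Read the tombstone lifetime from the configuration partition.
#    When the attribute is absent the effective value is 60 days.
$rootDse  = Get-ADRootDSE
$dsDn     = "CN=Directory Service,CN=Windows NT,CN=Services," + $rootDse.configurationNamingContext
$dsConfig = Get-ADObject -Identity $dsDn -Properties tombstoneLifetime
$tsl = if ($dsConfig.tombstoneLifetime) { [int]$dsConfig.tombstoneLifetime } else { 60 }
Write-Host "Tombstone lifetime: $tsl days"

# 2. Find the last successful Windows Server Backup on this machine.
$summary = Get-WBSummary
$last    = $summary.LastSuccessfulBackupTime
if (-not $last -or $last -eq [datetime]::MinValue) {
    Write-Warning "No successful backup recorded on this server."
    $ageDays = [double]::PositiveInfinity
} else {
    $ageDays = ((Get-Date) - $last).TotalDays
    Write-Host ("Last successful backup: {0} ({1:N1} days ago)" -f $last, $ageDays)
}

# 3. Apply the planning rule: at least two backups per tombstone period, so
#    no backup older than TSL/2. A backup older than the full TSL cannot be
#    restored at all.
if ($ageDays -gt $tsl) {
    Write-Warning "Last backup is older than the tombstone lifetime; it is unusable for restore."
} elseif ($ageDays -gt ($tsl / 2)) {
    Write-Warning "Last backup is older than half the tombstone lifetime."
}

# 4. Take a fresh system state backup when the rule is violated. On a DC the
#    system state includes NTDS.dit and logs, SYSVOL, the registry, boot files,
#    the COM+ database and the CA database if the server is also a CA.
if ($ageDays -gt ($tsl / 2)) {
    Write-Host "Starting system state backup to $BackupTarget ..."
    & wbadmin start systemstatebackup "-backupTarget:$BackupTarget" -quiet
    if ($LASTEXITCODE -ne 0) { throw "wbadmin failed with exit code $LASTEXITCODE" }
}

# 5. Cross-check from AD's own point of view: repadmin /showbackup prints the
#    last backup timestamp recorded in each directory partition.
& repadmin /showbackup
```

Run the script from a scheduled task that fires well inside the tombstone period; the repadmin output is the check that AD itself has recorded the backup, independently of what the backup tool reports.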
The system state on a domain controller consists of:
- The Active Directory database (NTDS.dit) and its transaction logs. These are part of the system state only when the server being backed up is a domain controller.
- The SYSVOL shared folder. It exists only on domain controllers and holds logon scripts and Group Policy templates.
- The registry, which holds the computer's configuration.
- The system boot files the server needs during the first stage of startup; Windows uses them to load, configure and run the operating system.
- The COM+ class registration database, which holds information about Component Services applications.
- The Certificate Services database, present only if the server is also a certification authority; it holds the certificates the CA has issued, which may be used to authenticate users.
Active Directory can be restored with Windows Server Backup (the server backup utility) or any other supported backup product. Choose the restore method by considering:
- The nature of the failure: corruption of Active Directory data (for example, an accidental deletion that has already replicated) or a hardware failure of the domain controller.
- The roles performed by the failed server, in particular whether it was the only domain controller in its domain.
The three major restore methods are:
- Primary restore: performed when no other functioning domain controller exists in the domain, that is, when there is no other way to rebuild the domain. The restored domain controller becomes the source from which the remaining domain controllers are rebuilt.
- Normal (non-authoritative) restore: performed when a single domain controller is to be restored to a previous known-good state. After the restore, the other domain controllers replicate to it every change made since the backup, including any deletions, so the restored copy is simply brought up to date.
- Authoritative restore: performed to bring back objects that were deleted or changed and whose deletion or change has already replicated. The restored objects are marked authoritative (their version numbers are raised) so that they overwrite the copies on every other domain controller instead of being overwritten by them. Any change made to those objects after the backup was taken is lost.
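The authoritative restore described above is, in practice, a non-authoritative system state restore followed by marking the wanted objects authoritative before the domain controller is allowed to replicate again. The following PowerShell functions are an added example, not code from the original article; the backup volume E:, the backup version 05/14/2024-02:00 and the OU OU=Sales,DC=corp,DC=example,DC=com are hypothetical values, and the steps are run one at a time on the domain controller being restored because two of them end in a reboot.

```powershell
# Added example (not from the original article): authoritative restore of a
# deleted OU with Windows Server Backup and ntdsutil.
# Assumptions (hypothetical values): backup on E:, version identifier as
# listed by "wbadmin get versions", OU=Sales in corp.example.com.
$BackupTarget  = 'E:'
$BackupVersion = '05/14/2024-02:00'   # pick from: wbadmin get versions -backupTarget:E:
$RestoreDn     = 'OU=Sales,DC=corp,DC=example,DC=com'

function Enter-DsrmOnNextBoot {
    # Step 1: boot into Directory Services Restore Mode so the AD database
    # is offline. After the reboot, log on as .\Administrator with the DSRM
    # password.
    bcdedit /set safeboot dsrepair
    Restart-Computer
}

function Restore-SystemStateNonAuthoritative {
    # Step 2 (in DSRM): a normal, non-authoritative system state restore.
    # Without step 3, the other DCs would replicate the deletion straight
    # back onto this DC as soon as it rejoins replication.
    # Add -authsysvol if Group Policy templates in SYSVOL must also be
    # restored authoritatively.
    & wbadmin get versions "-backupTarget:$BackupTarget"
    & wbadmin start systemstaterecovery "-version:$BackupVersion" "-backupTarget:$BackupTarget" -quiet
    if ($LASTEXITCODE -ne 0) { throw "System state recovery failed with exit code $LASTEXITCODE" }
    # Do not reboot yet: the authoritative mark must be set first.
}

function Set-SubtreeAuthoritative {
    # Step 3 (still in DSRM, before rebooting): mark the OU and everything
    # beneath it authoritative. ntdsutil raises each object's version number
    # (by 100000 per day since the backup by default) so that it wins
    # replication conflicts against the other DCs.
    # ntdsutil also writes a .txt and an .ldf file in the current directory
    # listing group memberships (back-links) that may need to be re-imported
    # with ldifde on other DCs.
    & ntdsutil "activate instance ntds" "authoritative restore" "restore subtree $RestoreDn" quit quit
    if ($LASTEXITCODE -ne 0) { throw "ntdsutil failed with exit code $LASTEXITCODE" }
}

function Exit-DsrmAndReboot {
    # Step 4: return to a normal boot; on restart the restored OU replicates
    # out to the other domain controllers.
    bcdedit /deletevalue safeboot
    Restart-Computer
}

function Test-Restore {
    # Step 5 (after the reboot): confirm the OU is back and replication is
    # healthy across the domain.
    Get-ADObject -Identity $RestoreDn -Properties whenChanged |
        Format-List DistinguishedName, whenChanged
    & repadmin /syncall /AdeP
    & repadmin /replsummary
}
```

The same sequence with "restore object" instead of "restore subtree" brings back a single user or group; the version-number bump is what turns a normal restore into an authoritative one, and it is why any change made to those objects after the backup is lost.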