Planning an Active Directory backup and restoration

Backing up and restoring Active Directory can be a painful task, and it's not easy to know where to start. The goal of this article is to provide a brief overview of the Active Directory backup and restoration process.

Active Directory plays an important role in authenticating users and computers to your Windows Server environment. Additionally, AD enforces a number of security procedures such as prompting administrators about important software updates. Since AD is the foundation of your Windows Server environment, it is crucial that you are able to back up and restore your system in a fast, efficient, and reliable manner.

What is the best method for backing up and restoring your AD environment? 

Windows Server includes a backup tool that caters for a number of different approaches. While AD imposes the "normal" backup type by default, there are also copy, incremental, differential and daily backup options available. AD is not a simple directory of files and folders, but a collection of interrelated data objects that are specific to the Active Directory server. 

For example, the "system state" comprises boot files, system registry files, the Component Object Model (COM) database, and system volume (SYSVOL) data, and incorporates group policy and various scripts. Later versions of Windows Server allow you to back up entire volumes of data, as well as perform a full server backup, including the system-state files mentioned above.

There are several types of AD restoration. A full restoration is used to restore the system (domain controller) from a full server backup. Alternatively, you can perform a system-state backup which can be used to restore AD from an earlier system state. There are other restoration options such as nonauthoritative or authoritative. A nonauthoritative restoration is where the restored domain controller automatically synchronizes itself with the other domain controllers on the network. 

An authoritative restoration, on the other hand, is where the restored domain controller is recognised to be the authoritative DC, with the most up-to-date version of the system-state. Therefore, instead of synchronising itself with the other DCs, it will replicate the system-state to all other DCs on the network.

The restoration process typically requires restarting the server in Directory Service Restore Mode. Doing so will put the server into safe mode. When in safe mode, you will be required to select the type of restoration you require. Here you can choose the correct backup version, and select whether it is an authoritative or nonauthoritative restoration. The restoration tools available to you will depend on your version of Windows Server, and the problem that led to the restoration. As such, it is important that you carefully review the options presented to you in order to ensure that the restoration goes smoothly.
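
The restoration sequence described above, as an added PowerShell example that is not part of the original article: it wraps the built-in bcdedit, wbadmin and ntdsutil commands on the domain controller being restored. The function names, the backup version identifier and the distinguished name are hypothetical placeholders.

```powershell
# Added example: function names and all sample values are hypothetical.
# Run from an elevated PowerShell session on the domain controller being restored.

function Enter-Dsrm {
    # Make the next boot start in Directory Services Restore Mode, then restart.
    bcdedit /set safeboot dsrepair
    if ($LASTEXITCODE -ne 0) { throw 'bcdedit failed to set safeboot' }
    Restart-Computer -Force
}

function Restore-DcSystemState {
    param(
        # Version identifier exactly as printed by "wbadmin get versions".
        [Parameter(Mandatory)] [string] $Version,
        # DNs to mark authoritative. Leave empty for a nonauthoritative restore.
        [string[]] $AuthoritativeSubtree = @()
    )
    # Both restore types start by recovering the system state from the backup.
    wbadmin start systemstaterecovery "-version:$Version" -quiet
    if ($LASTEXITCODE -ne 0) { throw "wbadmin recovery failed for version $Version" }

    # Authoritative only: mark each subtree so this DC's copy wins and is
    # replicated out to the other DCs instead of being overwritten by them.
    foreach ($dn in $AuthoritativeSubtree) {
        # Assumes a DN without spaces; ntdsutil needs extra quoting otherwise.
        ntdsutil 'activate instance ntds' 'authoritative restore' "restore subtree $dn" quit quit
    }
}

function Exit-Dsrm {
    # Clear the safeboot flag so the DC boots normally and resumes replication.
    bcdedit /deletevalue safeboot
    if ($LASTEXITCODE -ne 0) { throw 'bcdedit failed to clear safeboot' }
    Restart-Computer -Force
}

# Typical order (the session ends at each restart):
#   Enter-Dsrm
#   wbadmin get versions          # pick the backup version to restore
#   Restore-DcSystemState -Version '<version-identifier>'            # nonauthoritative
#   Restore-DcSystemState -Version '<version-identifier>' `
#       -AuthoritativeSubtree 'OU=Staff,DC=example,DC=com'           # authoritative
#   Exit-Dsrm
```

With no subtree marked, the restored DC catches up from its replication partners after the normal reboot; marking a subtree reverses that direction for the marked objects only.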

Later versions of Windows also provide an Active Directory Recycle Bin (ADRB), which allows you to quickly restore deleted data without the need for a full restore. 

What other options are available to assist with the restoration process? 

There are commercial solutions available that allow admins to roll back and restore changes to Active Directory. For example, LepideAuditor provides a solution which allows you to quickly identify specific changes, including details about who, what, where and when those changes were made. Once you have identified the "offending" change, you can roll back to a system state before those changes were made. All object attributes and properties will be restored exactly as they were.