Backing up Domain Controller: Best practices for AD protection (Part 1) (2023)

Read the full series:

Ch.1 — Backing up Domain Controller
Ch.2 — How to recover a Domain Controller
Ch.3 — Reanimating Active Directory tombstone objects
Ch.4 — Leveraging Active Directory Recycle Bin

Microsoft Active Directory is the standard in corporate environments that need central authentication and user management; it is hard to imagine system administrators doing their jobs effectively without it. Active Directory is a great power, but it is also a great responsibility, and getting the most out of it takes a lot of time spent with it.

This series is intended to help you back up and recover Active Directory Domain Services successfully with Veeam, giving you all the keys to painless AD protection. Before reading it, you might want to take a look at the Best practices for AD administration series we posted a while ago.

This series discusses how Veeam can protect Active Directory data: preserve Domain Controllers (DCs) or individual AD objects and recover either of them when required.

Today, I’m going to talk about the backup options Veeam offers for both physical and virtualized Domain Controllers, and backup considerations to keep in mind while you do that.

Backup Domain Controller considerations

Active Directory Domain Services is designed with redundancy built in (every DC holds a writable replica of the directory database), so the usual backup rules and tactics can be relaxed and adapted to that. It would be wrong to apply here the same backup policy you have for a SQL or Exchange server. Below are some considerations that should help you create your own Active Directory backup policy:

  • Learn which domain controllers hold the Flexible Single Master Operations (FSMO) roles in your environment. Hint: a simple way to check this from the command line is: netdom query fsmo
  • When performing a full domain recovery, you will want to start from the DC holding the most FSMO roles, usually the one with the PDC emulator role. Otherwise, you will have to seize the roles on the restored DC with ntdsutil after the restore (a transfer requires the original holder to be online). Keep this in mind when planning backups and prioritize Domain Controllers accordingly. Refer to the Active Directory basics white paper to learn more about FSMO roles.
  • If you have multiple Domain Controllers in a site and only need individual object protection, there is no need to back up all DCs: for item-level recovery, one copy of the Active Directory database (ntds.dit) is sufficient.
  • Some things always mitigate the risk of accidental or intentional deletion or change of AD objects: delegating administrative operations, restricting membership of elevated groups, and maintaining a "lag" site (a DC whose inbound replication is deliberately delayed, so that an unwanted change can still be recovered from it before it arrives).
  • It is usually recommended to back up one Domain Controller at a time so as not to interfere with DFS Replication, even though modern backup applications (for example, Veeam Backup & Replication v7 with Patch 3 and later) know how to deal with this.
  • If you have a VMware virtual environment and the backup server cannot reach your Domain Controller over the network (for example, because the DC sits in a DMZ), Veeam fails over to the VMware VIX API (through VMware Tools) for guest processing and should still be able to process your DC.
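As an added example (this is not code from the original Veeam post), the PowerShell script below builds the backup-priority list these considerations call for: it walks every domain in the forest, records which FSMO roles each DC holds, and pulls the latest "not backed up" warning (event 2089 in the Directory Service log, discussed in the AAIP section below) from each DC, then sorts the PDC emulator and the heaviest role holders to the top. It assumes the RSAT ActiveDirectory module, rights to read every DC's event log, and that remote event log access is allowed through the firewall.

```powershell
# Added example, not part of the original post. Requires the RSAT ActiveDirectory
# module and permission to read the Directory Service event log on each DC.
Import-Module ActiveDirectory

$forest = Get-ADForest

$report = foreach ($domainName in $forest.Domains) {
    # -Server scopes the query to one domain; Get-ADDomainController -Filter *
    # only returns the DCs of the domain it is pointed at.
    foreach ($dc in (Get-ADDomainController -Filter * -Server $domainName)) {
        $roles = @($dc.OperationMasterRoles)   # e.g. PDCEmulator, RIDMaster, SchemaMaster

        # NTDS logs event 2089 when a directory partition has not been backed up
        # within "Backup Latency Threshold (days)" (90 by default). No event is
        # good news, so the lookup is allowed to come back empty.
        $lastWarning = $null
        $event = Get-WinEvent -ComputerName $dc.HostName -MaxEvents 1 `
            -FilterHashtable @{ LogName = 'Directory Service'; Id = 2089 } `
            -ErrorAction SilentlyContinue
        if ($event) { $lastWarning = $event.TimeCreated }

        [pscustomobject]@{
            Domain              = $domainName
            DC                  = $dc.HostName
            Site                = $dc.Site
            IsGlobalCatalog     = $dc.IsGlobalCatalog
            FsmoRoles           = ($roles -join ', ')
            RoleCount           = $roles.Count
            IsPdcEmulator       = ($roles -contains 'PDCEmulator')
            LastNoBackupWarning = $lastWarning
        }
    }
}

# PDC emulator first, then the DCs carrying the most roles: this is the order in
# which you would restore them in a full domain recovery, so back them up first.
$report |
    Sort-Object -Property @{ Expression = 'IsPdcEmulator'; Descending = $true },
                          @{ Expression = 'RoleCount';     Descending = $true },
                          'Domain' |
    Format-Table -AutoSize
```

A DC that shows a recent LastNoBackupWarning and holds the PDC emulator role is the first one to put into a backup job; a DC with no roles in a site that already has a backed-up DC can be left out for item-level recovery purposes.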

How to back up a virtual Domain Controller

Microsoft's Active Directory Domain Services organize and keep information about individual objects within the forest in an Extensible Storage Engine (ESE) database file, ntds.dit, hosted by each domain controller. Backing up a Domain Controller used to be a tiresome process involving the server's system state. Active Directory services do not consume a lot of system resources, so Domain Controllers are usually among the first servers to be virtualized. If you still share the old belief of "physical DCs only", please refer to this post.


Once virtualized, they are easy for a domain or system administrator to manage and can be backed up with Veeam Backup & Replication. You need Veeam Backup & Replication installed and configured. The system requirements (for version 9.0) are as follows:

Virtual platform:VMware vSphere 4.1 and newer; Microsoft Hyper-V 2008 R2 SP1 and newer

Veeam server:Windows Server 2008 SP2 and newer; Windows 7 SP1 and newer, 64-bit OS

Domain controller virtual machine (VM):Windows Server 2003 SP1 and newer, the minimum supported forest functional level of Windows 2003

Permissions:Administrative rights for target Active Directory. Account of an enterprise administrator or domain administrator.

This article does not intend to cover the installation and configuration of Veeam Backup & Replication, as that has been described a number of times already. If you need help with it, please refer to the following video recorded by a Veeam system engineer.

I’m going to assume that you have everything running fine. Now you’d like to configure a backup task for your virtual Domain Controller. The process of configuration is rather simple (see figure 1 below):


  1. Launch a Backup Job creation wizard
  2. Add a desired Domain Controller to the task
  3. Specify the retention policy for the backup chain
  4. Make sure you enable application-aware image processing (AAIP) to ensure transactional consistency of the OS and applications running on the VM, including the Active Directory database and the SYSVOL folder


AAIP is a Veeam technology that backs up VMs in an application-aware way. It detects the applications inside the guest OS and collects their metadata, quiesces them through the corresponding Microsoft VSS writers, prepares the application-specific VSS restore procedure that runs on the first boot of the restored VM, and truncates the applications' transaction logs once the backup job succeeds. Please refer to the AAIP documentation for details.

Without AAIP, the Domain Controller's guest OS never learns that it was backed up: the NTDS VSS writer is not invoked, so the backup timestamp stored in the directory (the DSA signature that repadmin /showbackup reads) is not updated. A while later you will see a warning in the Directory Service event log, event 2089, stating that a partition has not been backed up for the "backup latency interval" number of days (90 by default). Just as important, a crash-consistent image restored without the VSS restore procedure gives the DC no way of knowing it was restored; on a hypervisor without VM-Generation ID support, that is exactly how a USN rollback happens.

[Figure 1]
  5. Schedule the job or run it manually
  6. Ensure the job completed successfully with no errors or warnings
[Figure 2]
  7. Find the newly created backup file in the backup repository. That's it!
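The same job, created with the Veeam Backup & Replication PowerShell snap-in, as an added example (this is not code from the original post). It follows the seven steps above: create the job, add the DC, set retention, enable AAIP with a guest-processing credential, schedule and run the job, then check the session result and list the backup files. The VM name DC01, the repository name, the credential CONTOSO\svc-veeam-gp and the retention of 14 restore points are assumptions; the cmdlet names are those of the v9-era VeeamPSSnapIn (newer versions ship the same cmdlets in the Veeam.Backup.PowerShell module).

```powershell
# Added example, not part of the original post. Run on the Veeam Backup & Replication
# server. VM, repository and credential names below are assumptions.
Add-PSSnapin VeeamPSSnapIn -ErrorAction Stop

$jobName   = 'AD DC01 - daily'
$vm        = Find-VBRViEntity -Name 'DC01'                        # the virtual DC
$repo      = Get-VBRBackupRepository -Name 'Default Backup Repository'
$guestCred = Get-VBRCredentials -Name 'CONTOSO\svc-veeam-gp'      # admin rights inside the DC

# Steps 1-2: create the backup job and add the Domain Controller to it
$job = Add-VBRViBackupJob -Name $jobName -Entity $vm -BackupRepository $repo

# Step 3: retention policy for the backup chain (restore points to keep on disk)
$options = Get-VBRJobOptions -Job $job
$options.BackupStorageOptions.RetainCycles = 14
Set-VBRJobOptions -Job $job -Options $options | Out-Null

# Step 4: application-aware image processing, so NTDS and SYSVOL are quiesced
# through VSS and the DC is marked for a non-authoritative restore on recovery
Enable-VBRJobVSSIntegration -Job $job -Credentials $guestCred | Out-Null

# Step 5: schedule the job (daily at 22:00) and run it once right now
Set-VBRJobSchedule -Job $job -Daily -At '22:00' | Out-Null
Enable-VBRJobSchedule -Job $job | Out-Null
Start-VBRJob -Job $job | Out-Null

# Step 6: the session must end with Result 'Success'; 'Warning' usually means
# guest processing (and therefore AAIP) did not run as expected
$session = Get-VBRBackupSession |
    Where-Object { $_.JobName -eq $jobName } |
    Sort-Object CreationTime -Descending |
    Select-Object -First 1
'{0}: {1}' -f $session.JobName, $session.Result
if ($session.Result -ne 'Success') {
    throw "Backup job '$jobName' ended with $($session.Result); check the session log before trusting this restore point"
}

# Step 7: the backup files that now sit in the repository
(Get-VBRBackup -Name $jobName).GetAllStorages() | Select-Object FilePath, CreationTime
```

The throw on anything other than Success is deliberate: a DC backup that finished with a warning because the VSS step was skipped is a crash-consistent image, which is what the AAIP paragraph above warns against.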

Additionally, you can store a backup in the cloud with a Veeam Cloud Connect (VCC) service provider or in another backup repository using Veeam Backup Copy jobs, or archive it to tape with a Backup to Tape job. The most important thing is that the backup is now safe and can be restored as soon as you need it.


How to back up a physical Domain Controller

Frankly, I hope that you have been updating AD services in your company and that your Domain Controllers have been virtualized for a long time. If not, I hope that you have at least been updating your Domain Controllers and that they are running relatively modern Windows Server versions, Windows Server 2008 R2 or newer. (If you manage older systems, skip the section below and go to the third article right away.)

So, you have a physical Domain Controller, or a set of them, running Windows Server 2008 R2 or newer, and you want to protect your AD? Meet Veeam Endpoint Backup, the utility that keeps the data on your remaining physical endpoints and servers safe and secure. Veeam Endpoint Backup captures the desired data of the physical machine and stores it in a backup file. Then, in case of a disaster, you can do a bare-metal or volume-level restore while keeping full control of the recovery procedure, plus item-level recovery with Veeam Explorer for Microsoft Active Directory.

In order to back up your physical Domain Controller with this tool you should:

  • Download Veeam Endpoint Backup FREE from this page and copy it to your DC
  • Launch the installation wizard, accept the license agreement and install the program
    Note: read these instructions for installing in Unattended Mode.
  • Configure a backup job by selecting the appropriate backup mode. Backing up the entire computer is the simplest and recommended approach. If you use file-level backup mode, be sure to select Operating system as an object to back up (see Figure 3): this makes the program capture all files required for a bare-metal restore, and the Active Directory database and SYSVOL folder are saved along with them. Refer to the product user guide for details
[Figure 3]


If you have a Veeam Backup & Replication instance in your infrastructure and would like to use one of its configured backup repositories as the target for endpoint backups, first allow that from the Veeam Backup & Replication console: Ctrl + right-click the desired repository, permit access to it and enable backup encryption if needed (see Figure 4).


[Figure 4]
  • Run the backup and make sure it finishes with no errors
[Figure 5]
  • Voila! The backup is done, and your Domain Controller is protected from now on. Go to the backup destination and find the backup or the backup chain
[Figure 6]


If you configured a Veeam Backup & Replication repository as the target for the DC backup, you will find the newly created backup under Backups > Disk, in the Endpoint Backups node.
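Before picking file-level mode on a physical DC, it is worth confirming which volumes actually hold the AD database, its transaction logs and SYSVOL, because a selection that misses one of them yields a backup that cannot be used for a bare-metal restore. The PowerShell script below is an added example (not from the original post) that reads the paths NTDS and Netlogon register and lists the volumes they sit on; run it elevated on the DC itself. The registry value names are the ones NTDS and Netlogon really use; nothing else is assumed.

```powershell
# Added example, not part of the original post. Run elevated on the physical DC.
# Locations are read from the registry rather than assumed, since ntds.dit and
# its logs are often moved off the system volume on physical DCs.
$ntds     = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$netlogon = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'

$paths = [ordered]@{
    'ntds.dit (DSA Database file)'       = $ntds.'DSA Database file'
    'ESE logs (Database log files path)' = $ntds.'Database log files path'
    'Working directory'                  = $ntds.'DSA Working Directory'
    'SYSVOL'                             = $netlogon.SysVol
    'System root (boot and OS files)'    = $env:SystemRoot
}

$result = foreach ($entry in $paths.GetEnumerator()) {
    # Registry values may contain %SystemRoot%-style variables
    $path = [Environment]::ExpandEnvironmentVariables([string]$entry.Value)
    [pscustomobject]@{
        Item   = $entry.Key
        Path   = $path
        Volume = (Split-Path -Path $path -Qualifier)   # e.g. "C:" or "E:"
        Exists = (Test-Path -Path $path)
    }
}
$result | Format-Table -AutoSize

# Every distinct volume here must be part of the file-level backup selection;
# a missing one (Exists = False) means the registry points at a path that is gone.
$volumes = $result | Where-Object Exists | Select-Object -ExpandProperty Volume -Unique
"Volumes to include: $($volumes -join ', ')"
$missing = $result | Where-Object { -not $_.Exists }
if ($missing) { Write-Warning "Paths not found: $($missing.Path -join '; ')" }

# AD-integrated DNS zones live inside ntds.dit and need no separate selection;
# only file-backed zones would sit under $env:SystemRoot\System32\dns.
```

If the list shows more than one volume, the "entire computer" mode is the safer choice, since it cannot miss a volume the way a hand-picked file selection can.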

[Figure 7]


Is Domain Controller backup that simple? Yes and no. Successful backup is great for starters, but that’s not all you need. Like we say at Veeam, “Backup is not worth a penny if you can’t restore from it.”


The following articles in this series are dedicated to different Active Directory recovery scenarios, including the restore of a particular Domain Controller, as well as the recovery of individual deleted and changed objects using native Microsoft utilities and Veeam Explorer for Active Directory.

See also

  • White paper: Granular Recovery of Active Directory Objects
  • Veeam Community Forums: Backing up Domain Controller in another AD domain issue


Should domain controllers be backed up?

You should absolutely still back up Active Directory. Any domain controller can fail, the database can become corrupted, and malware, ransomware or some other disaster could wipe out all domain controllers at once. In that situation you need to restore from a backup.

Which backup restoration method is used if a domain controller completely failed?

Restore from backup

Restoring a failed domain controller from backup has two approaches, nonauthoritative restore and authoritative restore. A nonauthoritative restore brings the DC back from the backup and then lets normal replication from the other DCs bring it up to date, without removing any objects from Active Directory. An authoritative restore additionally marks selected restored objects as authoritative, so that they replicate out and overwrite what the other DCs hold.

How do I add Active Directory to Veeam backup?

To launch Veeam Explorer for Microsoft Active Directory from Veeam Backup & Replication:
  1. Open the Home view.
  2. In the inventory pane, select the Backups or Replicas node.
  3. In the working area, select the necessary machine in the backup or VM replica and click Application Items > Microsoft Active Directory on the ribbon.

How often should a domain controller be backed up?

Regularly, and always within the tombstone lifetime of the forest; daily system state backups are common. Note that restoring a domain controller from a backup image is only needed when the failure has wiped out all the domain controllers in the infrastructure, or when one or more objects have been deleted from Active Directory by accident and must be authoritatively restored. If a single DC fails while others survive, rebuilding it and letting replication repopulate it is the simpler route.

What are the types of backup?

There are mainly three types of backup: full, differential, and incremental.


What is the AD recovery procedure?

The following procedures are used in backing up and restoring domain controllers and Active Directory:
  • Backing up a full server.
  • Backing up the System State data.
  • Performing a full server recovery.
  • Performing an authoritative sync of DFSR-replicated SYSVOL.

What is a system state backup in Active Directory?

System state backup: backs up operating system files, enabling you to recover when a machine starts but you have lost system files and the registry. On a domain member, a system state backup includes the boot files, the COM+ class registration database and the registry; on a domain controller it also includes the Active Directory database (ntds.dit) and SYSVOL.

What is authoritative and nonauthoritative restore in AD?

An authoritative restore updates the existing DCs with the restored data, which is eventually replicated to all other DCs in a multi-DC environment. A nonauthoritative restore works the other way round: the existing data from another DC is replicated to the one on which you performed the restore.

What is USN rollback?

A USN rollback occurs when an older version of an Active Directory database is incorrectly restored or pasted into place. When a USN rollback occurs, modifications to objects and attributes that occur on one domain controller do not replicate to other domain controllers in the forest.

How do I recover a failed domain controller?

Performing a restore of a Domain Controller in non-authoritative mode:
  1. Select a Restore wizard in the GUI.
  2. Find the desired DC.
  3. Choose the Restore Entire VM option from the recovery menu.
  4. Then, select the recovery point.
  5. Choose whether the restore should go to the original location or a new one.
  6. Complete the procedure.

How do I back up an Active Directory database?

Back up the Active Directory database with Windows Server Backup:
  1. Go to Server Manager and click Tools >> Windows Server Backup to open it. ...
  2. Once Windows Server Backup opens, click Backup Once to initiate a manual backup; choose a system state or full server backup so that the AD database is included.

What is application-aware backup?

By using application-aware backup, you ensure that: the applications are backed up in a consistent state and thus will be available immediately after the machine is recovered; you can recover the SQL and Exchange databases, mailboxes, and mailbox items without recovering the entire machine.

What is FSMO in Active Directory?

FSMO (Flexible Single Master Operations) roles are the five directory operations that Active Directory performs on one designated DC instead of in multi-master fashion: Schema Master and Domain Naming Master (one per forest), and PDC Emulator, RID Master and Infrastructure Master (one per domain). The Infrastructure Master role holder is the DC responsible for updating an object's SID and distinguished name in a cross-domain object reference. The Infrastructure Master (IM) role should be held by a DC that is not a Global Catalog server (GC), unless every DC in the domain is a GC.

When backing up AD DS data, you cannot use a backup that is older than?

The tombstone lifetime. Any backup older than the tombstone lifetime (60 days for forests created before Windows Server 2003 SP1, 180 days for forests created on Windows Server 2003 SP1 or later) is not a good backup and cannot be used to restore a DC, because the restored DC would reintroduce objects that the other DCs have already purged. You do not need to back up all your DCs' system states; usually backing up the first DC in the forest plus the first DC in each domain is enough for most scenarios.

Where is the AD database stored?

The AD database is stored in the NTDS.DIT file, located in the NTDS folder under the system root, usually C:\Windows\NTDS. AD uses multimaster replication to keep the data store consistent on all DCs: every DC accepts writes and replicates them to its partners.

What will happen if the domain controller is unresponsive? How can the user gain access to the system?

If the Domain Controller (DC) goes offline, authentication services automatically fail over to another available DC.


What is the 3-2-1 backup rule?

Here is what the 3-2-1 backup rule involves: 3: keep three copies of your data (the primary plus two backups). 2: store the backups on two different types of media. 1: keep at least one copy offsite.



What is the Ntdsutil command?

Ntdsutil.exe is a command-line tool that provides management facilities for Active Directory Domain Services (AD DS) and Active Directory Lightweight Directory Services (AD LDS).



Can you restore a domain controller from a snapshot?

Since Windows Server 2012, domain controllers can also be restored from a snapshot on a hypervisor that exposes the VM-Generation ID. Microsoft introduced the Generation ID with Windows Server 2012: when the DC notices that the ID has changed because a snapshot was applied, it resets its invocation ID and discards its RID pool, which makes a restore of a virtual domain controller from a snapshot safe instead of causing a USN rollback.

What are the Active Directory restore types?

Three types of Active Directory restores exist: authoritative, non-authoritative, and primary. A primary restore is used for SYSVOL when every DC in the domain is being restored from backup, so that the first restored copy becomes the one the others replicate from.

What is the difference between a system state backup and a full backup?

A Windows system state backup generally includes a copy of any installed device drivers and related files, the Windows Registry, the Active Directory configuration (where applicable) and some system files. It is not a full backup of the operating system.

What is the difference between a full backup and a copy-only full backup?

In SQL Server terms, a copy-only backup differs from a regular full backup in that it does not become the base for the next differential backup. Full and copy-only full backups work under every database recovery model; copy-only log backups are possible only under the full or bulk-logged recovery models.

Should I back up the system state?

We recommend that you always have a recent backup of your system state and that you perform system state backups on a regular basis, even daily, to increase your level of protection. We also recommend that you perform system state backups before and after any major change is made to your server.


What does an authoritative restore do?

An authoritative restore lets you mark a restored OU (or object) as authoritative with ntdsutil, which raises its version numbers so that the replication process pushes the restored version out to all the other domain controllers in the domain instead of the deletion overwriting it.

How does an authoritative restore of Active Directory work?

To perform an authoritative restore, you must first recover AD from a backup by performing the following steps:
  1. Restart the domain controller (DC) of interest.
  2. When you see the menu to select the OS, press F8.
  3. From the Windows Advanced Options Menu, select Directory Services Restore Mode, then press Enter.

What is the high-water mark in Active Directory?

This is a value that the destination domain controller maintains to keep track of the most recent change that it has received from a specific source domain controller for an object in a specific directory partition.

How do I find the USN in Active Directory?

One way to detect a USN rollback is to use the Windows Server version of Repadmin.exe to run the repadmin /showutdvec command. This displays the up-to-dateness vector USN for all domain controllers that replicate a common naming context, so a DC whose USN has gone backwards compared with what its partners have already seen stands out.

How do I move FSMO roles?

Seize or transfer FSMO roles:
  1. Sign in to a member computer that has the AD RSAT tools installed, or a DC located in the forest where the FSMO roles are being transferred. ...
  2. Select Start > Run, type ntdsutil in the Open box, and then select OK.
  3. Type roles, and then press Enter. ...
  4. Type connections, and then press Enter.

How can I fix a corrupt Active Directory database?

  1. Check for Microsoft Active Directory database problems. Reboot the server, press the F8 key and choose Directory Services Restore Mode. ...
  2. Check the integrity of your database. Reboot into Directory Services Restore Mode again and run the integrity check from ntdsutil (activate instance ntds, then files, then integrity). If the check fails, restore the DC from a known-good backup rather than attempting to repair the database file in place.

What happens when a domain controller goes down?

DNS goes first. You and your service desk begin to receive "no internet" calls: clients still have connectivity, but they cannot resolve names, inside or out, which also leads people to report that your various servers are down. Logons and Kerberos ticket requests that cannot reach another DC fail as well.


What type of backup is used for Active Directory?

The system state backup is best used for recovering Active Directory only on the same server. It cannot be used to recover a corrupt server operating system. Microsoft does not support restoring a system state backup from one computer to a second computer of a different make, model, or hardware configuration.


What needs to be backed up on a domain controller?

What data must be backed up?
  1. Active Directory Domain Services.
  2. Domain Controller system registry.
  3. SYSVOL directory.
  4. COM+ class registration database.
  5. DNS zone information integrated with Active Directory.
  6. System files and boot files.
  7. Cluster service information.

What is SureBackup?

SureBackup is the Veeam technology that allows you to test VM backups and check whether you can recover data from them. You can verify any restore point of a backed-up VM.

What does crash consistent mean?

Crash consistency: a backup or snapshot is crash consistent if all of the interrelated data components are as they were (write-order consistent) at the instant of the crash. To better understand this type of consistency, imagine the state of the data on your PC's hard drive after a power outage or similar event.

What is application-aware processing?

Application-aware processing is Veeam's proprietary technology based on Microsoft VSS. Microsoft VSS is responsible for quiescing applications and creating a consistent view of application data on the OS of the Veeam Agent computer.

Which master roles can an additional domain controller hold?

In Windows, the five FSMO roles are:

Schema Master: one per forest. Domain Naming Master: one per forest. Relative ID (RID) Master: one per domain. Primary Domain Controller (PDC) Emulator: one per domain. Infrastructure Master: one per domain. Any writable DC, including an additional domain controller, can hold any of them.

Which FSMO role is the most important and why?

The PDC Emulator (Primary Domain Controller). This role is the most used of all FSMO roles and has the widest range of functions. The domain controller that holds the PDC Emulator role is crucial in a mixed environment where Windows NT 4.0 BDCs are still present.

How long can FSMO roles be offline?

You can take the FSMO role holder down and move it to another rack, as in the case mentioned where it would be down for no more than 90 minutes; that is fine, because the role functions are only needed for specific operations (schema changes, RID pool allocation, password-change forwarding to the PDC emulator, and so on). If something goes wrong, seize the role on another DC; after seizing the Schema Master, Domain Naming Master or RID Master, do not bring the original holder back online.

