Active Directory is a database with a unique purpose. It is implemented in Windows domain networks and is built for read and search operations. The main purpose of an Active Directory Domain Controller is to authenticate and authorize the users and computers in a domain environment.
Imagine you have a small business with a single AD domain controller and it goes down. Or a particular OU that held many users is accidentally deleted. The users won't be able to log on to the domain and do their day-to-day activities. This is when backups become a critical part of any administrator's daily routine. The most common backup utility used on Microsoft networks is Windows Backup / NTBackup. There is plenty of third-party backup software on the market that serves the same purpose, and perhaps more than the native backup does, but Windows Backup is a built-in component of every Server operating system. When selecting a third-party solution, make sure it is AD-aware.
We will be talking about two major tasks in this article:
- How to take a backup on a Windows Server using native tools.
- How to restore the same when needed.
There are different ways of backing up Active Directory using Microsoft tools. Back in the old days, we used the ntbackup utility. We will be focusing on wbadmin in this article. To be able to use this command you must be a member of the Backup Operators group or the Administrators group, or you must have been delegated the appropriate permissions. In addition to the permissions, you must run WBAdmin from an elevated command prompt.
An elevated command prompt will look like this
Taking a Backup
Make sure that the Windows Server Backup features are enabled from the Server Manager. It should look like this:
Once that is confirmed, you can run the command-line below to start a system state backup:
The command above saves the system state backup on the F drive under the backup folder. If something goes wrong, you can refer to the latest log located in the following folder: C:\Windows\Logs\WindowsServerBackup
There are various subcommands that you can use with WBAdmin; for details, visit the link below:
You can also use the PowerShell cmdlet Start-WBBackup to get the same functionality. For more on this cmdlet, visit:
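The backup step described above, written out as an added PowerShell example (this is not code from the original article). It assumes the backup volume is F:, that the Windows Server Backup feature is installed, and that it runs from an elevated PowerShell session; it runs the same wbadmin system state backup, checks the exit code, and shows the tail of the newest log in the folder named above, with the Start-WBBackup cmdlet equivalent in comments at the end.

```powershell
# Added example: system state backup with wbadmin, exit-code check and log review.
# Assumptions: backup volume F:, Windows Server Backup installed, elevated session.

$BackupTarget = 'F:'
$LogDir       = 'C:\Windows\Logs\WindowsServerBackup'

# wbadmin needs elevation; fail early with a clear message instead of a cryptic error.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this from an elevated PowerShell session.'
}

# -quiet suppresses the interactive confirmation so the command can be scheduled.
wbadmin start systemstatebackup -backupTarget:$BackupTarget -quiet
if ($LASTEXITCODE -ne 0) {
    Write-Warning "wbadmin returned exit code $LASTEXITCODE; review the log below."
}

# The newest file in the Windows Server Backup log folder describes this run.
$latestLog = Get-ChildItem -Path $LogDir -Filter '*.log' |
    Sort-Object LastWriteTime -Descending |
    Select-Object -First 1
if ($latestLog) {
    Write-Host "Latest log: $($latestLog.FullName)"
    Get-Content -Path $latestLog.FullName -Tail 20
}

# Equivalent using the WindowsServerBackup module and Start-WBBackup:
# Import-Module WindowsServerBackup
# $policy = New-WBPolicy
# Add-WBSystemState -Policy $policy
# Add-WBBackupTarget -Policy $policy -Target (New-WBBackupTarget -VolumePath $BackupTarget)
# Start-WBBackup -Policy $policy
```

A system state backup of a domain controller contains the directory database (NTDS.dit) and therefore every account's credential material, so the backup target volume should be restricted to administrators and backup operators just as tightly as the domain controller itself.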
Restoring a Backup
Now that you have a System State backup of your server, let's talk about restoring a deleted object from that backup. In order to restore an object such as a user or an OU, you have to log in to Directory Services Restore Mode (DSRM). It is password protected.
Once you are in DSRM, open a command prompt. To list the different backup copies available, run one of the following commands:
wbadmin get versions or wbadmin get versions -backuptarget:C:
It would look something like this:
Once you have the correct version, you need to plan if you are going to perform an Authoritative or Non-Authoritative restore.
For an Authoritative restore you can run this command line:
wbadmin start systemstaterecovery -version:02/20/2013-23:29
For a Non-Authoritative Restore, use the below command line:
wbadmin start systemstaterecovery -version:02/20/2013-23:29 -authsysvol
For more detail on different switches available while performing a recovery, refer to the following link:
There can be a scenario where you want to restore just one object from the backup, such as a user or an OU; you can use ntdsutil in such situations. Let's say user A was deleted and we want to recover it. We need to know the Distinguished Name (DN) of that user to be able to recover it; it would look like this:
The commands to restore the user A would look like this:
ntdsutil
activate instance ntds
authoritative restore
restore object "cn=A,cn=Users,dc=testing,dc=local"
quit
quit
For more on ntdsutil, refer to the following link:
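The whole restore procedure above (list versions in DSRM, recover the system state, then mark the single deleted object as authoritative with ntdsutil) as an added PowerShell example; it is not code from the original article. It assumes the backups are on C:, that the deleted user's DN is cn=A,cn=Users,dc=testing,dc=local as in the text, that it runs from an elevated prompt in DSRM, and that wbadmin get versions prints its "Version identifier:" lines in the usual MM/DD/YYYY-HH:MM form.

```powershell
# Added example: pick the newest system state backup, restore it, then mark one
# deleted object as authoritative before rebooting out of DSRM.
# Assumptions: backups on C:, DN from the article, elevated DSRM session.

$BackupVolume = 'C:'
$ObjectDN     = 'cn=A,cn=Users,dc=testing,dc=local'

# Parse the "Version identifier: 02/20/2013-23:29" lines printed by wbadmin.
$versions = @(
    wbadmin get versions -backupTarget:$BackupVolume |
        ForEach-Object {
            if ($_ -match 'Version identifier:\s*(\S+)') { $Matches[1] }
        }
)
if ($versions.Count -eq 0) { throw "No backups found on $BackupVolume" }

# wbadmin lists versions oldest first, so the last entry is the newest backup.
$version = $versions[-1]
Write-Host "Restoring system state version $version"

# Non-authoritative system state restore: the directory is rolled back to the
# backup and normal replication later brings in changes made since then.
wbadmin start systemstaterecovery -version:$version -quiet
if ($LASTEXITCODE -ne 0) {
    throw "systemstaterecovery failed with exit code $LASTEXITCODE"
}

# Still in DSRM, before the reboot: mark only the deleted object as authoritative
# so replication partners accept it back instead of re-deleting it. ntdsutil
# takes its menu commands as arguments, which avoids typing them interactively.
ntdsutil "activate instance ntds" "authoritative restore" "restore object `"$ObjectDN`"" quit quit
if ($LASTEXITCODE -ne 0) {
    throw "ntdsutil authoritative restore failed with exit code $LASTEXITCODE"
}

# Reboot into normal mode; the restored object then replicates to the other DCs.
# Restart-Computer
```

The order matters: the authoritative restore of the object is done after the system state recovery and before the restart, because ntdsutil raises the object's version numbers in the restored copy of the database, and that is what makes the other domain controllers keep it once replication resumes.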