Introduction to Administering Active Directory Backup and Restore
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
Active Directory backup must be incorporated into your operations schedule for a set of domain controllers that you identify and on which you perform routine backup operations.
Active Directory restore is not performed routinely as an operations task; it is performed only when indicated by a failure or other condition from which a domain controller can recover only by restoring the directory to a previous state.
System State Components
Active Directory is backed up as part of system state, a collection of system components that depend on each other. All system state components must be backed up and restored together.
The system state components on a domain controller include the following:
System startup (boot) files. These files are required for Windows Server 2003 to start.
System registry
Class registration database of component services. The Component Object Model (COM) is a binary standard for writing component software in a distributed systems environment.
System volume (SYSVOL). SYSVOL provides a default location for files that must be shared for common access throughout a domain. The SYSVOL folder on a domain controller contains the following:
Net Logon shared folders. These folders usually host user logon scripts and policy settings for network clients that are running pre–Windows 2000 operating systems.
User logon scripts for Active Directory–enabled clients
System policies
Group Policy settings
File system junctions
File Replication service (FRS) staging directories and files that are required to be available and synchronized between domain controllers
Active Directory, including the following:
The Active Directory database (Ntds.dit)
The checkpoint file (Edb.chk)
The transaction logs, each 10 megabytes (MB) in size (Edb*.log)
Reserved transaction logs (Res1.log and Res2.log)
If you installed Windows Clustering or Certificate Services on your domain controller, they are also backed up as part of system state. Details of these components are not discussed in this guide.
Purpose of Performing Regular Backups
You need a current, verified, and reliable backup to:
Restore Active Directory data that becomes lost. By using an authoritative restore process, you can restore individual objects or sets of objects (containers or directory partitions) from their deleted state.
Recover a domain controller that cannot start up or operate normally because of software failure or hardware failure.
Install Active Directory from backup media (using the dcpromo /adv command). You can use this installation option of Dcpromo to install Active Directory on a server running Windows Server 2003 to make that server an additional domain controller. Use this method to quickly add a domain controller to a domain that has a large database or that is located in sites that are separated by slow network links.
Perform a forest recovery if forest-wide failure occurs.
Restore Requirements and Recommendations
The tombstone lifetime value in an Active Directory forest defines the default number of days that a domain controller preserves knowledge of deleted objects. This value also defines the useful life of a system state backup that is used for disaster recovery or installation from backup media. Active Directory protects itself from restoring data that is older than the tombstone lifetime by disallowing the restore.
The tombstone lifetime is stored in the tombstoneLifetime attribute of the object CN=Directory Service,CN=Windows NT,CN=Services,CN-Configuration,DC=ForestRootDomain. In a forest that is created on a domain controller that is running Windows Server 2003 without Service Pack 1 (SP1), the default tombstone lifetime is 60 days. In a forest that is created on a domain controller that is running Windows Server 2003 with SP1, Windows Server 2003 with Service Pack 2 (SP2), or Windows Server 2003 R2, the default tombstone lifetime is 180 days. Because the tombstone lifetime can be changed administratively, do not assume the default value. Be sure that you are aware of the tombstone lifetime that is in effect in your forest.
Important
You should not modify system clocks in an attempt to improperly extend the useful life of a system state backup.
System state restore should be undertaken as a last resort, not as primary method of recovering from an error or failure condition.
Backup Guidelines
The following guidelines for backup include the performance of appropriate backups to ensure redundancy of Active Directory data:
Perform normal backup. Normal backup is the only type of backup that is available and supported for Active Directory. The Backup tool in Windows Server 2003 supports multiple types of backup: normal, copy, incremental, differential, and daily. You must use normal backup because Active Directory is backed up as part of system state.
Perform daily backups of each unique partition on at least two unique domain controllers, with special emphasis on single-domain controller forests, single-domain controller domains, and empty root domains.
Where partitions exist in only one site, you can ship backup files offsite to a secure location so that no backup file of a unique directory partition exists in only one physical site at any point in time. This provides an extra level of redundancy.
Make sure your backups are stored in a secure location at all times.
Back up Domain Name System (DNS) zones. You must be aware of the location of DNS zones and back up DNS servers accordingly. If you use Active Directory-integrated DNS, DNS zone data is captured as part of system state on domain controllers that are also DNS servers.
If you do not use Active Directory-integrated DNS, you must back up the zone file directories on a representative set of DNS servers for each DNS zone to ensure fault tolerance for the zone.
Note
The DNS server stores settings in the registry, so system state backup is required for DNS regardless of whether the zone data is Active Directory-integrated or stored in the file system.
If you have application partitions in your forest, make sure that you take a backup of the domain controllers that hold those application partitions.
Create additional backups in every geographic location where:
Mission-critical work is performed.
A wide area network (WAN) outage would disrupt business.
The elapsed time that it takes to perform either of the following tasks would be cost-prohibitive because of slow link speeds, the size of the directory database, or both:
To create a domain controller in its intended domain over the network.
Or
To copy or transport a system state backup from a site where a backup exists to a site that has no backup, for the purpose of performing an installation from backup media.
Note
A backup can be used to restore only the domain controller on which the backup was generated or to create a new additional domain controller in the same domain by installing from backup media. A backup cannot be used to restore a different domain controller or to restore a domain controller onto different hardware. Likewise, a backup that is made on a domain controller running Windows 2000 Server cannot be used to restore a domain controller running Windows Server 2003.
Backup Frequency
Backup frequency depends on criteria that vary for individual environments. In most Active Directory environments, users, computers, and administrators make daily changes to directory objects. For example, computer accounts, including domain controller accounts, change their passwords every 30 days by default. Therefore, every day a percentage of computer passwords changes for domain controllers. Rolling the computer password of a domain controller back to a former state affects authentication and replication. A percentage of user passwords might also expire on a daily basis, and if they are lost as a result of domain controller failure, they must be reset manually. Generally, no record of these changes exists except in Active Directory. Therefore, the more frequently you back up domain controllers, the fewer problems you will encounter if you need to restore.
The more Active Directory objects and domain controllers you have, the more frequent your backups should be. For example, in a large organization, to recover from the inadvertent deletion of a large organizational unit (OU) by restoring the domain from a backup that is days or weeks old, you might have to re-create hundreds of accounts that were created in that OU since the backup was taken. To avoid re-creating accounts and potentially performing large numbers of manual password resets, ensure that recent system state backups are always available to recover recent Create, Modify, and Delete operations.
Frequency Criteria
Use the following criteria to assess backup frequency:
Small environments with a single domain controller in the forest, or domains that exist in a single physical location (that is, that have a single point of failure): create backups at least daily.
Medium (10 to 49 domain controllers) and large environments (50 to 1,000 or more domain controllers): Create backups of each unique directory partition in the forest on two different computers at least daily with an emphasis on backing up application directory partitions, empty root domains, domain partitions in a single geographic site, and sites that have large populations of users or that host mission-critical work.
Make backups with increasing frequency until you are confident that if you were to lose the objects that were created or modified since the last backup, the loss would not create an operational disruption. For this reason, major changes to the environment should always be immediately followed by a new system state backup.
Note
It is always recommended that you have at least two domain controllers in each domain of your Active Directory forest
Immediate Backup
In addition to regularly scheduled backups, perform an immediate backup when:
You have moved the Active Directory database, log files, or both to a different location on a disk.
A domain controller is upgraded from Windows 2000 Server to Windows Server 2003 or there are any other operating system upgrades.
A Service Pack is installed.
A hotfix is installed that makes changes to the Active Directory database.
A current backup is required for installing from backup media for a new domain controller.
The tombstone lifetime is changed administratively.
Backup Latency Interval
On domain controllers running Windows Server 2003 with Service Pack 1 (SP1), Windows Server 2003 with Service Pack 2 (SP2), or Windows Server 2003 R2, event ID 2089 provides the backup status of each directory partition that a domain controller stores, including application directory partitions. Specifically, event ID 2089 is logged in the Directory Service event log when partitions in the Active Directory forest are not backed up within a backup latency interval. The value for the backup latency interval is stored as a REG_DWORD value in the Backup Latency Threshold (days) entry in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters.
Note
An initial backup must be performed before event ID 2089 will be logged. If no backup is ever performed on a domain controller, this event does not provide warnings of backup latency.
By default, the value of Backup Latency Threshold (days) is half the value of the tombstone lifetime of the forest. In a forest that is created on a domain controller that is running Windows Server 2003 without Service Pack 1 (SP1), half the default tombstone lifetime is 30 days. In a forest that is created on a domain controller that is running Windows Server 2003 with SP1, Windows Server 2003 with Service Pack 2 (SP2), or Windows Server 2003 R2, half the default tombstone lifetime is 90 days. However, we recommend that you make backups at a much higher frequency than half the tombstone lifetime. By setting a minimum backup frequency, changing Backup Latency Threshold (days) to reflect that frequency, and monitoring Event ID 2089, you ensure the backup frequency that is established in your organization.
To set a different Backup Latency Threshold (days) value, use Registry Editor (Regedit.exe) to create the entry as a REG_DWORD and provide the appropriate number of days.
See Also
Concepts
Installing a Domain Controller in an Existing Domain Using Restored Backup Media