During my daily work I encounter a lot of confusion about this topic.
Let’s first discuss couple of basic things about the backup of Active Directory and why it is so important to use a Microsoft supported solution.
When we are in a Disaster Recovery scenario and we need to restore our Active Directory forest we want to know that we can rely on Microsoft for help. In order to be able to do this we need to use a supported solution which is Windows Server backup.
What is the first step in our Disaster Recovery process?
Document your infrastructure! Document your topology!
What should we document?
- The forest name
- All domain names (root and child domain names, including NETBIOS name)
- Domain Controller names, IP addresses, gateway, DNS settings, VLAN
- What Site my domain controller is in?
- The sites topology, site links, replication schedules, connection objects (aka replication topology)
- Owner of the FSMO roles
- What kind of backup we are taking from that Domain Controller? (Full Server Backup, System state, Bare metal ?)
- What hardware I am running on ?
- What virtualization platform I am using?
The next step is to take a proper backup. Modern Windows Server backup operating systems are not coming with Windows Server Backup installed by default, so the first thing would be to install it. To do that you need to go to Server Manager, Manage, add Roles and Features, go to features and select Windows Server backup, then install it.
After you install it go to Server Manager, Tools and Windows Server Backup
After Windows Server Backup has started, clock on Local Backup then go on the right side to Backup Schedule.
After the wizard starts click on Next, then you have two options: Full Server (recommended) or Custom.
If we select Full Server then all the needed data will be backed up, including Bare Metal recovery, System State, Recovery partition, and the content of the disk drives.
If we select Custom then we need to go click on Add items
Then the selection part opens
What should we backup from here? The answer is: it depends. If we want to be able to perform a full forest recovery then we should backup everything (at least Bare Metal recovery, System State, recovery partition and the C: Drive). If we want to perform a non-authoritative restore of Active Directory we can backup the System State.
After we decide what to backup we need to decide where we will point the backup – dedicated disk, a volume or a network share. Microsoft’s recommendation is to backup to a dedicated disk.
I will backup the full server to a disk.
After clicking Finish the disk will be formatted and will be used for the backup.
The backup will run as scheduled.
To answer the question: How long can I use my Active Directory backup? The answer is for: the duration of your Tombstone Lifetime setting. If your forest was started back in the 2003 days or older the default setting will be 60 days, starting with Windows Server 2008 is 180 days.
So the answer will be: for 60 or 180 days from the moment you took your backup, depending on your tombstone lifetime!
I will discuss about the tombstone lifetime in a different article.