In this article, we’ll cover how to back up Active Directory domain controllers and enable automatic AD backups using PowerShell and the built-in Windows Server Backup feature.
Do I Need to Back Up Active Directory?
One way to improve fault tolerance and load balancing in Active Directory is to deploy additional domain controllers. In such an environment, the AD database is replicated between all DCs. If one of the DCs fails, the entire directory service will not fail. Domain clients can easily switch to the domain controllers that are still alive. The administrator can quickly deploy a new DC, replicate the AD database from the remaining DCs, and then remove the failed domain controller.
However, additional domain controllers will not help in cases where all DCs are broken at once. For example, if all domain controllers are infected or encrypted (for instance, after the domain administrator's credentials have been stolen with the Mimikatz tool), if the logical structure of the NTDS.DIT database (which is replicated to all DCs) is corrupted, or in other catastrophic scenarios.
In general, backing up AD is absolutely necessary. At a minimum, you should regularly back up the DCs that hold Flexible Single-Master Operations (FSMO) roles. List the domain controllers running the FSMO roles using the command:
netdom query fsmo
Get the Last Backup Time of Active Directory Domain Controller
Use the repadmin command to see when the current AD domain controller was last backed up:
repadmin /showbackup
In this example, the last time the DC and AD partitions were backed up was in 2021 (most likely, it hasn't been done since the domain controller was deployed).
Get the last backup time for each DC in the domain:
repadmin /showbackup *
Use the following command to find out how many times AD has been backed up on a specific DC (the Version counter of the dSASignature attribute metadata increases with every backup):
(Get-ADReplicationAttributeMetadata -Object "CN=Configuration,DC=WOSHUB,DC=LOC" -Properties dSASignature -Server M-DC01).Version
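The two commands above check one DC at a time. The script below is an added example (not part of the article) that turns the same dSASignature metadata into a domain-wide report: for every writable DC it reads the last originating change time of dSASignature on the domain, configuration and schema partitions, which is exactly what repadmin /showbackup displays, and flags any partition whose last backup is older than a threshold. The 14-day threshold and the function name Get-DcBackupAge are assumptions.

```powershell
# Added example, not the article's code. Report the last System State backup of every
# writable domain controller. Windows updates the dSASignature attribute of each AD
# partition when a backup completes, so its replication metadata doubles as a backup log.
Import-Module ActiveDirectory

function Get-DcBackupAge {
    param(
        [int]$MaxAgeDays = 14   # assumption: anything older than two weeks is reported as STALE
    )
    $rootDse = Get-ADRootDSE
    # Partitions whose backup state is tracked by repadmin /showbackup
    $partitions = @(
        $rootDse.defaultNamingContext,
        $rootDse.configurationNamingContext,
        $rootDse.schemaNamingContext
    )

    $dcs = Get-ADDomainController -Filter * | Where-Object { -not $_.IsReadOnly }
    foreach ($dc in $dcs) {
        foreach ($nc in $partitions) {
            $meta = $null
            $last = $null
            try {
                # Query the metadata on the DC itself: the value is DC-specific, not replicated
                $meta = Get-ADReplicationAttributeMetadata -Object $nc -Properties dSASignature `
                            -Server $dc.HostName -ErrorAction Stop
                $last = $meta.LastOriginatingChangeTime
            } catch {
                Write-Warning "Could not query $($dc.HostName) for $nc : $($_.Exception.Message)"
            }

            $age = if ($last) { (New-TimeSpan -Start $last -End (Get-Date)).Days } else { $null }
            [pscustomobject]@{
                DomainController = $dc.HostName
                Partition        = $nc
                LastBackup       = $last
                AgeDays          = $age
                BackupCount      = if ($meta) { $meta.Version } else { $null }
                Status           = if ($null -eq $last -or $age -gt $MaxAgeDays) { 'STALE' } else { 'OK' }
            }
        }
    }
}

# Stale partitions first, so they are visible at the top of the report
Get-DcBackupAge -MaxAgeDays 14 | Sort-Object Status, AgeDays -Descending | Format-Table -AutoSize
```

Run it from any machine with the RSAT ActiveDirectory module as a domain user; no elevated rights are needed to read replication metadata. A DC that reports STALE on all three partitions has never been backed up with a System State backup, and a DC that is STALE only on the domain partition usually means the backup was taken on another DC.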
How to Back Up an AD Domain Controller with Windows Server Backup
If you don't have dedicated backup software, use the built-in Windows Server Backup (WSB) feature (which replaces the NTBackup tool) to back up Active Directory.
To back up a domain controller, create a System State backup of Windows Server on the DC. The System State backup includes the Active Directory database (NTDS.DIT), the contents of the SYSVOL directory including the Group Policy (GPO) files, integrated DNS zones, the registry, IIS metadata, the AD CS database, the Windows bootloader configuration, and other system files and resources. The backup is created through the Volume Shadow Copy Service (VSS).
Use the Get-WindowsFeature PowerShell cmdlet to verify that the Windows Server Backup feature is installed:
Get-WindowsFeature Windows-Server-Backup
If WSB is not installed, add it with PowerShell:
Add-WindowsFeature Windows-Server-Backup -IncludeAllSubFeature
Or install the Windows Server Backup via Server Manager -> Features.
I want to back up this AD domain controller to a shared network folder on a remote file server. For example, a path to the backup directory might look like this: \\mun-back1\backup\dc01. Change the NTFS permissions on this share so that only SYSTEM, Domain Admins, and Domain Controllers can read/write to the directory.
An administrator can use the Windows Server Backup graphical MMC snap-in (wbadmin.msc) to configure and enable an automatic AD backup task. The main disadvantage of this method is that a new AD backup always overwrites the previous one in the WindowsImageBackup directory. Use the wbadmin.exe command-line tool to automate backup creation if you want to keep AD backups from different dates.
Backup Active Directory with a PowerShell Script
Let’s use a PowerShell script to automate the domain controller backup. To have multiple copies of AD backups, we will put each backup in a separate folder. The name of the folder will be the date on which the copy was created.
A basic version of a PowerShell script to back up a DC might look like this:
$path = "\\mun-back1\backup\dc1\"
Import-Module ServerManager
# Each backup goes into its own folder named after the current date
[string]$date = Get-Date -Format 'yyyy-MM-dd'
$TargetUNC = $path + $date
if (!(Test-Path -Path $TargetUNC)) {
    New-Item -Path $TargetUNC -ItemType Directory | Out-Null
}
# Create a System State backup of this DC in the date folder
$WBadmin_cmd = "wbadmin.exe START BACKUP -backupTarget:$TargetUNC -systemState -noverify -vssCopy -quiet"
Invoke-Expression $WBadmin_cmd
Add the following code to have the PowerShell script delete old backup versions (for example, older than 90 days):
$Period = -90 # Number of days to keep
# Calculate the date before which old backups are deleted
$CurrentDay = Get-Date
$ChDaysDel = $CurrentDay.AddDays($Period)
# Delete files created more than the specified number of days ago.
# Search the backup root ($path), not the current date folder ($TargetUNC), otherwise older folders are never cleaned up
Get-ChildItem -Path $path -Recurse -File | Where-Object { $_.CreationTime -lt $ChDaysDel } | Remove-Item -Force
# Delete the date folders that are now empty (deepest folders first)
Get-ChildItem -Path $path -Recurse -Directory |
    Where-Object { @(Get-ChildItem -Path $_.FullName -Recurse -File).Count -eq 0 } |
    Sort-Object { $_.FullName.Length } -Descending |
    Remove-Item -Recurse -Force
# Additionally ask wbadmin to keep only the last N versions in its catalog
$KeepVersion = 10
$WBadmin_cmd = "wbadmin delete backup -keepVersions:$KeepVersion -quiet"
Invoke-Expression $WBadmin_cmd
In this case, wbadmin will keep only the 10 most recent backups. Older backups will be deleted.
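The script above prunes old backups unconditionally, and Invoke-Expression re-parses the command string, so a failed wbadmin run still goes on to delete the old copies. The following is an added example (not the article's script) of the same backup and retention logic with the points a practitioner would want hardened: wbadmin is called directly with the call operator, its exit code is checked, every step is logged, and retention is driven by the date in the folder name rather than file timestamps, so nothing else on the share is ever touched. The share path, the 90-day retention, the log file location and the helper names are assumptions.

```powershell
# Added example, not the article's code. Hardened System State backup of a DC with
# per-date folders, exit-code checking, logging and name-based retention.
# Paths, retention and helper names are assumptions for this example.
param(
    [string]$BackupRoot = '\\mun-back1\backup\dc1',   # assumed share, same layout as the article
    [int]$KeepDays      = 90,                          # assumed retention in days
    [string]$LogFile    = 'C:\ps\backup_ad.log'        # assumed log location
)

function Write-Log([string]$Message) {
    $line = "{0:yyyy-MM-dd HH:mm:ss} {1}" -f (Get-Date), $Message
    Add-Content -Path $LogFile -Value $line
    Write-Output $line
}

# One folder per day, named yyyy-MM-dd, so the retention step can parse the date back
$target = Join-Path $BackupRoot (Get-Date -Format 'yyyy-MM-dd')
if (-not (Test-Path -LiteralPath $target)) {
    New-Item -Path $target -ItemType Directory | Out-Null
}

Write-Log "Starting System State backup to $target"
# Call operator with separate arguments: no string re-parsing, and $LASTEXITCODE is set
& wbadmin.exe START BACKUP "-backupTarget:$target" -systemState -noverify -vssCopy -quiet
if ($LASTEXITCODE -ne 0) {
    # Do not prune when the new backup failed: keep every existing copy
    Write-Log "wbadmin failed with exit code $LASTEXITCODE; old backups are NOT pruned"
    exit $LASTEXITCODE
}
Write-Log "Backup finished successfully"

# Retention: remove only folders whose name parses as a date and is older than the cutoff
$culture = [Globalization.CultureInfo]::InvariantCulture
$cutoff  = (Get-Date).Date.AddDays(-$KeepDays)
Get-ChildItem -LiteralPath $BackupRoot -Directory | ForEach-Object {
    $folderDate = [datetime]::MinValue
    $isDate = [datetime]::TryParseExact($_.Name, 'yyyy-MM-dd', $culture,
                  [Globalization.DateTimeStyles]::None, [ref]$folderDate)
    if ($isDate -and $folderDate -lt $cutoff) {
        Write-Log "Removing expired backup folder $($_.FullName)"
        Remove-Item -LiteralPath $_.FullName -Recurse -Force
    }
}
```

Because the script exits with wbadmin's own exit code, a failed run shows up as a non-zero "Last Run Result" in Task Scheduler and can be picked up by monitoring, instead of being hidden behind a successful-looking cleanup.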
Run this script. Information about creating a shadow copy of the hard disk should appear in the wbadmin console.
If the backup is successful, the following messages will appear in the log:
The backup of volume (C:) completed successfully. The backup of the system state successfully completed.
The full Windows Server Backup log is available in the directory C:\Windows\Logs\WindowsServerBackup\.
Now check that the DC’s last backup date is updated:
repadmin /showbackup
Now it says that the last domain controller backup was performed today.
The size of the DC backup in the network share in this example is approximately 12 GB. The result is a VHDX image file with the DC backup that can be used for OS recovery via WSB, or you can manually mount the VHDX file and extract the required files or folders from it.
If you only need a copy of the AD database file itself rather than the full System State, back up just the NTDS.DIT file:
$WBadmin_cmd = "wbadmin start backup -backuptarget:$path -include:C:\Windows\NTDS\ntds.dit -quiet"
Invoke-Expression $WBadmin_cmd
Depending on the size of the AD database, the size of such a backup will be only 50-500 MB.
To perform an automatic AD backup, create the c:\ps\backup_ad.ps1 script on your DC. This PowerShell script must be run through the Task Scheduler. You can create a scheduled task from the taskschd.msc GUI or with PowerShell. The task must run as NT AUTHORITY\SYSTEM with the Run with highest privileges option enabled. Create the following scheduled task to back up the AD domain controller three times a week:
$trigger = New-ScheduledTaskTrigger -Weekly -DaysOfWeek Tuesday,Friday -At "01:00AM"
$User= "NT AUTHORITY\SYSTEM"
$Action= New-ScheduledTaskAction -Execute "PowerShell.exe" -Argument "c:\ps\backup_ad.ps1"
Register-ScheduledTask -TaskName "BackupADScript_PS" -Trigger $Trigger -User $User -Action $Action -RunLevel Highest -Force
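Registering the task is not the same as knowing it keeps working. The following added example (not part of the article) checks both sides on the DC itself: the scheduled task's last run result, and what Windows Server Backup records about the last successful backup through Get-WBSummary from the WindowsServerBackup module. The task name is the one registered above; the 4-day freshness threshold and the function name Test-AdBackupHealth are assumptions.

```powershell
# Added example, not the article's code. Verify on the DC that the scheduled backup task
# ran cleanly and that Windows Server Backup reports a recent successful backup.
Import-Module ScheduledTasks
Import-Module WindowsServerBackup

function Test-AdBackupHealth {
    param(
        [string]$TaskName  = 'BackupADScript_PS',   # task registered in the article
        [int]$MaxAgeDays   = 4                      # assumption: fits a twice-weekly schedule with slack
    )

    $task    = Get-ScheduledTaskInfo -TaskName $TaskName
    $summary = Get-WBSummary

    # LastSuccessfulBackupTime is unset when WSB has never completed a backup on this host
    $age = if ($summary.LastSuccessfulBackupTime) {
        (New-TimeSpan -Start $summary.LastSuccessfulBackupTime -End (Get-Date)).Days
    } else { $null }

    [pscustomobject]@{
        TaskLastRun        = $task.LastRunTime
        TaskLastResult     = $task.LastTaskResult              # 0 means the script exited cleanly
        LastSuccessfulWSB  = $summary.LastSuccessfulBackupTime
        LastBackupTarget   = $summary.LastSuccessfulBackupTargetPath
        LastBackupResultHR = $summary.LastBackupResultHR       # HRESULT of the last attempt, 0 = success
        AgeDays            = $age
        Healthy            = ($task.LastTaskResult -eq 0) -and
                             ($summary.LastBackupResultHR -eq 0) -and
                             ($null -ne $age) -and ($age -le $MaxAgeDays)
    }
}

Test-AdBackupHealth | Format-List
```

A task that reports a last result of 0 while Get-WBSummary shows an old LastSuccessfulBackupTime is the classic silent failure: the script ran, but wbadmin did not complete, which is why the backup script should pass wbadmin's exit code through to the scheduler.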
Thus, we have configured the AD domain controller automatic backup. In the next post, we will look at ways to restore Active Directory from an existing system state backup.
4 comments
Brilliant article, just found your site and it’s great!
Thank you!
Will this work with a Linux Samba AD?
Hi there,
Excellent overview of the steps involved. Any particular advantage of using PS in place of the GUI Windows Backup utility to schedule the backups?
Also, has anyone got advice on why the backup time in repadmin /showbackup * would come up with a recent date even though I am 100% sure we have not done any scheduled or manual backup in recent months… the network share for the backup is also about half a year behind.
Thank you
Alex