Backing up Domain Controller: Best practices for AD protection (Part 1)

Read the full series:

Ch.1 — Backing up Domain Controller
Ch.2 — How to recover a Domain Controller
Ch.3 — Reanimating Active Directory tombstone objects
Ch.4 — Leveraging Active Directory Recycle Bin


Microsoft Active Directory is a standard in corporate environments where authentication and central user-management are required. It’s almost impossible to imagine how system administrators would be able to do their jobs effectively if this technology didn’t exist. Not only is Active Directory a great power, but it’s also a great responsibility — and it requires spending a lot of time with it in order to maximize its capabilities.

The purpose of this series is to help you back up and recover Active Directory Domain Services successfully with Veeam, giving you all the keys to painless AD protection. Before reading this, you might want to take a look at the Best practices for AD administration series we posted a while ago.

This series discusses how Veeam can protect Active Directory data: preserving Domain Controllers (DCs) or individual AD objects and recovering either of them when required.

Today, I’m going to talk about the backup options Veeam offers for both physical and virtualized Domain Controllers, and backup considerations to keep in mind while you do that.

Backup Domain Controller considerations

Because Active Directory Domain Services is designed with a degree of redundancy, the common backup rules and tactics can be relaxed and adapted to it. It wouldn’t be right to apply the same backup policy you have for a SQL or Exchange server here. Below are some considerations I believe might be helpful for creating your own Active Directory policies:

  • Learn which domain controllers hold Flexible Single Master Operations (FSMO) roles in your environment. Hint: a simple command to check this from the command line: netdom query fsmo
  • When performing a full domain recovery, you might want to start from the DC with the most FSMO roles, usually the one with the PDC emulator role. Otherwise, you will have to transfer roles manually after the restore with the ntdsutil seize command. Keep this in mind when planning backups, and prioritize Domain Controllers accordingly. Refer to the Active Directory basics white paper to learn more about FSMO roles.
  • If you have multiple Domain Controllers for the site and you’re looking to protect individual objects, there’s no need to back up all DCs: for item-level recovery, one copy of the Active Directory database (ntds.dit) is sufficient.
  • Some measures always reduce the risk of accidental or intentional deletion or change of AD objects. Consider delegating administration operations, restricting access to elevated groups and maintaining a “lag” site.
  • It’s usually recommended to back up one Domain Controller at a time, so as not to interfere with DFS Replication, even though modern backup applications (e.g., Veeam Backup & Replication v7 with Patch 3 and onwards) know how to deal with this.
  • If you have a VMware virtual environment and it is not possible to connect to your Domain Controller over the network (for example, because it is in a DMZ), Veeam will fail over to VIX and should be able to process your DC.
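
To turn the first two considerations into a backup priority list, the following added example (not part of the original article and not Veeam code) counts how many FSMO roles each DC holds and sorts the PDC emulator holder first. It assumes the RSAT ActiveDirectory PowerShell module is installed; the function name Get-FsmoBackupPriority is hypothetical.

```powershell
# Added example: rank DCs by FSMO roles held to set backup/restore priority.
# Assumes the ActiveDirectory module (RSAT) and read access to the directory.
Import-Module ActiveDirectory

function Get-FsmoBackupPriority {
    [CmdletBinding()]
    param(
        [string]$Domain = (Get-ADDomain).DNSRoot   # defaults to the current domain
    )
    $d = Get-ADDomain -Identity $Domain
    $f = Get-ADForest -Identity $d.Forest

    # Five FSMO roles: three per domain, two per forest
    $roles = [ordered]@{
        PDCEmulator          = $d.PDCEmulator
        RIDMaster            = $d.RIDMaster
        InfrastructureMaster = $d.InfrastructureMaster
        SchemaMaster         = $f.SchemaMaster
        DomainNamingMaster   = $f.DomainNamingMaster
    }

    # Start every DC in the domain at zero roles so non-holders are listed too
    $byDc = @{}
    Get-ADDomainController -Filter * -Server $d.DNSRoot | ForEach-Object {
        $byDc[$_.HostName.ToLower()] = [System.Collections.Generic.List[string]]::new()
    }
    foreach ($role in $roles.Keys) {
        $holder = $roles[$role].ToLower()
        if (-not $byDc.ContainsKey($holder)) {
            # Forest-wide roles may sit on a DC in another domain
            $byDc[$holder] = [System.Collections.Generic.List[string]]::new()
        }
        $byDc[$holder].Add($role)
    }

    $byDc.GetEnumerator() | ForEach-Object {
        [pscustomobject]@{
            DomainController = $_.Key
            RoleCount        = $_.Value.Count
            HoldsPDCEmulator = $_.Value -contains 'PDCEmulator'
            Roles            = $_.Value -join ', '
        }
    } | Sort-Object -Property @{Expression = 'HoldsPDCEmulator'; Descending = $true},
                              @{Expression = 'RoleCount'; Descending = $true},
                              DomainController
}

Get-FsmoBackupPriority | Format-Table -AutoSize
```

DCs at the top of the output are the ones to back up first and to restore first in a full domain recovery.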

How to back up a virtual Domain Controller

Microsoft’s Active Directory Services organize and keep information about individual objects within the forest and store it in a relational database (ntds.dit), hosted by a domain controller. Backing up a Domain Controller used to be a tiresome process that involved backing up the server’s system state. It’s a well-known fact that Active Directory services don’t consume a lot of system resources, so Domain Controllers tend to be the first servers to be virtualized in an environment. If you happen to share the old belief of “physical DCs only”, please refer to this post.

Once virtualized, they are easy for a domain or system administrator to manage and can be easily backed up with Veeam Backup & Replication. You should have Veeam Backup & Replication installed and configured. The system requirements (of version 9.0) are as follows:

Virtual platform: VMware vSphere 4.1 and newer; Microsoft Hyper-V 2008 R2 SP1 and newer

Veeam server: Windows Server 2008 SP2 and newer; Windows 7 SP1 and newer, 64-bit OS

Domain controller virtual machine (VM): Windows Server 2003 SP1 and newer; the minimum supported forest functional level is Windows 2003

Permissions: Administrative rights for the target Active Directory, i.e. the account of an enterprise administrator or domain administrator.

This article doesn’t intend to cover the process of Veeam Backup & Replication installation and configuration, as it’s already been covered a few times. But, if you need help with that, please refer to the following video recorded by a Veeam system engineer.

I’m going to assume that you have everything running fine. Now you’d like to configure a backup task for your virtual Domain Controller. The process of configuration is rather simple (see figure 1 below):

  1. Launch a Backup Job creation wizard
  2. Add a desired Domain Controller to the task
  3. Specify the retention policy for the backup chain
  4. Make sure you enable application-aware image processing (AAIP) to ensure transactional consistency of the OS and applications running on the VM, including the Active Directory database and SYSVOL catalog

AAIP is a Veeam technology that allows the software to back up VMs in an application-aware way. This involves detecting the applications of a guest OS and collecting their metadata, quiescing them using the corresponding Microsoft VSS writers, preparing an application-specific VSS restore procedure to take place upon the first boot of the restored VM, and truncating the application’s transaction logs if the backup task is successful. Please refer to the AAIP documentation for details.

If AAIP is not enabled, the Domain Controller guest OS will not register that it was backed up and protected. So, a while later, you might notice an internal warning in the server logs: event 2089, stating that there was no backup for “backup latency interval” days.

Figure 1. Edit Backup Job: Guest processing

  5. Schedule a job or run it manually
  6. Ensure the job completed successfully with no errors or warnings

Figure 2. Performing incremental backup of a DC

  7. Find the newly created backup file in the backup repository — that’s it!
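
To verify from the Active Directory side that the job above was actually registered, the following added example (not part of the original article and not Veeam code) searches each DC’s Directory Service log for the event 2089 warning described earlier. It assumes the RSAT ActiveDirectory module and remote Event Log access to the DCs; the function name Test-DcBackupAwareness and the 30-day window are hypothetical choices.

```powershell
# Added example: find DCs that have logged the "not backed up" warning (event 2089).
# Assumes RSAT ActiveDirectory module and remote Event Log access to each DC.
Import-Module ActiveDirectory

function Test-DcBackupAwareness {
    [CmdletBinding()]
    param(
        [int]$LookbackDays = 30   # assumed search window; adjust to your policy
    )
    $since = (Get-Date).AddDays(-$LookbackDays)

    foreach ($dc in Get-ADDomainController -Filter *) {
        $status = 'OK: no event 2089'
        $count  = 0
        $latest = $null
        try {
            $events = @(Get-WinEvent -ComputerName $dc.HostName -ErrorAction Stop -FilterHashtable @{
                LogName   = 'Directory Service'
                Id        = 2089
                StartTime = $since
            })
            $count  = $events.Count
            $latest = ($events | Sort-Object TimeCreated -Descending | Select-Object -First 1).TimeCreated
            $status = 'WARNING: backup latency interval exceeded'
        }
        catch {
            # Get-WinEvent raises an error when nothing matches; that is the healthy case.
            # Anything else (RPC blocked, access denied) must not be reported as healthy.
            if ($_.FullyQualifiedErrorId -notlike 'NoMatchingEventsFound*') {
                $status = "UNKNOWN: $($_.Exception.Message)"
            }
        }
        [pscustomobject]@{
            DomainController = $dc.HostName
            Status           = $status
            Event2089Count   = $count
            LatestEvent      = $latest
        }
    }
}

Test-DcBackupAwareness | Format-Table -AutoSize

# Cross-check with the built-in tool: last backup time recorded per directory partition
repadmin /showbackup *
```

A DC that keeps reporting WARNING after successful backup jobs is a sign that guest processing (AAIP) is not enabled for it.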

Additionally, you can store a backup in the cloud with Veeam Cloud Connect (VCC) service provider or another backup repository using Veeam Backup Copy jobs or archive it to tape with Backup to Tape job. The most important thing is that backup is now safe and can be restored as soon as you need it.

How to back up a physical Domain Controller

Frankly speaking, I hope that you’ve been updating AD services in your company and that your Domain Controllers have been virtualized for a long time. If not, I hope that you’ve at least been updating your Domain Controllers, and that they’re running relatively modern Windows Server OS versions, Windows Server 2008 R2 or newer. (If you are managing older systems, skip the section below and go to the third article right away.)

So, you have a physical Domain Controller, or a set of them, running Windows Server 2008 R2 or newer, and you want to protect your AD? Meet Veeam Endpoint Backup, the utility aimed at ensuring that data on your remaining physical endpoints and servers is safe and secure. Veeam Endpoint Backup captures the desired data of the physical machine and stores it in a backup file. Then, in case of a disaster, you are able to do a bare-metal or volume-level restore while having full control of the recovery procedures. Plus, you get item-level recovery with Veeam Explorer for Microsoft Active Directory.

In order to back up your physical Domain Controller with this tool you should:

  • Download Veeam Endpoint Backup FREE from this page and copy it to your DC
  • Launch the installation wizard, accept the license agreement and install the program
    Note: read these instructions for installing in Unattended Mode.
  • Configure a backup job by selecting the appropriate backup mode. Backing up the entire computer is the simplest and recommended approach. When using file-level backup mode, be sure to select Operating system as an object to back up (see Figure 3). This ensures that the program captures all files required for bare-metal restore; the Active Directory database and SYSVOL catalog will also be saved. Refer to the product user guide for details.

Figure 3. Selecting objects to backup in Veeam Endpoint Backup

If you have a Veeam Backup & Replication instance in your infrastructure and you’d like to use a configured Veeam Backup Repository to accept endpoint backups, please reconfigure it right from Veeam Backup & Replication (Ctrl-right click on the desired repository, allow access to the repository and enable backup encryption if needed, see Figure 4).

Figure 4. Setting Endpoint Backup Permission for backup repository

  • Run the backup, and make sure it completes with no errors

Figure 5. Veeam Endpoint Backup FREE: Backup job statistics

  • Voila! The backup is done, and your Domain Controller is protected from now on. Go to the backup destination and find the backup or the backup chain

Figure 6. Incremental backup chain

If you configured a Veeam Backup & Replication repository as a target for the DC backup, you can find the newly created backup in the Backups > Disk node, placed under the Endpoint Backups node.

Figure 7. Veeam Backup & Replication: Backups-disk


Is Domain Controller backup that simple? Yes and no. Successful backup is great for starters, but that’s not all you need. Like we say at Veeam, “Backup is not worth a penny if you can’t restore from it.”

The following articles in this series are dedicated to different Active Directory recovery scenarios, including the restore of a particular Domain Controller, as well as the recovery of individual deleted and changed objects using native Microsoft utilities and Veeam Explorer for Active Directory.
