Backing Up Active Directory

A backup of Active Directory requires backing up both the database and the transaction logs. This topic provides a walkthrough of how a backup application backs up Active Directory.

The caller of these backup functions must have the SE_BACKUP_NAME privilege. You can use the DsSetAuthIdentity function to set the security context under which the directory backup/restore functions are called.

To back up Active Directory, perform the following steps:

  1. Call the DsIsNTDSOnline function to determine if Active Directory is running.
  2. If Active Directory is running, call the DsBackupPrepare function to initialize a backup context handle. If Active Directory is not running, it cannot be backed up and the backup application must fail the backup operation.
  3. Call the DsBackupGetDatabaseNames function to get a list of files to back up. To release the memory returned by this function, call the DsBackupFree function.
  4. For each name in the returned list of files, call the DsBackupOpenFile function followed by repeated calls to the DsBackupRead function until the entire file has been read. When you have finished reading the file, call the DsBackupClose function to close it.
  5. After all database files are backed up, call the DsBackupGetBackupLogs function to get a list of transaction logs. This list is handled just like the list of database files.
  6. When you have finished backing up the transaction logs, call the DsBackupTruncateLogs function to delete all committed transaction logs that were backed up.
  7. Save the contents of the expiry token provided by the DsBackupPrepare function. This can be saved in a file or some other persistent storage. This token must be passed to the DsRestorePrepare function to initiate a restore operation.
  8. Free the memory for the expiry token by passing the token pointer to the DsBackupFree function.
  9. Finally, call the DsBackupEnd function to release all resources associated with the backup context handle.
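The nine steps above as one C routine, added here as an illustration and not Microsoft's sample code. It assumes a placeholder DC name, a hypothetical store_blob() sink for the backup medium, and that the name lists returned by DsBackupGetDatabaseNames and DsBackupGetBackupLogs are NUL-separated strings within the returned byte count; the portable next_name helper is the only part that builds outside Windows.

```c
/* Added example (not Microsoft's code): a full Active Directory backup following
 * steps 1-9 with the DsBackup* API (ntdsbcli.h, link ntdsbcli.lib). Assumed:
 * "dc01.example.test" is a placeholder DC name, store_blob() is a hypothetical
 * sink, and each name list is a run of NUL-terminated strings bounded by its size. */
#include <wchar.h>
/* Portable helper: next entry of a NUL-separated name list, NULL after the last. */
const wchar_t *next_name(const wchar_t *list, size_t cb, const wchar_t *cur)
{
    const wchar_t *end = (const wchar_t *)((const char *)list + cb);
    const wchar_t *p = cur ? cur + wcslen(cur) + 1 : list;
    return (p < end && *p) ? p : NULL;
}
#ifdef _WIN32
#include <windows.h>
#include <ntdsbcli.h>
#define CHECK(x) do { hr = (x); if (FAILED(hr)) goto cleanup; } while (0)
extern void store_blob(const wchar_t *name, const void *data, size_t len); /* hypothetical sink */
static HRESULT copy_files(HBC hbc, const wchar_t *list, DWORD cb)     /* steps 4 and 5 */
{
    HRESULT hr = S_OK; BYTE buf[64 * 1024]; DWORD got; LARGE_INTEGER size;
    for (const wchar_t *n = next_name(list, cb, NULL); n && SUCCEEDED(hr); n = next_name(list, cb, n)) {
        CHECK(DsBackupOpenFileW(hbc, n, sizeof buf, &size));
        for (LONGLONG left = size.QuadPart; left > 0 && SUCCEEDED(hr); left -= got) {
            hr = DsBackupRead(hbc, buf, sizeof buf, &got);
            if (SUCCEEDED(hr)) { if (got == 0) hr = E_FAIL; else store_blob(n, buf, got); } /* short read: fail, don't spin */
        }
        DsBackupClose(hbc);                               /* close even after a failed read */
    }
cleanup: return hr;
}
/* Steps 1-3 and 6-9, in the order the walkthrough requires; returns 0 on success. */
int backup_active_directory(void)
{
    const wchar_t *dc = L"dc01.example.test";             /* placeholder DC name */
    BOOL online = FALSE; HBC hbc = NULL; PVOID token = NULL; LPWSTR dbs = NULL, logs = NULL; DWORD cbTok = 0, cbDb = 0, cbLog = 0; HRESULT hr;
    CHECK(DsIsNTDSOnlineW(dc, &online));                                 /* 1 */
    if (!online) return 1;                 /* 2: NTDS not running, the backup must fail */
    CHECK(DsBackupPrepareW(dc, 0, BACKUP_TYPE_FULL, &token, &cbTok, &hbc));
    CHECK(DsBackupGetDatabaseNamesW(hbc, &dbs, &cbDb));                  /* 3 */
    CHECK(copy_files(hbc, dbs, cbDb));                                   /* 4 */
    CHECK(DsBackupGetBackupLogsW(hbc, &logs, &cbLog));                   /* 5 */
    CHECK(copy_files(hbc, logs, cbLog));
    CHECK(DsBackupTruncateLogs(hbc));        /* 6: only after the logs are safely stored */
    store_blob(L"expiry.token", token, cbTok); /* 7: DsRestorePrepare needs this later */
cleanup: if (dbs) DsBackupFree(dbs); if (logs) DsBackupFree(logs);
    if (token) DsBackupFree(token);          /* 8 */
    if (hbc) DsBackupEnd(hbc);               /* 9 */
    return FAILED(hr) ? 1 : 0;
}
#endif
```

Truncating the logs (step 6) before every log file has been stored would discard the only copy of committed transactions, so the routine keeps that call after both copy passes succeed.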