Directory Services

Considerations for Active Directory Services Backup

Directory service data is replicated between the domain controllers in a domain, so restoring one DC's copy of the directory is only part of a recovery. A recovery plan must be formulated before any restoration. One option, known as a non-authoritative restore, is to restore a replica of the directory from backup and then let the other replicas in the domain propagate to it the changes that occurred since the backup was taken.

In some cases you may want the restored replica to take precedence over the other replicas in the domain. For example, if an object is accidentally deleted and the deletion is replicated to all domain controllers, you can undelete the object by restoring one replica from a backup made before the object was deleted. Then, while that DC is still in Directory Services Restore Mode and before it is restarted into normal operation, use the NTDSUtil utility to mark the undeleted object as authoritatively restored; if you restart first, the restored DC simply receives the deletion again from its replication partners. When the DC comes back online, the authoritatively restored object is replicated out to the other DCs, while the restored replica receives from them the updates to all other objects that occurred since the backup was made. The end result on every replica is the same as before the restore, except that the authoritatively restored object is back.
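The sequence above, as an added example that is not part of the original page: a non-authoritative restore has already been completed on one DC, and it is still booted in Directory Services Restore Mode. The distinguished name is an assumption for illustration, and the ntdsutil syntax assumes Windows Server 2008 or later (where "activate instance ntds" is required).

```powershell
# Added example (not from the original page). The DN is assumed for
# illustration; it has no spaces, so no nested quoting is needed for ntdsutil.
$dn = 'CN=jdoe,OU=Staff,DC=corp,DC=example,DC=com'

function Invoke-AuthoritativeRestore {
    # Run on the restored DC while it is still in DSRM, after the
    # non-authoritative restore from backup and BEFORE restarting into normal
    # mode. ntdsutil accepts its interactive commands as arguments, one quoted
    # string each: select the NTDS instance, enter the authoritative restore
    # menu, mark the object, then leave both menus. Use "restore subtree <DN>"
    # instead to mark an OU and everything beneath it.
    param([Parameter(Mandatory)][string]$ObjectDN)
    ntdsutil "activate instance ntds" "authoritative restore" "restore object $ObjectDN" quit quit
}

function Confirm-AuthoritativeRestore {
    # Run after the DC has been restarted into normal mode. ntdsutil raised the
    # version numbers on the marked object so that it wins against the deletion
    # held by the other DCs; the replication metadata shows the bumped versions.
    param([Parameter(Mandatory)][string]$ObjectDN)
    repadmin /showobjmeta localhost $ObjectDN
}

# Step 1 (in DSRM):
Invoke-AuthoritativeRestore -ObjectDN $dn
# Step 2 (after reboot into normal mode, on the same DC):
# Confirm-AuthoritativeRestore -ObjectDN $dn
```

Check the working directory after the ntdsutil run: on Windows Server 2003 SP1 and later, an authoritative restore also writes a text file and an LDIF file describing the object's back-links (such as group memberships) that may need to be re-applied with ldifde in domains where those links were not restored along with the object.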

The backup is taken while the directory is online. Changes that occur while the backup is running are stored in a temporary log and appended to the end of the backup set when the backup completes, so the set is internally consistent.

Any recovery plan should also ensure that the age of the backup does not exceed the Active Directory tombstone lifetime. The default is 60 days for forests created with Windows 2000 Server or Windows Server 2003 RTM, and 180 days for forests created with Windows Server 2003 SP1 or later; the effective value is the tombstoneLifetime attribute of the Directory Service object in the configuration partition, and an absent attribute means the 60-day default. Restoring a backup older than the tombstone lifetime can leave the restored domain controller with objects that will never be reconciled with the other DCs, so-called lingering objects. This occurs when an object is deleted after the backup is made and the restore happens after the tombstone for the deleted object has been permanently removed by garbage collection: the restored DC has the object as it existed before the deletion, while the other DCs have no record that it ever existed, so there is nothing left to replicate. In that case an administrator has to identify and remove each unreplicated object on the restored domain controller, either by hand or with repadmin /removelingeringobjects.
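The age check described above, as an added example that is not part of the original page. It reads the forest's actual tombstone lifetime rather than assuming the default, and compares it with a backup timestamp; the timestamp used here is constructed for illustration, and the ActiveDirectory PowerShell module is assumed to be installed on the DC where it runs.

```powershell
# Added example (not from the original page): is this backup still young enough
# to restore without creating lingering objects?
Import-Module ActiveDirectory

function Get-TombstoneLifetime {
    # tombstoneLifetime lives on the Directory Service object in the
    # configuration partition. It is absent on forests still using the original
    # 60-day default; forests created with Windows Server 2003 SP1 or later
    # carry an explicit value (180 unless an administrator changed it).
    $cfg = (Get-ADRootDSE).configurationNamingContext
    $ds  = Get-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$cfg" `
                        -Properties tombstoneLifetime
    if ($ds.tombstoneLifetime) { [int]$ds.tombstoneLifetime } else { 60 }
}

function Test-AdBackupAge {
    param(
        [Parameter(Mandatory)][datetime]$BackupDate,
        [int]$TombstoneLifetimeDays = (Get-TombstoneLifetime)
    )
    $ageDays = [math]::Floor(((Get-Date) - $BackupDate).TotalDays)
    [pscustomobject]@{
        BackupDate        = $BackupDate
        AgeDays           = $ageDays
        TombstoneLifetime = $TombstoneLifetimeDays
        # Strictly younger than the lifetime; a backup on the boundary is
        # already at risk because garbage collection runs on a schedule.
        SafeToRestore     = $ageDays -lt $TombstoneLifetimeDays
    }
}

# Constructed backup timestamp for illustration. In practice take it from the
# backup catalog, or from 'repadmin /showbackup', which prints the last backup
# time recorded on each naming context.
$result = Test-AdBackupAge -BackupDate (Get-Date).AddDays(-45)
$result
if (-not $result.SafeToRestore) {
    Write-Warning "Backup is older than the tombstone lifetime; restoring it risks lingering objects."
}
```

The check is deliberately made against the forest's own attribute rather than a hard-coded 60 or 180, because an administrator may have raised or lowered tombstoneLifetime, and the forest creation date alone does not tell you which default applied.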

Incremental backups of Active Directory are not supported; a full backup is required.