How often do you really need to back up AD, and what part of AD is dynamic?

Posted on 2007-11-19
Last Modified: 2010-04-21
I am curious as to how often I really need to back up Active Directory server. If I am a small company of 10-15 people, and I never touch the AD server except when I need to add a new user, is DATA on AD changing? Is there a reason to make a backup of AD on a weekly/monthly/daily basis?

Or am I safe by just making a backup after the occasional employee leaves or/and joins on and I have to modify the AD server?

Question by:nichiaiinc
LVL 70

Assisted Solution

KCTS earned 50 total points
ID: 20312426
You need to back it up as often as it changes - in any case you need to back it up at least twice within the tombstone period (60 days) otherwise restores from the backup will not work.

Remember that AD changes all the time - not just when you add a user or change a password. Computers for example on a domain will change their password (yes the computers just like users have passwords), every 30 days or so - but they won't all do it on the same day.

In your situation then I would go for a full (normal) daily backup - you can set it to run overnight without intervention so it's not going to be that demanding - at the very outside go for once a week.
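
To check the rule in the answer above (at least two backups inside the tombstone period), this added example, which is not part of the original thread, reads the forest's tombstone lifetime and the last recorded backup time and compares them. The function names are assumptions made for illustration, and the 60-day fallback is the figure quoted in the answer; it needs the ActiveDirectory PowerShell module.

```powershell
# Added example. Needs the ActiveDirectory module (RSAT) and read access to the directory.
Import-Module ActiveDirectory

function Get-TombstoneLifetimeDays {
    $configNC = (Get-ADRootDSE).configurationNamingContext
    $dn = "CN=Directory Service,CN=Windows NT,CN=Services,$configNC"
    $ds = Get-ADObject -Identity $dn -Properties tombstoneLifetime
    # Assumption: when the attribute is unset, fall back to the 60 days quoted above.
    if ($null -eq $ds.tombstoneLifetime) { return 60 }
    return [int]$ds.tombstoneLifetime
}

function Get-LastBackupTime {
    param([string]$Server = (Get-ADDomain).PDCEmulator)
    # The dSASignature metadata on the domain root is stamped when a DC backup
    # completes; "repadmin /showbackup" reports the same value.
    $domainDN = (Get-ADDomain).DistinguishedName
    $meta = Get-ADReplicationAttributeMetadata -Object $domainDN -Server $Server -Properties dSASignature
    return $meta.LastOriginatingChangeTime
}

function Test-BackupAge {
    param(
        [Parameter(Mandatory)][datetime]$LastBackup,
        [Parameter(Mandatory)][int]$TombstoneDays,
        [datetime]$Now = (Get-Date)
    )
    $ageDays = [math]::Floor(($Now - $LastBackup).TotalDays)
    # "Twice within the tombstone period" means a backup should never be
    # older than half of that period.
    $status = if ($ageDays -ge $TombstoneDays) {
        'EXPIRED: backup is older than the tombstone period and must not be restored'
    } elseif ($ageDays -gt ($TombstoneDays / 2)) {
        'WARNING: fewer than two backups fit in the tombstone period at this interval'
    } else {
        'OK'
    }
    [pscustomobject]@{ AgeDays = $ageDays; TombstoneDays = $TombstoneDays; Status = $status }
}

$last = Get-LastBackupTime
if ($null -eq $last) {
    Write-Warning 'No backup time recorded for this domain partition.'
} else {
    Test-BackupAge -LastBackup $last -TombstoneDays (Get-TombstoneLifetimeDays)
}
```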
LVL 22

Expert Comment

ID: 20312488
As pointed out, things are changing on a regular basis behind the scenes.
You need to decide how important the changes that YOU make are and how much work is acceptable after a restore in comparison to doing the amount of time and tape space it takes to do the backups.

KCTS recommended daily ... this is probably the best and safest ... BUT ...
If it is a small network and things do not change very often and you have a lot of data to back up on a nightly basis then you might want to weigh the work involved in fixing some out-of-date account info against the time saved by just running a weekly full backup on the weekend or something when it won't affect the users and you can still get your full data backup.

Author Comment

ID: 20316997
Thank you for your responses, but I'm still unclear as to what exactly changes. Could you give me some examples such as the computer password thing KCTS mentioned? What would happen if the computer password changed and I restored the backup? Or if there is a list of things that change or a resource I can view that would be helpful.

LVL 22

Accepted Solution

cj_1969 earned 200 total points
ID: 20322031
A lot of things are dynamic but account information people, services, passwords and last updated times, such as DNS renewals are stored in AD and change on a regular basis.

Most DNS issues would show up as an IP address already in use message on the client workstations ... just do an ipconfig /release then ipconfig /renew and it should obtain a new address and clear up the problem.

For the account information ... a user might change their password ... they will end up locking their account and you will have to unlock it, change the password and let them reset it.

If you created any new accounts they will have to be recreated.  If you used them anywhere, such as for a service on another machine, you will have to reset the logon information as the underlying identifier will have changed and despite the same display name the "account" that the service is configured with will not exist.

For machine accounts/passwords ... these problems will manifest themselves as machine not being able to log into the domain or not able to connect to network resources.  The fix for this will most likely be just going to the machine, removing it from the domain in the local settings and then adding it back in .... you might want to remove it from the domain from the server side before doing this just to prevent any possible problems with the account already existing.
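
To see the changes described in the answer above on a live domain, this added example, which is not part of the original thread, lists user and computer accounts that were created or had their password changed after a chosen backup time, with the follow-up work the answer describes for each. The function name `Get-ChangesSinceBackup` and the sample date are assumptions, and it assumes the directory would be rolled back entirely to the backup state, as on a network with a single domain controller.

```powershell
# Added example. Needs the ActiveDirectory module (RSAT) and read access to the domain.
Import-Module ActiveDirectory

function Get-ChangesSinceBackup {
    param([Parameter(Mandatory)][datetime]$BackupTime)

    # PasswordLastSet and whenCreated are not returned by default, so ask for them.
    $computers = Get-ADComputer -Filter * -Properties PasswordLastSet, whenCreated
    $users     = Get-ADUser     -Filter * -Properties PasswordLastSet, whenCreated

    foreach ($obj in @($computers) + @($users)) {
        $isComputer = $obj.ObjectClass -eq 'computer'

        $impact = if ($obj.whenCreated -gt $BackupTime) {
            # Object did not exist at backup time: it is gone after a restore.
            if ($isComputer) { 'Missing after restore: rejoin the machine to the domain' }
            else { 'Missing after restore: recreate the account and reset any service logons that use it' }
        } elseif ($obj.PasswordLastSet -gt $BackupTime) {
            # Object exists in the backup, but with the older password.
            if ($isComputer) { 'Machine password out of sync: remove from the domain and rejoin' }
            else { 'User password reverts: expect a lockout, then unlock and reset' }
        } else {
            $null   # unchanged since the backup, nothing to do
        }

        if ($impact) {
            [pscustomobject]@{
                Name            = $obj.SamAccountName
                Type            = $obj.ObjectClass
                Created         = $obj.whenCreated
                PasswordLastSet = $obj.PasswordLastSet
                AfterRestore    = $impact
            }
        }
    }
}

# Constructed sample date: replace with the timestamp of the backup being considered.
Get-ChangesSinceBackup -BackupTime ([datetime]'2007-11-12 23:00') |
    Sort-Object Type, Name |
    Format-Table -AutoSize
```

Running it against the date of the oldest backup you would be willing to restore gives a direct measure of the clean-up work that restore would cause.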


Author Closing Comment

ID: 31409928
Great job and very informative. Thank you! I now have confidence in knowing when and how many backups I should make. Thank you once again!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Uncontrolled local administrators groups within any organization pose a huge security risk. Because these groups are locally managed it becomes difficult to audit and maintain them.
After seeing many questions for JRNL_WRAP_ERROR for replication failure, I thought it would be useful to write this article.
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
Are you ready to implement Active Directory best practices without reading 300+ pages? You're in luck. In this webinar hosted by Skyport Systems, you gain insight into Microsoft's latest comprehensive guide, with tips on the best and easiest way…

628 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question