How often do you really need to back up AD, and what part of AD is dynamic?

Posted on 2007-11-19
Medium Priority
Last Modified: 2010-04-21
I am curious as to how often I really need to back up the Active Directory server. If I am a small company of 10-15 people, and I never touch the AD server except when I need to add a new user, is DATA on AD changing? Is there a reason to make a backup of AD on a weekly/monthly/daily basis?

Or am I safe by just making a backup after the occasional employee leaves and/or joins and I have to modify the AD server?

Question by:nichiaiinc
LVL 70

Assisted Solution

KCTS earned 200 total points
ID: 20312426
You need to back it up as often as it changes - in any case you need to back it up at least twice within the tombstone period (60 days) otherwise restores from the backup will not work.

Remember that AD changes all the time - not just when you add a user or change a password. Computers for example on a domain will change their password (yes the computers just like users have passwords), every 30 days or so - but they won't all do it on the same day.

In your situation then I would go for a full (normal) daily backup - you can set it to run overnight without intervention so it's not going to be that demanding - at the very outside go for once a week.
LVL 22

Expert Comment

ID: 20312488
As pointed out, things are changing on a regular basis behind the scenes.
You need to decide how important the changes that YOU make are and how much work is acceptable after a restore in comparison to doing the amount of time and tape space it takes to do the backups.

KCTS recommended daily ... this is probably the best and safest ... BUT ...
If it is a small network and things do not change very often and you have a lot of data to back up on a nightly basis then you might want to weigh the work involved in fixing some out-of-date account info against the time saved by just running a weekly full backup on the weekend or something when it won't affect the users and you can still get your full data backup.

Author Comment

ID: 20316997
Thank you for your responses, but I'm still unclear as to what exactly changes. Could you give me some examples, such as the computer password thing KCTS mentioned? What would happen if the computer password changed and I restored the backup? Or if there is a list of things that change or a resource I can view, that would be helpful.

LVL 22

Accepted Solution

cj_1969 earned 800 total points
ID: 20322031
A lot of things are dynamic but account information people, services, passwords and last updated times, such as DNS renewals are stored in AD and change on a regular basis.

Most DNS issues would show up as an IP address already in use message on the client workstations ... just do an ipconfig /release then ipconfig /renew and it should obtain a new address and clear up the problem.

For the account information ... a user might change their password ... they will end up locking their account and you will have to unlock it, change the password and let them reset it.

If you created any new accounts they will have to be recreated.  If you used them anywhere, such as for a service on another machine, you will have to reset the logon information as the underlying identifier will have changed and despite the same display name the "account" that the service is configured with will not exist.

For machine accounts/passwords ... these problems will manifest themselves as machines not being able to log into the domain or not able to connect to network resources.  The fix for this will most likely be just going to the machine, removing it from the domain in the local settings and then adding it back in .... you might want to remove it from the domain from the server side before doing this just to prevent any possible problems with the account already existing.
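
To see on a live domain what the answers above describe, this added PowerShell example (not part of the original thread) reads the tombstone lifetime, finds when the domain partition was last backed up, and counts what has changed since, including machine-account password rotations. It assumes the RSAT ActiveDirectory module, read access to the directory, and a backup tool that updates the `dSASignature` attribute the way Windows system-state backup does; the variable names are illustrative.

```powershell
# Added example: how stale is the last AD backup, and what changed since?
Import-Module ActiveDirectory

$root     = Get-ADRootDSE
$domainDN = $root.defaultNamingContext
$dc       = (Get-ADDomainController).HostName

# Tombstone lifetime is stored on the Directory Service object in the
# configuration partition; an unset value means the 60-day default.
$dsDN  = "CN=Directory Service,CN=Windows NT,CN=Services,$($root.configurationNamingContext)"
$dsObj = Get-ADObject -Identity $dsDN -Properties tombstoneLifetime
$tombstoneDays = if ($dsObj.tombstoneLifetime) { $dsObj.tombstoneLifetime } else { 60 }

# Assumption: the backup tool stamps dSASignature on the domain partition
# head, so its replication metadata carries the last backup time
# (the same value "repadmin /showbackup" reports).
$meta = Get-ADReplicationAttributeMetadata -Object $domainDN -Server $dc -Properties dSASignature
if (-not $meta) { throw "No backup metadata found on $domainDN" }
$since   = $meta.LastOriginatingChangeTime
$ageDays = [math]::Round(((Get-Date) - $since).TotalDays, 1)

# Everything modified on this DC since that backup, grouped by object class.
# whenChanged is local to each DC, so query the same DC throughout.
$changed = Get-ADObject -Server $dc -SearchBase $domainDN `
    -Filter 'whenChanged -ge $since' -Properties whenChanged

# Machine accounts that rotated their password after the backup: these are
# the computers that would fail to authenticate after a restore.
$rotated = Get-ADComputer -Server $dc -Filter 'PasswordLastSet -ge $since' `
    -Properties PasswordLastSet

[pscustomobject]@{
    DomainController      = $dc
    TombstoneDays         = $tombstoneDays
    LastBackup            = $since
    BackupAgeDays         = $ageDays
    BackupOlderThanTomb   = $ageDays -ge $tombstoneDays
    ObjectsChangedSince   = @($changed).Count
    MachinePwdsRotated    = @($rotated).Count
}

$changed | Group-Object ObjectClass | Sort-Object Count -Descending |
    Select-Object Count, Name

$rotated | Sort-Object PasswordLastSet |
    Select-Object Name, PasswordLastSet
```

Run it on a schedule and alert when `BackupOlderThanTomb` is true or when `BackupAgeDays` passes half of `TombstoneDays`, which matches the "twice within the tombstone period" guidance in the first answer.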


Author Closing Comment

ID: 31409928
Great job and very informative. Thank you! I now have confidence in knowing when and how many backups I should make. Thank you once again!
