Backup / Restore - best practices for a single domain controller?

Posted on 2011-09-26
Last Modified: 2012-05-12
I would like to deepen my knowledge of backup and recovery strategies. Therefore I did some research and read some articles about backing up and recovering domain controllers, but there are some things I don't fully understand, because most articles assume that there are at least two domain controllers.

Why does everyone recommend at least two domain controllers? What exactly are the risks of only having one domain controller in a small company, where the time for the restore process is not important compared to the costs of a second server? Will there be real additional risks for the data stored in the Active Directory or is the recommendation only based on the risk of a longer downtime?

Will the problems mentioned by Microsoft (, regarding “Restoration of a relative identifier (RID) master can result in corruption of the Active Directory database.” and “Restoration of the schema master (SID) can result in orphaned objects.”) affect a single domain controller, or is this only a problem with more than one domain controller? What exactly will cause those problems?

If I want to restore a single domain controller, is there anything to do besides restoring a backup I made with backup software that has an online-image feature? As far as I understand, an unauthoritative system state restore won't provide any additional data and is only useful if the server is still in working condition and something was damaged or deleted in the Active Directory. And an authoritative system state restore is not needed for a single domain controller (and should never be needed if you use the recommended restore procedures).

Is there anything additional to consider regarding the backup and recovery of a domain controller, if Exchange 2010 is installed on the same server? I know about the Exchange database and logfiles, but will it affect the strategy for backup and recovery of the DC/AD part?
Question by:exexc

Accepted Solution

Krzysztof Pytko earned 350 total points
ID: 36598636
Redundant services are required in a network where high availability is necessary. In a company where you have only one DC and resource access is not crucial, you can have one DC and restore it each time it crashes.


- during this restoration time no one can log on to the domain and use resources/mail
- what if the server (hardware) crashes and cannot be repaired? You cannot simply restore a System State Backup to a different type of hardware
- you get a lot of calls that something is not working, "we cannot work!"

Having a redundant DC with DNS services prevents this situation: your network functionality is only half affected and people can still work while you are restoring the broken DC.

When your only DC is broken, the Exchange server won't work either! It requires at least one Global Catalog DC to work properly. And it is highly not recommended to run Exchange on a DC.

So, doing regular System State Backups of DCs is good practice. If you have no SSB of the DC and it fails, that's your bad luck :/

In Exchange the most important parts of the backup are the System State Backup and the Mailbox storage with retention logs.

And remember, Microsoft suggests this solution for medium to large companies. They need redundant solutions and high availability in their networks. They can have many locations (Sites), and more than one DC is required to improve network authentication.
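As an added example (not part of the original thread and not the experts' own code): a PowerShell script that takes the regular System State backup recommended above and then checks that the newest backup is still usable, because Active Directory will not accept a System State backup older than the forest's tombstone lifetime. It also counts the DCs and Global Catalogs in the domain, so the single-DC situation discussed in the thread shows up in the output. It assumes the Windows Server Backup feature and the ActiveDirectory PowerShell module are installed on the DC, and that the backup target (E: by default, an assumption) is a dedicated volume or UNC share.

```powershell
# Added example, not from the original thread. Run from an elevated prompt on the DC.
# Assumptions: Windows Server Backup feature and ActiveDirectory module installed;
# the path passed as -BackupTarget is a dedicated backup volume or a UNC share.
param(
    [string]$BackupTarget = 'E:'   # assumed target; use a UNC path for a share
)

Import-Module ActiveDirectory

# Tombstone lifetime of the forest. A System State backup older than this cannot
# be used to restore a DC. If the attribute is unset the effective value is 60 days.
function Get-TombstoneLifetimeDays {
    $cfg = (Get-ADRootDSE).configurationNamingContext
    $ds  = Get-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$cfg" `
                        -Properties tombstoneLifetime
    if ($ds.tombstoneLifetime) { [int]$ds.tombstoneLifetime } else { 60 }
}

# How many DCs and Global Catalogs serve this domain. Exchange needs a GC, so
# 1 DC / 1 GC means a DC failure also takes down mail.
function Get-DcRedundancy {
    $dcs = @(Get-ADDomainController -Filter *)
    New-Object PSObject -Property @{
        DomainControllers = $dcs.Count
        GlobalCatalogs    = @($dcs | Where-Object { $_.IsGlobalCatalog }).Count
    }
}

# Take a System State backup with Windows Server Backup (wbadmin).
function New-DcSystemStateBackup {
    param([string]$Target)
    & wbadmin start systemstatebackup -backupTarget:$Target -quiet
    if ($LASTEXITCODE -ne 0) { throw "wbadmin failed, exit code $LASTEXITCODE" }
}

# Time of the last successful backup as recorded by Windows Server Backup.
# Server 2012+ ships the WindowsServerBackup module; 2008 R2 exposes the same
# cmdlets through the Windows.ServerBackup snap-in.
function Get-LastSuccessfulBackupTime {
    if (Get-Module -ListAvailable -Name WindowsServerBackup) {
        Import-Module WindowsServerBackup
    } else {
        Add-PSSnapin Windows.ServerBackup -ErrorAction Stop
    }
    (Get-WBSummary).LastSuccessfulBackupTime
}

# True when the backup is young enough to restore, with a safety margin so that a
# backup taken just inside the limit is not relied on.
function Test-BackupRestorable {
    param([datetime]$LastBackup, [int]$TombstoneDays, [int]$MarginDays = 7)
    $ageDays = ((Get-Date) - $LastBackup).TotalDays
    $ageDays -lt ($TombstoneDays - $MarginDays)
}

$tsl = Get-TombstoneLifetimeDays
$red = Get-DcRedundancy
Write-Output ("Domain has {0} DC(s), {1} Global Catalog(s); tombstone lifetime {2} days" -f `
    $red.DomainControllers, $red.GlobalCatalogs, $tsl)
if ($red.DomainControllers -lt 2) {
    Write-Warning "Single DC: any restore means a full outage for logons, file access and Exchange"
}

New-DcSystemStateBackup -Target $BackupTarget
$last = Get-LastSuccessfulBackupTime
if (Test-BackupRestorable -LastBackup $last -TombstoneDays $tsl) {
    Write-Output "System State backup at $last is restorable (limit $tsl days)"
} else {
    Write-Warning "Newest successful System State backup ($last) is older than the tombstone lifetime and cannot be restored"
}
```

Scheduling this script as a daily task is the "regular" part of the advice above. Two caveats worth checking before a restore is ever needed: applying a System State restore to a DC requires booting into Directory Services Restore Mode, so the DSRM password must be known (it can be reset with `ntdsutil "set dsrm password"`), and the backup target should not be the only copy, since a single DC's backup stored on that same server is lost with it.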


Author Comment

ID: 36709077
what if server (hardware) will crash and cannot be repaired? You cannot simply restore System State Backup to different type of hardware
As far as I know, I would have to restore a full image backup in case of a serious hardware defect. With a single domain controller this should be sufficient and there would be no need for an additional system state restore. Am I wrong?

during this restoration time no one can log on into domain and use resources/mail
With a single server they won't be able to use mail/files/resources anyway.

I was hoping to find some good reasons to convince customers to get a second domain controller, even if they don't care about some additional downtime in case of a hardware problem. The best reason I found so far is that it would be problematic if the same hardware isn't available anymore, but I'm not really sure how likely it is, that the image backup won't restore on a slightly changed hardware configuration.

Expert Comment

by:Krzysztof Pytko
ID: 36709487
Yes, you're wrong :) The only possible way of restoring the AD database is to use a System State Backup (and there are also other hardware-related options which may cause a BSOD on a different server)

If the client doesn't care about high-availability resources, do not bother them about implementing redundant devices. Just wait for the first serious crash, then they will see how much time is needed to bring the environment back to work :)



Assisted Solution

H-Singh earned 150 total points
ID: 36709690
If you have only one DC, or I would say one hardware server with DC/Exchange all on one, then rather than discussing the pros and cons of two DCs etc., just use a good backup setup.

Use Active Directory-aware backup software like Symantec or Acronis. Make sure backup archives are safe and you have options like restore to different hardware.

I have exactly the same setup for one of my offices where there is only one hardware server serving as DC/Exchange/SQL/file data etc. It's quite a good DELL server with Symantec backup.

Yes, I have had to restore to different hardware in the past and all worked well. Downtime depends upon the size of data on the server and the backup media being used.

Good hardware, good backup software with good backup media: I don't see any issues if the company doesn't mind waiting 4-5 hours to restore the system should the need arise once in years, but if cheap hardware is used, or no proper backup software or media, you will end up losing everything.

Author Comment

ID: 36709970
Yes, you're wrong :) The only possible way of restoring AD database is to use System State Backup
I thought that the system state is only a subset of a full backup? What additional or more current information is stored in the system state backup that is not included in an image of the system volume(s)?

I understand why the system state restore is important if there are other domain controllers for the same domain or if you want to recover deleted items without using a full backup, but I don't find a reason to use it after restoring a single domain controller from a full image backup. Aren't commercial backup products able to backup every important file while the server is Online?

Can you explain this in more detail?

Expert Comment

by:Krzysztof Pytko
ID: 36710063
Check what is backed up during a System State backup

And yes, that's my fault, I misunderstood the "Full Image Backup" :) that you mentioned at the beginning
Yes, of course it's enough to restore the server using that image

Sorry once again


Author Closing Comment

ID: 36716296
Thanks for your answers.

Expert Comment

by:Krzysztof Pytko
ID: 36716337
You're welcome :)

