Backup / Restore - best practices for a single domain controller?

I would like to deepen my knowledge of backup and recovery strategies. Therefore I did some research and read some articles about backing up and recovering domain controllers, but there are some things I don't fully understand, because most articles assume that there are at least two domain controllers.

Why does everyone recommend at least two domain controllers? What exactly are the risks of only having one domain controller in a small company, where the time for the restore process is not important compared to the cost of a second server? Will there be real additional risks for the data stored in Active Directory, or is the recommendation only based on the risk of a longer downtime?

Will the problems mentioned by Microsoft regarding “Restoration of a relative identifier (RID) master can result in corruption of the Active Directory database.” and “Restoration of the schema master (SID) can result in orphaned objects.” affect a single domain controller, or is this only a problem with more than one domain controller? What exactly will cause those problems?

If I want to restore a single domain controller, is there anything to do besides restoring a backup I made with backup software that has an online-image feature? As far as I understand, an unauthoritative system state restore won't provide any additional data and is only useful if the server is still in a working condition and something was damaged or deleted in Active Directory. And an authoritative system state restore is not needed for a single domain controller (and should never be needed if you use the recommended restore procedures).

Is there anything additional to consider regarding the backup and recovery of a domain controller if Exchange 2010 is installed on the same server? I know about the Exchange database and log files, but will it affect the strategy for backup and recovery of the DC/AD part?

Krzysztof Pytko (Active Directory Engineer) commented:
Redundant services are required in a network where high availability is necessary. In a company where you have only one DC and resource access is not crucial, you can have one DC and restore it each time it crashes.

- during this restoration time no one can log on to the domain or use resources/mail
- what if the server (hardware) crashes and cannot be repaired? You cannot simply restore a System State Backup to a different type of hardware
- you get a lot of calls that something is not working: "we cannot work!"

Having a redundant DC with DNS services prevents this situation; your network functionality is only half affected and people can still work while you are restoring the broken DC.

When your only DC is broken, the Exchange server won't work either! It requires at least one Global Catalog DC to work properly. And it is highly not recommended to run Exchange on a DC.

So, doing regular System State Backups of DCs is good practice. If you have no SSB of the DC and it fails, then it's your bad luck :/

In Exchange the most important parts of a backup are the System State Backup and the mailbox store with retention logs.

And remember, Microsoft suggests this solution for medium to large companies. They need redundant solutions and high availability in their networks. They can have many locations (Sites), and more than one DC is required to improve network authentication.

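The regular System State Backup recommended above, as an added example that is not code from this thread or from any of its participants: the script runs a system state backup of the local domain controller with Windows Server Backup (wbadmin), then reports whether the newest successful backup is still younger than the forest tombstone lifetime (older system state backups cannot be used to restore Active Directory) and whether this is the only DC in the domain. It assumes the Windows Server Backup feature and the ActiveDirectory RSAT module are installed and that it runs elevated on the DC; the $BackupTarget drive letter, the function names and the property names in the output object are my own choices.

```powershell
# Added example, not from the original thread.
# Assumptions: Windows Server Backup and the ActiveDirectory module are installed,
# the script runs elevated on the DC, and $BackupTarget is a dedicated backup
# volume (the drive letter below is a constructed placeholder).
param(
    [string]$BackupTarget = 'E:'
)

Import-Module WindowsServerBackup
Import-Module ActiveDirectory

function Invoke-DcSystemStateBackup {
    param([string]$Target)
    # System state on a DC includes ntds.dit, SYSVOL, the registry and boot files.
    # -quiet suppresses the interactive confirmation so the command can be scheduled.
    & wbadmin start systemstatebackup "-backupTarget:$Target" -quiet
    if ($LASTEXITCODE -ne 0) {
        throw "wbadmin exited with code $LASTEXITCODE; the backup did not complete."
    }
}

function Get-TombstoneLifetimeDays {
    # The forest-wide tombstone lifetime lives on the Directory Service object in
    # the configuration partition. Backups older than this cannot restore AD.
    $configNc   = (Get-ADRootDSE).configurationNamingContext
    $dsSettings = Get-ADObject `
        -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$configNc" `
        -Properties tombstoneLifetime
    # When the attribute is not set, Active Directory uses 60 days.
    if ($dsSettings.tombstoneLifetime) { return [int]$dsSettings.tombstoneLifetime }
    return 60
}

function Test-DcBackupHealth {
    $summary  = Get-WBSummary
    $lifetime = Get-TombstoneLifetimeDays
    $ageDays  = ((Get-Date) - $summary.LastSuccessfulBackupTime).TotalDays
    $dcCount  = @(Get-ADDomainController -Filter *).Count

    [pscustomobject]@{
        LastSuccessfulBackup  = $summary.LastSuccessfulBackupTime
        BackupAgeDays         = [math]::Round($ageDays, 1)
        TombstoneLifetimeDays = $lifetime
        BackupStillRestorable = ($ageDays -lt $lifetime)
        DomainControllers     = $dcCount
        # With only one DC there is no replication partner, so restoring the whole
        # server from a disk image cannot cause a USN rollback; with more than one
        # DC an AD-aware (system state) restore is the supported path.
        OnlyDomainController  = ($dcCount -eq 1)
    }
}

Invoke-DcSystemStateBackup -Target $BackupTarget
Test-DcBackupHealth | Format-List
```

Run it from an elevated PowerShell prompt on the DC, or register it as a scheduled task so the backup age check runs after every backup; a BackupStillRestorable value of False means the newest backup is already too old to be used for a directory restore.
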
exexc (Author) commented:
“what if the server (hardware) crashes and cannot be repaired? You cannot simply restore a System State Backup to a different type of hardware”
As far as I know, I would have to restore a full image backup in case of a serious hardware defect. With a single domain controller this should be sufficient, and there would be no need for an additional system state restore. Am I wrong?

“during this restoration time no one can log on to the domain or use resources/mail”
With a single server they won't be able to use mail/files/resources anyway.

I was hoping to find some good reasons to convince customers to get a second domain controller, even if they don't care about some additional downtime in case of a hardware problem. The best reason I found so far is that it would be problematic if the same hardware isn't available anymore, but I'm not really sure how likely it is that the image backup won't restore on a slightly changed hardware configuration.
Krzysztof Pytko (Active Directory Engineer) commented:
Yes, you're wrong :) The only possible way of restoring the AD database is to use a System State Backup (and there are also other hardware-related options which may cause a BSOD on a different server).

If the client doesn't care about high-availability resources, do not bother them to implement redundant devices. Just wait for the first serious crash; then they will see how much time is needed to bring the environment back to work :)


H-Singh commented:
If you have only one DC, or I would say one hardware server with DC/Exchange all on one box, then rather than discussing the pros and cons of two DCs etc., just use a good backup setup.

Use Active Directory-aware backup software like Symantec or Acronis. Make sure the backup archives are safe and you have options like restore to different hardware.

I have exactly the same setup for one of my offices, where there is only one hardware server serving as DC/Exchange/SQL/file data etc. It's a quite good DELL server with Symantec backup.

Yes, I have had to restore to different hardware in the past and all worked well. Now, downtime depends upon the size of the data on the server and the backup media being used.

Good hardware, good backup software with good backup media: I don't see any issues if the company doesn't mind waiting 4-5 hours to restore the system if the need arises once in years, but yeah, if cheap hardware is used, or no proper backup software or media, you will end up losing everything.
exexc (Author) commented:
“Yes, you're wrong :) The only possible way of restoring the AD database is to use a System State Backup”
I thought that the system state is only a subset of a full backup? What additional or more current information is stored in the system state backup that is not included in an image of the system volume(s)?

I understand why the system state restore is important if there are other domain controllers for the same domain, or if you want to recover deleted items without using a full backup, but I don't see a reason to use it after restoring a single domain controller from a full image backup. Aren't commercial backup products able to back up every important file while the server is online?

Can you explain this in more detail?
Krzysztof Pytko (Active Directory Engineer) commented:
Check what is backed up during a System State backup.

And yes, that's my fault, I wrongly understood "Full Image Backup" :) as you said at the beginning.
Yes, of course it's enough to restore the server using that image.

Sorry once again

exexc (Author) commented:
Thanks for your answers.
Krzysztof Pytko (Active Directory Engineer) commented:
You're welcome :)
