This article describes how to back up and restore Active Directory ___domain controllers with Azure Backup, whether they run as Azure virtual machines (VMs) or on on-premises servers. The recommended procedures let you protect your Active Directory environment and recover ___domain controllers after corruption, compromise, or disaster. For guidance on choosing the right restore scenario, see the Active Directory Forest Recovery Guide.
Note
This article doesn't discuss restoring items from Microsoft Entra ID. For information on restoring Microsoft Entra users, see this article.
Best practices
Before you start protecting Active Directory, check the following best practices:
Make sure at least one ___domain controller is backed up. If you back up more than one ___domain controller, make sure every ___domain controller that holds an FSMO (Flexible Single Master Operation) role is among them.
Back up Active Directory frequently. A backup must not be older than the tombstone lifetime (TSL): after the TSL expires, tombstones for deleted objects are garbage collected, so restoring an older backup reintroduces objects the rest of the forest no longer knows about (lingering objects), and such a backup is no longer considered valid.
The TSL is a forest-wide setting. The default for forests created on Windows Server 2003 SP2 and later is 180 days.
You can verify the configured TSL with the following PowerShell command (it needs the ActiveDirectory RSAT module). An empty result means the attribute was never set, in which case the forest uses the original default of 60 days:
(Get-ADObject $('CN=Directory Service,CN=Windows NT,CN=Services,{0}' -f (Get-ADRootDSE).configurationNamingContext) -Properties tombstoneLifetime).tombstoneLifetime
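The two checks above (every FSMO role holder is backed up, and no backup is older than the TSL) can be run together before you rely on a protection policy. The following PowerShell script is an added example and is not part of the original article; it assumes the ActiveDirectory RSAT module and the Az.RecoveryServices module are installed, that Connect-AzAccount has been run, that each ___domain controller's Azure VM name equals its host name, and the vault name and resource group are placeholders for your own.

```powershell
# Added example (not from the original article): pre-flight checks before
# protecting ___domain controllers with Azure Backup.
Import-Module ActiveDirectory
Import-Module Az.RecoveryServices

$vaultName = 'rsv-contoso'   # assumption: your Recovery Services vault
$vaultRg   = 'rg-backup'     # assumption: its resource group

# 1. Collect every FSMO role holder in the forest: the two forest-wide roles from
#    Get-ADForest and the three per-___domain roles from each ___domain.
$forest  = Get-ADForest
$domains = $forest.Domains | ForEach-Object { Get-ADDomain -Identity $_ }
$fsmoHolders = @($forest.SchemaMaster, $forest.DomainNamingMaster) +
               @($domains | ForEach-Object { $_.PDCEmulator, $_.RIDMaster, $_.InfrastructureMaster }) |
               ForEach-Object { $_.Split('.')[0] } |   # FQDN -> host name (assumed to equal the VM name)
               Sort-Object -Unique

# 2. Tombstone lifetime. An unset attribute means the legacy default of 60 days applies.
$dsPath  = 'CN=Directory Service,CN=Windows NT,CN=Services,{0}' -f (Get-ADRootDSE).configurationNamingContext
$tslAttr = (Get-ADObject $dsPath -Properties tombstoneLifetime).tombstoneLifetime
$tsl     = if ($tslAttr) { [int]$tslAttr } else { 60 }

# 3. For each FSMO holder, find its newest Azure VM recovery point and compare its age with the TSL.
$vault  = Get-AzRecoveryServicesVault -Name $vaultName -ResourceGroupName $vaultRg
$report = foreach ($dc in $fsmoHolders) {
    $container = Get-AzRecoveryServicesBackupContainer -ContainerType AzureVM -FriendlyName $dc -VaultId $vault.ID
    if (-not $container) {
        [pscustomobject]@{ DC = $dc; LatestRecoveryPoint = $null; AgeDays = $null; Status = 'NOT BACKED UP' }
        continue
    }
    $item   = Get-AzRecoveryServicesBackupItem -Container $container -WorkloadType AzureVM -VaultId $vault.ID
    $latest = Get-AzRecoveryServicesBackupRecoveryPoint -Item $item -VaultId $vault.ID |
              Sort-Object RecoveryPointTime -Descending | Select-Object -First 1
    $age    = if ($latest) { ((Get-Date).ToUniversalTime() - $latest.RecoveryPointTime).TotalDays } else { $null }
    $status = if (-not $latest)      { 'NO RECOVERY POINT' }
              elseif ($age -ge $tsl) { "STALE (older than the TSL of $tsl days)" }
              else                   { 'OK' }
    [pscustomobject]@{
        DC                  = $dc
        LatestRecoveryPoint = $latest.RecoveryPointTime
        AgeDays             = if ($age -ne $null) { [math]::Round($age, 1) } else { $null }
        Status              = $status
    }
}

"Tombstone lifetime: $tsl days"
$report | Format-Table -AutoSize
```

Any row other than OK is a finding: NOT BACKED UP means a role holder is outside the policy, and STALE means the newest recovery point could reintroduce lingering objects if restored. Get-AzRecoveryServicesBackupRecoveryPoint lists the last 30 days by default; pass -StartDate and -EndDate if your retention is longer and you want the full history.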
Have a clear disaster recovery plan that includes instructions on how to restore your ___domain controllers. To prepare for restoring an Active Directory forest, read the Active Directory Forest Recovery Guide.
If you need to restore a ___domain controller and the ___domain still has a functioning ___domain controller, you can promote a new server instead of restoring from backup. Add the Active Directory Domain Services server role to the new server and promote it into the existing ___domain; the Active Directory data then replicates to it. To remove the failed ___domain controller from Active Directory, follow the steps in this article to perform metadata cleanup.
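The metadata cleanup mentioned above removes the failed ___domain controller's NTDS Settings and related objects so the other ___domain controllers stop trying to replicate with it. The following script is an added example and not part of the original article; it assumes the ActiveDirectory and DnsServer RSAT modules, Enterprise Admin rights, and that DC02, DC01, and the site name are placeholders for your environment.

```powershell
# Added example (not from the original article): metadata cleanup of a dead
# ___domain controller, run on a surviving ___domain controller.
Import-Module ActiveDirectory

$deadDc     = 'DC02'                      # assumption: the DC that is gone for good
$survivorDc = 'DC01'                      # assumption: a healthy DC that will take over any roles
$site       = 'Default-First-Site-Name'   # assumption: the site the dead DC was in
$configNc   = (Get-ADRootDSE).configurationNamingContext
$serverDn   = "CN=$deadDc,CN=Servers,CN=$site,CN=Sites,$configNc"

# Safety check: the dead DC must really be unreachable. Cleaning up the metadata of a
# live replica leaves a DC that believes it is still in the forest while nobody talks to it.
if (Test-Connection -ComputerName $deadDc -Count 2 -Quiet) {
    throw "$deadDc still answers on the network; demote it gracefully instead of cleaning up its metadata."
}
if (-not (Get-ADObject -Filter "distinguishedName -eq '$serverDn'")) {
    throw "Server object $serverDn not found; check the site name."
}

# 1. Seize any FSMO roles the dead DC held. A forest without a PDC emulator or RID master
#    silently stops issuing RIDs and processing password changes at the expected priority.
$forest = Get-ADForest
$___domain = Get-ADDomain
$rolesHeld = @()
if ($forest.SchemaMaster        -like "$deadDc.*") { $rolesHeld += 'SchemaMaster' }
if ($forest.DomainNamingMaster  -like "$deadDc.*") { $rolesHeld += 'DomainNamingMaster' }
if ($___domain.PDCEmulator         -like "$deadDc.*") { $rolesHeld += 'PDCEmulator' }
if ($___domain.RIDMaster           -like "$deadDc.*") { $rolesHeld += 'RIDMaster' }
if ($___domain.InfrastructureMaster -like "$deadDc.*") { $rolesHeld += 'InfrastructureMaster' }
if ($rolesHeld) {
    # -Force seizes the role instead of transferring it, which is what you need when the holder is gone.
    Move-ADDirectoryServerOperationMasterRole -Identity $survivorDc -OperationMasterRole $rolesHeld -Force -Confirm:$false
}

# 2. Remove the server's metadata. ntdsutil shows a confirmation dialog before it deletes anything.
& ntdsutil.exe 'metadata cleanup' "remove selected server `"$serverDn`"" quit quit

# 3. Verify the DC is gone from the directory and look for leftover DNS records to delete by hand.
Get-ADDomainController -Filter * | Select-Object Name, Site, OperationMasterRoles
Import-Module DnsServer
Get-DnsServerResourceRecord -ZoneName $___domain.DNSRoot -RRType A |
    Where-Object { $_.HostName -eq $deadDc }
```

Never run this against a ___domain controller you intend to bring back from backup: once its metadata is removed, a restored copy of that server cannot rejoin replication and must be re-promoted as a new ___domain controller.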
Note
Azure Backup doesn't include item-level restore for Active Directory. If you want to restore deleted objects and you can access a ___domain controller, use the Active Directory Recycle Bin. If that method isn't available, you can use your ___domain controller backup to restore the deleted objects with the ntdsutil.exe tool as explained here.
For information about performing an authoritative restore of SYSVOL, see this article.
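Both ways of bringing back deleted objects from the note above are shown in the following script, which is an added example and not part of the original article. The Recycle Bin path runs on any live ___domain controller; the ntdsutil path runs on a ___domain controller that has been booted into Directory Services Restore Mode after a nonauthoritative system-state restore. The Sales OU and ___domain names are placeholders.

```powershell
# Added example (not from the original article): restore a deleted OU and its
# contents, either through the AD Recycle Bin or by marking it authoritative
# in DSRM with ntdsutil after a system-state restore.
Import-Module ActiveDirectory

$ouName   = 'Sales'                         # assumption: the deleted OU
$parentDn = 'DC=contoso,DC=com'             # assumption: where it lived
$ouDn     = "OU=$ouName,$parentDn"

function Restore-DeletedOuViaRecycleBin {
    $feature = Get-ADOptionalFeature -Filter 'Name -eq "Recycle Bin Feature"'
    if (-not $feature.EnabledScopes) {
        throw 'The AD Recycle Bin is not enabled in this forest; use the ntdsutil path instead.'
    }
    # A deleted object keeps its original name with a "\0ADEL:<guid>" suffix and records its old parent.
    $deletedOu = Get-ADObject -Filter { isDeleted -eq $true -and name -like 'Sales*' -and lastKnownParent -eq $parentDn } `
                              -IncludeDeletedObjects
    if (-not $deletedOu) { throw "No deleted OU named $ouName under $parentDn." }
    $deletedOuDn = $deletedOu.DistinguishedName

    # Restore the container first: Restore-ADObject fails for a child whose parent does not exist.
    Restore-ADObject -Identity $deletedOu.ObjectGUID
    # Children reference the OU's deleted DN as their lastKnownParent, so find them by that value.
    Get-ADObject -Filter { isDeleted -eq $true -and lastKnownParent -eq $deletedOuDn } -IncludeDeletedObjects |
        Restore-ADObject
    Get-ADObject -Filter * -SearchBase $ouDn | Select-Object Name, ObjectClass
}

function Restore-DeletedOuViaNtdsutil {
    # Only valid in DSRM, after the system-state restore and before the first normal reboot.
    # "restore subtree" marks every object under the OU authoritative by raising its version
    # numbers, so the restored copy wins over the deletion when replication resumes.
    & ntdsutil.exe 'activate instance ntds' 'authoritative restore' "restore subtree `"$ouDn`"" quit quit
    # ntdsutil writes ar_<timestamp>_objects.txt and, for group memberships that live on
    # other domains, an .ldf file; import those after replication converges.
    Get-ChildItem -Filter 'ar_*' | Select-Object Name
    Restart-Computer -Confirm
}

if ((Get-Service NTDS -ErrorAction SilentlyContinue).Status -eq 'Running') {
    Restore-DeletedOuViaRecycleBin
} else {
    Restore-DeletedOuViaNtdsutil
}
```

The Recycle Bin restore preserves linked attributes such as group membership, while the ntdsutil path depends on the back-link files it produces, which is one reason the article prefers the Recycle Bin when it is available.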
Back up ___domain controllers
You can back up ___domain controllers using Azure Backup to protect your Active Directory environment and make sure you can recover it.
Choose a ___domain controller environment:
If the ___domain controller is an Azure VM, you can back up the server using Azure VM Backup.
Read about operational considerations for virtualized ___domain controllers to ensure successful backups (and future restores) of your Azure VM ___domain controllers.
Restore Active Directory
When restoring Active Directory data, you can choose one of the following modes:
- Authoritative restore: the restored objects are marked authoritative (their version numbers are raised), so when replication resumes they overwrite the copies held by the other ___domain controllers. Use this mode if you need to recover deleted objects and have the recovery replicate across your environment.
- Nonauthoritative restore: the restored ___domain controller accepts the newer state from the other ___domain controllers after recovery. This is the default behavior of a system-state restore and the recommended approach when rebuilding a ___domain controller in an existing ___domain.
For most scenarios, including rebuilding a ___domain controller, you should perform a nonauthoritative restore.
During the restore, the server is started in Directory Services Restore Mode (DSRM). You need to provide the DSRM administrator password, which was set when the ___domain controller was promoted.
Note
If you forget the DSRM password, reset it before you need it; a restore cannot proceed without it.
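The following script, an added example that is not part of the original article, resets the DSRM password of the local ___domain controller, checks a setting that matters for its security, and shows how to switch the server into and out of DSRM for the restore. It assumes it is run elevated on the ___domain controller itself; "null" in the ntdsutil command means the local server.

```powershell
# Added example (not from the original article): prepare a ___domain controller's
# DSRM account for a restore.

# 1. Reset the DSRM administrator password. ntdsutil prompts for the new password twice;
#    it is not read from the pipeline.
& ntdsutil.exe 'set dsrm password' 'reset password on server null' quit quit

# 2. Security check: DsrmAdminLogonBehavior controls when the DSRM account may log on.
#    0 or absent = only in DSRM (the default); 1 = also whenever the AD DS service is stopped;
#    2 = always. A value of 2 turns the DSRM account into a standing local administrator that
#    bypasses AD, which is a known persistence technique, so anything other than 0 should be explained.
$lsaKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$behavior = (Get-ItemProperty -Path $lsaKey -Name DsrmAdminLogonBehavior -ErrorAction SilentlyContinue).DsrmAdminLogonBehavior
if ($null -eq $behavior) { $behavior = 0 }
switch ($behavior) {
    0 { 'DsrmAdminLogonBehavior = 0: DSRM account usable in DSRM only (expected).' }
    1 { Write-Warning 'DsrmAdminLogonBehavior = 1: DSRM account also usable when AD DS is stopped.' }
    2 { Write-Warning 'DsrmAdminLogonBehavior = 2: DSRM account usable at any time; investigate and reset to 0.' }
}

# 3. Boot into DSRM for the restore, then remove the flag once the restore is finished so the
#    next reboot starts AD DS normally.
function Enter-Dsrm { bcdedit /set safeboot dsrepair;  Restart-Computer -Confirm }
function Exit-Dsrm  { bcdedit /deletevalue safeboot;   Restart-Computer -Confirm }
```

Rotate the DSRM password on a schedule like any other privileged credential: it lives in the ___domain controller's local SAM, so a system-state backup that an attacker obtains includes it.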
Choose a ___domain controller environment for restore:
To restore an Azure VM ___domain controller, see Restore ___domain controller VMs.
If you're restoring a single ___domain controller VM, or multiple ___domain controller VMs in a single ___domain, restore them like any other VM. Directory Services Restore Mode (DSRM) is also available, so all Active Directory recovery scenarios are viable.
If you need to restore a single ___domain controller VM in a multiple-___domain configuration, restore the disks only and create the VM from them by using PowerShell.
If you're restoring the last remaining ___domain controller in the ___domain, or restoring multiple domains in one forest, we recommend a forest recovery.
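The disk-only restore followed by VM creation from PowerShell, as recommended above for a single ___domain controller in a multiple-___domain forest, looks like the following. It is an added example and not part of the original article; it assumes the Az.RecoveryServices, Az.Compute and Az.Network modules, a signed-in Az session, a target resource group used only for this restore, and that every name, size and subnet ID below is a placeholder for your own.

```powershell
# Added example (not from the original article): restore only the disks of a
# backed-up ___domain controller VM and build a new VM around them.
Import-Module Az.RecoveryServices, Az.Compute, Az.Network

$vaultName   = 'rsv-contoso';      $vaultRg     = 'rg-backup'        # assumption: vault and its RG
$dcVmName    = 'dc01'                                                 # assumption: the backed-up DC VM
$stagingSa   = 'stcontosorestore'; $stagingSaRg = 'rg-backup'        # assumption: staging storage account
$targetRg    = 'rg-dc-restore'                                        # assumption: empty RG for restored disks
$newVmName   = 'dc01-restored';    $vmSize      = 'Standard_D2s_v3'   # assumption
$subnetId    = '/subscriptions/<sub>/resourceGroups/rg-net/providers/Microsoft.Network/virtualNetworks/vnet-hub/subnets/snet-identity'
$tslDays     = 180                                                    # assumption: your forest's tombstone lifetime

$vault = Get-AzRecoveryServicesVault -Name $vaultName -ResourceGroupName $vaultRg

# 1. Choose the newest recovery point and refuse one older than the TSL: restoring it would
#    bring back objects the rest of the forest has already garbage-collected.
$container = Get-AzRecoveryServicesBackupContainer -ContainerType AzureVM -FriendlyName $dcVmName -VaultId $vault.ID
$item      = Get-AzRecoveryServicesBackupItem -Container $container -WorkloadType AzureVM -VaultId $vault.ID
$rp        = Get-AzRecoveryServicesBackupRecoveryPoint -Item $item -VaultId $vault.ID |
             Sort-Object RecoveryPointTime -Descending | Select-Object -First 1
if (-not $rp) { throw "No recovery point found for $dcVmName." }
if (((Get-Date).ToUniversalTime() - $rp.RecoveryPointTime).TotalDays -ge $tslDays) {
    throw "Recovery point from $($rp.RecoveryPointTime) is older than the tombstone lifetime; do not restore it."
}

# 2. Restore the disks only. No VM is created in this step.
$job = Restore-AzRecoveryServicesBackupItem -RecoveryPoint $rp `
           -StorageAccountName $stagingSa -StorageAccountResourceGroupName $stagingSaRg `
           -TargetResourceGroupName $targetRg -VaultId $vault.ID -VaultLocation $vault.Location
Wait-AzRecoveryServicesBackupJob -Job $job -VaultId $vault.ID | Out-Null
$job = Get-AzRecoveryServicesBackupJob -Job $job -VaultId $vault.ID
if ($job.Status -ne 'Completed') { throw "Restore job finished with status $($job.Status)." }

# 3. Locate the restored managed disks. The OS disk is the one that carries an OsType.
$disks     = Get-AzDisk -ResourceGroupName $targetRg
$osDisk    = $disks | Where-Object { $_.OsType }
$dataDisks = $disks | Where-Object { -not $_.OsType }
if (@($osDisk).Count -ne 1) { throw "Expected exactly one OS disk in $targetRg, found $(@($osDisk).Count)." }

# 4. Build the VM by attaching the existing disks (CreateOption Attach, no image, no credentials).
$vm  = New-AzVMConfig -VMName $newVmName -VMSize $vmSize
$vm  = Set-AzVMOSDisk -VM $vm -Name $osDisk.Name -ManagedDiskId $osDisk.Id -CreateOption Attach -Windows
$lun = 0
foreach ($d in $dataDisks) {
    # Assumption: the enumeration order matches the original LUN order; adjust if you know the layout.
    $vm = Add-AzVMDataDisk -VM $vm -Name $d.Name -ManagedDiskId $d.Id -Lun $lun -CreateOption Attach
    $lun++
}
$nic = New-AzNetworkInterface -Name "$newVmName-nic" -ResourceGroupName $targetRg -Location $vault.Location -SubnetId $subnetId
$vm  = Add-AzVMNetworkInterface -VM $vm -Id $nic.Id
New-AzVM -ResourceGroupName $targetRg -Location $vault.Location -VM $vm
```

Make sure the original ___domain controller VM is stopped and deallocated, or deleted, before the restored one starts: both carry the same computer name, SID, and replication identity, and two of them online at once corrupts replication. Put the NIC on a subnet that can reach the surviving ___domain controllers, since the restored server must replicate in the changes it missed.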
Note
Virtualized ___domain controllers on Windows Server 2012 and later use virtualization-based safeguards (the VM-Generation ID). When the restored VM starts, Active Directory detects that the generation ID changed, recognizes that the VM was rolled back or restored, and performs the necessary steps to bring its copy of the directory back into a consistent state, including resetting its invocation ID and discarding its RID pool. These safeguards depend on the hypervisor exposing the VM-Generation ID, which Azure does.