Securing Windows 2000 Active Directory (Part 3) – Backup and Restoration

In this article I will focus on the Active Directory backup process. As part of securing your Active Directory you need to ensure, as a contingency plan, that you are able to restore Active Directory in the event of a disaster. (Those who missed the first two articles in this series can click here to be taken to Part 1 and here to be taken to Part 2.)

When backing up Active Directory, Microsoft supports only one type of backup: a full backup. Incremental and differential backups do not work correctly on Active Directory, so it is recommended that these options are not used. AD uses an advanced Jet database that exports a backup interface similar to that of Exchange 5.5. The reason for dropping support for incremental and differential backups is that most backup applications bind to the local client-side DLL whose entry points are defined in ntdsbcli.h.

What will you be backing up?

When backing up Active Directory, note that Active Directory is treated as part of the system state data.

The system state consists of the following:

  1. Boot files, including the system files, and all files protected by Windows File Protection (WFP).
  2. Active Directory (on a domain controller only).
  3. Sysvol (on a domain controller only).
  4. Certificate Services (on a certification authority only).
  5. Cluster database (on a cluster node only).
  6. The registry.
  7. Performance counters configuration information.
  8. Component Services Class registration database.

System state backup facts

  1. Log in as an Administrator or a Backup Operator.
  2. Only domain controllers contain AD in the system state.
  3. System state backups can be incorporated into typical backup jobs.
  4. System state backups are online.
  5. Third-party tools must be used when remotely backing up and restoring the system state. Windows Backup only works on the local machine!

Limitations of system state backup

  1. Backup and restore of the system state cannot be limited to individual components, because of dependencies among the system state components.
  2. System state restores can be redirected to an alternate location, but then only the registry files, the Sysvol directory files and the system boot files are restored (a redirected restore is not a complete restore).
  3. The Active Directory database, the Certificate Services database and the Component Services Class Registration database are not restored to the alternate location. This means that if you need to test a restore, you will run into issues restoring in a lab environment.

Where is the Active Directory?

Active Directory does not reside on any one domain controller; it is held collectively across all the domain controllers. It is a good idea to back up the system state of the entire set of domain controllers concerned when backing up Active Directory, excluding the relative ID (RID) master domain controller. Missing one of the domain controllers can leave you unable to restore Active Directory. It is vital that no one else is able to add domain controllers to your domain.

The diagram above represents a computer that has been selected for backup using a popular backup package. Note that the system state is available for backing up.

Backing up the Active Directory

It is important that you back up the whole of Active Directory as well as the underlying services and dependencies. Active Directory relies heavily on DNS. If you are using Active Directory-integrated DNS, you will not need to back up the zone files explicitly, because the zone data is stored in the directory itself.

It is recommended that you back up the system disk as well as the system state, since backing up the system disk will also capture the DNS zone data. The Active Directory files may be spread across several disks, because good practice dictates that the database files and the log files be placed on separate disks. Note: you do not have to specify where these files are, even if they are on separate disks, because backing up the system state automatically consolidates the files into one location for backup purposes.

If the last backup you have is older than the tombstone lifetime set in Active Directory, your backup is considered unusable. It is recommended that you perform at least two backups within the tombstone lifetime; since the tombstone lifetime is 60 days, this means a backup should be made every 29 days. If this practice is not followed you will find inconsistencies within your Active Directory. I strongly recommend a weekly backup as the absolute minimum backup interval.

Below are the files that make up the Active Directory database.

  1. ntds.dit (The database file.)
  2. edb.chk (Checkpoint file.)
  3. edb*.log (Transaction log files.)
  4. res1.log and res2.log (Reserved transaction log files.)

To start the backup of your Active Directory:

    1. Click Start, click Run, type ntbackup and click OK.

    2. You should be presented with the ntbackup utility; click Tools, then click Backup Wizard, then click Next.

    3. Select "Only back up the System State data".

    4. Select the location you would like to back your system state up to. If you back up to a hard disk, ensure that the disk is formatted with NTFS.

    5. Check your settings and then click Finish. If you would like to configure scheduling, hardware compression, media labels, data verification, or append the backup to a different job, you can do this by clicking the Advanced button on this screen. The results of data verification can be viewed in the Event Viewer.
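The same system state backup can be run unattended from the command line, which is how you would schedule the weekly backups the article recommends. The batch file below is an added example and is not from the article or from Microsoft; the backup folder, job name, script path and the `%DATE%` parsing (which depends on the machine's regional date format) are assumptions, and the ntbackup switches used are `systemstate`, `/J`, `/F`, `/M`, `/V` and `/L`, which ntbackup documents.

```batch
@echo off
rem Added example (not from the article): unattended full backup of the
rem Windows 2000 system state with ntbackup. BACKUPDIR, JOBNAME and the
rem date parsing below are assumptions; adjust them for your environment.
rem
rem Schedule it weekly (Sunday 02:00) with the Windows 2000 at command:
rem   at 02:00 /every:Su "C:\Scripts\backup-sysstate.cmd"

setlocal

rem Destination must live on an NTFS volume (see step 4 above).
set BACKUPDIR=D:\Backups\SystemState
set JOBNAME=SystemState-%COMPUTERNAME%

rem Date stamp so several copies can be kept within the tombstone lifetime.
rem Assumes %DATE% looks like "Mon 01/15/2001" (US format); change the
rem token order for other locales.
for /f "tokens=2-4 delims=/ " %%a in ("%DATE%") do set STAMP=%%c-%%a-%%b

if not exist "%BACKUPDIR%" mkdir "%BACKUPDIR%"

rem The .bkf contains ntds.dit, i.e. every password hash in the domain, so
rem restrict the folder to Administrators and SYSTEM. The first cacls call
rem replaces the ACL (hence the "y" answer), the second adds SYSTEM.
echo y| cacls "%BACKUPDIR%" /G Administrators:F
cacls "%BACKUPDIR%" /E /G SYSTEM:F

rem One full (normal) backup of the system state only:
rem   systemstate   AD, Sysvol, registry, boot files, COM+ database
rem   /J            job name recorded in the backup log
rem   /F            target .bkf file
rem   /M normal     full backup; AD supports no other backup type
rem   /V:yes        verify the data after it is written
rem   /L:s          write a summary log (viewable in ntbackup's Tools menu)
ntbackup backup systemstate /J "%JOBNAME%" /F "%BACKUPDIR%\sysstate-%STAMP%.bkf" /M normal /V:yes /L:s

echo System state backup of %COMPUTERNAME% written to %BACKUPDIR%
echo Check the ntbackup log and the Application event log for verification results.

endlocal
```

Two points worth keeping in mind: the ntbackup command line can only create backups, so a restore of the system state must still be done through the ntbackup GUI (in Directory Services Restore Mode on a domain controller); and because the script runs on the domain controller itself, scheduling it on every domain controller you back up is what gives you the full set of system states the article calls for.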

Directory service

The directory service is the mechanism that AD uses to locate and classify the users and resources that exist in a distributed system. The directory service should be considered within your overall AD backup and restore strategy. Directory service information can be replicated to other domain controllers in the same domain. It is vital that a recovery plan is in place before attempting a restore. All changes that occur during the backup are stored in a temporary log and appended to the end of the backup set when the backup is complete.

Windows 2000 stores all of its security information in the Active Directory. This article has described the process that needs to take place in order to back up the Active Directory, ensuring that it remains secure.
