Windows Server 2008: Creating and Maintaining System State Backups on Your Domain Controller
I was very excited when I started to play around with the first beta versions of Windows Server 2008 and experiment with the latest security improvements. At first, I wanted to start with one of the more basic and important things on this new server: Active Directory.
Several security improvements related to Active Directory were made: Read-Only DCs, more group policies, auditing enhancements, etc. After installing a small lab to check all these features, I finally arrived at another important Active Directory matter: backing up and restoring data from a Domain Controller.
I was pretty disappointed at first when I realized that there was no easy way to back up the system state of a Domain Controller. I was even more disappointed when I couldn’t find a way to schedule a system state backup! In this post I want to review how to schedule a system state backup on a Domain Controller and maintain those backups by removing the old ones from the backup catalog.
a. A secondary hard drive on the domain controller. It cannot be a network drive.
The only possible storage location for backing up your server is a secondary hard drive, and it must be attached locally.
b. Having the Windows Server Backup feature installed.
The first thing you must know before backing up data on Windows Server 2008 is that the backup tool is not installed by default, as it was on Windows Server 2003 with ntbackup. To install it:
a. Open the Windows Server Manager snap-in
b. Go to the Features section and click on Add a New Feature
c. Select Windows Server Backup, including the sub-item “Command Line Tools”
i. This also requires PowerShell
d. Click on Install.
Scheduling System State Backup
If you check the Windows Server Backup GUI, you’ll see that there’s no way to back up the system state from there.
The only way to back up the system state with this tool is from the command line. So, to run this backup as a scheduled task, we are going to create a .bat file and schedule it to run at the desired time (you can actually skip creating the .bat file and just use Task Scheduler with the right parameters).
1. Open notepad and insert:
WBADMIN START SYSTEMSTATEBACKUP -backuptarget:e: -quiet
“e:” is your local hard drive where the backup catalog will be stored.
“-quiet” is the parameter that suppresses the confirmation prompt.
2. Save it as a batch file, for example systemstatebackup.bat
3. Open Task Scheduler and create a “New Task”. The task properties window will open.
4. On the “General” tab select:
a. “Run whether user is logged on or not”
b. “Run with highest privileges”
5. On the “Triggers” tab, click on “New”:
Here is where you select how often the backup task will run. This is an example of a task running weekly:
6. On the “Actions” tab, click on “New”, select “Start a program” and browse to the batch file you just created.
7. Click on “OK” and the scheduled task is ready.
You can manually run this task on demand by right-clicking it and selecting “Run”.
This task takes between 40 minutes and 1 hour (or even more) to complete, depending on the system state data (Active Directory, DNS, registry, certificates, etc).
This is the process running
I have the backup… but what the hell is this??
Your first impression of the backup probably won’t be the best:
You don’t have permissions to see the backup files at first
You don’t see a simple .bkf file as you did when you used ntbackup
The size of every backup (that is, every time you run the task) is as large as the system drive
After all that, maintaining those backups sounds a little hard: the space used on the backup hard drive will grow significantly within a few weeks, and you certainly won’t feel comfortable just deleting the files.
Keeping It Simple… and smaller
But none of these annoyances are there just to make our work harder and more awkward. Besides adding a new layer of security to our backups, they actually make maintaining old backups simpler.
You can create a new scheduled task that runs every week (if that’s your case) and keeps only the newer backups in your catalog:
WBADMIN DELETE SYSTEMSTATEBACKUP -backuptarget:e: -deleteOldest -quiet
This way you prevent the backup hard drive from filling up. It is a good thing to keep in mind if you work with virtual machines: you probably know that it’s REALLY annoying to have a large virtual disk and not be able to shrink it (not easily, anyhow).
This is the cmd running and deleting an old backup from system state (without the -quiet parameter).
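The backup and cleanup commands above can be combined in one script so that old backups are pruned only after a new backup has succeeded; with two independent scheduled tasks, the delete still runs when the backup failed. The PowerShell script below is an added example, not part of the original post. The log path, the retention count of 4 and the reliance on wbadmin returning a nonzero exit code on failure are assumptions.

```powershell
# Added example (not from the original post): back up the system state,
# then prune the catalog only if the new backup succeeded.
# Assumptions: E: is the dedicated local backup volume, 4 versions are
# kept, and the log file path below is hypothetical.
param(
    [string]$Target = "E:",
    [int]$KeepVersions = 4,
    [string]$LogFile = "C:\Scripts\systemstatebackup.log"
)

function Write-Log([string]$Message) {
    $stamp = Get-Date -Format "yyyy-MM-dd HH:mm:ss"
    Add-Content -Path $LogFile -Value "$stamp $Message"
}

# Report a missing or detached backup disk instead of failing silently.
if (-not (Test-Path "$Target\")) {
    Write-Log "ERROR: backup target $Target not found"
    exit 2
}

Write-Log "Starting system state backup to $Target"
# The quoted string keeps "-backupTarget:E:" together as one argument.
& wbadmin.exe START SYSTEMSTATEBACKUP "-backupTarget:$Target" -quiet | Out-Null
$backupExit = $LASTEXITCODE

if ($backupExit -ne 0) {
    # Assumption: wbadmin signals failure with a nonzero exit code.
    # Keep every existing version: an old backup beats no backup.
    Write-Log "ERROR: backup failed (exit code $backupExit); pruning skipped"
    exit 1
}
Write-Log "Backup completed"

# -keepVersions deletes everything except the newest N system state backups.
& wbadmin.exe DELETE SYSTEMSTATEBACKUP "-backupTarget:$Target" "-keepVersions:$KeepVersions" -quiet | Out-Null
$pruneExit = $LASTEXITCODE
if ($pruneExit -ne 0) {
    # Logged as a warning only: the new backup itself is already safe on disk.
    Write-Log "WARNING: pruning returned exit code $pruneExit"
} else {
    Write-Log "Catalog pruned to the newest $KeepVersions versions"
}
exit 0
```

Schedule it with the same General tab settings as in step 4, with powershell.exe as the program and the script as its argument; the PowerShell execution policy must allow the script to run.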
Restoring Active Directory from these backups is not very different from backing it up; we will look at that procedure in a future post.
Hope it helps!