Administrators should have
a regular backup schedule and be sure to remove outdated backups to avoid
storage issues.
There are some tips that can help ensure good Active
Directory (AD) backups for domain controllers.
First, administrators should always have a clear picture of
which domain controllers to back up. At a minimum, the master and one other
domain controller should be backed up in each domain. If there are more than
two domain controllers in each domain, ensure each is backed up properly; AD
and other system state data is server-hardware dependent, so a backup made on
one server cannot be used to restore another AD server.
Next, implement a regular backup schedule for all domain
controllers. The typical schedule is to back up AD at least twice
within the "tombstone lifetime," which is how long deleted objects
are kept in the AD database before being purged. The default tombstone lifetime
in Windows Server 2008 and later is 90 days. This allows ample time for
changes, such as deletions, to replicate across other domain controllers, so
the average backup schedule is roughly a month. However, the actual backup
frequency will probably be much higher depending on the tombstone lifetime as
well as the complexity and frequency of change in the environment. It's common
practice to make daily backups of unique data or critical volumes.
Backups should be marked clearly so administrators can
readily distinguish the latest backups for each specific server. AD backup
retention should also be a major consideration. AD won't allow restoration of
directory objects older than the tombstone lifetime; this is by design to
prevent corruption in the AD database. But it also means that backups quickly
become obsolete. Since each AD backup can be large, it doesn't take long for
backups to take up significant amounts of storage. Organizations can ease
storage commitments and costs by removing unnecessary AD backups.
Perform system state backups as a minimum. System state
backups include AD content, boot files, system registry, Common Object
Model database, and system volume data and other domain
controller components. Full server backups can be implemented to perform
bare-metal restorations of the domain controllers.
Never save AD backups to the same disk used to store AD components
in production. Instead, save backups to a different disk, which may be located
in the same server, in a storage array, or even on an external disk attached to
the backup server. The actual choice of backup storage depends on storage options
supported by the backup software, but it's critical to avoid a potential single point
of failure by saving to a different disk or other media.
Although backup copies in off-site locations are always recommended, it's best
practice to keep domain controller backups on-site to ensure availability and
avoid potential restoration delays.
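
The retention, labeling and placement tips above can be checked with a short script. The following PowerShell is an added example, not part of the original article; the backup folder layout, the parameter names and the use of folder creation time as the backup date are assumptions, and it is meant to run on a domain controller with the ActiveDirectory and Storage modules available.

```powershell
# Added example: audit per-server AD backup folders against the tombstone lifetime.
# Assumed (hypothetical) layout: <BackupRoot>\<ServerName>\<one folder per backup>
param(
    [string]$BackupRoot = 'E:\ADBackups',  # hypothetical local path
    [int]$TombstoneDays = 0,               # 0 = read the value from AD
    [switch]$Prune                         # delete backups older than the lifetime
)
Import-Module ActiveDirectory

if ($TombstoneDays -le 0) {
    # tombstoneLifetime lives on the Directory Service object in the configuration partition
    $configNC = (Get-ADRootDSE).configurationNamingContext
    $ds = Get-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$configNC" `
                       -Properties tombstoneLifetime
    $TombstoneDays = [int]$ds.tombstoneLifetime
    if ($TombstoneDays -le 0) { throw 'tombstoneLifetime is not set; pass -TombstoneDays.' }
}

# Backups must not sit on the disk that holds the AD database (ntds.dit).
$ntds = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters').'DSA Database file'
$adDisk     = (Get-Partition -DriveLetter $ntds.Substring(0, 1)).DiskNumber
$backupDisk = (Get-Partition -DriveLetter $BackupRoot.Substring(0, 1)).DiskNumber
if ($adDisk -eq $backupDisk) {
    Write-Warning "Backup target $BackupRoot is on the same disk as $ntds"
}

$cutoff = (Get-Date).AddDays(-$TombstoneDays)
foreach ($server in Get-ChildItem -Path $BackupRoot -Directory) {
    # Assumption: a backup folder's creation time is the time the backup was taken.
    $backups = @(Get-ChildItem -Path $server.FullName -Directory |
                 Sort-Object CreationTime -Descending)
    $usable  = @($backups | Where-Object { $_.CreationTime -ge $cutoff })
    $expired = @($backups | Where-Object { $_.CreationTime -lt $cutoff })
    $latest  = $usable | Select-Object -First 1

    # One report row per server: latest restorable backup and retention status
    [pscustomobject]@{
        Server            = $server.Name
        LatestBackup      = $latest.Name
        UsableBackups     = $usable.Count
        ExpiredBackups    = $expired.Count
        TwoWithinLifetime = ($usable.Count -ge 2)
    }
    if ($Prune) { $expired | Remove-Item -Recurse -Force }
}
```

Run it without `-Prune` first to review the report; a server showing `TwoWithinLifetime = False` has fewer than two restorable backups inside the tombstone lifetime.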