For simply protecting AD as opposed to real DR, you could just back up the system state, but a full server backup isn’t much bigger if it’s a DC that does nothing else, so why not do that? In any case, back up every single DC at staggered times so that you have a version of AD that is as recent as possible. For one DC failure (as opposed to an authoritative restore), you are probably better off just bringing up a new DC with a new name and seizing roles, cleaning up metadata, etc.
If you are truly speaking of DR, such as if your data center is gone, then it takes much more. We have 4 DCs in our main data center and one in a very small data center almost a mile away. If our entire campus was gone that wouldn’t do much good. For that we would restore one DC from backup tapes at a very remote location. Our backup tapes are at an Iron Mountain facility and would be shipped to the remote site. In a scenario such as that, we would have at least a full day to get AD up and running. Once the restore is done, I would need to seize roles to this one DC (that is either the one a mile away or the one 250 miles away restored from tape, depending on the type of disaster). The next step would be to quickly add a second DC, which should be quick and easy once the first one is stable, then additional ones if two weren’t enough. I have tested this recovery (both ways) at least twice a year for the last 5 years or so. We are about to put a couple of DCs at AWS, which will be a better solution, but we would keep the DC that is a mile away, so that it would continue to be used if available, due to the site design. *From:* [email protected] [mailto: [email protected]] *On Behalf Of *CSSU NetAdmin *Sent:* Tuesday, November 18, 2014 8:05 AM *To:* [email protected] *Subject:* [NTSysADM] Backing up Active Directory We are trying to figure out what we need to back up for Active Directory as part of our disaster recovery plan. Is backing up just the System State on a domain controller enough or do we need the entire server? Should all domain controllers be backed up or is one per domain OK?
