Backup your AD Configuration

When you sit down and think about it, if you run a "Microsoft Shop" just about everything in your network environment likely relies on AD at some level. Whether it is the user accounts themselves and their associated mailbox properties for Exchange, the service accounts used by your applications, Group Policy Objects controlling workstation behavior, or possibly your infrastructure components due to DHCP, DNS, or even IAS. While Active Directory fully supports replication of all relevant fields and materials, there is still a need to get an offline backup of these vital materials. While no one truly wants to contemplate the scenario that would lead to such a restore, I have needed to assist at least 2 customers through this process; both due to virus infection. Lucky for me, they both had current backups of their AD environment using the process below due to prior consulting engagements.
Happily, getting a backup of your AD environment is an easy task and all of the tools needed have already been included with the operating system itself. Believe it or not, lowly NTBackup has a real purpose even in an enterprise environment and that purpose is snapshotting your AD environment. While many high-end backup systems do have plug-ins to backup AD, using them in a real DR scenario often adds a substantial amount of time to the recovery effort as many of them need an AD account just to run.
The first question is where to make the backup from. Ideally, you should have backups of 2 domain controllers in each domain of your forest. One of which should be made from a server holding an operations master role other than the RID Master, which should never be restored.
The 2^nd question is where to write the backups to. You should choose a media that doesn't rely on a ton of other software or services in order to be read. Given the size of most AD backups and the fact that you don't need "point in time" restores of AD, flash drives have proven very effective at storing AD backups. If you are worried about the potential of your AD backup being used as a means of gaining access to your organization, feel free to use an encrypted flash drive such as those produced by IronKey.
For Windows 2003 domain controllers, all you need to do is run the following command from the appropriate domain controller to make the actual backup,:
Ntbackup backup systemstate /f "Path to the backup file"
For Windows 2008 domain controllers, NTBackup has been replaced by Windows Server Backup. Windows Server Backup is not installed by default on Windows 2008 systems. To install Windows Server Backup, go to Start -> Administrative Tools -> Server Manager. From there, click on Features, then Add a Feature. You want to add the Windows Server Backup feature. Once installed, the following running the following command from the appropriate domain controller will make the actual backup:
wbadmin start systemstatebackup –backuptarget:"path to backup folder"
This command line can be written to a BAT/CMD file for running from a scheduled task or manual process. It is important that the backup file get moved to media that can easily be transferred offsite in the event of a disaster.
Making the backup is only half the battle. One needs to be able to actually restore from it in the event of a disaster. To restore AD from this backup, one needs to follow these high-level steps for each domain in the forest, starting with the top most domain.

For Windows 2003 Domain Controllers:

1. Build up a stand-alone server using the same OS version as the backup was taken from
2. Place a copy of the backup file somewhere on the new server's filesystem
3. Reboot the server and press F8 at the splash screen
4. Select Directory Restore Mode Option
5. Perform the restore from the Backup file
6. Seize all FSMO roles held by nonexistent servers
7. Cleanup the AD records for the DCs that no longer exist using NTDSUTIL

For Windows 2008 Domain Controllers:

1. Build up a stand-alone server using the same OS version as the backup was taken from
2. Install Windows Server Backup using the steps above
3. Place a copy of the Backup file somewhere on the new server's file system
4. Run bcdedit /set safeboot dsrepair to instruct the system to boot into recovery mode
5. Reboot the server
6. At the login screen, select "other user". Enter ".\administrator" and enter the DSRM password for the server and press enter.
7. Click Start, right-click Command Prompt, and then click Run as Administrator
8. Run wbadmin get versions -backuptarget:"path to backup folder" -machine:"new dc name"
9. Identify the version you want to restore. You will need to identify it exactly in the next step.
10. Run wbadmin start systemstaterecovery -version:"version to be restored" -backuptarget:"path to backup folder" -machine:"new dc name" –authsysvol –quiet
11. Run bcdedit /deletevalue safeboot to instruct the system to boot normally
12. Reboot the server
13. Seize all FSMO roles held by nonexistent servers
14. Cleanup the AD records for the DCs that no longer exist using NTDSUTIL

Hopefully these steps are never needed, but it is good to know where to find them if they are ever needed.