{"id":4589,"date":"2025-09-29T20:03:00","date_gmt":"2025-09-30T00:03:00","guid":{"rendered":"https:\/\/adsecurity.org\/?p=4589"},"modified":"2025-10-07T11:30:09","modified_gmt":"2025-10-07T15:30:09","slug":"active-directory-security-tip-9-active-directory-backups","status":"publish","type":"post","link":"https:\/\/adsecurity.org\/?p=4589","title":{"rendered":"Active Directory Security Tip #9: Active Directory Backups"},"content":{"rendered":"\n<p class=\"wp-block-paragraph\">Microsoft supported backups of Active Directory are very important to have. For backing up Domain Controllers, this is typically a System State backup. <br><br>Why a Microsoft supported backup? If you are using a backup solution that isn&#8217;t fully AD aware, performing a restore may involve getting Microsoft involved and that costs $$. <br><br>I know companies that have used ####### (redacted) to backup their AD and there was no System State and the backup wasn&#8217;t a full AD aware backup so they ended up paying ###### $$$ and Microsoft $$$. Just get a System State backup of the DCs that host your FSMO roles about every month and be prepared for a scenario where you may have to restore AD. <br><br>Determining if a recent supported backup has been performed is easy since these backups update a bit in each partition. <\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"674\" height=\"103\" src=\"https:\/\/adsecurity.org\/wp-content\/uploads\/2025\/09\/image-2.png\" alt=\"\" class=\"wp-image-4778\" srcset=\"https:\/\/adsecurity.org\/wp-content\/uploads\/2025\/09\/image-2.png 674w, https:\/\/adsecurity.org\/wp-content\/uploads\/2025\/09\/image-2-300x46.png 300w\" sizes=\"auto, (max-width: 674px) 100vw, 674px\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\"><br><strong>PowerShell code to check the current domain for the last Microsoft supported AD backup: <\/strong><\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>$ContextType = &#91;System.DirectoryServices.ActiveDirectory.DirectoryContextType]::Domain\n$Context = New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext($ContextType,(Get-ADDomain).DNSRoot)\n$DomainController = &#91;System.DirectoryServices.ActiveDirectory.DomainController]::findOne($Context)\n    \n&#91;string&#91;]]$Partitions = (Get-ADRootDSE).namingContexts\n foreach ($Partition in $Partitions) \n  {\n    $dsaSignature = $DomainController.GetReplicationMetadata($Partition).Item(\"dsaSignature\")\n    Write-Host \"$Partition was backed up $($dsaSignature.LastOriginatingChangeTime.DateTime)\" \n   }\n<\/code><\/pre>\n","protected":false},"excerpt":{"rendered":"<p>Microsoft supported backups of Active Directory are very important to have. For backing up Domain Controllers, this is typically a System State backup. Why a Microsoft supported backup? If you are using a backup solution that isn&#8217;t fully AD aware, performing a restore may involve getting Microsoft involved and that costs $$. I know companies &hellip; <\/p>\n<p><a class=\"more-link btn\" href=\"https:\/\/adsecurity.org\/?p=4589\">Continue reading<\/a><\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[565,7,2],"tags":[1479,1469],"class_list":["post-4589","post","type-post","status-publish","format-standard","hentry","category-activedirectorysecurity","category-powershell","category-technical-reference","tag-activedirectorybackups","tag-activedirectorysecuritytip","item-wrap"],"_links":{"self":[{"href":"https:\/\/adsecurity.org\/index.php?rest_route=\/wp\/v2\/posts\/4589","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/adsecurity.org\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/adsecurity.org\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/adsecurity.org\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/adsecurity.org\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=4589"}],"version-history":[{"count":5,"href":"https:\/\/adsecurity.org\/index.php?rest_route=\/wp\/v2\/posts\/4589\/revisions"}],"predecessor-version":[{"id":4779,"href":"https:\/\/adsecurity.org\/index.php?rest_route=\/wp\/v2\/posts\/4589\/revisions\/4779"}],"wp:attachment":[{"href":"https:\/\/adsecurity.org\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=4589"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/adsecurity.org\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=4589"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/adsecurity.org\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=4589"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}