Sean Deuby | Principal Technologist

Maintaining business continuity during and after a cyberattack has become a chief strategic objective, not just for enterprise cybersecurity, but for IT and business leadership as well. Effective Identity Threat Detection & Response (ITDR), including a documented Active Directory backup and recovery plan, is crucial to strong operational resilience.

Identity infrastructure—Active Directory for most organizations, often in combination with Entra ID, Okta, or another cloud-based directory service—plays a fundamental role in access and authentication. In short: If Active Directory is down, so is your business. Learn why an Active Directory backup and recovery plan is vital to both cyber and business resilience and how to get the most out of your Active Directory backup.


Why do you need an Active Directory backup?

More than two decades after its creation, Active Directory remains a fundamental part of enterprise IT infrastructure. An Active Directory implementation consists of:

  • Domains: A collection of objects, which represent resources such as users and devices on the network
  • Trees: A set of domains connected by trust relationships
  • Forests: A group of trees
  • Domain controllers: Servers that run Active Directory Domain Services (AD DS), which stores information about objects such as names and passwords and allows authorized users to access this information

If Active Directory is compromised, organizations must recover quickly. Given the number of applications integrated with AD in the typical enterprise, the inability to recover Active Directory can be a catastrophic event. Downtime costs money and damages reputations.

In years past, the main threats to Active Directory were natural disasters and operational errors. Today, however, enterprises must contend with a threat landscape that includes ransomware gangs and other attackers targeting Active Directory to:

  • Escalate privileges
  • Maintain persistence
  • Steal or compromise data

Fast recovery from a cyberattack relies on a malware-free Active Directory backup. But many organizations lack a specific plan for backing up and restoring AD apart from their other systems.

Active Directory backup challenges

Microsoft APIs support two kinds of backup:

  • A system state backup copies operating system files and any roles that are installed on the server.
  • A bare metal recovery (BMR) includes a system state recovery and any other volumes attached to the server.

A system state or BMR backup of Active Directory must be restored to the same hardware configuration the domain controller ran on before the cyber event. Both backup types contain an essential operating system component known as the hardware abstraction layer (HAL). The HAL is the interface between the operating system and the hardware-specific drivers required for the server’s particular hardware platform.

For example, an attempt to restore a system state backup of a VMware virtual machine to a Hyper-V virtual machine will fail. The restored VMware drivers won’t work on a Hyper-V hypervisor infrastructure.

Organizations can also choose between incremental and full backups. Incremental backups back up only changes made since the last full backup.

This approach has the benefit of using less storage, as it focuses only on the changes that have been made to objects. However, incremental backups can mean more work during recovery. Therefore, we recommend that organizations always perform full Active Directory backups.

The single biggest file in an Active Directory backup is the NTDS.DIT database file, which is marked as changed for every backup. Using incremental backups slows recovery because you must mount each incremental instead of just mounting the most recent backup. In addition, if any incremental backup is lost, the changes it contained are also lost.

For example, suppose you need to recover Active Directory on Thursday. If you perform full backups on Sundays and incremental backups every other day, you will need to perform a full recovery of the Sunday environment and then mount each incremental.
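To make the Sunday-full-plus-daily-incrementals scenario concrete, here is an added PowerShell example (not code from the original post) that resolves which backup images a Thursday recovery must mount and warns when an incremental in the chain is missing. The backup catalog and dates are constructed sample data; 2024-03-03 is a Sunday.

```powershell
# Added example, not from the original post: work out which backup images a
# Thursday recovery needs under the schedule described above, and flag a broken
# incremental chain. The catalog is constructed sample data (2024-03-03 is a Sunday).
$catalog = @(
    [pscustomobject]@{ Date = [datetime]'2024-03-03'; Type = 'Full' }          # Sunday full
    [pscustomobject]@{ Date = [datetime]'2024-03-04'; Type = 'Incremental' }   # Monday
    [pscustomobject]@{ Date = [datetime]'2024-03-05'; Type = 'Incremental' }   # Tuesday
    # Wednesday's incremental is deliberately missing to show the gap warning
)

function Get-RestoreChain {
    # $RecoverTo is the day recovery is performed; only backups taken before it are usable.
    param([object[]]$Catalog, [datetime]$RecoverTo)
    # The base is the newest full backup taken before the recovery day.
    $base = $Catalog | Where-Object { $_.Type -eq 'Full' -and $_.Date -lt $RecoverTo } |
            Sort-Object Date -Descending | Select-Object -First 1
    if (-not $base) { throw "No full backup before $($RecoverTo.ToShortDateString())" }

    # Every incremental after the base must be mounted in order. With a daily
    # schedule, a missing day means that day's changes are unrecoverable.
    $incs = $Catalog |
        Where-Object { $_.Type -eq 'Incremental' -and $_.Date -gt $base.Date -and $_.Date -lt $RecoverTo } |
        Sort-Object Date
    $expected = $base.Date.AddDays(1)
    foreach ($inc in $incs) {
        while ($inc.Date -gt $expected) {
            Write-Warning "Chain gap: no incremental for $($expected.ToShortDateString()); its changes are lost"
            $expected = $expected.AddDays(1)
        }
        $expected = $inc.Date.AddDays(1)
    }
    while ($expected -lt $RecoverTo) {
        Write-Warning "Chain gap: no incremental for $($expected.ToShortDateString()); its changes are lost"
        $expected = $expected.AddDays(1)
    }
    return @($base) + @($incs)
}

$thursday = [datetime]'2024-03-07'
$chain = Get-RestoreChain -Catalog $catalog -RecoverTo $thursday
"Images to mount for a $($thursday.DayOfWeek) recovery: $($chain.Count)"
$chain | Format-Table Date, Type

# With daily full backups (the recommendation above) the chain is always one image.
$dailyFull = 3..7 | ForEach-Object { [pscustomobject]@{ Date = [datetime]"2024-03-0$_"; Type = 'Full' } }
$full = Get-RestoreChain -Catalog $dailyFull -RecoverTo $thursday
"Images to mount with daily full backups: $($full.Count)"
```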

Many organizations choose the simplest way to proceed: Windows Server Backup. Once installed, it can be configured to perform backups automatically on a schedule that you set. Some third-party products also offer scheduling. But this approach backs up Active Directory only as part of the server backup.

Active Directory backup best practices

The ability to restore Active Directory begins with following best practices for Active Directory backup. Here are a few tips for handling the process.

Best practice #1: Decouple your Active Directory backup from OS and data backups

If your domain controller backups include the system state, the odds are very good that these backups contain malware, because the useful lifetime of an AD backup is short and malware dwell time is long. The same concern applies to BMR backups that contain boot or OS files.

Data protection solutions might back up the files and data on your domain controllers. However, successfully recovering an Active Directory forest requires much more than that.

Best practice #2: Back up at least two domain controllers per domain

Backing up two domain controllers per domain in your Active Directory forest provides redundancy. Store Active Directory backups securely and offline, or copy backup images to Azure or AWS blob storage.

Best practice #3: Do not use checkpoints to back up Active Directory on a virtual machine

There is nothing wrong with putting Active Directory on virtual machines in a VMware or Hyper-V environment. However, avoid the temptation to rely on snapshots of the domain controller for Active Directory recovery, for multiple reasons:

  • A forest recovered from snapshots will likely cause issues with data consistency.
  • If malware is present on a domain controller when the snapshot is taken, the malware will be restored along with the domain controller. (This is true of any backup.)

Best practice #4: Back up Active Directory regularly

How often should you back up Active Directory? The answer depends on your organization’s recovery point objective (RPO). Your RPO represents the amount of time that can pass before the organization has lost an unacceptable amount of information.

For example, suppose your RPO is 30 days. In that case, your backup data should never be more than 30 days old. Most organizations create an Active Directory backup every 24 hours.
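Best practices #2 and #4 can be checked together. The following added PowerShell example (not code from the original post or from Semperis) queries each domain controller in the forest for its last successful Windows Server Backup, compares it against a 24-hour RPO, and warns when fewer than two DCs per domain have a backup inside that window. It assumes the ActiveDirectory module on the machine running it, the WindowsServerBackup feature (which provides Get-WBSummary) on each DC, and WinRM access to the DCs.

```powershell
# Added example, not from the original post: verify that every DC has a
# Windows Server Backup inside the RPO and that each domain has at least two.
# Assumes the ActiveDirectory module locally, Windows Server Backup on the DCs,
# and WinRM (Invoke-Command) access to them.
Import-Module ActiveDirectory

$Rpo = New-TimeSpan -Hours 24   # most organizations back up AD every 24 hours
$MinDcsPerDomain = 2            # best practice #2: two backed-up DCs per domain

# Enumerate DCs across every domain in the forest, not just the current one.
$dcs = (Get-ADForest).Domains | ForEach-Object { Get-ADDomainController -Filter * -Server $_ }

$results = foreach ($dc in $dcs) {
    $last = $null
    try {
        # Get-WBSummary reports the last successful backup of the machine it runs
        # on, so it has to be invoked on each DC.
        $last = Invoke-Command -ComputerName $dc.HostName -ErrorAction Stop -ScriptBlock {
            (Get-WBSummary).LastSuccessfulBackupTime
        }
    } catch {
        Write-Warning "$($dc.HostName): could not query backup status ($($_.Exception.Message))"
    }
    # A DC that has never been backed up reports DateTime.MinValue; treat that as no backup.
    $age = if ($last -and $last -gt [datetime]::MinValue) { (Get-Date) - $last } else { $null }
    [pscustomobject]@{
        Domain     = $dc.Domain
        DC         = $dc.HostName
        LastBackup = $last
        WithinRpo  = ($null -ne $age -and $age -le $Rpo)
    }
}

$results | Format-Table -AutoSize

# Enforce best practice #2 per domain: at least two DCs with a backup inside the RPO.
foreach ($group in $results | Group-Object Domain) {
    $fresh = @($group.Group | Where-Object WithinRpo).Count
    if ($fresh -lt $MinDcsPerDomain) {
        Write-Warning "$($group.Name): only $fresh DC(s) backed up within $($Rpo.TotalHours)h; need $MinDcsPerDomain"
    }
}
```

Run it from a workstation with the RSAT AD tools as part of the regular backup test described under best practice #5; a warning here means the domain is one lost backup image away from an unrecoverable state.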

Best practice #5: Test your Active Directory backup

Don’t leave Active Directory recovery to chance. Make sure your disaster recovery plan includes regular testing of your AD backup and recovery process. (This is especially important if you plan on recovering AD manually, which is a complicated, time-consuming process.)

How Semperis can help secure AD backups

The ITDR experts at Semperis developed Active Directory Forest Recovery (ADFR) to enable fast, malware-free Active Directory backup and recovery. ADFR uses a patented process to back up your Active Directory forest while removing the threat of malware reinfection. Forrester analysts report that ADFR also reduces backup and recovery timelines by 90%.

Together, the reduction in time needed to back up and recover Active Directory and the elimination of malware persistence can save an organization nearly $4 million in attack-related labor and revenue losses. And for hybrid identity environments that maintain both Active Directory and Entra ID, Semperis offers Disaster Recovery for Entra ID (DRET). DRET backs up Entra ID conditional access policies and user, group, and role objects to SOC 2 (Type II) certified secure managed storage, enabling faster recovery of a hybrid Active Directory environment.
