So Microsoft claims that "you cannot use a network shared folder as a backup target for a system state backup", but I've seen plenty of posts where people indicate that they are able to do this from a command prompt using wbadmin.
My end goal:
I am not concerned about backing up any of our domain controllers, because if one dies, I'll just spin up a new domain controller and let the remaining DCs replicate to it. I am concerned however about at least making sure that I have a backup of AD, in case our entire AD infrastructure were to get hosed and needed to be restored from a backup.
Here’s what I’ve done so far to accomplish the goal:
From my PDCe, I ran a successful backup to a network share using the following command:
wbadmin start systemstatebackup -backuptarget:\srv-backup\b$\srv-dc1
I then created a scheduled backup like this:
wbadmin enable backup -addtarget:\srv-backup\b$\srv-dc1 -systemstate -schedule:03:00
I verified the following day that the scheduled backup completed successfully.
So here are new questions:
How do I properly backup AD? Is my current method correct?
If my current backup method will only yield ONE backup at any given time (because it’s backing up to a network share and it will overwrite the previous backup each night), should I look into getting local storage to push the backups to (so I can have multiple backups), or should I just do backups of my other two DCs in the same manner; to a network share (staggering the schedules of course - then I’ll at least have one or more daily backups that I can depend on)?
I've read in another thread in the community where someone said to "backup the NTDS folder from C:\Windows", but I'm assuming that is unnecessary since it gets backed up during the systemstate backup - is that correct?
That is (or was) a restriction on the original version of Windows Backup, that came on older OSes (Vista RTM and Server 2008 RTM - this may or may not have been addressed in service packs or updates to those OSes). Windows 7+/Server 2008 R2+ handle system state backups to network folders fine.
No. Backing up one Domain Controller is not the same as backing up Active Directory. IF everything goes well, then sure, you might be able to get away with it. Of course, backups only exist for when everything doesn't go well, so you should always consider what could go wrong when you're coming up with a backup strategy. In this case, I see two major issues.
You're only backing up one domain controller. If/when replication breaks to/from that domain controller, or that one domain controller is the source of corruption that's forcing you to restore from backups, you don't have backups of your actual Active Directory anymore.
Your retention period of one backup is pretty useless. By the time you realize you have a problem, you've probably overwritten your backup with a copy that contains your problem. So, that needs fixed, and fortunately, it's not hard - store your backups in folders named with the date taken. You may also want to consider doing incremental backups to save space. Weekly fulls, daily incrementals is a pretty common strategy that strikes a nice balance between disk space and speed/ease of backup restore.
As stated/implied above, you should backup all your domain controllers daily. As mentioned above, put the backups in a folder that's named by the date taken to prevent backups from being overwritten, and consider incremental and/or differential backups to save space.
You are correct. The NTDS (NT Directory Service) folder contains the databases that essentially are your Active Directory Domain. A system state backup should get that folder and the databases in it. (Wouldn't hurt to verify that on your backups, of course.) As the saying goes, backups that aren't restore-tested aren't really backups.
You will frequently find advice about backing up and restoring domain controllers that boils down to "don't backup your DC". This is unfortunately bad advice. You should be backing up all of your domain controllers, because you never know which one will be corrupt.
The problem isn't so much the backing up of domain controllers, it's restoring them that is the tricky part. Make sure you do your homework before restoring!
The answer to all of your problems is to invest in a "real" centralized backup solution like Veam, Acronis, Unitends, etc. These tools are AD aware, support retention periods, get the data backed up to an external disk array (or tape), and provide a single pane of glass for monitoring the backup status of all your servers.