“Send me email if my AD was not backed up recently”
I was given the task of making sure that AD backups (system state) are working fine and of getting alerts if they fail.
If you search the internet, you will find many solutions for backing up a domain controller's system state. If you are using the Windows built-in backup software, you can write a script that searches for specific event IDs under the Backup event log category. This was my initial thought. You will find many scripts out there that look in that place. But those scripts only work if you are using the Windows built-in backup software.
I wanted a more direct, more reliable, more abstracted way to check AD backups. I want to go to AD and ask it: when was the last time you got backed up? Then I want to get alerts if this exceeds my backup cycle window.
How to solve it?
Lucky me, I found this nice article talking about PowerShell and AD stuff. It is a smart way to get the backup status for each AD partition, and the script is written in a way that works in all environments, with no hard coding.
They use these lines of code to get the last backup stamp for each AD partition:
Import-Module ActiveDirectory
[string]$dnsRoot = (Get-ADDomain).DNSRoot
# Cast to [string[]] so each naming context stays a separate element
[string[]]$partitions = (Get-ADRootDSE).namingContexts
$contextType = [System.DirectoryServices.ActiveDirectory.DirectoryContextType]::Domain
$context = New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext($contextType, $dnsRoot)
$domainController = [System.DirectoryServices.ActiveDirectory.DomainController]::FindOne($context)
ForEach ($partition in $partitions)
{
    # The dsaSignature metadata carries the last backup stamp for the partition
    $domainControllerMetadata = $domainController.GetReplicationMetadata($partition)
    $dsaSignature = $domainControllerMetadata.Item("dsaSignature")
    Write-Host "$partition was backed up $($dsaSignature.LastOriginatingChangeTime.DateTime)`n"
}
What we need to do is use the same lines of code, but instead of printing out the last backup stamp for each partition, we will configure the script to send us a nice email if the last backup stamp for any partition exceeds our backup window for AD. For example, if we are supposed to take an AD backup every day using our favorite backup solution, then an email will be sent if the last backup stamp on any AD partition is more than 1 day old.
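One way to turn the per-partition stamp into the alert described above, as an added example (not the author's downloadable script). The function names, the 24-hour window, the mail addresses and the SMTP host are assumptions, and the sample rows are constructed so the comparison can be exercised without a domain.

```powershell
# Added example: staleness check plus alert. Function names, addresses and the
# SMTP host are hypothetical placeholders, not taken from the original script.
function Get-PartitionBackupTime {
    # Ask one DC for the dsaSignature metadata of every naming context.
    Import-Module ActiveDirectory
    [string]$dnsRoot = (Get-ADDomain).DNSRoot
    [string[]]$partitions = (Get-ADRootDSE).namingContexts
    $type = [System.DirectoryServices.ActiveDirectory.DirectoryContextType]::Domain
    $ctx  = New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext($type, $dnsRoot)
    $dc   = [System.DirectoryServices.ActiveDirectory.DomainController]::FindOne($ctx)
    foreach ($p in $partitions) {
        $sig = $dc.GetReplicationMetadata($p).Item('dsaSignature')
        # A missing dsaSignature is reported as $null and later treated as stale.
        $stamp = if ($sig) { $sig.LastOriginatingChangeTime } else { $null }
        [pscustomobject]@{ Partition = $p; LastBackup = $stamp }
    }
}

function Get-StalePartition {
    param([object[]]$Status, [int]$MaxAgeHours, [datetime]$Now = (Get-Date))
    $cutoff = $Now.ToUniversalTime().AddHours(-$MaxAgeHours)
    $Status | Where-Object {
        -not $_.LastBackup -or $_.LastBackup.ToUniversalTime() -lt $cutoff
    }
}

function Send-BackupAlert {
    param([object[]]$Stale, [string]$To, [string]$From, [string]$SmtpServer)
    if (-not $Stale) { return }   # every partition is inside the window: stay silent
    $body = $Stale | Format-Table Partition, LastBackup -AutoSize | Out-String
    Send-MailMessage -To $To -From $From -SmtpServer $SmtpServer `
        -Subject "AD backup overdue on $($Stale.Count) partition(s)" -Body $body
}

# Constructed sample data: one fresh partition, one stale, one never backed up.
$now = Get-Date '2024-01-10T08:00:00Z'
$sample = @(
    [pscustomobject]@{ Partition = 'DC=example,DC=test'; LastBackup = (Get-Date '2024-01-10T01:00:00Z') }
    [pscustomobject]@{ Partition = 'CN=Configuration,DC=example,DC=test'; LastBackup = (Get-Date '2024-01-07T01:00:00Z') }
    [pscustomobject]@{ Partition = 'DC=DomainDnsZones,DC=example,DC=test'; LastBackup = $null }
)
Get-StalePartition -Status $sample -MaxAgeHours 24 -Now $now

# On a domain-joined host (for example from a scheduled task), the live check would be:
# $stale = Get-StalePartition -Status (Get-PartitionBackupTime) -MaxAgeHours 24
# Send-BackupAlert -Stale $stale -To 'ops@example.test' -From 'adbackup@example.test' -SmtpServer 'smtp.example.test'
```

Treating a partition with no dsaSignature as stale means a domain controller that has never been backed up raises an alert instead of passing silently.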
Download the script
My own complete version of the script can be downloaded from here: http://sdrv.ms/19HgVvV
The script does not need any special permissions. Any domain user can execute it. The script takes your AD backup frequency as input and sends an email alert ONLY if the AD backup exceeded your backup frequency (i.e. you have an AD backup failure).
The script can be sc