AD Backup – PowerShell Script

Mission :

I do not want to use third party software to backup my Active Directory (Domain Controller’s system state) because usually those third party requires high privileges and rights on domain controllers.

Instead, i will have a protected file share server, i will use a script on the domain controller to backup its system state to that protected file share. Then i will use my favorite third party solution to backup the protected file share server.


Prepare the File Server

Now as the file share will host your AD backup, it is important to protect and restrict access on that file server. I would recommend to install a VM with C drive for the O.S and D drive to host the system state backup.

Also, make sure that the administrators group on that file share is restricted to only domain admins. Do not install any other server roles on the server and do not host any other shares on it.

Now on the D drive, create a hidden share with Full permissions given to (Domain Controllers) group on both sharing and NTFS permissions. (Domain Controllers) is a built in security group that exist on your AD by default.

Prepare the Domain Controller

Nothing to prepare really here. You need to schedule the below script on one of your domain controllers. That’s it.

Script Breakdown

The script should be scheduled to run on any domain controller and it should run using the built in (System) scrutiny context. This will give it the right to take backups to your AD without any additional rights 🙂

The script starts by importing the (Server Manager) module using the Import-Module ServerManager

Then we will get the current date [string]$date = get-date -f ‘yyyy-MM-dd’.

Following that we will define the folder on the remote file share $TargetUNC = “\\FileServer\ADBackup$\AD-$date”. 

This assumes that the remote file share name is (FileServer) and the hidden share we created is called ADBackups$

Notice that we are assuming that backups will be taken in a folder structure where the name of the folder contains the date on which the backup is taken.

So we will check first to see if a folder is already there that contains today’s date, and if it exists, we will delete it. This means that we will not maintain two backups taken in the same date. This is only my own way. You can do yours.

Because the script will try to create folders on the remote share, (Domain Controllers) group will need access on that remote file share

If ( Test-Path $TargetUNC) { Remove-Item -Path $TargetUNC -Recurse -Force }

New-Item -ItemType Directory -Force -Path $TargetUNC

Finally, we will start taking backup using WEBADMIN command. This command requires that in order to do backups to remote file share, a user name and password should be supplied. So create a username (i.e ServiceADBackup) and give it share and NTFS permissions to write to the remote file share.

$WBadmin_cmd =    “wbadmin.exe START BACKUP     -backupTarget:$TargetUNC   -systemState      -noverify     -vssCopy     -quiet     -user:MyUser     -password:MyPassword “

Invoke-Expression   $WBadmin_cmd

Schedule Script

In order to schedule the script on your DC, open Task scheduler , create basic task with your own schedule preference, and when you reach the Action window, make sure to put (C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe) on the Program/script field, and the full path of your script in the (Add arguments (optional)) filed.


When you are done, open the task again, and change the scrutiny context that the script is using, and replace it with (System) and check the (Run with highest privileges)


Download Script

You can download the script from here

Final Note

When taking backups this way, logs for this backup are stored on that DC here (C:\Windows\Logs\WindowsServerBackup). Usually with time, those logs will consume big space, so i would run a script to delete log files from this directory using another script

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s