How to Set Up Active Directory Backup and Recovery on Windows Server 2019

Introduction to Active Directory Backup and Recovery

Active Directory is the identity foundation of your Windows environment. Domain controllers store the AD database (NTDS.DIT), SYSVOL folder, and the Registry System State. A comprehensive backup and recovery strategy must account for all three components. Windows Server 2019 includes Windows Server Backup (wbadmin) as a built-in tool for system state backups. This tutorial covers performing system state backups, full server backups, authoritative and non-authoritative restores, and using the Active Directory Recycle Bin as a first line of recovery.

Understanding System State Backup Components

A System State backup of a domain controller captures: the NTDS.DIT Active Directory database and log files, the SYSVOL folder (Group Policy templates, scripts), the Registry, COM+ Class Registration Database, and Boot Files. For a domain controller, system state is the minimum backup required to restore Active Directory. A full server backup is preferable as it allows bare-metal recovery.

Installing Windows Server Backup

Windows Server Backup is not installed by default. Install it using PowerShell or Server Manager. It includes the wbadmin command-line utility and the Windows Server Backup MMC snap-in.

Install-WindowsFeature Windows-Server-Backup -IncludeManagementTools

Verify the installation completed successfully:

Get-WindowsFeature Windows-Server-Backup

Performing a System State Backup

Run wbadmin start systemstatebackup to capture the system state. Specify a local or UNC path for the backup destination. System state backups cannot be saved to the volume being backed up. A dedicated backup volume or a UNC share on a separate server are appropriate destinations.

wbadmin start systemstatebackup -backupTarget:E: -quiet

To backup to a network share:

wbadmin start systemstatebackup -backupTarget:\backupserverDCBackups -quiet

The -quiet flag suppresses confirmation prompts. Remove it for interactive use. System state backups typically take 15-45 minutes depending on SYSVOL size and AD database size.

Performing a Full Server Backup

A full server backup captures everything needed for bare-metal recovery. Use wbadmin start backup with -allCritical to include all volumes containing critical OS components. This produces a larger backup but enables complete recovery from hardware failure.

wbadmin start backup -backupTarget:E: -allCritical -systemState -vssFull -quiet

Scheduling Automated Backups

Use the Windows Server Backup GUI (wbadmin.msc) to create a scheduled backup, or use wbadmin enable backup with a schedule. The following command schedules a daily system state backup at 2:00 AM.

wbadmin enable backup `
    -addtarget:\backupserverDCBackups `
    -schedule:02:00 `
    -systemState `
    -vssFull `
    -quiet

Alternatively, create a scheduled task using PowerShell to run wbadmin with desired parameters:

$action = New-ScheduledTaskAction -Execute "wbadmin.exe" `
    -Argument "start systemstatebackup -backupTarget:\backupserverDCBackups -quiet"
$trigger = New-ScheduledTaskTrigger -Daily -At "02:00AM"
$settings = New-ScheduledTaskSettingsSet -ExecutionTimeLimit (New-TimeSpan -Hours 4)
Register-ScheduledTask -TaskName "DC-SystemState-Backup" `
    -Action $action -Trigger $trigger -Settings $settings `
    -RunLevel Highest -User "SYSTEM"

Listing Available Backup Versions

Before restoring, list available backup versions to identify the correct backup to use. The wbadmin get versions command shows all available backups along with their date, location, and what components they contain.

wbadmin get versions -backupTarget:\backupserverDCBackups

Note the Version identifier in the output (format: MM/DD/YYYY-HH:MM)—you will need it for the restore command.

Non-Authoritative Restore of Active Directory

A non-authoritative restore recovers the AD database from backup and then allows normal replication to update it with changes from other domain controllers. This is the correct procedure when you are recovering a single DC that failed while other DCs remained operational. The recovered DC starts with an older copy of AD that gets updated via replication. To perform a non-authoritative restore, boot the DC into Directory Services Restore Mode (DSRM).

Restart the server and press F8 before the Windows logo appears, or run bcdedit to set DSRM as the next boot option:

bcdedit /set safeboot dsrepair

After booting into DSRM, log in using the local DSRM administrator account (not the domain account). Then run the system state restore:

wbadmin start systemstaterecovery -version:05/17/2026-02:00 -backupTarget:\backupserverDCBackups -quiet

After the restore completes, remove the DSRM boot flag and reboot normally:

bcdedit /deletevalue safeboot

Authoritative Restore for Recovering Deleted Objects

An authoritative restore marks specific restored objects with a version number higher than on any other DC, causing those objects to replicate outward and overwrite the deleted state on all other DCs. This is used when objects were deleted and the Active Directory Recycle Bin is not enabled. Perform a non-authoritative restore first, then before rebooting normally, run ntdsutil to mark objects as authoritative.

ntdsutil
activate instance ntds
authoritative restore
restore subtree "OU=Marketing,DC=yourdomain,DC=com"
quit
quit

To restore a single user object authoritatively:

ntdsutil
activate instance ntds
authoritative restore
restore object "CN=John Smith,OU=Users,DC=yourdomain,DC=com"
quit
quit

After the authoritative restore, remove the DSRM boot flag and restart. The restored objects replicate to all other DCs.

Resetting the DSRM Password

The Directory Services Restore Mode password is set when AD DS is installed and is often forgotten. If you need to reset it, run ntdsutil from a normal boot while the DC is a functioning domain member.

ntdsutil
set dsrm password
reset password on server DC01


quit
quit

Verifying Backup Integrity

Regularly test your backups by performing restore drills in an isolated lab environment. Also verify backup catalogs are intact and backup jobs are completing successfully. Check Windows Server Backup job history with:

Get-WBJob -Previous 10

wbadmin get status

Conclusion

Active Directory backup and recovery planning is critical to business continuity. A Windows Server 2019 domain controller running Windows Server Backup with daily system state backups provides the foundation for both non-authoritative recovery from DC failure and authoritative recovery from accidental deletions. Combine this with the Active Directory Recycle Bin for fast object-level recovery and maintain at least two DC backups per domain. Test your recovery procedures at least quarterly to ensure you can meet your Recovery Time Objective when an incident occurs.