Is my Active Directory Backed Up?

There are a ton of methods to backup Active Directory.  I’m not going to get into each method with this post.  What I am going to do is share another little command that can be run to check to see if your Active Directory was backed up and when.

Before I discuss that command one point I would like to make is to be very careful about who you let backup and restore your Active Directory DB.  From a security standpoint this could be a major violation of your company’s security policy.  Think it about for a minute.  Let’s say I work in a support group in your company that provides backup and restore services for all systems, including Domain Controllers.  I could take that backup of Active Directory and restore it to a private system that I have.  Now I could use a number of tools to help try to crack into it.  Sure it may take a bit of time but I”ve got plenty of time.

If you have a group that is responsible for backups and restores on Domain Controllers then I believe you need to put some really good policies and guidelines in place to protect your most important asset…Active Directory.  I actually don’t like anyone backing up Active Directory that isn’t an Administrator and I always select the option that only and Administrator can restore the backup.  I understand that a rouge admin could do harm but at least there was some mitigation put in place.

Now, finally to the point.  Is my Active Directory backed up?  For this one we are going to run another Repadmin command.

repadmin /showbackup

This will show you when your last backup of Active Directory ran.  You don’t need to run it against a specific DC because Active Directory doesn’t care.  If you have child domains in your environment and want to run this against them all just put a  * at the end of the command and it will check all the domains.

Now go out there and make sure your Active Directory is backed up!!!

Leave a comment