Active Directory backup strategies you need today

Active Directory backup has been an important topic for a long time. Today, however, with identity-based attacks on the rise and AI empowering a broader base of threat actors, several aspects of the process have taken on new urgency.

This blog post explains what you need to know to ensure you have the Active Directory backups you need to recover effectively from an incident, whether an adversary has modified a security group to elevate their permissions or an AI-powered ransomware infection has taken down your entire AD forest. In particular, I’ll cover what types of AD backups there are, what options you have for storing them, and how to ensure they are safe and effective to use for recovery.

What is an Active Directory backup?

An Active Directory backup is a record of Microsoft Active Directory (AD) data from a specific point in time. Its purpose is to enable the organization to restore critical data and operations in case of an adverse event.

Those events fall into two broad categories. One is the accidental or malicious modification of Active Directory objects, such as user accounts, security groups, and Group Policy objects (GPOs). The other is a full-on disaster that requires recovering your entire AD domain or forest. It’s important to understand that Active Directory disaster recovery involves far more than simply restoring the AD database — it requires getting your domain controllers (DCs) working again so they can resume providing essential services like authentication and authorization. Without at least one operational DC, your on-premises or hybrid Microsoft ecosystem cannot function.

Accordingly, at a minimum, an Active Directory backup should include the following:

The Active Directory database file (ntds.dit)

The full contents of SYSVOL — a directory with critical files that must be replicated throughout a domain, such as GPOs, startup and shutdown scripts, and logon and logoff scripts

Any AD-integrated DNS zones and services
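
One way to check a mounted or extracted domain controller backup against the minimum contents listed above, as an added PowerShell example that is not from the original post. The function name `Test-AdBackupContent` and the `$BackupRoot` parameter are hypothetical, and the paths assume the default NTDS and SYSVOL locations (both can be changed when a DC is promoted).

```powershell
# Added example: verifies that a mounted DC backup holds the minimum AD components.
# Assumption: $BackupRoot is the root of the backed-up system volume (e.g. a mounted VHDX).
function Test-AdBackupContent {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $BackupRoot
    )

    $findings = [System.Collections.Generic.List[string]]::new()

    # 1. AD database (default location: Windows\NTDS\ntds.dit)
    $dit = Join-Path $BackupRoot 'Windows\NTDS\ntds.dit'
    if (-not (Test-Path -LiteralPath $dit -PathType Leaf)) {
        $findings.Add("Missing AD database: $dit")
    } elseif ((Get-Item -LiteralPath $dit).Length -eq 0) {
        $findings.Add("AD database is empty: $dit")
    }

    # 2. SYSVOL contents. Windows\SYSVOL\domain is the real folder; sysvol\<domain>
    #    is a junction to it and may not resolve correctly inside a mounted image.
    $sysvolDomain = Join-Path $BackupRoot 'Windows\SYSVOL\domain'
    foreach ($sub in 'Policies', 'scripts') {
        $path = Join-Path $sysvolDomain $sub
        if (-not (Test-Path -LiteralPath $path -PathType Container)) {
            $findings.Add("SYSVOL folder missing: $path")
        }
    }

    # Every GPO folder is named by GUID and must carry its GPT.INI version file.
    $gpoFolders = Get-ChildItem -LiteralPath (Join-Path $sysvolDomain 'Policies') `
        -Directory -Filter '{*}' -ErrorAction SilentlyContinue
    foreach ($gpo in $gpoFolders) {
        $gptIni = Join-Path $gpo.FullName 'GPT.INI'
        if (-not (Test-Path -LiteralPath $gptIni -PathType Leaf)) {
            $findings.Add("GPO folder without GPT.INI: $($gpo.FullName)")
        }
    }

    # 3. AD-integrated DNS zones are stored in the directory itself, so they travel
    #    with ntds.dit; there is no separate zone file to look for here.
    [pscustomobject]@{
        BackupRoot = $BackupRoot
        GpoCount   = @($gpoFolders).Count
        Complete   = ($findings.Count -eq 0)
        Findings   = $findings.ToArray()
    }
}

# Usage (constructed path): Test-AdBackupContent -BackupRoot 'R:\' | Format-List
```

A `Complete` value of `$true` only shows that the files are present; it does not prove the backup restores cleanly, which still needs a test recovery.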

Why is Active Directory backup important?

Let’s review exactly why Active Directory backup is essential in each of the two core scenarios: disaster recovery and granular restore.

Disaster recovery

Remember the infamous NotPetya attack in 2017? Within hours, this malware brought operations to a standstill at companies around the world, including shipping giant Maersk. Although Maersk had backups of much of its data, nobody could locate a single Active Directory backup. As a result, they were unable to restore IT operations: No one could log on, let alone process orders, send email, or monitor shipments. In the end, Maersk was saved only by a stroke of luck: One DC at a remote office had been offline during the attack and therefore remained uninfected and undamaged. The company painstakingly shuttled that precious machine to its headquarters to serve as an Active Directory backup and enable the disaster recovery process.

The lesson of this story is simple: As long as your Active Directory is down, your business is dead in the water. It doesn’t matter that you have good backups of your databases, mailboxes and file shares — without an Active Directory backup, you cannot restore AD to working order, so there will be no authentication and authorization services to enable anyone to access that content. The cost of this downtime can be staggering. Indeed, a study by Forrester Consulting pegs it at $730,000 per hour. So it’s not surprising that while Maersk estimated that the NotPetya attack cost the company over $250 million, staffers privately suggested the total was actually much higher.

Moreover, it doesn’t require a state-sponsored global attack to take down your Active Directory. Today, ransomware-as-a-service providers on the dark web enable cybercriminals with limited technical skills to cause an AD disaster. In fact, even a mistake or equipment failure can be enough. For example, schema upgrades are not reversible with Microsoft’s normal tools, so if an admin makes an unintentional error during the process, you have to do a full domain or forest restore. Similarly, if your domain has only one DC and the machine dies, you need an Active Directory backup to get the business back on its feet.

Conclusion

Having a solid Active Directory backup strategy remains essential for most organizations today, including those with a hybrid Microsoft IT ecosystem. AD backups are vital for the granular recovery of AD objects and attributes that IT teams need to perform frequently, and they provide a critical insurance policy for restoring operations quickly in case of a disaster.

Hanlon, D. (2025, July 14). Active directory backup strategies you need today. https://blog.quest.com/active-directory-backup-strategies-you-need-today/?utm_campaign=Oktopost-MPM+BLOGS+&utm_content=Oktopost-facebook&utm_medium=social&utm_source=facebook
