Discover a Domain Controller Backup Before it Goes Boom

Published: 7 August 2019 - 3 min. read


Everyone agrees that domain controller backups are important. Even multi-master services like Active Directory should be backed up regularly. Having copies of the Active Directory database and SYSVOL on various servers spread throughout the world doesn’t mean you can simply ignore backups. Depending on replication intervals, one wrong change can spread across your entire Active Directory environment quickly!

Understanding how Domain Controller Backups Work

How do you determine if Active Directory is “backed up” anyway?

Since Active Directory technically exists on lots of servers (domain controllers), you can back up the Active Directory database on every domain controller. You can even get more granular and back up individual naming contexts or partitions as well.

Every time a partition is backed up on a domain controller, the event is recorded on the DC. Using the repadmin utility, you can then query this date.

Repadmin is a utility built into Windows Server 2008 and higher on DCs and is used to perform a lot of different management functions around Active Directory. One of the functions of repadmin is to find the last backup time of each partition in the Active Directory database.

repadmin /showbackup to see your domain controller backup

As you can see, simply running repadmin.exe /showbackup queries the backup times for each partition on the local host. In this case, I ran it on a domain controller directly. However, you don’t have to do this. It would be more beneficial to get this information from all domain controllers in an entire forest to get a much bigger picture of the backup status of your domain controllers.

To do this, we’ll need some help from Windows PowerShell and its Active Directory module. The Active Directory module has a handy cmdlet called Get-ADForest that will easily enumerate all domains that exist in the forest. One of the properties that Get-ADForest outputs is called Domains.

PS51> $domains = (Get-ADForest).Domains

We now have a list of domains in the forest. Next, we’ll need to find all domain controllers in each of those domains. To do this, we can use the Get-ADDomainController cmdlet.

PS51> $domainControllers = ($domains | foreach { Get-ADDomainController -Server $_ -Filter * }).HostName

Next, we’ll pass each of these domain controllers to the repadmin utility to find the last backup times for each Active Directory partition on each of the domain controllers.

PS51> $backups = $domainControllers | foreach { repadmin.exe /showbackup $_ }

This will get us a rough output of the domain controller backup dates of each partition on each domain controller in all of the domains in our current forest.

However, as you saw from the repadmin /showbackup output, the output isn’t that pretty and may be hard to read. For this, I’ll use PowerShell’s string parsing abilities and some regular expressions to get a much nicer-looking output.

## Loop through each domain controller
$domainControllers | foreach {
    ## Capture the output of repadmin
    $backups = repadmin.exe /showbackup $_
    ## Start collecting properties for output
    $output = @{ 'DomainController' = $_ }
    ## Begin looking at repadmin output
    for ($i = 0; $i -lt $backups.Count; $i++) {
        ## If the line has a partition
        if ($backups[$i] -match '^(CN|DC)') {
            ## Assign the partition name and the date/time to the output hashtable
            ## and send $output with the DomainController, Partition and DateTime
            $output.Partition = $backups[$i]
            $output.DateTime = [regex]::Match($backups[$i + 2], '(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})').Groups[1].Value
            [pscustomobject]$output
        }
    }
}

This will get you a much nicer-looking domain controller backup report.

Repadmin.exe output parsed into objects
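
To act on that report, the objects can be checked against a maximum backup age. This is an added example, not code from the original article: the function name Get-StaleDcBackup, its parameters, the 7-day threshold and the sample records are assumptions, and the input is expected in the DomainController/Partition/DateTime shape the loop above emits.

```powershell
# Added example: report partitions whose last backup is too old or could not be read.
# Get-StaleDcBackup, -MaxAgeDays and -Now are hypothetical names for illustration.
function Get-StaleDcBackup {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [psobject]$Record,
        [int]$MaxAgeDays = 7,          # assumed threshold; set to your backup schedule
        [datetime]$Now = (Get-Date)
    )
    process {
        $parsed = [datetime]::MinValue
        # The report's regex yields an empty string when no timestamp was found,
        # so a failed parse is reported as 'Unknown' rather than silently skipped.
        $ok = [datetime]::TryParseExact(
            [string]$Record.DateTime, 'yyyy-MM-dd HH:mm:ss',
            [cultureinfo]::InvariantCulture,
            [System.Globalization.DateTimeStyles]::None, [ref]$parsed)
        $last = $null; $age = $null; $status = 'Unknown'
        if ($ok) {
            $last = $parsed
            $age = [int][math]::Floor(($Now - $parsed).TotalDays)
            $status = if ($age -gt $MaxAgeDays) { 'Stale' } else { 'OK' }
        }
        if ($status -ne 'OK') {
            [pscustomobject]@{
                DomainController = $Record.DomainController
                Partition        = $Record.Partition
                LastBackup       = $last
                AgeDays          = $age
                Status           = $status
            }
        }
    }
}

# Constructed sample records (not real repadmin output), in the report's shape.
$sample = @(
    [pscustomobject]@{ DomainController = 'dc01.example.test'; Partition = 'DC=example,DC=test'; DateTime = '2019-08-06 02:00:11' }
    [pscustomobject]@{ DomainController = 'dc02.example.test'; Partition = 'DC=example,DC=test'; DateTime = '2019-07-01 02:00:09' }
    [pscustomobject]@{ DomainController = 'dc02.example.test'; Partition = 'CN=Configuration,DC=example,DC=test'; DateTime = '' }
)

# Fixed -Now keeps the sample deterministic; omit it to compare against the current time.
$sample | Get-StaleDcBackup -MaxAgeDays 7 -Now ([datetime]'2019-08-07') | Format-Table -AutoSize
```

With the sample data, dc01 is within the threshold and is omitted, while the two dc02 rows are returned as Stale and Unknown.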


Using the repadmin command-line utility and a little bit of PowerShell-fu, you can find the last time all of your domain controllers were backed up. This is all returned to you in a nicely-formatted, object-oriented design with PowerShell.
