System State Backups?

  • Last Post 14 March 2017
a-ko posted this 08 March 2017

With all of the DR options available today, are System State backups still the only officially supported AD backup/recovery mechanism from Microsoft?


BrianB posted this 14 March 2017

I would also like to hear what others have to say on the subject.

Incidentally, we have been performing some validation tasks for AD recovery and found that in some cases, virtualized DCs are difficult to recover, and we have had problems trying to recover a system state.

I think that if the Virtualization team that deploys your VM does not have a standard procedure, then it can really mess things up, as can deploying on different hypervisors. We ran into an issue recently where our Hyper-V DCs were deployed by default with UEFI and GPT volumes, whereas our ESX DCs were deployed with BIOS and MBR volumes. We tried to recover a DC backup from tape as part of the validation and it failed. The system OS recovered, but there were lots of errors for the Domain Services. This was all done in an isolated environment in a test lab.

We have been successful using a process of taking a full backup, which includes a System State, then booting to recovery and repair and selecting the backup to restore. It still presents the option for Authoritative or non-authoritative. We still need to make sure we restore a Hyper-V image to Hyper-V and an ESX image to ESX.

We were once told by the Manager of the Virt Team that we should not care which hypervisor we run on and that all we need to do is run the Guest and let them worry about which hypervisor to deploy to.

Brian B.



a-ko posted this 14 March 2017

This is kind of the situation we're in. Similar problem. The VM platform team makes their decisions for how they handle VMs and we become "consumers" of their platform. But because of the needs of things like VSS writers, System State backups, and other situations, this is an argument I see come up often.

Database teams tend to get leeway in regards to how they back up (many do a SQL backup to file and then let the platform team grab the VMDK/VHDX), but I'm wondering if I should make a similar push for AD.



bdesmond posted this 14 March 2017

From a security perspective, your hypervisor support folks have the equivalent of physical access to your domain controllers, so what they can do there is pretty limitless.

In terms of backups, I generally recommend not having agents on DCs and instead using Windows Server Backup. Use WSB to back the DCs up to themselves or to a file server that you control, and then let the backup tool pick up the WSB files from the share. Keep in mind that anyone who has or can get access to those backups has access to the DIT, which means they have access to password hashes.



Brian Desmond


w – 312.625.1438 | c – 312.731.3132
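
The WSB approach described in the post above, as an added example rather than code from this thread or from Microsoft: it runs a full backup including System State to a share and then checks the share's NTFS ACL for broad groups, since the post points out that anyone who can read the backup can read the DIT. The share path, the list of "broad" principals and the warning text are assumptions of this example.

```powershell
# Added example (not code from the thread): back a DC up with Windows Server
# Backup to a share you control, then audit who can read the backup share.
# Assumptions: the WindowsServerBackup module is installed on the DC, the share
# path below is a placeholder, and the list of "broad" principals is ours.
Import-Module WindowsServerBackup

$BackupShare = '\\FILESERVER01\DCBackups$'   # placeholder path, change it

function Start-DcSystemStateBackup {
    param([string]$TargetPath)
    # Full backup of all critical volumes plus System State, written to a
    # network share instead of going through a third-party agent on the DC.
    $policy = New-WBPolicy
    Add-WBBareMetalRecovery -Policy $policy
    Add-WBSystemState -Policy $policy
    Set-WBVssBackupOptions -Policy $policy -VssFullBackup
    $target = New-WBBackupTarget -NetworkPath $TargetPath
    Add-WBBackupTarget -Policy $policy -Target $target
    Start-WBBackup -Policy $policy
}

function Test-BackupShareAcl {
    param([string]$Path)
    # Anyone who can read these files can extract the DIT and its password
    # hashes, so flag Allow ACEs granted to broad, built-in groups. This looks
    # at the NTFS ACL only; SMB share permissions must be reviewed separately.
    $broad = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users',
               '*\Domain Users', '*\Domain Computers')
    $acl = Get-Acl -Path $Path
    $findings = foreach ($ace in $acl.Access) {
        $id = $ace.IdentityReference.Value
        foreach ($pattern in $broad) {
            if ($id -like $pattern -and $ace.AccessControlType -eq 'Allow') {
                [pscustomobject]@{ Identity = $id; Rights = $ace.FileSystemRights }
            }
        }
    }
    return $findings
}

Start-DcSystemStateBackup -TargetPath $BackupShare
$issues = Test-BackupShareAcl -Path $BackupShare
if ($issues) {
    Write-Warning "Backup share grants access to broad groups:"
    $issues | Format-Table -AutoSize
} else {
    Write-Output "Backup share ACL is restricted to explicit principals."
}
```

Run it on the DC with an account that can write to the share; the ACL check can also be scheduled on its own to catch permission drift on the backup location.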



a-ko posted this 14 March 2017

Yeah. In most organizations I've talked to that's not even a consideration yet, honestly. The general consensus seems to be finishing up VM migrations, begin to implement Cloud-style management, and generalizing the platform even more. 

Trying to say we need to go physical for authentication is like setting off a nuke, basically.

A battle that will need to be fought another day. So right now I'm more concerned over the operational aspect of DR of AD.
