M16: Backup & Disaster Recovery

Protecting your Windows Server environment requires comprehensive backup strategies and well-tested disaster recovery procedures to ensure business continuity.

What You'll Learn

Windows Server Backup fundamentals
Backup types and strategies
System State vs Bare Metal backups
Active Directory recovery modes
PowerShell backup automation

Prerequisites

Windows Server administration
Active Directory fundamentals (M02)
Storage concepts
Basic PowerShell knowledge

Critical Reminder: Backups are only as good as your ability to restore from them. Always test your recovery procedures regularly!

Backup Types

Understanding different backup types helps you design an efficient backup strategy.

Type	Description	Speed	Storage
Full Backup	Complete copy of all data	Slowest	Most
Incremental	Changes since last backup (any type)	Fastest	Least
Differential	Changes since last full backup	Medium	Medium

Common Backup Strategy: 3-2-1 Rule

3
Copies of data

+

2
Different media types

+

1
Offsite copy

Windows Server Backup

Windows Server Backup is the built-in backup solution included with Windows Server.

Key Features

Block-level backup technology (VSS-based)
Full server, volume, or file/folder backups
System State and Bare Metal Recovery
Backup to local disk, external drive, or network share
Scheduled or on-demand backups

The Windows Server Backup feature must be installed before you can create or schedule any backups on the server.

# Install the Windows Server Backup feature and management tools
PS C:\> Install-WindowsFeature -Name Windows-Server-Backup -IncludeManagementTools
            

# Expected output:
Success   Restart Needed   Exit Code   Feature Result
-------   --------------   ---------   --------------
True      No               Success     {Windows Server Backup}
            

After installation, verify the feature is available and ready to use.

# Confirm the backup feature is installed and available
PS C:\> Get-WindowsFeature -Name Windows-Server-Backup
            

# Expected output:
Display Name                    Name                       Install State
------------                    ----                       -------------
[X] Windows Server Backup       Windows-Server-Backup      Installed
            

Limitation: Windows Server Backup doesn't support tape drives directly. For tape backup, consider third-party solutions or use disk-to-disk-to-tape workflows.

System State Backup

System State contains critical system components needed to restore a server's configuration.

System State Components

All Servers

Registry
COM+ Class Registration database
Boot files (including system files)
System files under WFP

Role-Specific

AD DS database (NTDS.dit)
SYSVOL folder
Certificate Services database
Cluster service information

The wbadmin command-line tool performs a System State backup directly. This captures the registry, boot files, and on DCs, the AD database.

# Run a System State backup to the E: drive using wbadmin
PS C:\> wbadmin start systemstatebackup -backupTarget:E:
            

# Expected output:
Starting System State Backup [01/31/2026 06:00]...
Creating a shadow copy of the volumes...
Creating a shadow copy of the volumes...
System State Backup completed successfully [01/31/2026 06:23].
            

In PowerShell, you build a backup policy object and add System State to it. This approach is better for scripting and automation.

# Create a backup policy and add System State to it
PS C:\> $policy = New-WBPolicy
Add-WBSystemState -Policy $policy
            

For Domain Controllers: System State backup automatically includes AD database, SYSVOL, and all AD-related components.

Bare Metal Recovery (BMR)

Bare Metal Recovery allows you to restore a complete server to new hardware without pre-installing Windows.

BMR Includes

All System State components
All critical volumes (system, boot, applications)
Partition layout information
Everything needed to restore to bare hardware

A BMR backup chains multiple cmdlets together: create a policy, add BMR capability, set the target volume, then start the job.

# Build and execute a Bare Metal Recovery backup to E: drive
PS C:\> $policy = New-WBPolicy
Add-WBBareMetalRecovery -Policy $policy
$target = New-WBBackupTarget -VolumePath "E:"
Add-WBBackupTarget -Policy $policy -Target $target
Start-WBBackup -Policy $policy
            

# Expected output:
Initializing Backup...
Preparing volumes for backup...
Overall progress: 100%
Backup of volume Local Disk (C:) completed successfully.
Backup of System State completed successfully.
The backup operation completed. [01/31/2026 07:15]
            

BMR Recovery Process

Boot WinRE
From install media

→

Select BMR
System Image Recovery

→

Choose Backup
Local/Network

→

Restore
Full system

Scheduling Backups

Automated backup schedules ensure consistent protection without manual intervention.

Scheduling Options

Once daily (specify time)
Multiple times per day
Use Task Scheduler for custom schedules
PowerShell for advanced automation

Building a scheduled backup policy is a multi-step process: create the policy, set the target, add BMR, define the schedule, then apply.

# Create a scheduled BMR backup running at 9 PM and 3 AM daily
PS C:\> $policy = New-WBPolicy
$target = New-WBBackupTarget -VolumePath "E:"
Add-WBBackupTarget -Policy $policy -Target $target
Add-WBBareMetalRecovery -Policy $policy
Set-WBSchedule -Policy $policy -Schedule 21:00,03:00
Set-WBPolicy -Policy $policy
            

# Expected output:
The policy is set successfully.

Schedule       : {9:00 PM, 3:00 AM}
BackupTargets  : {E:}
BMR            : True
SystemState    : True
            

Best Practice: Schedule backups during low-usage periods to minimize performance impact, but ensure they complete before business hours begin.

Active Directory Recovery

AD recovery requires special procedures depending on the failure scenario.

Non-Authoritative Restore

Default restore mode
Restored DC receives updates from partners
Used for DC failures
Replication brings DC current

Authoritative Restore

Restored objects replicate TO other DCs
Used to recover deleted objects
Requires DSRM boot
Uses ntdsutil command

Step one of an authoritative restore is booting into DSRM and restoring the System State from backup. This replaces the AD database with the backup version.

# Restore System State from backup (run in DSRM mode)
PS C:\> wbadmin start systemstaterecovery -version:01/31/2026-06:00
            

# Expected output:
Starting System State Recovery...
System State Recovery completed successfully [01/31/2026 08:30].
Please restart the server to complete the recovery.
            

Before rebooting, use ntdsutil to mark the specific deleted objects as authoritative. This bumps their version numbers so they replicate outward to all other DCs.

# Mark the deleted object as authoritative so it replicates to all DCs
PS C:\> ntdsutil "activate instance ntds" "authoritative restore" "restore object \"CN=John Doe,OU=Users,DC=hexworth,DC=local\"" quit quit
            

# Expected output:
Opening DIT database... Done.

Successfully restored object
CN=John Doe,OU=Users,DC=hexworth,DC=local
Current USN: 12345
Authoritative Restore completed successfully.
            

Active Directory Recycle Bin

The AD Recycle Bin allows recovery of deleted objects without restoring from backup.

Benefits

Recover deleted objects with all attributes intact
No downtime required for recovery
Objects recoverable for 180 days (default)
No authoritative restore needed

Enabling the Recycle Bin is a one-time, irreversible operation that requires Enterprise Admin privileges and raises the forest functional level.

# Enable the AD Recycle Bin feature for the entire forest
PS C:\> Enable-ADOptionalFeature -Identity "Recycle Bin Feature" -Scope ForestOrConfigurationSet -Target "hexworth.local"
            

# Expected output:
WARNING: Enabling 'Recycle Bin Feature' on 'CN=Partitions,CN=Configuration,
DC=hexworth,DC=local' is an irreversible action!
Recycle Bin Feature has been enabled successfully.
            

Benefits (cont.)

Once enabled, you can query for all recently deleted objects in the directory to see what is available for recovery.

# List all deleted objects currently in the AD Recycle Bin
PS C:\> Get-ADObject -Filter {isDeleted -eq $true} -IncludeDeletedObjects
            

# Expected output:
Deleted           DistinguishedName                                 Name          ObjectClass
-------           -----------------                                 ----          -----------
True              CN=John Doe\0ADEL:...,CN=Deleted Objects,...       John Doe      user
True              CN=TestOU\0ADEL:...,CN=Deleted Objects,...         TestOU        organizationalUnit
            

Restoring a deleted object is as simple as piping the search results to Restore-ADObject. All attributes are preserved including group memberships.

# Find and restore the deleted user "John Doe" from the Recycle Bin
PS C:\> Get-ADObject -Filter {displayName -eq "John Doe"} -IncludeDeletedObjects | Restore-ADObject
            

Requirement: Forest functional level must be Windows Server 2008 R2 or higher to enable AD Recycle Bin.

Volume Shadow Copy Service (VSS)

VSS enables consistent backups of data, even while it's in use by applications.

VSS Components

VSS Requestor: The backup application (e.g., Windows Server Backup)
VSS Provider: Creates and maintains shadow copies
VSS Writer: Application-specific component ensuring data consistency

Checking VSS writer status reveals whether application-level components are ready for consistent backups. Failed writers often cause backup failures.

# List all VSS writers and their current state
PS C:\> vssadmin list writers
            

# Expected output:
Writer name: 'System Writer'
   Writer Id: {e8132975-6f93-4464-a53e-1050253ae220}
   State: [1] Stable
   Last error: No error

Writer name: 'Registry Writer'
   Writer Id: {afbab4a2-367d-4d15-a586-71dbb18f8485}
   State: [1] Stable
   Last error: No error
            

Shadow copies are point-in-time snapshots. Listing existing copies shows what recovery points are currently available on the volume.

# Display all existing shadow copies on the system
PS C:\> vssadmin list shadows
            

# Expected output:
Contents of shadow copy set ID: {abc12345-...}
   Contained 1 shadow copies at creation time: 1/31/2026 3:00:00 AM
      Shadow Copy ID: {def67890-...}
         Original Volume: (C:)\
         Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1
            

VSS Components (cont.)

Creating a manual shadow copy gives you an immediate recovery point before making risky changes like software updates.

# Create a new shadow copy of the C: drive right now
PS C:\> vssadmin create shadow /for=C:
            

# Expected output:
Successfully created shadow copy for 'C:\'
    Shadow Copy ID: {abc12345-def6-7890-abcd-ef1234567890}
    Shadow Copy Volume Name: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy2
            

In PowerShell, you can query the count of existing shadow copies to monitor how many recovery points are stored.

# Count the total number of shadow copies via PowerShell
PS C:\> (Get-WmiObject Win32_ShadowCopy).Count
            

# Expected output:
3
            

Troubleshooting Tip: If backups fail, check VSS writer status with "vssadmin list writers". Failed writers often indicate application issues.

Network Backup Targets

Backing up to network locations provides offsite protection and centralized management.

Supported Targets

Network shared folders (SMB)
Dedicated backup servers
NAS devices
Cloud storage (with third-party tools)

PowerShell lets you build a backup policy that targets a network share. The credential object authenticates to the remote file server.

# Create a backup policy targeting a network share with credentials
PS C:\> $cred = Get-Credential
$policy = New-WBPolicy
$target = New-WBBackupTarget -NetworkPath "\\backup-server\backups" -Credential $cred
Add-WBBackupTarget -Policy $policy -Target $target
            

The wbadmin command-line tool can also back up to network shares, useful when scripting from batch files or non-PowerShell environments.

# Back up the C: volume to a network share using wbadmin
PS C:\> wbadmin start backup -backupTarget:\\backup-server\backups -include:C: -user:DOMAIN\backupuser -password:*
            

# Expected output:
Starting backup of volume Local Disk (C:) to \\backup-server\backups...
Creating a shadow copy of the volumes...
Overall progress: 100%
The backup operation completed successfully [01/31/2026 22:45].
            

Security Note: Use a dedicated service account with minimal permissions for backup operations. Store credentials securely.

Recovery Testing

Regular testing of your recovery procedures is essential to ensure they work when needed.

Testing Best Practices

Schedule quarterly recovery drills
Test in isolated environment when possible
Document recovery times (RTO)
Verify data integrity post-recovery
Update procedures based on lessons learned

Metric	Definition	Example
RTO	Recovery Time Objective - max acceptable downtime	4 hours
RPO	Recovery Point Objective - max acceptable data loss	1 hour
MTTR	Mean Time To Recover - average recovery duration	2 hours

Never Assume: A backup that has never been tested is essentially an untested hypothesis. Validate your backups regularly!

Lab Preview: Backup & Recovery

Practice configuring backups and performing recovery operations.

GUI Lab Tasks

Configure Windows Server Backup
Create a backup schedule
Perform System State backup
Browse and restore files
View backup history

PowerShell Lab Tasks

Create backup policies with WBAdmin
Schedule automated backups
Manage backup targets
Query backup status
Perform recovery operations

Scenario: Configure a comprehensive backup strategy for Hexworth's domain controller, including both System State and BMR backups with verified recovery procedures.

Start GUI Lab Start PowerShell Lab