Module 16: Backup & Recovery

Backups you can't restore are theater — types, System State, BMR, recovery testing.

What you'll learn

  • Backup types — full, incremental, differential
  • Windows Server Backup — install + schedule the built-in tool
  • System State ★ — smallest backup that restores AD + IIS + CA
  • BMR + VSS — bare-metal restore + Volume Shadow Copy
  • AD Recycle Bin — restoring deleted objects
Where this fits: Block #16 — DR. CTS1328C Objective #5. AZ-800 domain: Windows Servers (DR). System State (★) is the smallest backup that can restore AD, IIS, and cert authority intact.
Module 16 — your journey 1Backup Types 2WSB Install 3System State ★ 4BMR 5Schedule 6AD Recycle Bin 7VSS 8Network Targets 9Recovery Testing → next: M17 — Firewall/Security

Backup Types

Every backup strategy is built from three primitives, and the choice between them is a trade of backup speed and storage against restore complexity.

Full captures everything every time: simplest to restore (one set), but slowest to run and heaviest on storage. Incremental captures only what changed since the last backup of any kind: fastest and smallest, but a restore must replay the full plus every increment in order, so one missing link breaks the chain. Differential captures everything changed since the last full: a middle ground where a restore needs only the full plus the latest differential.

The 3-2-1 rule governs where copies live, independent of type: keep 3 copies of the data, on 2 different media, with 1 off-site. It is the single guideline that survives ransomware, hardware failure, and site loss.

Full, incremental, and differential trade backup speed against restore simplicity, and the 3-2-1 rule (3 copies, 2 media, 1 off-site) keeps them safe.
Backup TypesCTS1328C · AZ-800
Full, incremental, and differential trade backup speed against restore simplicity, and the 3-2-1 rule (3 copies, 2 media, 1 off-site) keeps them safe.

Windows Server Backup

Windows Server Backup (WSB) is the backup engine built into Windows Server. It is not a feature installed by default, so the first step on any new server is to add it.

What it does. WSB performs block-level backups coordinated through the Volume Shadow Copy Service, so it can back up open files and running applications consistently. It supports full-server, individual-volume, and file/folder backups, plus the two specialized jobs that matter for a domain: System State and Bare Metal Recovery. Targets can be a local disk, a dedicated USB drive, or a network share.

Why block-level matters. Backing up at the block level (rather than copying files) lets WSB capture only changed blocks and work with VSS to get an application-consistent point in time, which is what makes a live server backup actually restorable.

# Install the Windows Server Backup feature + tools PS C:\> Install-WindowsFeature -Name Windows-Server-Backup -IncludeManagementTools
Windows Server Backup is the built-in, block-level, VSS-based tool that backs up full server, volumes, files, System State, and BMR to local, USB, or network targets.
Windows Server BackupCTS1328C · AZ-800
Windows Server Backup is the built-in, block-level, VSS-based tool that backs up full server, volumes, files, System State, and BMR to local, USB, or network targets.

System State Backup

A System State backup captures the set of components that define the server's operating-system identity and configuration, as a single consistent unit. It is what you restore to recover the server's "brain" without imaging the whole disk.

What is always included. On any server: the registry, the COM+ class registration database, boot files, and the Windows File Protection store. What is added by role. On a domain controller it also captures the AD database (NTDS.dit) and SYSVOL; on a CA, the Certificate Services database; on a cluster node, the cluster configuration.

Why back it up separately. System State is the fastest path to recover a corrupted registry, a failed DC, or a broken boot configuration, and it is the prerequisite for an authoritative AD restore. It is small relative to a full backup, so it can run frequently.

# System State backup to the E: volume PS C:\> wbadmin start systemstatebackup -backupTarget:E:
System State captures the server's bootable identity, the registry, COM+, and boot files, plus AD's NTDS.dit and SYSVOL on a domain controller.
System StateCTS1328C · AZ-800
System State captures the server's bootable identity, the registry, COM+, and boot files, plus AD's NTDS.dit and SYSVOL on a domain controller.

Bare Metal Recovery (BMR)

Bare Metal Recovery restores an entire server, from nothing, onto blank or replacement hardware. It is the recovery you reach for when a machine is unbootable or physically dead, not just when a file is lost.

What it restores. A BMR image is atomic: the OS partition, all critical volumes, and System State together, plus the partition layout, so the rebuilt server is bootable and complete.

What it needs. You boot the target from Windows install or recovery media (because there is no OS to boot yet), the backup target must be reachable from that boot environment, and restoring to different hardware works but may require injecting storage or network drivers. The walkthrough is: boot media, Repair, Troubleshoot, System Image Recovery, pick the image, Finish.

Bare Metal Recovery rebuilds an entire dead server onto blank hardware from a backup image, booted from recovery media.
Bare Metal RecoveryCTS1328C · AZ-800
Bare Metal Recovery rebuilds an entire dead server onto blank hardware from a backup image, booted from recovery media.

BMR Includes

A BMR backup is deliberately more than a file copy: it is everything required to make blank hardware boot and run as the original server.

The contents. It bundles System State with the critical volumes (the OS and anything the OS depends on to start), and it records the partition layout so the recovery process can recreate the disk structure before laying the data back down.

Building it in PowerShell. You construct a backup policy, add the bare-metal-recovery component to it, point it at a target, and run it. The same policy object is what you later attach a schedule to.

# Build and run a BMR backup to the E: volume PS C:\> $policy = New-WBPolicy; Add-WBBareMetalRecovery -Policy $policy PS C:\> Add-WBBackupTarget -Policy $policy -Target (New-WBBackupTarget -VolumePath "E:") PS C:\> Start-WBBackup -Policy $policy
A BMR backup bundles System State, the critical volumes, and the partition layout, everything needed to make bare hardware boot.
What BMR CapturesCTS1328C · AZ-800
A BMR backup bundles System State, the critical volumes, and the partition layout, everything needed to make bare hardware boot.

Scheduling Backups

A backup you have to remember to run is a backup that eventually does not run. Scheduling turns the policy into an automatic, repeating job.

The options. Windows Server Backup can run once a day or several times a day, driven either through Task Scheduler or directly by setting a schedule on a WBPolicy object in PowerShell. Multiple daily runs tighten your recovery point at the cost of more backup windows.

Timing it well. Schedule backups for low-usage periods to minimize performance impact, but make sure they finish before business hours begin, an overrunning backup that collides with the workday is a classic self-inflicted slowdown.

# Schedule a BMR backup at 21:00 and 03:00 daily PS C:\> $policy = New-WBPolicy; Add-WBBareMetalRecovery -Policy $policy PS C:\> Set-WBSchedule -Policy $policy -Schedule 21:00,03:00; Set-WBPolicy -Policy $policy
Schedule backups to run unattended once or several times a day during low-usage hours, via Task Scheduler or a backup policy.
SchedulingCTS1328C · AZ-800
Schedule backups to run unattended once or several times a day during low-usage hours, via Task Scheduler or a backup policy.

Active Directory Recovery

Restoring Active Directory has two modes, and choosing the wrong one either fails to recover deleted objects or re-deletes them. The distinction is about which direction replication flows after the restore.

Non-authoritative is the default. You restore a DC from backup and then let its replication partners update it with everything that changed since the backup. Use it to rebuild a single failed DC, the rest of the domain is the source of truth.

Authoritative is for recovering deletions. You restore in Directory Services Restore Mode, then use ntdsutil to mark the recovered object with a higher version so it replicates out to every other DC instead of being overwritten by them. This is how you bring back an accidentally deleted OU or account before the Recycle Bin era.

# Restore System State (DSRM), then mark an object authoritative PS C:\> wbadmin start systemstaterecovery -version:01/31/2026-06:00 PS C:\> ntdsutil "activate instance ntds" "authoritative restore" "restore object ..." quit quit
Restore a failed DC non-authoritatively so it updates from its partners, or authoritatively with DSRM and ntdsutil to push a recovered object back out.
AD Recovery ModesCTS1328C · AZ-800
Restore a failed DC non-authoritatively so it updates from its partners, or authoritatively with DSRM and ntdsutil to push a recovered object back out.

Active Directory Recycle Bin

The AD Recycle Bin is the modern answer to accidental deletion. Instead of the painful DSRM authoritative-restore dance, you recover the deleted object directly, with all its attributes and group memberships preserved.

How it changes deletion. Without it, a deleted object becomes a stripped "tombstone" that loses most attributes. With it enabled, the object retains every attribute for the deleted-object lifetime (180 days by default), so a restore brings it back whole.

The catch. Enabling it is a per-forest, one-way operation (it cannot be turned off) and requires a forest functional level of 2008 R2 or higher, so it is a deliberate rollout decision, not a casual toggle.

# Enable the feature, then list and restore deleted objects PS C:\> Enable-ADOptionalFeature 'Recycle Bin Feature' -Scope ForestOrConfigurationSet -Target hexworth.local PS C:\> Get-ADObject -Filter 'isDeleted -eq $true' -IncludeDeletedObjects | Restore-ADObject
The AD Recycle Bin restores deleted objects with all attributes intact for 180 days, with no authoritative restore, once enabled per forest.
AD Recycle BinCTS1328C · AZ-800
The AD Recycle Bin restores deleted objects with all attributes intact for 180 days, with no authoritative restore, once enabled per forest.

Benefits

The practical payoff of the AD Recycle Bin is that object recovery stops being an outage. Compared with the old authoritative-restore process, the difference is dramatic.

The four wins. Deleted objects come back with all attributes intact; no domain controller has to be taken offline into DSRM; objects remain recoverable for 180 days by default; and there is no authoritative restore and no forced replication to orchestrate. What used to be a maintenance-window project becomes a one-line restore.

The one-time cost. Enabling it is irreversible, needs Enterprise Admin rights, and raises the forest functional level, so you plan it once, then it quietly protects you from then on.

# Enable the AD Recycle Bin for the entire forest (one-time) PS C:\> Enable-ADOptionalFeature -Identity "Recycle Bin Feature" -Scope ForestOrConfigurationSet -Target "hexworth.local"
The Recycle Bin recovers deleted objects whole, with no downtime and no authoritative restore, for 180 days after a one-time forest-wide enable.
Recycle Bin BenefitsCTS1328C · AZ-800
The Recycle Bin recovers deleted objects whole, with no downtime and no authoritative restore, for 180 days after a one-time forest-wide enable.

Benefits (cont.)

Once the Recycle Bin is enabled, recovery is a two-step query-and-restore pattern you can run on demand, no reboot, no special mode.

See what is recoverable. You query for objects whose isDeleted flag is true, including deleted objects in the search scope, to list everything currently sitting in the bin within its 180-day window.

Restore precisely. Filter that list down to the specific object (by display name, for example) and pipe it to Restore-ADObject. If the object's parent OU was also deleted, restore the OU first or pass an explicit target path so the object has a home to return to.

# List deleted objects, then find and restore "John Doe" PS C:\> Get-ADObject -Filter {isDeleted -eq $true} -IncludeDeletedObjects PS C:\> Get-ADObject -Filter {displayName -eq "John Doe"} -IncludeDeletedObjects | Restore-ADObject
Recover a deletion by querying for isDeleted objects and piping the one you want to Restore-ADObject, restoring its parent OU first if it was removed too.
Find + RestoreCTS1328C · AZ-800
Recover a deletion by querying for isDeleted objects and piping the one you want to Restore-ADObject, restoring its parent OU first if it was removed too.

Volume Shadow Copy Service (VSS)

The Volume Shadow Copy Service is the Windows mechanism that lets you back up data that is in use. It creates a frozen, point-in-time snapshot of a volume so a backup reads a stable image even while applications keep writing.

Consistency levels. If an application provides a VSS Writer (SQL Server, Exchange, Active Directory do), VSS coordinates with it to flush and quiesce so the snapshot is application-consistent (safe to restore directly). Without a Writer, the snapshot is only crash-consistent, equivalent to pulling the power, recoverable but not guaranteed clean.

How it stays fast. VSS uses copy-on-write: taking the snapshot is near-instant, and the shadow storage area only grows as blocks are subsequently changed, so the cost is paid gradually rather than up front.

# Diagnose VSS health (run as Administrator) PS C:\> vssadmin list writers PS C:\> vssadmin list shadows ; vssadmin list shadowstorage
VSS takes point-in-time snapshots so live data backs up consistently, application-consistent when a Writer exists, using fast copy-on-write.
VSSCTS1328C · AZ-800
VSS takes point-in-time snapshots so live data backs up consistently, application-consistent when a Writer exists, using fast copy-on-write.

VSS Components

A VSS snapshot is a collaboration between three distinct roles, and knowing which is which is how you read a failed-backup error.

The Requestor is the backup application (Windows Server Backup or a third-party tool) that asks VSS for a snapshot. The Provider is the component that actually creates and maintains the shadow copy, either the built-in system provider or a hardware/SAN provider. The Writer is supplied by each application (SQL, Exchange, AD) to flush its data to a consistent state before the snapshot is taken.

Why it matters. When a backup fails, the writer status usually tells you which application failed to quiesce, pointing you straight at the culprit rather than the backup tool itself.

# List writers and existing shadow copies PS C:\> vssadmin list writers ; vssadmin list shadows
A VSS snapshot is a collaboration of three roles: the Requestor (backup app), the Provider (makes the copy), and the Writer (per-application consistency).
VSS ComponentsCTS1328C · AZ-800
A VSS snapshot is a collaboration of three roles: the Requestor (backup app), the Provider (makes the copy), and the Writer (per-application consistency).

VSS Components (cont.)

Beyond scheduled backups, VSS lets you grab an immediate recovery point by hand, which is the smart move right before a risky change like a software update or a configuration overhaul.

Create one now. A single command snapshots a volume on demand, giving you a known-good point to roll back to if the change goes wrong. You can also count or enumerate existing shadow copies through WMI.

When backups fail, check the writers. The first diagnostic is always the writer list: a writer in a failed or unstable state almost always points at an application problem rather than the backup software, so fix the writer and the backup follows.

# Create a C: snapshot now, then count shadow copies PS C:\> vssadmin create shadow /for=C: PS C:\> (Get-WmiObject Win32_ShadowCopy).Count
Create a shadow copy on demand for an instant recovery point before risky changes, and check writer status first whenever a backup fails.
Manual SnapshotCTS1328C · AZ-800
Create a shadow copy on demand for an instant recovery point before risky changes, and check writer status first whenever a backup fails.

Network Backup Targets

Keeping backups on the same machine they protect satisfies no part of the 3-2-1 rule, so production backups target storage somewhere else on the network.

Supported targets. Windows Server Backup can write to SMB file shares, dedicated backup servers, and NAS appliances; cloud destinations are reached through third-party tools layered on top. A network share is the most common off-box target for a single server.

The trade-off to know. When WSB backs up to a network share it keeps only the latest backup at that destination (each run overwrites the prior one), so if you need multiple recovery points over time you either rotate shares or use a dedicated backup volume that retains a history.

# Back up C: to a network share with credentials PS C:\> wbadmin start backup -backupTarget:\\backup-server\backups -include:C: -user:DOMAIN\backupuser -password:*
Back up off the server to an SMB share, NAS, or backup server (cloud via third-party); a plain network share keeps only the latest backup.
Network TargetsCTS1328C · AZ-800
Back up off the server to an SMB share, NAS, or backup server (cloud via third-party); a plain network share keeps only the latest backup.

Recovery Testing

The only proof a backup works is a successful restore. Backups that have never been restored are assumptions, and the worst time to discover a corrupt or incomplete backup is during a real outage.

The discipline. Run recovery drills on a schedule (quarterly is a common baseline) in an isolated environment so a test restore cannot collide with production, document the actual recovery time, and verify the restored data's integrity rather than just that the job finished.

The three metrics that frame every recovery plan: RTO (Recovery Time Objective), the maximum acceptable downtime; RPO (Recovery Point Objective), the maximum acceptable data loss, which dictates how often you back up; and MTTR (Mean Time To Recovery), how long restores actually take in practice. Drills are how you confirm your RTO and RPO are real and not aspirational.

An untested backup is a guess, so run quarterly restore drills in isolation and measure RTO (downtime), RPO (data loss), and MTTR (recovery time).
Recovery TestingCTS1328C · AZ-800
An untested backup is a guess, so run quarterly restore drills in isolation and measure RTO (downtime), RPO (data loss), and MTTR (recovery time).

Lab Preview: Backup & Recovery

The labs take backup and recovery from concept to muscle memory. You will configure protection, schedule it, and then actually recover, the full lifecycle rather than just the backup half.

In the GUI lab you configure Windows Server Backup, set a schedule, run a System State backup, and browse and restore from it.

In the PowerShell lab you build WBAdmin policies, schedule them, point them at targets, check status, and drive a recovery, the scripted equivalent that scales to many servers.

Goal: by the end you can protect a server with the right backup type, automate it, and prove you can bring it back, including an Active Directory object restore.
In the labs you configure and schedule Windows Server Backup, then prove recovery by restoring System State and an Active Directory object.
Lab PreviewCTS1328C · AZ-800
In the labs you configure and schedule Windows Server Backup, then prove recovery by restoring System State and an Active Directory object.