Windows Server Backup wbadmin’s use on Domain Controllers

Why bother with Windows Server backup in large environments?

Even in big companies, having a backup of your Active Directory forest can be challenging:

  • do you know what you must backup?
  • do you know if the backup infrastructure and software allows you to backup what you need
  • do you know if the restore really contain what you need and not what the software publisher advertises it contain?
  • did you test a full restore of your forest aka Active Directory recovery (not speaking?
  • if so, did you test it under time and stress constraints?

Many Windows Administrators have discovered that their so-called ‘enterprise-grade’ solution was not able to fulfill one or more of these requirements.

Windows Server backup built-in program to the rescue

Therefore the current Microsoft recommendation is to perform a bare metal backup with Windows Server backup. Not only you’ll get the state of your forest backed up but you’ll also have the ability to restore it from scratch only having to boot with a Windows DVD. Let’s see how to do it in a unattended fashion.

The command-line utility related to the WIndows Server Backup tool is wbadmin.

The general syntax is:


You may wonder what is the difference between a wbadmin start backup and a wbadmin start systemstatebackup command.

The second one is only used for a systemstatebackup which contains the backups related to the data which does not belong to a specific drive, e.g. on a Domain Controller you’ll find the Active Directory Database and Sysvol share contents. However for some mysterious reasons known only to the developers of wbadmin, you are not able to create a bare metal backup set.

In order to do a bare metal backup you have to use the following command as abase

However you can make this command better by adding two flags:

You may easily deduct that -quiet will avoid messages which are pretty useless for our automated tasks.

SystemState could be seen as not needed because it is included in the “AllCritical” switch.

However adding it allows you to select at restore time a simple ‘systemstate’ restore from within the machine or use your backup a as bare metal restore DVD.

Should you have no other backup taken by another product (IBM TSM, Symantec NetBackup, …), you can also add the -vssfull flag. If this flag is set, the log are cleared. If it isn’t set, the system does not record that a backup has been taken, so the other products aren’t confused. This is the equivalent of not using COPY_ONLY is SQL Server backups for example.

To finish this setup, you may want to use the following task to recreate a recurring task. You just need to change the drive letter (E:) and the time the backup occur between your different Domain Controllers.


Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.