Active Directory Security Tip #9: Active Directory Backups
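Microsoft supported backups of Active Directory are very important, especially System State backups of Domain Controllers. Using tools that are not AD aware can make a restore difficult and expensive. The recommendation is to back up the DCs that host the FSMO roles every month and to check when the most recent supported backup was taken. A PowerShell script can be used to view the last backup time of each partition. 2025-9-30 00:3:0 Author: adsecurity.org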

Sep 29 2025

Microsoft supported backups of Active Directory are very important to have. For backing up Domain Controllers, this is typically a System State backup.

Why a Microsoft supported backup? If you are using a backup solution that isn’t fully AD aware, performing a restore may involve getting Microsoft involved and that costs $$.

I know companies that have used ####### (redacted) to back up their AD and there was no System State and the backup wasn’t a full AD aware backup, so they ended up paying ###### $$$ and Microsoft $$$. Just get a System State backup of the DCs that host your FSMO roles about every month and be prepared for a scenario where you may have to restore AD.

Determining if a recent supported backup has been performed is easy since these backups update a bit in each partition.

PowerShell code to check the current domain for the last Microsoft supported AD backup:

# Requires the ActiveDirectory module (RSAT) for Get-ADDomain and Get-ADRootDSE
Import-Module ActiveDirectory

# Locate a Domain Controller in the current domain
$ContextType = [System.DirectoryServices.ActiveDirectory.DirectoryContextType]::Domain
$Context = New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext($ContextType,(Get-ADDomain).DNSRoot)
$DomainController = [System.DirectoryServices.ActiveDirectory.DomainController]::FindOne($Context)

# Read the dsaSignature replication metadata of every naming context (partition)
[string[]]$Partitions = (Get-ADRootDSE).namingContexts
foreach ($Partition in $Partitions)
{
    $dsaSignature = $DomainController.GetReplicationMetadata($Partition).Item("dsaSignature")
    Write-Host "$Partition was backed up $($dsaSignature.LastOriginatingChangeTime.DateTime)"
}
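
Building on the check above, this sketch returns the same dsaSignature lookup as objects and flags partitions whose last supported backup is older than a threshold, following the "about every month" advice. It is an added example, not code from the original post; the function names Get-ADBackupTime and Test-ADBackupAge, the 30-day default and the example.com sample records are assumptions.

```powershell
# Added example, not from the original post. Function names and the 30-day
# default are assumptions chosen for illustration.

function Get-ADBackupTime {
    # Live collector: the post's dsaSignature lookup, emitted as objects.
    Import-Module ActiveDirectory
    $type = [System.DirectoryServices.ActiveDirectory.DirectoryContextType]::Domain
    $ctx  = New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext($type, (Get-ADDomain).DNSRoot)
    $dc   = [System.DirectoryServices.ActiveDirectory.DomainController]::FindOne($ctx)
    foreach ($nc in (Get-ADRootDSE).namingContexts) {
        $sig  = $dc.GetReplicationMetadata($nc).Item("dsaSignature")
        $when = $null
        if ($sig) { $when = $sig.LastOriginatingChangeTime }
        [pscustomobject]@{ Partition = $nc; LastBackup = $when }
    }
}

function Test-ADBackupAge {
    # Classifies each record as OK, STALE or NO BACKUP RECORDED.
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $Record,
        [int]$MaxAgeDays = 30,
        [datetime]$Now = (Get-Date)
    )
    process {
        if ($null -eq $Record.LastBackup) {
            $age = $null; $status = 'NO BACKUP RECORDED'
        } else {
            $age = [math]::Floor(($Now - $Record.LastBackup).TotalDays)
            $status = if ($age -gt $MaxAgeDays) { 'STALE' } else { 'OK' }
        }
        [pscustomobject]@{
            Partition = $Record.Partition; LastBackup = $Record.LastBackup
            AgeDays   = $age;              Status     = $status
        }
    }
}

# Constructed sample records (not real data) so the classifier runs without AD.
$sample = @(
    [pscustomobject]@{ Partition = 'DC=example,DC=com';                   LastBackup = [datetime]'2025-09-10' }
    [pscustomobject]@{ Partition = 'CN=Configuration,DC=example,DC=com';  LastBackup = [datetime]'2025-06-01' }
    [pscustomobject]@{ Partition = 'DC=DomainDnsZones,DC=example,DC=com'; LastBackup = $null }
)
$sample | Test-ADBackupAge -Now ([datetime]'2025-09-29') | Format-Table -AutoSize

# Against a live domain: Get-ADBackupTime | Test-ADBackupAge | Where-Object Status -ne 'OK'
```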


Sean Metcalf

I improve security for enterprises around the world working for TrustedSec & I am @PyroTek3 on Twitter.
Read the About page (top left) for information about me. :)
https://adsecurity.org/?page_id=8


Article source: https://adsecurity.org/?p=4589