When it comes to server backups, the old adage still holds true:
Don’t put all your eggs in one basket. I’m not referring to backup media or
storage locations. I’m talking about backing up the different roles that can be
assigned to Windows Server 2003 servers.

Making a single tape backup of a domain controller that
hosts user data and, for example, acts as DHCP server, is a bad idea, and the
more roles you add, the worse it gets. (Domain controllers that serve in a
variety of roles are not that uncommon, especially in smaller domains and in
small to midsize enterprises.)

But why is a single backup of a domain controller that acts as data
server, DNS server, WINS server, DHCP server, print server, etc., such a bad
idea? For several reasons:

  • You have a single point of failure. If the
    latest tape backup doesn’t work, you’ll have to rely on an older full backup to
    restore everything. It can become much worse if you can’t restore from tape at
  • Because tape backups are slow, full backups tend
    to be made less often. That means in case of a disaster, you might end up with
    critical information like Active Directory data being relatively old.
  • Restoring from tape is slow. Restoring
    everything from a single tape can become intolerable in a production
  • Resynchronization becomes a time-consuming
  • Performance of remaining Active Directory
    servers will suffer, as they have to cope with the added workload.

In this article, I’ll show you how to make several
dedicated (role-specific) backups of a Windows Server 2003 server. A dedicated backup
involves backing up certain server roles separately. Doing so will make life
much easier for you when it matters most–when disaster strikes and you have to
restore one or more DCs. Restoring will be simpler
and faster. It will also be a lifesaver in a scenario where recovery from a
normal tape backup is problematic or not an option.


I suggest using removable media other than tape for these role-based
backups. I’ve found adding a big IDE drive to every server invaluable. I use it
to store many role-specific backups and all kinds of useful utilities,
documentation, tips, and useful articles.

Active Directory

Let’s start with backing up Active Directory. As you know, if you back
up a DC’s System State data, your AD is backed up. (The System State data
includes the Active Directory database, system boot files, SYSVOL, and the
registry, among other things. The server’s role determines the content.) As you
can see in Figure A and Figure B, backing up the System State
data is straightforward.

Figure A

Backing up the System State data using the Ntbackup’s

Figure B

If you don’t use the wizard, just select the System State data from the left

As I mentioned in “Rescuing a failed domain controller: Disaster recovery in
action,” the important thing to remember about backing up System State data is
that you can’t restore
it if your backup is older than the tombstone age. The default tombstone
lifetime is 60 days. After that, AD suffers from memory loss, in a manner of
speaking. That’s because the tombstone lifetime determines how long a DC
“remembers” deleted objects. To prevent you from restoring data older
than the specified life, restoring from backups older than this lifetime isn’t allowed.
So check the tombstone lifetime setting for your DCs.
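
One way to run that check, as an added example that is not part of the original article: it reads the forest's `tombstoneLifetime` attribute through ADSI and flags System State backup files that are too old to restore. It assumes PowerShell 2.0 on a domain-joined machine, that each `.bkf` file's last-write time is the backup date, and a hypothetical backup folder and warning margin.

```powershell
# Added example, not from the article. Requires a domain-joined machine.
function Get-TombstoneLifetimeDays {
    # The attribute lives on the Directory Service object in the configuration partition.
    $configNc = [string]([ADSI]'LDAP://RootDSE').configurationNamingContext
    $dirSvc   = [ADSI]"LDAP://CN=Directory Service,CN=Windows NT,CN=Services,$configNc"
    $value    = $dirSvc.Properties['tombstoneLifetime'].Value
    if ($null -eq $value) { return 60 }   # attribute not set: the default stated in the article
    return [int]$value
}

function Get-SystemStateBackupStatus {
    param(
        [string]$Folder = 'E:\RoleBackups\SystemState',   # hypothetical backup folder
        [int]$TombstoneDays = (Get-TombstoneLifetimeDays),
        [int]$WarnDays = 14,                               # hypothetical safety margin
        [datetime]$Now = (Get-Date)
    )
    Get-ChildItem -Path $Folder -Filter *.bkf | ForEach-Object {
        # Assumption: the file's last-write time is when the backup was taken.
        $age = [int][math]::Floor(($Now - $_.LastWriteTime).TotalDays)
        if ($age -ge $TombstoneDays) {
            $status = 'EXPIRED: at or beyond the tombstone lifetime, cannot be restored'
        }
        elseif ($age -ge ($TombstoneDays - $WarnDays)) {
            $status = 'WARNING: close to the tombstone lifetime, take a new backup'
        }
        else {
            $status = 'OK'
        }
        New-Object PSObject -Property @{ File = $_.Name; AgeDays = $age; Status = $status }
    }
}

# Report every System State backup in the folder, newest first.
Get-SystemStateBackupStatus | Sort-Object AgeDays | Format-Table File, AgeDays, Status -AutoSize
```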


DNS

Shuddering at the thought of setting up DNS from scratch? Not to worry.
You can do it in a flash with the right backup procedure. First, back up the
registry settings pertaining to DNS:

  1. Stop the DNS service.
  2. Start the registry editor and go to
  3. Right-click the DNS folder and choose Export. You’ll
    have to give the file a name. Let’s call it dnsreg1. Press [Enter].
  4. Navigate to
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\DNS
    Server (Figure C).
  5. Right-click on the DNS Server folder and select Export.
    Let’s name this file dnsreg2. Press [Enter].
  6. Save these two registry files to the storage medium of
    your choice.

Second, back up all the files with the extension .dns
from the following folder on your server:


Back them up to where you have saved the DNS registry files. (You don’t
have to, but it makes sense to keep all your DNS eggs in one basket.)

Finally, restart the DNS service.
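
The backup steps above as a script, added here as an example and not part of the original article. It assumes PowerShell 2.0 is installed on the server; the registry key for step 2 and the folder holding the .dns files are not shown on this page, so both are required parameters, and the backup root `E:\RoleBackups\DNS` is a hypothetical path.

```powershell
# Added example, not from the article: scripted DNS role backup (PowerShell 2.0).
param(
    [Parameter(Mandatory=$true)][string]$ServiceKey,  # registry key from step 2 (not shown on the page)
    [Parameter(Mandatory=$true)][string]$ZoneDir,     # folder holding the *.dns files (not shown on the page)
    [string]$BackupRoot = 'E:\RoleBackups\DNS'        # hypothetical backup location
)
$ErrorActionPreference = 'Stop'

# Key from step 4 of the article.
$serverKey = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\DNS Server'
$exports   = @{ 'dnsreg1.reg' = $ServiceKey; 'dnsreg2.reg' = $serverKey }

if (-not (Test-Path $ZoneDir)) { throw "Zone folder not found: $ZoneDir" }

# A fresh timestamped folder per run, so reg.exe never has to overwrite a file.
$dest = Join-Path $BackupRoot (Get-Date -Format 'yyyyMMdd-HHmmss')
New-Item -ItemType Directory -Path $dest -Force | Out-Null

Stop-Service -Name DNS
try {
    foreach ($name in $exports.Keys) {
        $out = Join-Path $dest $name
        & reg.exe export $exports[$name] $out | Out-Null
        if ($LASTEXITCODE -ne 0 -or -not (Test-Path $out)) {
            throw "Registry export failed for $($exports[$name])"
        }
    }
    Copy-Item -Path (Join-Path $ZoneDir '*.dns') -Destination $dest
    $zones = @(Get-ChildItem -Path $dest -Filter *.dns)
    Write-Output "Saved $($exports.Count) registry files and $($zones.Count) zone files to $dest"
}
finally {
    # Runs on success and on failure, so a failed export never leaves DNS stopped.
    Start-Service -Name DNS
}
```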


If you have an Active Directory-integrated zone, the DNS zone data
forms part of the System State data of your DNS server.

Figure C

The place in the registry where the DNS settings reside

Now if your domain controller that’s hosting the DNS server role or
your dedicated DNS server gives up the ghost, restoring your DNS settings will
be a snap. Here are the steps to restore
it to its former pristine glory. (Let’s assume you have set up a new machine with
Windows Server 2003 and the same server name, DNS suffix, and IP address as the
failed one.)

  1. Install the DNS service.
  2. Copy all of those files with the .dns
    extension you backed up to the same location you backed them up from, i.e.,
  3. Stop the DNS service.
  4. Now restore those two registry files you backed up. Just
    double-click each one of them and confirm you want them installed.
  5. Restart the DNS service.


Always have at least two DCs per domain. This
will enable you to restore a failed DC through reinstallation–your only option
if your backup set fails or, owing to a disaster, isn’t available. Restoring
through reinstallation entails Active Directory replication, so you’ll need a
functioning DC in the same domain. (Again, see “Rescuing a failed domain
controller: Disaster recovery in action” for such a


DHCP

Losing your DHCP server (or DHCP server role together with the DC it
was on) can be more than a mere mishap, as you’ll have to configure the scopes,
reservations, and classes from scratch. Not a nice thought while you’re
recovering from a disaster in the middle of the night! Fortunately, backing up
and restoring your DHCP settings is simple. You can back it up from the command
line with a single command:

    netsh dhcp server dump > dhcpback.txt

(The > dhcpback.txt part of the command will save the output
to a file named dhcpback.txt. You can, of course, choose another filename and
specify a location.)

To restore your DHCP configuration after a meltdown, you just need the
following command (after installing the DHCP server service):

    netsh exec dhcpback.txt
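
Because netsh exec runs every line of the dump file as a netsh command, the file's integrity matters at restore time. The following added example (not from the original article) wraps the two commands above with a SHA-256 check; it assumes PowerShell 2.0 on the DHCP server, and the function names and the folder `E:\RoleBackups\DHCP` are hypothetical.

```powershell
# Added example, not from the article (PowerShell 2.0, run on the DHCP server).
$ErrorActionPreference = 'Stop'

function Get-Sha256Hex([string]$Path) {
    $sha    = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead((Resolve-Path $Path).ProviderPath)
    try     { return [System.BitConverter]::ToString($sha.ComputeHash($stream)) -replace '-', '' }
    finally { $stream.Close() }
}

function Backup-DhcpConfig([string]$Dir = 'E:\RoleBackups\DHCP') {   # hypothetical location
    New-Item -ItemType Directory -Path $Dir -Force | Out-Null
    $file = Join-Path $Dir ('dhcpback-{0:yyyyMMdd-HHmmss}.txt' -f (Get-Date))
    # Redirect inside cmd.exe, as in the article, so the file holds netsh's raw output.
    & cmd.exe /c "netsh dhcp server dump > `"$file`""
    if ($LASTEXITCODE -ne 0 -or -not (Test-Path $file) -or (Get-Item $file).Length -eq 0) {
        throw 'netsh dump failed or produced an empty file'
    }
    # Record the hash. Keep a copy of the .sha256 file on separate media: a hash
    # stored beside the dump catches corruption, not deliberate changes.
    Get-Sha256Hex $file | Set-Content -Path "$file.sha256"
    return $file
}

function Restore-DhcpConfig([string]$File) {
    $expected = (Get-Content -Path "$File.sha256" | Select-Object -First 1).Trim()
    $actual   = Get-Sha256Hex $File
    if ($actual -ne $expected) {
        throw "Hash mismatch for $File; refusing to pass it to netsh exec"
    }
    # Only a dump that matches its recorded hash reaches netsh.
    & netsh exec $File
}
```

Dot-source the file, call Backup-DhcpConfig on a schedule, and call Restore-DhcpConfig with the dump's path once the DHCP server service is installed on the rebuilt machine.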


WINS

Backing up WINS is an often neglected task. Remember that WINS is not
backed up by default, so you won’t be able to restore a corrupt WINS database.
Yet configuring automatic WINS backups is a breeze:

  1. Bring up the WINS console.
  2. Right-click on the relevant server and select Properties.
  3. Select the General tab (Figure D) and in the Default
    Backup Path field, enter the path to the location you want to back up to. You
    can also click Browse and navigate to a backup location. The default location
    is %WinDir%\System32\Wins.
  4. Select Back Up Database During Shutdown. This will ensure
    that backups are created whenever the WINS service is stopped.
  5. Click OK.

You can also manually back up WINS by right-clicking on the relevant
server and selecting Back Up Database.


Make screen shots of settings (e.g., DNS and DHCP) just in case of the
absolutely worst case scenario!

Figure D

Backing up WINS

Print servers

Let’s cover one last role: that of print servers. I’ll cut to the chase:
Just use Microsoft’s free tool, Print Migrator. To quote Microsoft: “Print
Migrator provides complete backup, restore and migration operations for Windows
NT-based operating systems from Windows NT 4 to Windows 2003.” You can get
Windows Print Migrator (and more information about it) from the Microsoft Download Center.