Welcome to Part 4 of our popular “Active Directory Key Health Check Items” series of Server Tutorials.
In Part 3, we explained why it’s necessary to avoid designating manual bridgehead servers in a large Active Directory environment. We also provided a PowerShell script that generates an easy-to-read CSV report to help you understand the assignment of bridgehead servers in your Active Directory environment.
Every AD Admin needs to ensure that backups of their Active Directory partitions are being taken regularly. In today’s Server Tutorial we’re going to explain why it becomes imperative to check the backup status of all Active Directory partitions. We’re also going to provide a PowerShell script that you can use to check the backup status of each AD partition.
You want to ensure that you’re backing up AD partitions using a production backup tool such as Windows Server Backup or a third-party tool that has been certified by Microsoft. Taking backups of AD partitions will help you seamlessly recover from any disasters. An easy way to check the backup status of AD partitions is to use a simple PowerShell script that we are going to share as part of this article.
To ensure your AD partitions have been backed up recently, you can execute the following PowerShell script, which performs these key functions:
C:\Temp\ADBackupStatus.CSV file
Note: This script does not perform any write operations to the Active Directory environment.
Please follow the steps outlined below when using the script:
C:\Temp\ADBackupStatus.CSV
### Script starts here ###
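# Load the ActiveDirectory module used by Get-ADDomain and Get-ADRootDSE.
Import-Module ActiveDirectory

# Running state for the test.
$TotNo = 0
$TestStatus = "Passed"
$TestText = ""
$TodaysDate = Get-Date
$IssueOrNot = "No"
$AnyGap = "No"
$AnyOneOk = "No"
$TestCSVFile = "C:\Temp\ADBackupStatus.CSV"

# Start from a clean report file and an empty error list.
Remove-Item $TestCSVFile -ErrorAction SilentlyContinue
$Error.Clear()

# Collect every naming context (partition) and locate one domain controller to query.
[string]$dnsRoot = (Get-ADDomain).DNSRoot
[string[]]$Partitions = (Get-ADRootDSE).namingContexts
$contextType = [System.DirectoryServices.ActiveDirectory.DirectoryContextType]::Domain
$context = New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext($contextType,$dnsRoot)
$domainController = [System.DirectoryServices.ActiveDirectory.DomainController]::FindOne($context)

# Continue only if the lookups above completed without errors.
IF ($Error.Count -eq 0)
{
    $AnyOneOk = "Yes"
    ForEach ($partition in $Partitions)
    {
        # The dsaSignature attribute on the partition head is updated when the partition
        # is backed up, so its last originating change time is treated as the last backup date.
        $domainControllerMetadata = $domainController.GetReplicationMetadata($partition)
        $dsaSignature = $domainControllerMetadata.Item("dsaSignature")
        $R = $($dsaSignature.LastOriginatingChangeTime.DateTime)
        $Z = $TodaysDate
        $FinCom = "Ok"

        # Whole days elapsed since the last recorded backup.
        $DaysNotBack = (New-TimeSpan -Start $R -End $Z).Days
        IF ($DaysNotBack -ge 7)
        {
            $FinCom = "Partition has NOT been backed up since last 7 days."
            $TestStatus = "Failed"
            $AnyGap = "Yes"
        }

        # One CSV row per partition: partition DN, last backup date, final status.
        $ThisStr = '"'+$partition+'"'+","+'"'+$($dsaSignature.LastOriginatingChangeTime.DateTime)+'"'+","+$FinCom
        Add-Content "$TestCSVFile" $ThisStr
        $ThisStr
    }
}

# Overall result: "High" severity if any partition missed the seven-day window.
IF ($AnyGap -eq "Yes")
{
    $TestStatus = "High"
    $SumVal = ""
    $TestText = "Some AD Partitions have not been backed up since last 7 days."
}
IF ($AnyGap -eq "No")
{
    $TestStatus = "Passed"
    $SumVal = ""
    $TestText = "All AD Partitions were backed up recently."
    # No partition was checked at all, because the initial lookups failed.
    IF ($AnyOneOk -eq "No")
    {
        $TestStatus = "Error"
        $TestText = "Error Executing Dynamic Pack"
        $SumVal = ""
    }
}

# Summary line. $ADTestName and $TestStartTime are not defined in this script,
# so those two fields are empty when it is run on its own.
$STR = $ADTestName +","+$TestStartTime+","+$TestStatus+","+$SumVal +","+$TestText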
### Script Ends here ###
Once the script has finished executing for the Active Directory Forest, a report will be generated in the C:\Temp\ADBackupStatus.CSV file as shown in the screenshot below:
As you can see in the report above, the script collected all AD partitions from the Active Directory Forest and then reported the backup status of each AD partition in the Last Backup Date column.
Note that the script checks whether any AD partition has gone without a backup during the last seven days. For example, the partition “DC=DomainDnsZones,DC=ServerWatch,DC=Com” was not backed up during the last seven days, and that’s why we see “Partition has NOT been backed up since last 7 Days” in the Final Status column.
If you need to modify the “seven days” check to a different number of days, you can do so by modifying the “IF ($DaysNotBack -ge 7)” line in the script.
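As an added example (not part of the original script or of the Dynamic Pack), the same dsaSignature check can be wrapped in a function that takes the threshold as a parameter, so the script does not have to be edited, and that reports a partition with no dsaSignature metadata or an unreadable partition as a finding rather than stopping. The function name Get-ADPartitionBackupAge, its parameters and the output property names are illustrative; it assumes the ActiveDirectory module is installed and writes to the article's report path.

```powershell
#Requires -Modules ActiveDirectory
# Added example, not the article's script; the function and property names are illustrative.
function Get-ADPartitionBackupAge {
    [CmdletBinding()]
    param(
        [ValidateRange(1, 3650)]
        [int]$MaxAgeDays = 7,                          # the article's seven-day threshold
        [string]$DnsRoot = (Get-ADDomain).DNSRoot
    )
    $ctxType = [System.DirectoryServices.ActiveDirectory.DirectoryContextType]::Domain
    $ctx = New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext($ctxType, $DnsRoot)
    $dc  = [System.DirectoryServices.ActiveDirectory.DomainController]::FindOne($ctx)
    $now = Get-Date

    foreach ($partition in (Get-ADRootDSE).namingContexts) {
        $lastBackup = $null
        $ageDays    = $null
        $status     = 'Ok'
        try {
            # Same source as the article's script: replication metadata of dsaSignature.
            $meta = $dc.GetReplicationMetadata($partition)
            if ($meta.Contains('dsaSignature')) {
                $lastBackup = $meta.Item('dsaSignature').LastOriginatingChangeTime
            }
        } catch {
            $status = "Error reading metadata: $($_.Exception.Message)"
        }
        if ($status -eq 'Ok') {
            if ($null -eq $lastBackup) {
                $status = 'No dsaSignature metadata found'
            } else {
                $ageDays = [int][math]::Floor(($now - $lastBackup).TotalDays)
                if ($ageDays -ge $MaxAgeDays) {
                    $status = "Partition has NOT been backed up in the last $MaxAgeDays days"
                }
            }
        }
        [pscustomobject]@{
            Partition      = $partition
            LastBackupDate = $lastBackup
            AgeDays        = $ageDays
            FinalStatus    = $status
        }
    }
}

$report = @(Get-ADPartitionBackupAge -MaxAgeDays 7)
$report | Export-Csv -Path 'C:\Temp\ADBackupStatus.CSV' -NoTypeInformation
$report | Where-Object FinalStatus -ne 'Ok' |
    ForEach-Object { Write-Warning "$($_.Partition): $($_.FinalStatus)" }
```

Because the function returns objects, the results can be filtered or sent to a monitoring system as well as written to the CSV file.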
The above PowerShell script is part of the “AD Partitions Backup Test” Dynamic Pack, which is available for use with the Active Directory Health Profiler. AD Health Profiler provides 97 health checks for Active Directory and is capable of reporting the issue severity for each issue that it identifies in a managed Active Directory Forest.
We shared a small PowerShell script you can use to check the backup status for each AD Partition in an Active Directory forest environment. The PowerShell script reports the backup status of each AD partition in a CSV file that is generated by the PowerShell script. You can add the PowerShell script to your set of Active Directory key health check procedures.
Nirmal Sharma is a MCSEx3, MCITP and Microsoft MVP in Directory Services. He specializes in directory services, Microsoft Azure, Failover clusters, Hyper-V, System Center and Exchange Servers, and has been involved with Microsoft technologies since 1994. In his spare time, he likes to help others and share some of his knowledge by writing tips and articles on various sites and contributing to Health Packs for ADHealthProf.ITDynamicPacks.Net solutions. Nirmal can be reached at nirmal_sharma@mvps.org.