GuidesAD Key Health Checks, Part 4: Backing Up AD Partitions

AD Key Health Checks, Part 4: Backing Up AD Partitions

ServerWatch content and product recommendations are editorially independent. We may make money when you click on links to our partners. Learn More.

Welcome to Part 4 of our popular “Active Directory Key Health Check Items” series of Server Tutorials.

In Part 3, we explained why it’s necessary to avoid designating manual bridgehead servers in a large Active Directory environment. We also provided a PowerShell script that you can use to generate an easy to read report in a CSV file that will help you understand the assignment of bridgehead servers in your Active Directory environment. Windows Server Tutorials

Every AD Admin needs to ensure that backups of their Active Directory partitions are being taken regularly. In today’s Server Tutorial we’re going to explain why it becomes imperative to check the backup status of all Active Directory partitions. We’re also going to provide a PowerShell script that you can use to check the backup status of each AD partition.

Have Your AD Partitions Been Backed Up Recently?

You want to ensure that you’re backing up AD partitions using a production backup tool such as Windows Server Backup or a third-party tool that has been certified by Microsoft. Taking backups of AD partitions will help you seamlessly recover from any disasters. An easy way to check the backup status of AD partitions is to use a simple PowerShell script that we are going to share as part of this article.

Checking the Backup Status of AD Partitions

To ensure your AD partitions have been backed up recently, you can execute the following PowerShell script, which performs these key functions:

  • Collects AD partitions from the current Active Directory Forest
  • Checks the date and time of LastOriginatingChangeTime property of each AD partition
  • Uses the New-TimeSpan PowerShell cmdlet to calculate date and time and then report the date and time on which each AD partition was backed up
  • Records the script output in the C:TempADBackupStatus.CSV file

Note: This script does not perform any write operations to the Active Directory environment.

Please follow the steps outlined below when using the script:

  1. Modify the report file location in “$TestCSVFile” variable. The default location for storing script output is C:TempADBackupStatus.CSV
  2. Copy the entire script below to a .PS1 file and then execute from an elevated PowerShell window

### Script starts here ###

$TotNo = 0
$TestStatus = "Passed"
$TestText = ""
$TodaysDate = Get-Date
$IssueOrNot = "No"
$AnyGap = "No"
$AnyOneOk = "No"

$TestCSVFile = "C:TempADBackupStatus.CSV"
Remove-item $TestCSVFile -ErrorAction SilentlyContinue

[string]$dnsRoot = (Get-ADDomain).DNSRoot
[string[]]$Partitions = (Get-ADRootDSE).namingContexts
$contextType = [System.DirectoryServices.ActiveDirectory.DirectoryContextType]::Domain
$context = new-object System.DirectoryServices.ActiveDirectory.DirectoryContext($contextType,$dnsRoot)
$domainController = [System.DirectoryServices.ActiveDirectory.DomainController]::findOne($context)
IF ($Error.count -eq 0)
	$AnyOneOk = "Yes"
	ForEach($partition in $partitions)
		$domainControllerMetadata = $domainController.GetReplicationMetadata($partition)
		$dsaSignature = $domainControllerMetadata.Item("dsaSignature")

		$R = $($dsaSignature.LastOriginatingChangeTime.DateTime)
		$Z = $TodaysDate
		$FinCom = "Ok"
		$DaysNotBack = (New-TimeSpan -Start $R -End $Z).Days
		IF ($DaysNotBack -ge 7)
			$FinCom = "Partition has NOT been backed up since last 7 days."
			$TestStatus = "Failed"
			$AnyGap = "Yes"

		$ThisSTr = '"'+$Partition+'"'+","+'"'+$($dsaSignature.LastOriginatingChangeTime.DateTime)+'"'+","+$FinCom
		Add-Content "$TestCSVFile" $ThisStr

IF ($AnyGap -eq "Yes")
	$TestStatus = "High"
	$SumVal = ""
	$TestText = "Some AD Partitions have not been backed up since last 7 days."

IF ($AnyGap -eq "No")
	$TestStatus = "Passed"
	$SumVal = ""
	$TestText = "All AD Partitions were backed up recently."

	IF ($AnyOneOk -eq "No")
		$TestStatus = "Error"
		$TestText = "Error Executing Dynamic Pack"
		$SumVal = ""

$STR = $ADTestName +","+$TestStartTime+","+$TestStatus+","+$SumVal +","+$TestText

### Script Ends here ###

Once the script has finished executing for the Active Directory Forest, a report will be generated in the C:TempADBackupStatus.CSVfile as shown in the screenshot below:

AD Health Check Screenshot

As you can see in the report above, the script collected all AD partitions from the Active Directory Forest and then reported the backup status of each AD partition in the Last Backup Date column.

Note that the script checks to see if any AD Partitions were missed in terms of being backed up during the last seven days. For example, the partition “DC=DomainDnsZones,DC=ServerWatch,DC=Com” was not backed up during the last seven daysm and that’s why we see “Partition has NOT been backed up since last 7 Days” in the Final Status column.

If you need to modify the “seven days” check to a different number of days, you can do so by modifying the “IF ($DaysNotBack -ge 7)” line in the script.

The above PowerShell script is part of the “AD Partitions Backup Test“ Dynamic Pack, which is available for use with the Active Directory Health Profiler. AD Health Profiler provides 97 health check for Active Directory and is capable of reporting the issue severity for each issue that it identifies in a managed Active Directory Forest.


We shared a small PowerShell script you can use to check the backup status for each AD Partition in an Active Directory forest environment. The PowerShell script reports the backup status of each AD partition in a CSV file that is generated by the PowerShell script. You can add the PowerShell script to your set of Active Directory key health check procedures.

Nirmal Sharma is a MCSEx3, MCITP and Microsoft MVP in Directory Services. He specializes in directory services, Microsoft Azure, Failover clusters, Hyper-V, System Center and Exchange Servers, and has been involved with Microsoft technologies since 1994. In his spare time, he likes to help others and share some of his knowledge by writing tips and articles on various sites and contributing to Health Packs for ADHealthProf.ITDynamicPacks.Net solutions. Nirmal can be reached at

Follow ServerWatch on Twitter and on Facebook

Get the Free Newsletter!

Subscribe to Daily Tech Insider for top news, trends & analysis

Latest Posts

Related Stories