At work, we have a Microsoft Small Business Server 2011 server that's doing AD for the company. There are multiple Windows client machines that are part of the domain, but that server is the only domain controller in the AD. Keeping track of users and groups is pretty much the only thing the AD was doing for us - it has no GPOs configured, no Exchange server, and nothing else that we need to worry about.

After years of running well, the server started crashing. We figured out that the hard drive on it had bad sectors, and we are going to be switching out the hard drive. While we are doing that, management wants us to actually reinstall the SBS server and import the AD users and groups rather than do a bare metal restore from our backups.

My question is this: how can we back up users and groups from the currently running server (it's still running with a bad drive for now) so that we can restore them when we reinstall SBS? We need a way to back up all user information, group membership, and to make sure that all user SIDs and RIDs remain the same so that any permissions that are set up on our Windows clients don't need to be reconfigured (from what I understand, that's how that works).

PS. Yes, we should really have more than one domain controller in case one dies as this one did, and yes, we will be using RAID in the future.


2 Answers


A system state backup will back up AD. You can do this for free with the Windows Server Backup software that comes with your server.

The command line for that is:

wbadmin start systemstatebackup -backupTarget:<VolumeName>

The only "gotcha" is that the backup disk has to be something that the install DVD can see while booting, so I use things like 2TB external USB drives. (If it refuses one drive, it probably dislikes the partition size or block size. Try another.)

Once you have a system state backup, you can then restore the SBS server by booting off the install media, choosing recovery, and following the wizard. (You might want to test this process with a non-networked VM first.)

Good luck!

Katherine Villyard
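One way to check the SID requirement from the question around the system state restore described above: export every user's and group's SID plus the group memberships before the rebuild, export again after the restore, and compare the two. This is an added example, not part of either answer; the function names and the `E:\ad-baseline` path are assumptions.

```powershell
# Added example (not from either answer): record name -> SID pairings and group
# membership before the rebuild, then compare after the system state restore.
# Function names and the E:\ad-baseline path are assumptions; use a healthy disk.
Import-Module ActiveDirectory

function Export-ADSidBaseline {
    param([Parameter(Mandatory = $true)][string]$Path)

    New-Item -ItemType Directory -Path $Path -Force | Out-Null

    # One row per user and group. The SID is what ACLs on the clients reference.
    @(Get-ADUser -Filter *; Get-ADGroup -Filter *) |
        Select-Object ObjectClass, SamAccountName, DistinguishedName,
            @{ Name = 'SID'; Expression = { $_.SID.Value } } |
        Sort-Object SamAccountName |
        Export-Csv (Join-Path $Path 'principals.csv') -NoTypeInformation

    # One row per (group, member). The 'member' attribute does not list
    # primary-group membership (normally Domain Users).
    Get-ADGroup -Filter * -Properties member | ForEach-Object {
        $group = $_
        foreach ($dn in $group.member) {
            New-Object PSObject -Property @{
                Group    = $group.SamAccountName
                MemberDN = $dn
            }
        }
    } | Sort-Object Group, MemberDN |
        Export-Csv (Join-Path $Path 'membership.csv') -NoTypeInformation
}

function Compare-ADSidBaseline {
    param([string]$Before, [string]$After)

    # No output means every name -> SID pairing is identical in both exports.
    # '<=' rows exist only in the baseline, '=>' rows only after the restore.
    Compare-Object (Import-Csv $Before) (Import-Csv $After) `
        -Property SamAccountName, SID
}

# Before the rebuild, on the current DC:
Export-ADSidBaseline -Path 'E:\ad-baseline\before'

# After the restore, on the rebuilt DC:
# Export-ADSidBaseline -Path 'E:\ad-baseline\after'
# Compare-ADSidBaseline 'E:\ad-baseline\before\principals.csv' `
#                       'E:\ad-baseline\after\principals.csv'
```

The CSV files are an inventory for verification only; they cannot recreate accounts with their original SIDs, which is what the system state backup is for.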

Use VEEAM's tool: http://www.veeam.com/microsoft-active-directory-explorer.html

It's fully featured for 30 days, so roll it out when ready. Keep in mind LDAP/AD for 2011 is Active Directory 2008 R2 (ADSI/etc.), so it's not really a funky version; it's a true 2008 R2 AD server. SBS 2011 isn't that much different from Server 2008 R2; it's just limited in many respects, so when you look for tools to do any kind of utility, just look at that as the OS.

You can also do an ATTR Recovery with PowerShell: http://blogs.technet.com/b/ashleymcglone/archive/2014/04/24/oh-snap-active-directory-attribute-recovery-with-powershell.aspx

This script is useful if you have corruption resulting from your HDD:

Running locally from a domain controller...

# Dot source a reference to the function library
. .\AD_Snapshot_Functions.ps1

# Create a new snapshot and view it in the list
Show-ADSnapshot | Out-GridView
Show-ADSnapshot -WMI | Out-GridView

# Mount the database
Get-Help Mount-ADDatabase -Full
Mount-ADDatabase -Last -LDAPPort 33389

# Notice the snapshot list now shows which one is mounted
Show-ADSnapshot | Out-GridView
Show-ADSnapshot -WMI | Out-GridView

# View a user in both copies of the database
Get-ADUser Guest -Properties Description -Server localhost:33389
Get-ADUser Guest -Properties Description -Server localhost

# Repair a single attribute for a single account
Get-ADUser Guest -Server localhost |
    Repair-ADAttribute -Property Description -LDAPPort 33389

# Repair multiple attributes for multiple users
Get-ADUser -Filter {name -like "G*"} |
    Repair-ADAttribute -Property Department,Description -LDAPPort 33389

# Finish cleanly

> My question is this: how can we back up users and groups from the currently running server (it's still running with a bad drive for now) so that we can restore them when we reinstall SBS? We need a way to back up all user information, group membership, and to make sure that all user SIDs and RIDs remain the same so that any permissions that are set up on our Windows clients don't need to be reconfigured (from what I understand, that's how that works).

Use Workstation for the backup piece if VEEAM isn't your cup of tea. https://www.vmware.com/products/workstation

Then use Converter: https://www.vmware.com/products/converter to P2V your SBS server into it (make sure you have space) and perform all your recovery from the Type 2 hypervisor.

Matthew Dartez