Are your Active Directory Partitions Backed Up?

Ever used repadmin /showbackup to check Active Directory backup status?

If not, here's what it does:

 

Right then. It reads the DSASignature attribute from each partition. Actually, it reads replication metadata for the DSASignature attribute which tells us when it was last updated. Let's do the same with PowerShell!

 

Partition List

First, we need to get a list of partitions:

$Partitions = (Get-ADRootDSE -Server $DC).namingContexts

 

Replication Metadata

Now, we can loop through those partitions with foreach and request the replication metadata for each partition object by asking for the msDS-ReplAttributeMetaData constructed attribute.

$Object = Get-ADObject -Identity $Partition -Properties msDS-ReplAttributeMetaData

  

Once we have the replication metadata we need to pick out the DSASignature:

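$Object."msDS-ReplAttributeMetaData" | ForEach-Object {
    # Each value is one XML fragment; strip null characters before the cast
    $MetaData = [XML]$_.Replace("`0","")
    $MetaData.DS_REPL_ATTR_META_DATA | ForEach-Object {
        If ($_.pszAttributeName -eq "dSASignature") {
            # ... work with the dSASignature metadata entry here
        }
    }
}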

 

Wow! I 'borrowed' some of this off Pierre Audonnet, a French PFE. He's written a couple of great posts on working with replication metadata.

So...the msDS-ReplAttributeMetaData attribute contains XML, one fragment per replicated attribute. This makes it very easy to work with. We have to do a little tidying up with the Replace method, which strips null characters from each value before the cast to XML, but apart from that we loop through the metadata with ease until we find data for the DSASignature attribute.

 

DSASignature Replication Metadata

Now get the time of the last backup, i.e. when the DSASignature for this partition was last changed:

$LastBackup = Get-Date $_.ftimeLastOriginatingChange
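
The steps above put together and compared against an age threshold in days, as an added example that is not the author's Get-ADPartitionBackupStatus function. The helper name Get-PartitionBackupAge, its parameters and the sample metadata values are assumptions made for illustration; it also handles a partition whose metadata has no dSASignature entry at all.

```powershell
# Added example. Get-PartitionBackupAge is a hypothetical helper name, not the
# author's Get-ADPartitionBackupStatus function.
function Get-PartitionBackupAge {
    param(
        [string]$Partition,
        [string[]]$ReplMetaData,      # values of msDS-ReplAttributeMetaData
        [int]$ThresholdDays = 7,      # assumed default
        [datetime]$Now = (Get-Date)
    )
    $LastBackup = $null
    foreach ($Value in $ReplMetaData) {
        # Each value is one XML fragment; strip null characters before the cast
        $Entry = ([xml]$Value.Replace("`0", "")).DS_REPL_ATTR_META_DATA
        if ($Entry.pszAttributeName -eq "dSASignature") {
            $LastBackup = Get-Date $Entry.ftimeLastOriginatingChange
        }
    }
    # No dSASignature metadata means no backup is recorded: always flag it
    $Overdue = ($null -eq $LastBackup) -or
        (($Now - $LastBackup).TotalDays -gt $ThresholdDays)
    [pscustomobject]@{
        Partition  = $Partition
        LastBackup = $LastBackup
        Overdue    = $Overdue
    }
}

# Constructed metadata values, trimmed to the two elements the helper reads
$Open = "<DS_REPL_ATTR_META_DATA><pszAttributeName>"
$Mid  = "</pszAttributeName><ftimeLastOriginatingChange>"
$End  = "</ftimeLastOriginatingChange></DS_REPL_ATTR_META_DATA>`0"
$Sample = @(
    "${Open}whenCreated${Mid}2012-01-10T08:00:00Z${End}",
    "${Open}dSASignature${Mid}2013-05-20T09:15:02Z${End}"
)
$Now = Get-Date "2013-06-01"

# Same backup time judged against a 7-day and a 30-day threshold
Get-PartitionBackupAge -Partition "DC=example,DC=com" -ReplMetaData $Sample -ThresholdDays 7 -Now $Now
Get-PartitionBackupAge -Partition "DC=example,DC=com" -ReplMetaData $Sample -ThresholdDays 30 -Now $Now
# Partition whose metadata has no dSASignature entry
Get-PartitionBackupAge -Partition "DC=ForestDnsZones,DC=example,DC=com" -ReplMetaData $Sample[0] -Now $Now

# Live use ($DC as in the post; needs the ActiveDirectory module):
# foreach ($Partition in (Get-ADRootDSE -Server $DC).namingContexts) {
#     $Object = Get-ADObject -Identity $Partition -Server $DC -Properties msDS-ReplAttributeMetaData
#     Get-PartitionBackupAge -Partition $Partition -ReplMetaData $Object."msDS-ReplAttributeMetaData"
# }
```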

 

Function It!

Of course, I had to put all this into a function and share:

Get-ADPartitionBackupStatus Function

 

You call the function with a -DC parameter and -BackupThreshold parameter. The latter parameter lets you determine partitions that haven't been backed up within the last N days. Let's see it in action:

 

Now, let's see repadmin in action: