Introduction

I posted an article a few months back in which I prepared an Active Directory Backup Policy and configured it. That is an end-to-end automated solution covering AD backup, version management and space management; no human intervention is required for any of these tasks.



Before you proceed, I suggest you read that article to understand how we implemented the AD Backup solution.


However, configuring and automating the AD backup is only one part. The other, equally important, part is to monitor the backup jobs: to ensure they run as scheduled and, more importantly, that each backup succeeds. Unlike the backup configuration, this is not a one-time task but a daily or weekly one, depending on your backup frequency.


Can we automate backup monitoring task without using any third party tool? Can we receive an email notification after every backup job, indicating the success / failure status of the backup?


The answer is yes: we can automate this with native Windows components only (Windows Server Backup, its event log, Task Scheduler and PowerShell), without any additional tool.



The solution I am proposing here is tested; we have been running it in our production environment for the last year. Since then we have received every single backup success and failure report without a single slip. It has saved us a lot of time and effort, and I believe it will save a lot of yours too once you implement it.

Implementation Approach



The implementation approach would be as follows:



1) We have to prepare two PowerShell scripts:


backup-success.ps1: Invoked after successful completion of a backup job. This script sends a pre-configured email informing the recipients that the backup on a particular Domain Controller is successful. The email is delivered to a pre-configured list of recipients.



backup-failure.ps1: Invoked if the backup job fails. This script sends a pre-configured email informing the recipients that the backup on a Domain Controller is NOT successful and that immediate attention is required. The email is delivered to a pre-configured list of recipients.


2) Backup success and failure status is captured from the Windows Event Log. The appropriate script (success or failure) is invoked based on specific Event IDs logged by Microsoft-Windows-Backup.



Configuration of Backup Success Notification



Create a New PowerShell Script



Our first task is to prepare a PowerShell script, which will send the backup successful notification.



Several parameters are environment specific, so set these values carefully in the script below:



• $smtpServer: SMTP server FQDN.

• $msg.From: Sender address. It must be a valid email address that your SMTP server accepts; using the Domain Controller's name as the local part shows at a glance which DC the report came from.

• $msg.subject: Add a meaningful subject.

• $bodyText: Email message.

• $msg.To.Add: Recipient email address / DL (for multiple recipients add one $msg.To.Add line per address).

As written, the script submits the mail anonymously on port 25, so the SMTP server must allow unauthenticated relay from the Domain Controller's IP address. Restrict that relay rule to the DC addresses only and keep the recipients to an internal DL; a relay that accepts anonymous submissions from anywhere is a common spam and spoofing vector.



The script would look like this:




###############################################################

# backup-success.ps1: run by Task Scheduler when Windows Server Backup logs Event ID 4.

$bodyText = @'
Hi Team,

Active Directory Daily Backup for subhro.com Domain is SUCCESSFUL.

No further action is required.

This is an auto generated mail. Please do not reply.

Regards,
IT Team
'@

$smtpServer = "<SMTP Server FQDN>"

# Creating a Mail object
$msg = New-Object Net.Mail.MailMessage

# Creating SMTP server object
$smtp = New-Object Net.Mail.SmtpClient($smtpServer)

# Email structure
$msg.From = "$($env:COMPUTERNAME)@subhro.com"   # sender identifies the DC where the backup succeeded
$msg.To.Add("<Recipient Email-address / DL>")
$msg.To.Add("<Recipient Email-address / DL>")   # one $msg.To.Add line per additional recipient
$msg.Subject = "AD Backup Success Report: Subhro.com Domain"
$msg.Body = $bodyText

# Sending email
$smtp.Send($msg)

#############################################################




Save the file as a PS1 file on the same Domain Controller where the AD backup is configured.



In our case, we saved it as “backup-success.ps1” on the E: drive of the Domain Controller. Because Task Scheduler will execute whatever this file contains, under the task account, on a Domain Controller, restrict the NTFS permissions on the script folder so that only the group that administers your DCs can modify it: anyone who can write to the file can run code on the DC in that account's context.




Create a New task



We will now create a scheduled task on the same Domain Controller.



1. Go to start > Run > Compmgmt.msc > Task Scheduler > Task Scheduler Library.



2. Right Click > Create Task.



3. Carefully select the options as shown below.



Please note that the user account used to run the task must hold the “Log on as a batch job” user right on the Domain Controller, in order to execute the PowerShell script.

If you get a warning while saving the task, the account you specified does not have “Log on as a batch job” on this computer (a Domain Controller grants it only to a few built-in groups by default). In that case, either change the user account or grant “Log on as a batch job” to this account through Group Policy (User Rights Assignment in the GPO that applies to your Domain Controllers).


Without this right, the PowerShell script will not run and therefore you will not get any email notification.








Also, this account should be protected from accidental password reset and should be set to “Password Never Expires”: a reset or an expired password silently stops the notifications. We recommend placing this account in an OU controlled by an RBAC policy, so that Service Desk staff cannot reset its password or make any other modification. The account needs no administrative rights for this task; “Log on as a batch job” plus read access to the script is enough, so do not use a Domain Admin account for it. On Windows Server 2012 and later, a group Managed Service Account (gMSA) avoids the stored, never-expiring password entirely; a task running as a gMSA has to be registered with Register-ScheduledTask or schtasks.exe, because the GUI's credential prompt expects a password.

 

In the ‘Configure For’ field, we have selected Windows Server 2012 R2 since that is the OS of our Domain Controller.







The next tab is the “Trigger” tab, where we will define the condition which will trigger the task.



In this case, the condition is an event with Event ID 4 from source Microsoft-Windows-Backup. Windows Server Backup logs this event when the backup operation has finished successfully, so no further action is required.



Perform following tasks in the “Trigger” tab:



1) Begin the task: On an Event

2) Log: Microsoft-Windows-Backup/Operational

3) Source: Backup

4) Event ID: 4





In the Actions tab, select following parameters:



1. Action: Start a Program

2. Program / Script: C:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell.exe

3. Add Arguments: -NoProfile -NonInteractive -File "E:\Scripts\backup-success.ps1" (this is the script created in the previous section; -File tells powershell.exe to treat the argument as a script path rather than a command). The script must also be permitted by the execution policy in force on the Domain Controller: sign it, or set the policy through Group Policy, rather than adding -ExecutionPolicy Bypass to the arguments.







In the Settings tab, uncheck the option “Allow task to be run on demand”. This task should always run once event ID 4 is generated by Microsoft-Windows-Backup, and it should not run on demand.







Save the task. You will be asked for the account's credentials while saving. Make sure you do not get any warning or message while saving the task.



So the configuration is complete, and you should get email notification once AD backup is successful on that Domain Controller / Server.



Likewise, you can configure it in other Domain Controllers where AD Backup is running.



Note: Make sure no backup job other than the AD backup runs on that Domain Controller. Any other Windows Server Backup job also generates event ID 4 when it completes successfully, which would trigger the script and send a false notification.



Configuration of Backup Failure Notification

Most of the steps are same as configuring Backup Success notification, so we will not go through every step and will only cover the differences.



Part 1: Create a New PowerShell Script



Copy the backup-success.ps1 script you prepared in the previous section and save it as backup-failure.ps1.

Edit the script and verify the following parameters:



$msg.subject: Add a meaningful subject to indicate Backup Failure.

$bodyText: Email Message.

$msg.To.Add : Recipient email address / DL (For multiple email addresses add multiple lines of $msg.To.Add)



The script should look something like this:




######################################################################

# backup-failure.ps1: run by Task Scheduler when Windows Server Backup logs any event other than 1, 4 or 14.

$bodyText = @'
Hi Team,

Active Directory Daily Backup for subhro.com Domain is NOT SUCCESSFUL.

This requires your IMMEDIATE ATTENTION!

This is an auto generated mail. Please do not reply.

Regards,
IT Team
'@

$smtpServer = "<SMTP Server FQDN>"

# Creating a Mail object
$msg = New-Object Net.Mail.MailMessage

# Creating SMTP server object
$smtp = New-Object Net.Mail.SmtpClient($smtpServer)

# Email structure
$msg.From = "$($env:COMPUTERNAME)@subhro.com"   # sender identifies the DC where the backup failed
$msg.To.Add("<Recipient Email-address / DL>")
$msg.To.Add("<Recipient Email-address / DL>")   # one $msg.To.Add line per additional recipient
$msg.Subject = "AD Backup FAILURE Report: Subhro.com Domain"
$msg.Body = $bodyText

# Sending email
$smtp.Send($msg)

#######################################################################
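The two scripts above differ only in subject and body, and both hand the mail to the SMTP server anonymously and in clear text. The following is an added example written for this edit, not the article's own script: a single backup-notify.ps1 that serves both the success and the failure task through a -Status parameter, submits over an authenticated STARTTLS session, and keeps the SMTP password out of the script file. Everything it assumes is marked in the comments and is not from the article: submission on port 587, a credential file E:\Scripts\smtp-cred.xml created by the task account itself with Export-Clixml, and the same subhro.com placeholders as the original scripts.

```powershell
# backup-notify.ps1 - added example, not part of the original article.
# One script for both tasks (-Status Success / -Status Failure) that submits the mail over an
# authenticated, TLS-protected SMTP session instead of anonymous relay on port 25.
# Assumptions not stated in the article: the SMTP server accepts STARTTLS on port 587, and
# E:\Scripts\smtp-cred.xml was created by the task account itself with
#     Get-Credential | Export-Clixml E:\Scripts\smtp-cred.xml
# (Export-Clixml protects the password with DPAPI, so only that account on this DC can read it).
param(
    [Parameter(Mandatory)][ValidateSet('Success', 'Failure')][string]$Status,
    [string]$SmtpServer     = '<SMTP Server FQDN>',
    [int]$Port              = 587,
    [string]$CredentialPath = 'E:\Scripts\smtp-cred.xml',
    [string[]]$To           = @('<Recipient Email-address / DL>'),
    [string]$Domain         = 'subhro.com'
)

$ErrorActionPreference = 'Stop'
$dc    = $env:COMPUTERNAME
$stamp = Get-Date -Format 'yyyy-MM-dd HH:mm'

if ($Status -eq 'Success') {
    $subject = "AD Backup Success Report: $Domain Domain ($dc)"
    $body = @"
Hi Team,

Active Directory Daily Backup for $Domain Domain on $dc is SUCCESSFUL ($stamp).

No further action is required.

This is an auto generated mail. Please do not reply.

Regards,
IT Team
"@
}
else {
    $subject = "AD Backup FAILURE Report: $Domain Domain ($dc)"
    $body = @"
Hi Team,

Active Directory Daily Backup for $Domain Domain on $dc is NOT SUCCESSFUL ($stamp).

This requires your IMMEDIATE ATTENTION!

This is an auto generated mail. Please do not reply.

Regards,
IT Team
"@
}

# Import-Clixml fails if the file was exported by a different account or on a different machine,
# which is exactly the property we want for a credential sitting on a Domain Controller.
$smtpCred = Import-Clixml -Path $CredentialPath

$msg = New-Object Net.Mail.MailMessage
$msg.From = "${dc}@${Domain}"            # sender identifies the DC
foreach ($rcpt in $To) { $msg.To.Add($rcpt) }
$msg.Subject = $subject
$msg.Body    = $body

$smtp = New-Object Net.Mail.SmtpClient($SmtpServer, $Port)
$smtp.EnableSsl   = $true                # STARTTLS on the submission port
$smtp.Credentials = $smtpCred.GetNetworkCredential()

try {
    $smtp.Send($msg)
}
catch {
    # Nothing else reports a lost alert: leave a trace next to the script and fail the task
    # so the problem is visible in Task Scheduler's history.
    Add-Content -Path (Join-Path $PSScriptRoot 'backup-notify.log') `
                -Value "$stamp $Status notification NOT sent: $($_.Exception.Message)"
    exit 1
}
finally {
    $msg.Dispose()
    $smtp.Dispose()
}
```

With this variant the two scheduled tasks point at the same file and differ only in their arguments: -NoProfile -NonInteractive -File "E:\Scripts\backup-notify.ps1" -Status Success for the success trigger and -Status Failure for the failure trigger. The credential file must be generated while running PowerShell as the task account (for example via runas), because DPAPI ties it to that account on that machine; if the task account ever changes, regenerate the file.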


Part 2: Create a New Task


Most of the steps are the same as in the backup success configuration, so you can export that task and import it under a different name, such as: AD Backup Failure Notification.







The only section which you need to modify is “Triggers”.



Please perform below steps:



Begin the Task: On an event

• Select “Custom” and click “New Event Filter”.







Select By Log : Microsoft-Windows-Backup/Operational

Include / Exclude Events : -4,-14,-1

• Click OK.







Putting a minus (-) sign in front of an ID excludes it, so this filter excludes events 4, 14 and 1.


This means the action is triggered when the event source is “Microsoft-Windows-Backup” and the event ID is anything other than 4, 14 or 1. These three IDs are logged by a successful backup, so we exclude them; if the event ID is any of these (4 / 14 / 1) the action is not triggered. Check this on your own Domain Controllers: run one backup you know succeeded and confirm that the Operational log shows only these three IDs for that run. Any additional informational ID that a successful run logs on your OS version must be added to the exclusion list, or every good backup will also raise a failure alert.


The next time you open this filter, you will not see the filter criteria but an XML query that Task Scheduler generated from them:







Here, the keyword “Suppress” denotes that the trigger would be suppressed (not executed) for event ID 4, 14 or 1.

 

In the “Actions” section, point the arguments at backup-failure.ps1 instead of backup-success.ps1.







So in this way, we have configured the notification for AD Backup Failure.


Note: Make sure no backup job other than the AD backup runs on that Domain Controller. Any other Windows Server Backup job that fails also writes failure events to this log, which would trigger the script and raise a false alarm.
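Both tasks above were built by clicking through the GUI. The following added example, written for this edit and not taken from the article, creates the same two tasks through the Task Scheduler COM API so the configuration is reproducible on every Domain Controller. The two XML subscriptions are this example's reconstruction of the filters the GUI produces (Event ID 4 for success; Select-everything plus a Suppress for 1, 4 and 14 for failure). Assumptions not stated in the article: the scripts live under E:\Scripts, the task account is typed in at a Get-Credential prompt, and the code is run from an elevated PowerShell on the DC.

```powershell
# Added example, not from the original article: registers both event-triggered tasks through
# the Task Scheduler COM API instead of the GUI. Assumptions (not in the article): scripts live
# under E:\Scripts; the task account is entered at the prompt; run elevated on the DC.

$ScriptRoot  = 'E:\Scripts'
$TaskAccount = Get-Credential -Message 'Account holding "Log on as a batch job" on this DC'

# Equivalent of the GUI's basic trigger: Log Microsoft-Windows-Backup/Operational, Source Backup, Event ID 4.
$SuccessSubscription = @'
<QueryList>
  <Query Id="0" Path="Microsoft-Windows-Backup">
    <Select Path="Microsoft-Windows-Backup">*[System[Provider[@Name='Microsoft-Windows-Backup'] and EventID=4]]</Select>
  </Query>
</QueryList>
'@

# Same shape the GUI produces for "-4,-14,-1": select everything, then Suppress the success trail.
$FailureSubscription = @'
<QueryList>
  <Query Id="0" Path="Microsoft-Windows-Backup">
    <Select Path="Microsoft-Windows-Backup">*[System[Provider[@Name='Microsoft-Windows-Backup']]]</Select>
    <Suppress Path="Microsoft-Windows-Backup">*[System[(EventID=1 or EventID=4 or EventID=14)]]</Suppress>
  </Query>
</QueryList>
'@

function Register-BackupNotificationTask {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string]$Subscription,
        [Parameter(Mandatory)][string]$ScriptPath,
        [Parameter(Mandatory)][pscredential]$Credential
    )
    if (-not (Test-Path -LiteralPath $ScriptPath)) { throw "Script not found: $ScriptPath" }

    $service = New-Object -ComObject 'Schedule.Service'
    $service.Connect()
    $task = $service.NewTask(0)
    $task.RegistrationInfo.Description = 'Mails the AD backup result when Windows Server Backup logs the matching event'

    $task.Settings.AllowDemandStart   = $false   # "Allow task to be run on demand" unchecked, as in the article
    $task.Settings.ExecutionTimeLimit = 'PT10M'  # a hung SMTP session must not keep the task alive
    $task.Settings.MultipleInstances  = 2        # TASK_INSTANCES_IGNORE_NEW

    $trigger = $task.Triggers.Create(0)          # 0 = TASK_TRIGGER_EVENT
    $trigger.Subscription = $Subscription

    $action = $task.Actions.Create(0)            # 0 = TASK_ACTION_EXEC
    $action.Path = "$env:SystemRoot\System32\WindowsPowerShell\v1.0\powershell.exe"
    # No -ExecutionPolicy Bypass: sign the scripts or set the policy by GPO on the DC.
    $action.Arguments = "-NoProfile -NonInteractive -File `"$ScriptPath`""

    $folder = $service.GetFolder('\')
    # 6 = TASK_CREATE_OR_UPDATE, 1 = TASK_LOGON_PASSWORD ("run whether user is logged on or not").
    # The COM API needs the clear-text password once, here; the Task Scheduler service stores it.
    [void]$folder.RegisterTaskDefinition($Name, $task, 6,
        $Credential.UserName, $Credential.GetNetworkCredential().Password, 1)
}

Register-BackupNotificationTask -Name 'AD Backup Success Notification' -Subscription $SuccessSubscription `
    -ScriptPath "$ScriptRoot\backup-success.ps1" -Credential $TaskAccount
Register-BackupNotificationTask -Name 'AD Backup Failure Notification' -Subscription $FailureSubscription `
    -ScriptPath "$ScriptRoot\backup-failure.ps1" -Credential $TaskAccount

# Verify: both tasks exist, are Ready, and cannot be started on demand.
Get-ScheduledTask -TaskName 'AD Backup * Notification' |
    Select-Object TaskName, State, @{ n = 'OnDemand'; e = { $_.Settings.AllowDemandStart } }
```

Registering through the API also gives you a review point the GUI does not: the Subscription strings are plain XML you can diff between Domain Controllers, and the failure query makes the exclusion list explicit, so adding an extra informational ID later is a one-line change rather than a click-through.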



Event Logs

We will now review some event logs which are associated with backup success and failure.



Backup Success Event Logs



A successful backup always generates event ID 4, along with event IDs 14 and 1, so we use event ID 4 as the trigger for the success notification.









Backup Failure Event Logs



Backup failure can generate different event IDs depending on the failure cause and the stage at which it failed. In this scenario, we took the backup drive offline, which generated event IDs 49 and 19.


Because the failure event ID is not fixed, we use different logic in this case: any Microsoft-Windows-Backup event other than the success trail (1, 4 and 14) is treated as a failure and triggers the action. This logic is more generic and easier to configure. One case it does not cover is a backup that never completes: a job that hangs, or never starts because its schedule was lost, logs no completion event at all, so neither task fires. Treat the absence of the success mail at the expected time as an alert in its own right.
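To confirm that the success trail on your own Domain Controllers really is 1, 4 and 14, and to see what each of the two triggers would have done for every recent run, the following added example (written for this edit, not part of the article) reads the Windows Server Backup operational channel and groups its events into runs. It assumes, as the article's triggers do, that the channel is named Microsoft-Windows-Backup (confirm with Get-WinEvent -ListLog *Backup*) and that every run opens with Event ID 1; both are assumptions of this example, not statements from the article.

```powershell
# Added example, not from the original article. Groups Microsoft-Windows-Backup events into runs
# and reports which Event IDs each run logged and which notification task(s) would have fired.
# Assumptions (not stated in the article): channel name 'Microsoft-Windows-Backup'
# (check with Get-WinEvent -ListLog *Backup*) and that every run begins with Event ID 1.

$SuccessTrail = 1, 4, 14    # IDs the article observed on every successful run

function Get-BackupRunSummary {
    param([int]$Days = 7)

    $since  = (Get-Date).AddDays(-$Days)
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Backup'; StartTime = $since } `
                           -ErrorAction SilentlyContinue | Sort-Object TimeCreated, RecordId
    if (-not $events) { Write-Warning "No Microsoft-Windows-Backup events since $since"; return }

    $runs = New-Object System.Collections.ArrayList
    $run  = $null
    foreach ($e in $events) {
        # Event ID 1 opens a new run; events before the first ID 1 are attached to a synthetic run.
        if ($e.Id -eq 1 -or $null -eq $run) {
            $run = @{ Started  = $e.TimeCreated
                      Ids      = New-Object System.Collections.ArrayList
                      Problems = New-Object System.Collections.ArrayList }
            [void]$runs.Add($run)
        }
        [void]$run.Ids.Add($e.Id)
        if ($e.Id -notin $SuccessTrail) {
            # Keep the first line of the message: this is what belongs in the failure mail or ticket.
            $text = if ($e.Message) { ($e.Message -split "`r?`n")[0] } else { '(no message text)' }
            [void]$run.Problems.Add("$($e.Id): $text")
        }
    }

    foreach ($r in $runs) {
        $unexpected = @($r.Ids | Where-Object { $_ -notin $SuccessTrail })
        $hasSuccess = $r.Ids -contains 4
        # Mirror the two triggers: ID 4 fires the success task; any non-trail ID fires the failure task.
        $verdict = if ($unexpected.Count -gt 0 -and $hasSuccess) { 'BOTH (success mail AND failure mail)' }
                   elseif ($unexpected.Count -gt 0)             { 'FAILURE' }
                   elseif ($hasSuccess)                         { 'SUCCESS' }
                   else { 'INCOMPLETE (no completion event: neither task fires)' }
        [pscustomobject]@{
            Started  = $r.Started
            EventIds = ($r.Ids | Sort-Object -Unique) -join ','
            Verdict  = $verdict
            Detail   = $r.Problems -join '; '
        }
    }
}

Get-BackupRunSummary -Days 7 | Format-Table -AutoSize -Wrap
```

Run it after a backup you know succeeded: a good run should show EventIds 1,4,14 and Verdict SUCCESS. A BOTH verdict means a successful run also logged an ID outside the trail, which is exactly the false-alarm case to fix by extending the exclusion list; an INCOMPLETE run is the silent case in which no mail would have been sent at all.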









Summary & Best Practices



Let’s summarize what we have done so far:



Created a Backup Success PowerShell script, for email notification.



The script would be triggered on an event, where event source is Microsoft-Windows-Backup and event ID is 4.



Created a Backup Failure PowerShell script, for email notification.



The script would be triggered on an event, where event source is Microsoft-Windows-Backup and event ID is anything other than 4, 14 or 1.



Make sure the user account running these tasks has the “Log on as a batch job” user right, and protect it from account expiry, password expiry and password reset; give it no more rights than the task needs.



The SMTP server configuration should be correct for successful email notification. Please consult with your Email / Exchange team on this part.



Export these tasks and keep the XML files as a backup, so the configuration can be re-imported on a rebuilt or additional Domain Controller.

 

Create Email Rules in your outlook / inbox to segregate backup success and failure notifications. This would make the monitoring task easy and quick.



Ensure you are receiving either a success or a failure notification from each Domain Controller where it is configured. A missing notification is itself a failure signal: a backup that hangs or never starts logs no completion event, so neither task will send mail.



