In this post we’ll show how you to restore a Active Directory domain controller from a System State backup created earlier (see the post Active Directory backup) and discuss the types and principles of AD DC recovery.
Suppose, your AD domain controller has failed, and you want to restore it from a backup copy. Before you start to restore your DC, you must understand which scenario to use. It depends on whether you have other domain controllers in your network and the health of the Active Directory database on them.
How to Restore a Domain Controller Using Replication?
DC recovery through standard AD replication is not quite a restoration of a DC from a backup. You can use this scenario if you have multiple domain controllers in your enterprise network, and all of them are operable. This scenario involves new server installation with its further promotion to a new ADDS domain controller on the same site. The old DC is simply removed from AD.
It is the easiest way that is not related to any irreversible AD changes. In this scenario, the ntds.dit database, GPO files and the contents of the SYSVOL folder will be automatically replicated to the new domain controller from the DCs that have stayed online.
If the ADDS database is small and another DC is available over a high-speed network link, the method described above is faster than to restore a DC from a backup copy.
Active Directory Restore Types: Authoritative & Non-Authoritative
There are two types of Active Directory DC restore from a backup that you must clearly understand prior you try to do it:
- Authoritative Restore — after you have restored your AD objects, the replication is performed from the restored DC to all other domain controllers. This restore type is used in the scenarios when a single DC or all DCs have failed at the same time (for example, after a ransomware or virus attack) or a damaged NTDS.DIT database was replicated across a domain. In this mode the USN (Update Sequence Number) value of all restored AD objects is increased by 100,000. Thus, DCs will see all restored objects as newer ones and they will be replicated in the domain. Use the Authoritative Restore very carefully! As the Authoritative Restore you will lose most AD changes made after you have created your backup (AD group membership, Exchange attributes, etc.).
- Non-authoritative Restore — after you have restored your AD database, the controller informs other DCs that it has been restored from a backup and needs the latest AD changes (a new DSA Invocation ID is created for the DC). You can use this recovery method on remote sites when it is hard to quickly replicate a large AD database through a slow WAN channel or if you had some important data or apps on your server.
Restore Active Directory Domain Controller from a System State Backup
Suppose, you have only one DC in your domain. On some reason a physical server it has been running on failed.
You have a relatively recent System State of your domain controller, and you want to restore Active Directory on a brand new server using Authoritative Restore.
To start the DC restore, you must install the same Windows Server version you had on a failed DC. Install the ADDS role (don’t configure it) and Windows Server Backup feature in the Windows Server you have just installed.
In order to restore your Active Directory you must boot the server in the DSRM (Directory Services Restore Mode). To do it, run msconfig and select the option Safe Boot -> Active Directory repair in the Boot tab.
Restart you server. It will boot in the DSRM. Run the Windows Server Backup (wbadmin) and select Recover in the right menu.
In the Recovery Wizard, check ‘A backup stored on another location.’
Then select the disk, on which the backup of the old AD domain controller is stored or specify the UNC path to it. To make WSB see your backup on the disk, place the WindowsImageBackup directory with your backup to the root drive folder. You can make sure that there are backups on your drive using this command:wbadmin get versions -backupTarget:D:
Select the date of the backup to be used for recovery.
Check System State to restore it.
Select Original location and do check Perform an authoritative restore of Active Directory files.
The system will show a warning that it is another server backup and if recovered on a different server it may not work. Click OK.
Agree to another warning as well:
Windows Server Backup Note: This recovery option will cause replicated content on the local server to re-synchronize after recovery. This may cause potential latency or outage issues.
Then the process of AD domain controller recovery on a new server will start. When it is over, the server will require a reboot (the name of the new server will be changed to the DC hostname from the backup).
Boot the server in the normal mode (disable the DSRM using msconfig).
Login to the server using an account with the domain administrator privileges.
When I ran the Active Directory Users and Computers (ADUC) console for the first time, I got the following error:
Active Directory Domain Services Naming information cannot be located for the following reason: The server is not operational.
There were no SYSVOL and NETLOGON folders on the restored domain controller To fix this error:
- Run the regedit.exe;
- Go to the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters;
- Change the SysvolReady value from 0 to 1;
- Then restart the NetLogon service:
net stop netlogon & net start netlogon
Try to open ADUC again. You will see your domain structure.
So you have successfully recovered your AD domain controller in the Authoritative Restore mode. Then all objects in Active Directory will be automatically replicated to other domain controllers.
If you have the only DC left, make sure that it owns all 5 FSMO roles and seize them if needed.
How to Restore Separate AD Objects from a Backup?
If you want to restore specific AD objects, use the Active Directory Recycle Bin. If the tombstone lifetime has already expired or Active Directory Recycle Bin is not enabled, you can recover separate AD objects using the Authoritative Restore mode.
In brief, the procedure has the following steps:
- Boot the DC in the DSRM mode;
- Display the list of available backups:
wbadmin get versions - Start the recovery of the selected backup:
wbadmin start systemstaterecovery –version:[your_version] - Confirm the DC restore (in the Non-Authoritative mode)
- After the restart, run the
ntdsutil activate instance ntdsauthoritative restore
Specify the ful LDAPl path to the object you want to restore. You can restore the entire OU:
restore subtree ″OU=Users,DC=contoso,DC=com″
Or a single AD object:
restore object “cn=Test,OU=Users,DC=contoso,DC=com”
This command will deny the replication of the specified objects (paths) from other domain controllers and increase the object USN by 100,000.
Exit ntdsutil: quit
Boot the DC in the normal mode and make sure that the object has been restored.
