In this article we will show how to restore an Active Directory domain controller from a System State backup created earlier (see the article ) and focus on the types and principles of AD DC restoration.
Suppose your AD domain controller has failed and you want to restore it from a backup copy. Before you begin to restore your DC, you need to understand which scenario to use. This depends on whether you have other domain controllers in your network and on the health of the Active Directory database on them.
How to Restore a Domain Controller Using Replication?
DC restoration by means of normal AD replication is not really a restoration of a DC from a backup. You can use this scenario when you have several domain controllers in your enterprise network and all of them are operable. This scenario involves installing a new server and then promoting it to a new AD DS domain controller in the same site. The old DC is simply removed from AD.
This is the simplest approach, and it is not associated with any irreversible AD changes. In this scenario, the ntds.dit database, GPO data and the contents of the SYSVOL folder will be automatically replicated to the new domain controller from the DCs that have stayed online.
If the AD DS database is small and another DC is available over a high-speed network link, the method described above is faster than restoring a DC from a backup copy.
Active Directory Restore Types: Authoritative & Non-Authoritative
There are two types of Active Directory DC restore from a backup that you need to understand clearly before you attempt to perform one:
- Authoritative Restore — after you have restored your AD objects, replication is performed from the restored DC to all other domain controllers. This restore type is used in scenarios where a single DC or all DCs have failed at the same time (for example, after a ransomware or virus attack) or a corrupted NTDS.DIT database was replicated across the domain. In this mode the USN (Update Sequence Number) value of all restored AD objects is increased by 100,000. Thus, the other DCs will see all restored objects as newer ones and they will be replicated across the domain. Use the Authoritative Restore very carefully!
With an Authoritative Restore you will lose most AD changes made after you created your backup (, Exchange attributes, etc.).
- Non-authoritative Restore — after you have restored your AD database, the controller informs the other DCs that it has been restored from a backup and needs the latest AD changes (a new DSA Invocation ID is created for the DC). You can use this restore method at remote sites where it is hard to quickly replicate a large AD database over a slow WAN link, or if you had some important data or apps on your server.
Restore Active Directory Domain Controller from a System State Backup
Suppose you have only one DC in your domain. For some reason the physical server it was running on has failed.
You have a relatively recent System State backup of your domain controller, and you want to restore Active Directory on a brand new server using Authoritative Restore.
To begin the DC restore, you need to install the same Windows Server version you had on the failed DC. Install the AD DS role (do not configure it) and the Windows Server Backup feature on the Windows Server you have just installed.
In order to restore your Active Directory you need to boot the server in DSRM (Directory Services Restore Mode). To do this, run msconfig and select the option Safe boot -> Active Directory repair on the Boot tab.
Restart your server. It will boot in DSRM. Run Windows Server Backup (wbadmin) and select Recover in the right-hand menu.
In the Recovery Wizard, check 'A backup stored on another location'.
Then select the disk on which the backup of the old AD domain controller is stored, or specify the UNC path to it.
To make WSB see your backup on the disk, place the WindowsImageBackup directory containing your backup in the root folder of the drive. You can make sure that there are backups on your drive using this command:
wbadmin get versions -backupTarget:D:
Select the date of the backup to be used for recovery.
Check System State to restore it.
Select Original location and check Perform an authoritative restore of Active Directory files.
The system will display a warning that this is a backup of another server and that it may not work if recovered on a different server. Click OK.
Agree to another warning as well:
Windows Server Backup Note: This recovery option will cause replicated content on the local server to re-synchronize after recovery. This may cause potential latency or outage issues.
Then the process of AD domain controller restoration on the new server will begin. When it is over, the server will require a reboot (the name of the new server will be changed to the DC hostname from the backup).
Boot the server in normal mode (disable DSRM using msconfig).
Log in to the server using an account with domain administrator privileges.
When I ran the Active Directory Users and Computers (ADUC) console for the first time, I got the following error:
Active Directory Domain Services Naming information cannot be located for the following reason: The server is not operational.
There were no SYSVOL and NETLOGON folders on the restored domain controller. To fix this error:
- Run regedit.exe;
- Go to the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters;
- Change the SysvolReady value from 0 to 1;
- Then restart the Netlogon service:
net stop netlogon & net start netlogon
Try to open ADUC again. You will see your domain structure.
So you have successfully recovered your AD domain controller in Authoritative Restore mode. All objects in Active Directory will then be automatically replicated to the other domain controllers.
If you have only one DC left, make sure that it owns all if needed.
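As an added example (not from the original article), the following PowerShell script applies the same SysvolReady fix, but only after confirming that the SYSVOL and NETLOGON shares are actually missing, and re-checks the shares afterwards. It assumes an elevated PowerShell session on the restored DC and uses the registry path from the steps above; the function name is hypothetical.

```powershell
# Added example: check for the SYSVOL/NETLOGON shares on a restored DC and apply
# the SysvolReady registry fix from the article only when they are missing.
# Assumes an elevated Windows PowerShell session on the restored domain controller.

$regPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'

# Returns the names of the DC shares that are not present (empty array if all exist).
function Get-MissingDcShare {
    $present = (Get-SmbShare).Name
    return @(@('SYSVOL', 'NETLOGON') | Where-Object { $_ -notin $present })
}

$missing = Get-MissingDcShare
if ($missing.Count -eq 0) {
    Write-Host 'SYSVOL and NETLOGON are shared; no fix needed.'
    return
}
Write-Warning ('Missing shares: ' + ($missing -join ', '))

# Read the current flag first so the change is visible in the session transcript.
$current = (Get-ItemProperty -Path $regPath -Name SysvolReady -ErrorAction SilentlyContinue).SysvolReady
Write-Host "SysvolReady before: $current"

if ($current -ne 1) {
    # Same change as the manual regedit step, then restart Netlogon so it re-creates the shares.
    Set-ItemProperty -Path $regPath -Name SysvolReady -Value 1 -Type DWord
    Restart-Service -Name Netlogon -Force
    Start-Sleep -Seconds 10
}

# Re-check: if the shares are still missing, the flag was not the problem and
# SYSVOL replication (DFSR or FRS) itself needs attention.
$stillMissing = Get-MissingDcShare
if ($stillMissing.Count -eq 0) {
    Write-Host 'SYSVOL and NETLOGON are now shared; open ADUC to verify the domain structure.'
} else {
    Write-Warning ('Still missing: ' + ($stillMissing -join ', ') +
        '. Check the DFS Replication / File Replication Service event logs.')
}
```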
How to Restore Separate AD Objects from a Backup?
If you want to restore specific AD objects, use the Active Directory Recycle Bin. If the tombstone lifetime has already expired or the Active Directory Recycle Bin is not enabled, you can recover separate AD objects using Authoritative Restore mode.
In brief, the procedure has the following steps:
- Boot the DC in DSRM mode;
- Display the list of available backups:
wbadmin get versions
- Start the restore of the selected backup:
wbadmin start systemstaterecovery -version:[your_version]
- Confirm the DC restore (in Non-Authoritative mode);
- After the restart, run the following ntdsutil commands:
activate instance ntds
Specify the full LDAP path to the object you want to restore. You can restore an entire OU:
restore subtree "OU=Users,DC=woshub,DC=com"
Or a single AD object:
restore object "cn=Test,OU=Users,DC=woshub,DC=com"
This command will deny replication of the specified objects (paths) from the other domain controllers and increase the object USN by 100,000.
Boot the DC in normal mode and make sure that the object has been restored.
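As an added example (not part of the original article), this PowerShell script runs the ntdsutil authoritative restore of a single object non-interactively and, once the DC is back in normal mode, reads the object's replication metadata to confirm that its version was raised so the other DCs accept the restored copy. It assumes the object DN from the article, Windows PowerShell 5.1 (the argument quoting shown is for that version), that Invoke-AuthoritativeObjectRestore is run in DSRM as the DSRM administrator (ntdsutil needs the AD DS database offline), and that the ActiveDirectory module is installed; both function names are hypothetical.

```powershell
# Added example: non-interactive ntdsutil authoritative restore of one AD object,
# plus a post-reboot check. Function names are hypothetical; the DN is from the article.
$dn = 'cn=Test,OU=Users,DC=woshub,DC=com'

# Step 1: run in DSRM, after the non-authoritative System State restore.
# ntdsutil accepts its interactive commands as arguments; the escaped inner
# quotes keep the comma-containing DN as one ntdsutil token (Windows PowerShell 5.1).
function Invoke-AuthoritativeObjectRestore {
    param([Parameter(Mandatory)][string]$DistinguishedName)
    & ntdsutil.exe 'activate instance ntds' 'authoritative restore' `
        "restore object \`"$DistinguishedName\`"" quit quit
    if ($LASTEXITCODE -ne 0) {
        throw "ntdsutil exited with code $LASTEXITCODE; the object was not marked authoritative"
    }
}

# Step 2: run after rebooting into normal mode. The restored object should exist, and
# its attribute metadata versions should be far above what the other DCs hold, which is
# what makes the restored copy win during replication.
function Test-RestoredObject {
    param([Parameter(Mandatory)][string]$DistinguishedName)
    Import-Module ActiveDirectory
    $obj = Get-ADObject -Identity $DistinguishedName -Properties uSNChanged, whenChanged
    Write-Host "Found $($obj.DistinguishedName); uSNChanged=$($obj.uSNChanged) whenChanged=$($obj.whenChanged)"
    Get-ADReplicationAttributeMetadata -Object $obj -Server $env:COMPUTERNAME |
        Where-Object { $_.AttributeName -in @('name', 'objectClass') } |
        Select-Object AttributeName, Version, LocalChangeUsn, LastOriginatingChangeTime
}

# Usage (uncomment the step that matches the current boot mode):
# Invoke-AuthoritativeObjectRestore -DistinguishedName $dn   # in DSRM
# Test-RestoredObject -DistinguishedName $dn                 # after normal boot
```

If the Version values shown by the second function are not higher than on a healthy replication partner, the object was not marked authoritative and the ntdsutil step has to be repeated in DSRM.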