In this article we’ll show how to restore Active Directory domain controller from a System State backup created earlier (see the article Active Directory backup) and discuss the types and principles of AD DC recovery.
Suppose, your AD domain controller has failed, and you want to restore it from a backup copy. Before you start to restore your DC, you must understand which scenario to use. It depends on whether you have other domain controllers in your network and the health of the Active Directory database on them.
How to Restore a Domain Controller Using Replication
DC recovery through standard AD replication is not quite a restoration of a DC from a backup. You can use this scenario if you have multiple domain controllers in your enterprise network, and all of them are operable. This scenario involves a new server installation with its further promotion to a new ADDS domain controller on the same site. The old DC is simply removed from AD.
It is the easiest way that is not related to any irreversible AD changes. In this scenario, the ntds.dit database, GPO files, and the contents of the SYSVOL folder will be automatically replicated to the new domain controller from the DCs that have stayed online.
If the ADDS database is small and another DC is available over a high-speed network link, the method described above is faster than restoring a DC from a backup copy.
Active Directory Restore Types: Authoritative & Non-Authoritative
There are two types of Active Directory DC restore from a backup that you must clearly understand prior you try to do it:
- Authoritative Restore — after you have restored your AD objects, the replication is performed from the restored DC to all other domain controllers. This restore type is used in scenarios when a single DC or all DCs have failed at the same time (for example, after a ransomware or virus attack) or a damaged NTDS.DIT database was replicated across a domain. In this mode, the USN (Update Sequence Number) value of all restored AD objects is increased by 100,000. Thus, DCs will see all restored objects as newer ones and they will be replicated in the domain. Use the Authoritative Restore very carefully!!!At the Authoritative Restore you will lose most AD changes made after you have created your backup (AD group membership, Exchange attributes, etc.).
- Non-authoritative Restore — after you have restored your AD database, the controller informs other DCs that it has been restored from a backup and needs the latest AD changes (a new DSA Invocation ID is created for the DC). You can use this recovery method on remote sites when it is hard to quickly replicate a large AD database through a slow WAN channel or if you have some important data or apps on your server.
Restore Active Directory Domain Controller from a System State Backup
Suppose, you have only one DC in your domain. For some reason a physical server it has been running on failed.
You have a relatively recent System State of your domain controller, and you want to restore Active Directory on a brand new server using Authoritative Restore.
To start the DC restore, you must install the same Windows Server version you had on a failed DC. Install the ADDS role (don’t configure it) and Windows Server Backup feature in the Windows Server you have just installed.
To restore your Active Directory you must boot the server in the DSRM (Directory Services Restore Mode). To do it, run msconfig and select the option Safe Boot -> Active Directory repair in the Boot tab.
Restart your server. It will boot in the DSRM. Run the Windows Server Backup (wbadmin
) and select Recover in the right menu.
In the Recovery Wizard, check ‘A backup stored on another location.’
Then select the disk, on which the backup of the old AD domain controller is stored or specify the UNC path to it.
wbadmin get versions -backupTarget:D:
Select the date of the backup to be used for recovery.
Check the System State to restore it.
Select Original location and check Perform an authoritative restore of Active Directory files.
The system will show a warning that it is another server backup and if recovered on a different server it may not work. Click OK.
Agree to another warning as well:
Windows Server Backup Note: This recovery option will cause replicated content on the local server to re-synchronize after recovery. This may cause potential latency or outage issues.
Then the process of AD domain controller recovery on a new server will start. When it is over, the server will require a reboot (the name of the new server will be changed to the DC hostname from the backup).
Boot the server in the normal mode (disable the DSRM using msconfig).
Login to the server using an account with the domain administrator privileges.
When I ran the Active Directory Users and Computers (ADUC) console for the first time, I got the following error:
Active Directory Domain Services Naming information cannot be located for the following reason: The server is not operational.
There were no SYSVOL and NETLOGON folders on the restored domain controller To fix this error:
- Run the regedit.exe;
- Go to the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters;
- Change the SysvolReady value from 0 to 1;
- Then restart the NetLogon service:
net stop netlogon & net start netlogon
Try to open ADUC again. You will see your domain structure.
So you have successfully recovered your AD domain controller in the Authoritative Restore mode. Then all objects in the Active Directory will be automatically replicated to other domain controllers.
If you have only DC left, make sure that it owns all 5 FSMO roles and seize them if needed.
How to Restore Separate AD Objects from a Backup?
If you want to restore specific AD objects, use the Active Directory Recycle Bin. If the tombstone lifetime has already expired or Active Directory Recycle Bin is not enabled, you can recover separate AD objects using the Authoritative Restore mode.
In brief, the procedure has the following steps:
- Boot the DC in the DSRM mode;
- Display the list of available backups:
wbadmin get versions
- Start the recovery of the selected backup:
wbadmin start systemstaterecovery –version:[your_version]
- Confirm the DC restore (in the Non-Authoritative mode)
- After the restart, run the
ntdsutil
activate instance ntds
authoritative restore
Specify the full LDAPl path to the object you want to restore. You can restore the entire OU:
restore subtree ″OU=Users,DC=woshub,DC=com″
Or a single AD object:
restore object “cn=Test,OU=Users,DC=woshub,DC=com”
This command will deny the replication of the specified objects (paths) from other domain controllers and increase the object USN by 100,000.
Exit ntdsutil: quit
Boot the DC in the normal mode and make sure that the object has been restored.
10 comments
Login after performing a system state backup fails. Account that had administrator privileges in the domain that was restored now can’t log in. Local login also doesn’t go through.
Hi!
Just to be sure….
I’ve a recent system state backup on a network share and my 2 hdd died…
Can I just install a clean w2008 r2, add the 2 roles and perform the restore? Will it recreate the entire domain controller / active directory objects? Is it so easy? (i don’t need the user data and apps installed…). I’ve 25 clients in that domain…I don’t want to reconfigure those pc on a new domain…
I’ve run into the same issue that P3T did – I restored the backup, and now when I try to log in using the domain admin account I get “Invalid function”. If I try a local admin account or a server admin account it says my username/password is incorrect.
Try logging in with DSRM password
Try login with DSRM Password
put .\Administrator and type password used while you were promoting your AD server
AD restore from system state backup is not supported by Microsoft.
This is not a correct statement. I just did for one of my client, he had only one AD. I had a system state backup.
Hello, which is the proper method for restoring a lone domain controller – it’s the only dc in the network (very small site), thus no replication…
Kind regards,
Mihai, what is your situation – do you have a full backup? You should be able to restore from that; the same situation I went through above. The DSRM password was the key to get it all working again.
Authoritative Restore, Follow this thread carefully, there is one critical piece missing for the standalone DC and no other DC available.
1. Same IP as the old or Dead DC
2. Just need a new clean OS
3. keep your old local Admin accounts creds handy of the exDC Server. For help reach me on Github @ramzcode