Windows OS Hub
January 31, 2025

Restoring Active Directory Domain Controller from a Backup

In this article, we’ll show how to restore an Active Directory domain controller from a previously created System State backup (see the Active Directory backup post) and discuss the types and principles of AD DC recovery.

Contents:
  • Replacing a Failed Domain Controller with a New One with AD Replication
  • Authoritative and Non-Authoritative Active Directory Restore
  • Restoring AD Domain Controller from a System State Backup
  • How to Restore Individual Objects in Active Directory

Even if you have a backup, when a domain controller fails you first have to choose a recovery scenario. The right one depends on whether other healthy domain controllers exist, whether they are reachable over the network from the site of the failed DC, and whether their copy of the Active Directory database is consistent.

Replacing a Failed Domain Controller with a New One with AD Replication

If you have several domain controllers deployed (the recommended configuration for Active Directory), it is usually easier to promote a new domain controller than to restore the failed server with the DC role from a backup.

If the AD DS database is small and the other DCs are reachable over a fast network link, this is much faster than restoring a DC from a backup. The failed domain controller must be removed from AD (metadata cleanup), and any FSMO roles it held must first be seized by a surviving DC.

After the new server is promoted to a DC, it replicates the NTDS.dit database, GPOs, SYSVOL folder contents and all other AD objects from the healthy DCs that remain online. This is the simplest way to restore domain controller capacity, and it makes no irreversible changes to Active Directory.
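The two preparatory steps above (seizing the dead DC’s FSMO roles and cleaning up its metadata) scripted in PowerShell, as an added example that is not part of the original article. The host names DC1 (dead) and DC2 (survivor), the site name Default-First-Site-Name and the domain DN DC=woshub,DC=com are illustrative assumptions.

```powershell
# Added example (not from the original article): replace a dead DC (DC1) with a
# surviving one (DC2). Host names, the site name and the domain DN are illustrative.
# Run on DC2 as a member of Enterprise Admins (schema/domain-naming roles) and
# Domain Admins; only do this when DC1 is definitely never coming back online.
Import-Module ActiveDirectory

$DeadDc     = 'DC1'
$SurvivorDc = 'DC2'

# 1. Find out which FSMO roles the dead DC held (two forest-wide, three domain-wide).
$forest = Get-ADForest
$domain = Get-ADDomain
$roleHolders = @{
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
}
$toSeize = @($roleHolders.GetEnumerator() |
    Where-Object { $_.Value -eq $DeadDc -or $_.Value -like "$DeadDc.*" } |
    ForEach-Object { $_.Key })

# 2. Seize those roles. -Force is what turns the transfer into a seizure: the
#    cmdlet does not try to contact DC1 first.
if ($toSeize.Count -gt 0) {
    "Seizing $($toSeize -join ', ') to $SurvivorDc"
    Move-ADDirectoryServerOperationMasterRole -Identity $SurvivorDc `
        -OperationMasterRole $toSeize -Force -Confirm:$false
}

# 3. Metadata cleanup: remove DC1's NTDS Settings/server object so the remaining
#    DCs stop trying to replicate with it. --% hands the rest of the line to
#    ntdsutil verbatim (ntdsutil shows a confirmation dialog before deleting).
ntdsutil --% "metadata cleanup" "remove selected server CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=woshub,DC=com" quit quit

# 4. Verify: DC1 must be gone and every role must have a live owner.
Get-ADDomainController -Filter * | Format-Table HostName, Site, OperationMasterRoles -AutoSize
netdom query fsmo
```

After this, delete DC1’s stale DNS records (A and SRV) and, if it is still there, its computer account in the Domain Controllers OU, then promote the replacement server with Install-ADDSDomainController; it will pull the whole directory from DC2.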

Authoritative and Non-Authoritative Active Directory Restore

There are two kinds of Active Directory Domain Services restore, and you need to understand them clearly before you start:

  • Authoritative Restore – after the objects are recovered, replication flows from the restored DC to every other domain controller in the domain. Use this mode when the only DC, or all DCs, have failed at the same time (for example, after a ransomware or virus attack), or when a corrupted NTDS.DIT database or an unwanted deletion has already replicated across the domain. The restored objects are marked authoritative by incrementing the version numbers of their attributes by 100,000 (by default, multiplied by the number of days elapsed since the backup), so the other DCs treat them as newer and accept them through replication. Use Authoritative Restore with great care!
    An authoritative restore discards every change made to the restored objects since the backup was taken (AD group membership, Exchange attributes, password changes, and so on).
  • Non-authoritative Restore – the restored DC tells the other DCs that it was restored from a backup and needs the AD changes made since then (it gets a new DSA invocation ID, so its replication partners recognise it as a fresh copy of the database and resend what it lacks). This is the default mode, and the one to use for a single failed DC while healthy DCs remain: for example at a remote site, where re-replicating a large AD database over a slow WAN link would take too long, or when the failed server also hosted critical data or applications that the backup brings back.

Restoring AD Domain Controller from a System State Backup

Let’s say there is only one DC in your domain and it becomes unavailable because of a physical server hardware failure. You have a System State backup of the old domain controller and want to restore Active Directory onto a brand-new server in authoritative restore mode.

Prepare a new host (physical or virtual) to restore the DC from the backup:

  • The new server must run the same version (and ideally the same patch level) of Windows Server as the failed DC.
  • Perform a clean installation of Windows Server. You do not need to give it the old DC’s hostname (the restore sets it for you), but it is advisable to give it the old DC’s IP address, because the restored DNS zone and the domain clients still refer to that address.
  • Install the Active Directory Domain Services role (do not promote the server) and the Windows Server Backup feature, from Server Manager or with PowerShell: Install-WindowsFeature -Name AD-Domain-Services, Windows-Server-Backup


To proceed with the Active Directory restore, boot the server into Directory Services Restore Mode (DSRM). To do this, run msconfig and, on the Boot tab, select Safe boot -> Active Directory repair, or run the following commands:

bcdedit /set safeboot dsrepair
shutdown /r /t 0


After the restart, the server boots into DSRM (safe mode). Open the Windows Server Backup snap-in (wbadmin.msc) and select Recover in the right pane.
In the Recovery Wizard, select A backup stored on another location.
Select the drive where the DC backup is located, or enter the UNC path of the shared network folder that contains the WindowsImageBackup directory, for example \\192.168.158.151\Backup\DC1 .


To make WSB see a backup on a local drive, copy the WindowsImageBackup directory that contains it to the root of that drive. To check which backups are visible on a drive, run:
wbadmin get versions -backupTarget:D:

Select the date of the backup to use for the recovery.
Check System State as the item to restore.

Select Original location and check the box Perform an authoritative restore of Active Directory files.

As a reminder, this is the authoritative AD restore scenario in which there is only one DC in the domain and no other healthy domain controllers exist!

If this box is left unchecked, a non-authoritative restore is performed instead.

A warning appears stating that the backup was made on a different server and may not work if it is recovered onto another one. Click OK.
Agree to another warning as well:

Windows Server Backup
Note: This recovery option will cause replicated content on the local server to re-synchronize after recovery. This may cause potential latency or outage issues.

The restore of the AD domain controller onto the new server then begins. When it completes, restart the server (its hostname automatically changes to the name of the DC stored in the backup).

After the reboot, log in with the local DSRM administrator account: enter the user name as .\administrator and the DSRM password that was set when the original DC was promoted.


Now boot the DC in normal mode by disabling DSRM boot from msconfig or with the command:

bcdedit /deletevalue safeboot

Log in to the server using a domain admin account (you can reset the domain administrator password if you don’t know it).

At this point the AD DS service is not yet operational. An error occurs when you try to open the Active Directory Users and Computers (ADUC) snap-in:

Active Directory Domain Services
Naming information cannot be located for the following reason:
The server is not operational.

List the shared folders:

net share

Note that the SYSVOL and NETLOGON shares are missing on the restored domain controller.


To fix this, tell Netlogon that SYSVOL is ready to be shared:

  1. Run regedit.exe;
  2. Go to the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters;
  3. Change the SysvolReady value from 0 to 1;
  4. Then restart the Netlogon service: net stop netlogon & net start netlogon

Try to open the ADUC console again. You should now see the domain’s Organizational Unit (OU) structure.

You have now recovered your AD domain controller in Authoritative Restore mode. Any other domain controllers in the domain will replicate the restored objects from this DC.
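The post-restore checks from this section, scripted so they can be re-run until the DC is healthy. This is an added example, not code from the original article: it verifies the DC is no longer in safe boot, lists the core DC services, applies the SysvolReady fix only if the SYSVOL and NETLOGON shares are actually missing, and finishes with the dcdiag Advertising and NetLogons tests. Run it in an elevated PowerShell on the restored DC after the normal-mode boot.

```powershell
# Added example (not from the original article): verify the restored DC after it
# boots in normal mode and apply the SysvolReady fix if SYSVOL/NETLOGON are not
# shared. Run in an elevated PowerShell on the restored DC.

$netlogonParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'

function Test-DcSysvolShares {
    # $true only if both shares a client needs for logon scripts and GPOs exist.
    $shares = (Get-SmbShare -ErrorAction SilentlyContinue).Name
    return ('SYSVOL' -in $shares) -and ('NETLOGON' -in $shares)
}

# 1. Do not run this in DSRM: the fix applies to a normal boot.
$safeboot = bcdedit /enum '{current}' | Select-String 'safeboot'
if ($safeboot) {
    Write-Warning "Still configured for safe boot: $safeboot. Run 'bcdedit /deletevalue safeboot' and reboot first."
    return
}

# 2. Core DC services must be running before SYSVOL can be published.
foreach ($svc in 'NTDS', 'Netlogon', 'DNS', 'DFSR') {
    $s = Get-Service $svc -ErrorAction SilentlyContinue
    if ($s) { '{0,-8} {1}' -f $svc, $s.Status }
}

# 3. If the shares are missing, flip SysvolReady to 1 and restart Netlogon.
if (-not (Test-DcSysvolShares)) {
    $ready = (Get-ItemProperty $netlogonParams -Name SysvolReady -ErrorAction SilentlyContinue).SysvolReady
    "SysvolReady is currently: $ready"
    Set-ItemProperty -Path $netlogonParams -Name SysvolReady -Value 1 -Type DWord
    Restart-Service Netlogon -Force
    Start-Sleep -Seconds 5
}

if (Test-DcSysvolShares) {
    'SYSVOL and NETLOGON are shared.'
    # 4. Confirm the DC advertises itself and that the NETLOGON tests pass.
    dcdiag /test:Advertising /test:NetLogons
} else {
    Write-Warning 'SYSVOL/NETLOGON still missing; check the DFS Replication (or FRS) event log for the SYSVOL replication state.'
}
```

If the shares still do not appear after the registry change, the usual cause is the SYSVOL replication service (DFSR or FRS) not having finished initialising its replica; its event log says why.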

How to Restore Individual Objects in Active Directory

If you have accidentally deleted an AD object, there is no need to restore it from a backup. If the Active Directory Recycle Bin is enabled, deleted objects can be restored with all their attributes within the deleted-object lifetime (180 days by default, the same as tombstoneLifetime) using the Restore-ADObject cmdlet or the Active Directory Administrative Center snap-in. Note that the Recycle Bin must already be enabled at the time of the deletion (it does not help with objects deleted earlier), and enabling it is irreversible.
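Enabling the Recycle Bin and restoring a deleted OU with everything that was inside it, as an added example that is not part of the original article. It assumes a deleted OU named Users that lived directly under the domain root of woshub.com; the point it shows beyond the paragraph is ordering: Restore-ADObject refuses to restore an object whose former parent (lastKnownParent) is itself still deleted, so the tree has to be restored top-down.

```powershell
# Added example (not from the original article): enable the AD Recycle Bin and
# restore a deleted OU together with everything that was inside it.
# Assumptions: forest woshub.com, a deleted OU named "Users" that lived directly
# under the domain root. Run on a DC (or with RSAT) as a Domain/Enterprise Admin.
Import-Module ActiveDirectory

# 1. Enable the Recycle Bin. This is one-way (it cannot be disabled again) and it
#    only protects objects deleted AFTER it was enabled.
$rb = Get-ADOptionalFeature -Filter 'name -eq "Recycle Bin Feature"'
if (-not $rb.EnabledScopes) {
    Enable-ADOptionalFeature -Identity $rb -Scope ForestOrConfigurationSet `
        -Target (Get-ADForest).Name -Confirm:$false
}

# 2. What is in the Recycle Bin? Deleted objects keep their attributes and record
#    their former parent container in lastKnownParent.
Get-ADObject -Filter 'isDeleted -eq $true -and name -ne "Deleted Objects"' `
    -IncludeDeletedObjects -Properties lastKnownParent, whenChanged |
    Sort-Object whenChanged -Descending |
    Format-Table Name, ObjectClass, lastKnownParent, whenChanged -AutoSize

# 3. Restore parents before children: Restore-ADObject fails for an object whose
#    lastKnownParent is itself still deleted, so walk the tree top-down.
function Restore-ADDeletedChildren {
    param([string]$ParentDn)
    $children = Get-ADObject -IncludeDeletedObjects -Properties lastKnownParent `
        -LDAPFilter "(&(isDeleted=TRUE)(lastKnownParent=$ParentDn))"
    foreach ($child in $children) {
        Restore-ADObject -Identity $child.ObjectGUID
        $restoredDn = (Get-ADObject -Identity $child.ObjectGUID).DistinguishedName
        "Restored $restoredDn"
        # Nested OUs/containers may have had deleted children of their own.
        Restore-ADDeletedChildren -ParentDn $restoredDn
    }
}

function Restore-ADDeletedOU {
    param([string]$OuName, [string]$ParentDn)
    # msDS-LastKnownRDN is the name the object had before "\0ADEL:<guid>" was appended.
    $ou = Get-ADObject -IncludeDeletedObjects -Properties lastKnownParent `
        -LDAPFilter "(&(isDeleted=TRUE)(objectClass=organizationalUnit)(msDS-LastKnownRDN=$OuName)(lastKnownParent=$ParentDn))"
    if (-not $ou) { throw "No deleted OU '$OuName' found under $ParentDn" }
    if (@($ou).Count -gt 1) { throw "Several deleted OUs named '$OuName'; restore by ObjectGUID instead" }
    Restore-ADObject -Identity $ou.ObjectGUID
    $ouDn = (Get-ADObject -Identity $ou.ObjectGUID).DistinguishedName
    "Restored $ouDn"
    Restore-ADDeletedChildren -ParentDn $ouDn
}

Restore-ADDeletedOU -OuName 'Users' -ParentDn (Get-ADDomain).DistinguishedName
```

Group memberships and other linked attributes come back with the objects, which is the main advantage of the Recycle Bin over a tombstone reanimation or a backup restore.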

If the Recycle Bin was not enabled when the object was deleted, you can bring individual AD objects back with an authoritative restore. The System State backup you use must be newer than the tombstone lifetime: a backup older than tombstoneLifetime cannot be used to restore a DC at all. The procedure is carried out with the ntdsutil command in DSRM:

  1. List the available backups: wbadmin get versions
  2. Start the restore from the selected backup: wbadmin start systemstaterecovery -version:[your_version]
  3. Confirm the DC restore (in non-authoritative mode)
  4. After the restart (still in DSRM), run ntdsutil
  5. activate instance ntds
  6. authoritative restore
  7. Specify the full LDAP path (distinguished name) of the object you want to restore.

To restore the entire OU:

restore subtree "OU=Users,DC=woshub,DC=com"

Or a single AD object:

restore object "cn=Test,OU=Users,DC=woshub,DC=com"


This marks the specified objects as authoritative: ntdsutil increments the version numbers of their attributes (by 100,000 per day elapsed since the backup, by default; the verinc option sets a different increment), so replication treats the restored copies as the newest and pushes them to every DC in the domain instead of overwriting them with the deletion again. ntdsutil may also write LDIF (.ldf) files for the group memberships (back-links) of the restored objects; if it does, import them with ldifde -i -k -f <file> on a DC of the affected domain after the restore.

Exit from ntdsutil:

quit

Boot the DC in normal mode and check that the deleted AD object has been restored.
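The same individual-object restore driven non-interactively, as an added example that is not part of the original article. Both functions must be run from an elevated prompt while the DC is booted in DSRM; the backup share \\192.168.158.151\Backup and the object DNs are illustrative assumptions, and the backup-version parsing assumes wbadmin’s English output.

```powershell
# Added example (not from the original article): non-authoritative system state
# restore followed by an authoritative restore of selected objects, scripted.
# Run in DSRM in an elevated prompt. Paths and DNs are illustrative assumptions.

function Assert-InDsrm {
    # Both phases are only valid in Directory Services Restore Mode.
    if (-not (bcdedit /enum '{current}' | Select-String 'safeboot\s+dsrepair')) {
        throw 'Not in DSRM: run "bcdedit /set safeboot dsrepair" and reboot first.'
    }
}

function Get-LatestSystemStateBackupVersion {
    param([string]$BackupTarget)   # e.g. '\\192.168.158.151\Backup' or 'D:'
    # wbadmin prints one "Version identifier: MM/DD/YYYY-HH:MM" line per backup,
    # newest last (assumes the English output format).
    $out = wbadmin get versions -backupTarget:$BackupTarget
    $ids = @($out | Select-String 'Version identifier:\s*(\S+)' |
        ForEach-Object { $_.Matches[0].Groups[1].Value })
    if ($ids.Count -eq 0) { throw "No backups found on $BackupTarget" }
    return $ids[-1]
}

# Phase 1 (DSRM): non-authoritative system state restore, then reboot (still in DSRM).
function Start-DcSystemStateRestore {
    param([string]$BackupTarget)
    Assert-InDsrm
    $ver = Get-LatestSystemStateBackupVersion -BackupTarget $BackupTarget
    "Restoring system state version $ver from $BackupTarget"
    # -quiet skips the confirmation prompt. No -authsysvol: SYSVOL stays
    # non-authoritative and is pulled from the other DCs afterwards.
    wbadmin start systemstaterecovery -version:$ver -backupTarget:$BackupTarget -quiet
}

# Phase 2 (DSRM, after the reboot): mark only the deleted objects as authoritative.
function Set-ADObjectsAuthoritative {
    param([string[]]$ObjectDn, [string[]]$SubtreeDn)
    Assert-InDsrm
    # Each array element becomes one ntdsutil command. DNs containing spaces need
    # extra quoting; for those, use the interactive ntdsutil session instead.
    $cmds = @('activate instance ntds', 'authoritative restore')
    foreach ($dn in @($SubtreeDn)) { if ($dn) { $cmds += "restore subtree $dn" } }
    foreach ($dn in @($ObjectDn))  { if ($dn) { $cmds += "restore object $dn" } }
    $cmds += 'quit', 'quit'
    & ntdsutil @cmds
}

# Usage (two runs, with a reboot in between):
#   Start-DcSystemStateRestore -BackupTarget '\\192.168.158.151\Backup'
#   ...reboot (still in DSRM)...
#   Set-ADObjectsAuthoritative -ObjectDn 'cn=Test,OU=Users,DC=woshub,DC=com'
#   Set-ADObjectsAuthoritative -SubtreeDn 'OU=Users,DC=woshub,DC=com'
```

After phase 2, read ntdsutil’s output for any .ldf files it generated for back-links, remove the safeboot flag (bcdedit /deletevalue safeboot), reboot normally and verify the objects with Get-ADObject.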

12 comments

p3t November 27, 2020 - 11:31 am

Login after performing a system state backup fails. Account that had administrator privileges in the domain that was restored now can’t log in. Local login also doesn’t go through.

Mike March 10, 2021 - 5:16 pm

Hi!
Just to be sure….
I’ve a recent system state backup on a network share and my 2 hdd died…
Can I just install a clean w2008 r2, add the 2 roles and perform the restore? Will it recreate the entire domain controller / active directory objects? Is it so easy? (i don’t need the user data and apps installed…). I’ve 25 clients in that domain…I don’t want to reconfigure those pc on a new domain…

Doug July 6, 2022 - 9:03 pm

I’ve run into the same issue that P3T did – I restored the backup, and now when I try to log in using the domain admin account I get “Invalid function”. If I try a local admin account or a server admin account it says my username/password is incorrect.

admin July 14, 2022 - 8:37 am

Try logging in with DSRM password

Daniella November 29, 2024 - 12:48 pm

It could be because the machine is still in safe boot. Then you just log in to the machine with whatever works, e.g. a guest or local account, go to msconfig and, under Boot, uncheck Safe boot. Now you should be able to log in with the domain admin if you log out and in again.

Piotr Gruszczyński September 27, 2022 - 10:52 pm

Try login with DSRM Password
put .\Administrator and type password used while you were promoting your AD server

Srg February 9, 2023 - 1:30 pm

AD restore from system state backup is not supported by Microsoft.

Ramzcode October 14, 2023 - 10:06 pm

This is not a correct statement. I just did for one of my client, he had only one AD. I had a system state backup.

Mihai B. September 21, 2023 - 12:55 pm

Hello, which is the proper method for restoring a lone domain controller – it’s the only dc in the network (very small site), thus no replication…

Kind regards,

DOUG September 21, 2023 - 1:43 pm

Mihai, what is your situation – do you have a full backup? You should be able to restore from that; the same situation I went through above. The DSRM password was the key to get it all working again.

Ramzcode October 14, 2023 - 10:11 pm

Authoritative Restore, Follow this thread carefully, there is one critical piece missing for the standalone DC and no other DC available.

1. Same IP as the old or Dead DC
2. Just need a new clean OS
3. keep your old local Admin accounts creds handy of the exDC Server. For help reach me on Github @ramzcode

Narvel Fartman December 20, 2024 - 8:27 pm

“…Install the ADDS role (don’t configure it)…” This is where the process fails. The machine is not a DC and, at least in server 2022, will absolutely not boot into DSRM even after the msconfig step. DCPromo has to run in order for the ADDS and all its bits and bobs (like DSRM) to be functional.

