Windows OS Hub

July 9, 2020 | Active Directory, Windows Server 2012 R2, Windows Server 2016

How to Restore Active Directory from a Backup?

In this article we'll show how to restore an Active Directory domain controller from a System State backup created earlier (see the article Active Directory backup) and discuss the types and principles of AD DC recovery.

Contents:
  • How to Restore a Domain Controller Using Replication?
  • Active Directory Restore Types: Authoritative & Non-Authoritative
  • Restore Active Directory Domain Controller from a System State Backup
  • How to Restore Separate AD Objects from a Backup?

Suppose your AD domain controller has failed and you want to restore it from a backup copy. Before you start, you must decide which scenario applies. That depends on whether you have other domain controllers in your network and on the health of the Active Directory database on them.

How to Restore a Domain Controller Using Replication?

Recovering a DC through standard AD replication is not really a restore from a backup at all. Use this scenario when you have several domain controllers in the network and the remaining ones are healthy. A new server is installed and promoted to an AD DS domain controller in the same site; the failed DC is simply removed from Active Directory (its metadata must be cleaned up so that the surviving DCs stop trying to replicate with it).

It is the easiest way, and it makes no irreversible changes to AD. The ntds.dit database, the GPO files and the rest of the SYSVOL content are replicated to the new domain controller from the DCs that stayed online.

If the AD DS database is small and another DC is reachable over a fast network link, this method is quicker than restoring a DC from a backup copy.
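As an added example (not code from the original article), here is the scripted version of this replication-based rebuild in PowerShell. The names are assumptions: domain woshub.com, failed DC DC01 in the site Default-First-Site-Name; the first part runs on a surviving DC, the second on the freshly installed server.

```powershell
# Added example, not part of the original article. Rebuilding a failed DC by
# replication: clean up the dead DC's metadata on a surviving DC, then promote
# a fresh server. Hypothetical names: domain woshub.com, failed DC "DC01",
# site "Default-First-Site-Name". Run in an elevated PowerShell with RSAT.

$Domain   = 'woshub.com'
$FailedDC = 'DC01'
$Site     = 'Default-First-Site-Name'

# --- Part 1: on a surviving, healthy domain controller ----------------------

# Do not touch anything until the remaining DCs replicate cleanly with each other.
repadmin /replsummary
dcdiag /test:replications /q

# If the dead DC held any FSMO role, seize it here. There is nothing to
# "transfer" from a server that no longer exists.
$Forest = Get-ADForest $Domain
$Dom    = Get-ADDomain $Domain
$Owners = @{
    SchemaMaster         = $Forest.SchemaMaster
    DomainNamingMaster   = $Forest.DomainNamingMaster
    PDCEmulator          = $Dom.PDCEmulator
    RIDMaster            = $Dom.RIDMaster
    InfrastructureMaster = $Dom.InfrastructureMaster
}
$RolesOnDeadDC = $Owners.GetEnumerator() |
    Where-Object { $_.Value -like "$FailedDC.*" } | ForEach-Object Key
if ($RolesOnDeadDC) {
    Move-ADDirectoryServerOperationMasterRole -Identity $env:COMPUTERNAME `
        -OperationMasterRole $RolesOnDeadDC -Force
}

# Remove the dead DC's NTDS Settings object, computer account, FRS/DFSR
# membership and DNS records in one ntdsutil call. The server object lives
# under the site container of the Configuration partition.
$ConfigNC = (Get-ADRootDSE).configurationNamingContext
$ServerDN = "CN=$FailedDC,CN=Servers,CN=$Site,CN=Sites,$ConfigNC"
ntdsutil "metadata cleanup" "remove selected server $ServerDN" quit quit

# Verify nothing is left behind: no server object, no stale A record.
Get-ADObject -Filter "name -eq '$FailedDC'" -SearchBase $ConfigNC   # expect no output
Get-DnsServerResourceRecord -ZoneName $Domain -RRType A |
    Where-Object HostName -eq $FailedDC                                # expect no output

# --- Part 2: on the newly installed server ----------------------------------

Install-WindowsFeature AD-Domain-Services -IncludeManagementTools
# Promotion pulls ntds.dit and SYSVOL from the surviving DCs over the wire.
# The DSRM password becomes the local Administrator password of this DC in
# Directory Services Restore Mode; it is a privileged credential, vault it.
Install-ADDSDomainController -DomainName $Domain -SiteName $Site -InstallDns `
    -Credential (Get-Credential "$Domain\Administrator") `
    -SafeModeAdministratorPassword (Read-Host 'DSRM password' -AsSecureString)

# --- After the automatic reboot: confirm the new DC replicates and advertises -
repadmin /showrepl
dcdiag /test:advertising /q
Get-ADDomainController -Filter * | Select-Object HostName, Site, OperationMasterRoles
```

The metadata cleanup is the step people skip: without it the surviving DCs keep a replication partner that never answers, and a new server promoted under the old name can collide with the stale objects.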

Active Directory Restore Types: Authoritative & Non-Authoritative

There are two types of Active Directory DC restore from a backup, and you must clearly understand the difference before you attempt either:

  • Authoritative Restore — the restored objects are marked as authoritative, so after the restore they replicate from the restored DC to all other domain controllers and overwrite the copies held there. Use it when a deletion or a damaged NTDS.DIT database has already replicated across the domain (for example, after a ransomware or virus attack), or when all DCs were lost at the same time and the restored one has to become the reference copy. Technically an authoritative restore is a non-authoritative restore of the System State followed by marking objects (or the whole database) authoritative with ntdsutil, which raises the version numbers of the restored objects' attributes by a large value (100,000 by default, multiplied by the number of days since the backup). Other DCs therefore treat the restored objects as newer and accept them. Use the Authoritative Restore very carefully!
    An authoritative restore rolls the marked objects back to the state they had when the backup was taken: AD changes made after the backup (group membership, password changes, Exchange attributes, etc.) are lost for those objects. Remember also that a System State backup contains the complete NTDS.DIT, including every account's password hash, so it must be stored and handled with the same care as a domain controller itself.
  • Non-authoritative Restore — the default mode of any System State restore. After the database has been restored, the DC receives a new DSA Invocation ID, which tells the other DCs that it was restored from a backup and needs every change made since; normal replication then brings it up to date. Use this method on remote sites when it would take too long to replicate a large AD database over a slow WAN link, or when the server also hosted important data or applications that you want back.

Restore Active Directory Domain Controller from a System State Backup

Suppose you have only one DC in your domain and, for whatever reason, the physical server it was running on has failed.

You have a relatively recent System State backup of the domain controller and want to restore Active Directory on a brand-new server using an Authoritative Restore.

To start the restore, install the same Windows Server version (and, as far as possible, the same patch level) that the failed DC was running. On the newly installed server, add the AD DS role (do not promote the server) and the Windows Server Backup feature.


To restore Active Directory you must boot the server into DSRM (Directory Services Restore Mode). Run msconfig, open the Boot tab and select Safe boot -> Active Directory repair (the command-line equivalent is bcdedit /set safeboot dsrepair).

Restart the server; it boots into DSRM. Start Windows Server Backup (wbadmin.msc) and click Recover in the Actions pane on the right.
In the Recovery Wizard select 'A backup stored on another location'.
Then select the disk on which the backup of the old domain controller is stored, or specify the UNC path to it.

For WSB to find the backup on a local disk, the WindowsImageBackup directory must sit in the root of the drive. You can check that backups are visible on the drive with this command:
wbadmin get versions -backupTarget:D:

Select the date of the backup to use for the recovery.
Tick System State as the item to restore.
Choose Original location and tick Perform an authoritative restore of Active Directory files. Note what this checkbox actually does: it marks the restored SYSVOL as authoritative (the same as the -authsysvol switch of wbadmin) so that it is replicated out rather than overwritten; it does not mark the objects in the NTDS database authoritative, which only ntdsutil can do. With a single DC in the domain the distinction does not matter, since there is nobody to replicate with.
The wizard warns that the backup was taken on a different server and that the recovered system may not work on other hardware. Click OK.
Agree to another warning as well:

Windows Server Backup
Note: This recovery option will cause replicated content on the local server to re-synchronize after recovery. This may cause potential latency or outage issues.
The System State recovery onto the new server then starts. When it finishes, the server must be rebooted (during the restore the hostname of the new server is changed to the DC name from the backup).
Boot the server in normal mode (turn the Safe boot option off in msconfig, or run bcdedit /deletevalue safeboot).

Log on to the server with an account that has domain administrator privileges. If domain logon fails right after the restore, log on locally as .\Administrator with the DSRM password that was set when the DC was originally promoted (the restore brings the old DC's DSRM account back together with its registry).

When I opened the Active Directory Users and Computers (ADUC) console for the first time, I got the following error:

Active Directory Domain Services
Naming information cannot be located for the following reason:
The server is not operational.

The SYSVOL and NETLOGON shares were missing on the restored domain controller. To fix the error:

  1. Run regedit.exe;
  2. Go to the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters;
  3. Change the SysvolReady value from 0 to 1;
  4. Restart the Netlogon service: net stop netlogon & net start netlogon

Open ADUC again: your domain structure is back.
You have now recovered the domain controller from its System State backup. Bear in mind that the wizard only marked SYSVOL authoritative; in a domain with surviving DCs, the AD objects on the restored DC would be brought up to date by normal replication from them, and anything you need rolled back in the database has to be marked authoritative with ntdsutil (see the last section).

If this is the only DC left, make sure it owns all five FSMO roles and seize them if needed. Also check that the DC advertises itself (dcdiag) and, if the new server has a different IP address than the old one, re-register its DNS records (ipconfig /registerdns for the A record, a Netlogon restart for the SRV records) before clients are allowed back.
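The command-line equivalent of the wizard steps above, together with the post-restore checks, as an added example that is not part of the original article. Assumptions (hypothetical): the System State backup lies on D:\ under WindowsImageBackup, the old DC was named DC01, the domain is woshub.com, and the version identifier is a constructed placeholder to be replaced with the value wbadmin prints.

```powershell
# Added example, not part of the original article. Scripted restore of a DC
# from a System State backup onto a new server, plus the post-restore checks.
# Hypothetical: backup on D:\ (WindowsImageBackup), old DC "DC01", domain
# woshub.com.

# --- On the freshly installed server, still in normal mode -------------------
Install-WindowsFeature AD-Domain-Services, Windows-Server-Backup -IncludeManagementTools

# Boot into Directory Services Restore Mode. bcdedit is the scripted equivalent
# of msconfig -> Safe boot -> Active Directory repair; the setting persists
# across reboots until it is deleted again.
bcdedit /set safeboot dsrepair
Restart-Computer

# --- In DSRM, logged on as .\Administrator ----------------------------------
# Before the restore this is the new server's local Administrator; after the
# restore it is the old DC's DSRM account, because the SAM comes back with
# the registry.
wbadmin get versions -backupTarget:D: -machine:DC01

# -authsysvol is the same thing as the wizard's "Perform an authoritative
# restore of Active Directory files": SYSVOL is marked authoritative, the NTDS
# objects are not (that needs ntdsutil). -machine is required because the
# backup was taken under a different computer name.
$Version = '07/09/2020-08:00'   # constructed placeholder; use the value from "get versions"
wbadmin start systemstaterecovery -version:$Version -backupTarget:D: `
    -machine:DC01 -authsysvol -quiet
# The restore ends with a mandatory reboot; the server comes back with the
# hostname from the backup.

# --- After the reboot, still in DSRM: return to normal boot ------------------
bcdedit /deletevalue safeboot
Restart-Computer

# --- Normal mode, logged on as a domain admin --------------------------------
# 1. SYSVOL/NETLOGON not shared (the ADUC "server is not operational" error).
$NetlogonKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
if ((Get-ItemProperty $NetlogonKey).SysvolReady -ne 1) {
    Set-ItemProperty $NetlogonKey -Name SysvolReady -Value 1
    Restart-Service Netlogon
}
Get-SmbShare -Name SYSVOL, NETLOGON     # both shares must exist now

# 2. The only DC left must own all five FSMO roles; seize any role that still
#    names a DC that no longer exists.
$Me  = (Get-ADDomainController).HostName
$Dom = Get-ADDomain
$For = Get-ADForest
$Owners = @{
    SchemaMaster         = $For.SchemaMaster
    DomainNamingMaster   = $For.DomainNamingMaster
    PDCEmulator          = $Dom.PDCEmulator
    RIDMaster            = $Dom.RIDMaster
    InfrastructureMaster = $Dom.InfrastructureMaster
}
$Missing = $Owners.GetEnumerator() | Where-Object { $_.Value -ne $Me } | ForEach-Object Key
if ($Missing) {
    Move-ADDirectoryServerOperationMasterRole -Identity $Me -OperationMasterRole $Missing -Force
}

# 3. Re-register DNS records in case the new server has a new IP address, then
#    run a health check before clients are let back in.
ipconfig /registerdns
Restart-Service Netlogon
dcdiag /q
repadmin /showrepl
```

The restore itself is a rollback of the whole directory to the backup date: every password changed and every account created after that date is gone, so treat the restored DC as a known-good but stale state and review accounts and group memberships before trusting it again.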

How to Restore Separate AD Objects from a Backup?

If you want to restore specific AD objects, the Active Directory Recycle Bin is the first choice (it brings back an object with its linked attributes, such as group memberships, intact). If the Recycle Bin is not enabled, or the deleted object lifetime has already expired, you can recover individual objects from a System State backup with an authoritative restore. The backup must be newer than the tombstone lifetime of the forest (180 days by default for forests created on Windows Server 2003 SP1 or later), otherwise the restore is refused.

In brief, the procedure has the following steps:

  1. Boot the DC into DSRM;
  2. Display the list of available backups: wbadmin get versions
  3. Start the recovery of the selected backup: wbadmin start systemstaterecovery -version:[your_version]
  4. Confirm the restore; the System State is restored in the Non-Authoritative mode and the server reboots (keep it in DSRM);
  5. After the reboot, still in DSRM, run ntdsutil;
  6. activate instance ntds
  7. authoritative restore

Specify the full LDAP path (distinguished name) of the object you want to restore. You can restore an entire OU:

restore subtree "OU=Users,DC=woshub,DC=com"

or a single AD object:

restore object "cn=Test,OU=Users,DC=woshub,DC=com"

The command marks the specified objects (and, for a subtree, everything under it) as authoritative: their attribute version numbers are increased by 100,000 (multiplied by the number of days since the backup), so they win the replication conflict with the copies held on other domain controllers and are replicated out to them instead of being overwritten. ntdsutil also reports an LDIF file it has created with the back-links (group memberships) that the authoritative restore cannot reinstate by itself; keep it and import it with ldifde -i -k -f <file> where ntdsutil's output tells you to, otherwise the restored objects may come back without their group memberships.

Exit ntdsutil: quit

Boot the DC in normal mode and make sure that the object has been restored.
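The object-level authoritative restore above as a script, added here as an example that is not part of the original article. It assumes the DC has just been restored non-authoritatively with wbadmin, has rebooted and is still in DSRM; the user CN=Test in OU=Users of woshub.com is the hypothetical object from the text.

```powershell
# Added example, not part of the original article. Authoritative restore of a
# single object with ntdsutil after a non-authoritative System State restore.
# Preconditions: server is in DSRM (bcdedit /set safeboot dsrepair), logged on
# as .\Administrator with the DSRM password. Hypothetical object: the user
# "Test" in OU=Users of woshub.com.

$ObjectDN = 'CN=Test,OU=Users,DC=woshub,DC=com'

# ntdsutil takes its whole menu path as quoted arguments, so the interactive
# session "activate instance ntds / authoritative restore / restore object ..."
# collapses into one line. A DN containing spaces would need embedded quotes.
ntdsutil "activate instance ntds" "authoritative restore" "restore object $ObjectDN" quit quit

# ntdsutil leaves an LDIF file with the back-links of the restored object (the
# name pattern below is the one it uses, given here as an assumption) in the
# current directory. It is imported on the other DCs after replication has
# caught up; ntdsutil's own output says on which DCs.
Get-ChildItem -Filter 'ar_*_links_*.ldf' | ForEach-Object {
    Write-Host "After replication, import on the DCs named by ntdsutil: ldifde -i -k -f $($_.FullName)"
}

# Back to normal boot.
bcdedit /deletevalue safeboot
Restart-Computer

# --- After the reboot, in normal mode ---------------------------------------
# The object must be back, and its attribute versions must show the jump that
# makes it authoritative (at least 100,000 above the pre-restore values).
Get-ADObject -Identity $ObjectDN -Properties memberOf, whenChanged
repadmin /showobjmeta . $ObjectDN

# Once replication has run, confirm a partner DC agrees; if it still shows the
# object as deleted, the version bump did not happen and the deletion will win.
Get-ADReplicationPartnerMetadata -Target (Get-ADDomainController).HostName |
    Select-Object Partner, LastReplicationSuccess, LastReplicationResult
```

Restoring a subtree works the same way with "restore subtree <OU DN>"; be aware that it marks every object under that OU authoritative, including ones that were legitimately changed after the backup, which then all roll back.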


5 comments

p3t November 27, 2020 - 11:31 am

Login after performing a system state backup fails. Account that had administrator privileges in the domain that was restored now can’t log in. Local login also doesn’t go through.

Reply
Mike March 10, 2021 - 5:16 pm

Hi!
Just to be sure….
I’ve a recent system state backup on a network share and my 2 hdd died…
Can I just install a clean w2008 r2, add the 2 roles and perform the restore? Will it recreate the entire domain controller / active directory objects? Is it so easy? (i don’t need the user data and apps installed…). I’ve 25 clients in that domain…I don’t want to reconfigure those pc on a new domain…

Reply
Doug July 6, 2022 - 9:03 pm

I’ve run into the same issue that P3T did – I restored the backup, and now when I try to log in using the domain admin account I get “Invalid function”. If I try a local admin account or a server admin account it says my username/password is incorrect.

Reply
admin July 14, 2022 - 8:37 am

Try logging in with DSRM password

Reply
Piotr Gruszczyński September 27, 2022 - 10:52 pm

Try logging in with the DSRM password:
put .\Administrator and type the password used while you were promoting your AD server

Reply
