
July 9, 2020 | Active Directory, Windows Server 2012 R2, Windows Server 2016

How to Restore Active Directory from a Backup?

In this article we’ll show how to restore an Active Directory domain controller from a System State backup created earlier (see the article Active Directory backup) and discuss the types and principles of AD DC recovery.

Contents:
  • How to Restore a Domain Controller Using Replication?
  • Active Directory Restore Types: Authoritative & Non-Authoritative
  • Restore Active Directory Domain Controller from a System State Backup
  • How to Restore Separate AD Objects from a Backup?

Suppose your AD domain controller has failed and you want to restore it from a backup copy. Before you start restoring the DC, you must decide which scenario to use. The choice depends on whether there are other domain controllers in your network and on the health of the Active Directory database on them.

How to Restore a Domain Controller Using Replication?

DC recovery through standard AD replication is not really a restore of a DC from a backup. You can use this scenario if you have multiple domain controllers in your network and all of them are operational. It consists of installing a new server and promoting it to an additional AD DS domain controller in the same site. The old DC is simply removed from AD.

This is the easiest way, and it makes no irreversible changes to AD. In this scenario the ntds.dit database, the GPO files and the contents of the SYSVOL folder are replicated automatically to the new domain controller from the DCs that stayed online.

If the AD DS database is small and another DC is reachable over a fast network link, this method is quicker than restoring a DC from a backup copy.
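The replication-based rebuild described above, scripted in PowerShell as an added example (this is not code from the original article). It assumes the domain woshub.com, a failed DC named DC01, a site named Default-First-Site-Name, and that it runs elevated on the freshly installed server; adjust those names to your environment.

```powershell
# Added example: rebuild a failed DC by promoting a new server and removing the old DC's metadata.
# Assumed names (placeholders): domain woshub.com, failed DC "DC01", site "Default-First-Site-Name".
$DomainName = 'woshub.com'
$FailedDc   = 'DC01'
$SiteName   = 'Default-First-Site-Name'

# 1. Install the AD DS binaries and the AD PowerShell module (this does not promote the server).
Install-WindowsFeature AD-Domain-Services -IncludeManagementTools

# 2. Stop unless at least one surviving DC answers on LDAP; otherwise this scenario does not apply
#    and a System State restore is the right path.
$survivors = Get-ADDomainController -Filter "Name -ne '$FailedDc'" -Server $DomainName |
    Where-Object { Test-NetConnection -ComputerName $_.HostName -Port 389 -InformationLevel Quiet }
if (-not $survivors) { throw 'No healthy domain controller is reachable; restore from a System State backup instead.' }

# 3. Promote the new server as an additional DC in the same site. ntds.dit, GPOs and SYSVOL
#    are pulled from the surviving DCs by normal replication. The server reboots when done.
$cred = Get-Credential -Message "Domain admin for $DomainName"
$dsrm = Read-Host -AsSecureString -Prompt 'DSRM password for the new DC'
Install-ADDSDomainController -DomainName $DomainName -SiteName $SiteName -InstallDns `
    -Credential $cred -SafeModeAdministratorPassword $dsrm -Force

# --- after the reboot, on the new DC ---

# 4. Remove the failed DC's metadata so it stops being a replication partner.
#    "remove selected server" takes the DN of the old server object in the Configuration partition.
$configDn = (Get-ADRootDSE).configurationNamingContext
$oldServerDn = "CN=$FailedDc,CN=Servers,CN=$SiteName,CN=Sites,$configDn"
ntdsutil "metadata cleanup" "remove selected server $oldServerDn" quit quit

# 5. Confirm the old DC is gone and replication with the survivors is healthy.
Get-ADDomainController -Filter * | Select-Object Name, Site, IsGlobalCatalog
Get-ADReplicationPartnerMetadata -Target $env:COMPUTERNAME |
    Select-Object Partner, LastReplicationSuccess, LastReplicationResult
repadmin /replsummary
```

Run step 4 only after you have confirmed the old DC will never come back online; metadata cleanup is the one part of this scenario that should not be reverted by accident.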

Active Directory Restore Types: Authoritative & Non-Authoritative

There are two types of Active Directory DC restore from a backup, and you must clearly understand the difference before you attempt either:

  • Authoritative Restore — after the AD objects are restored, replication flows from the restored DC to all other domain controllers. Use this type when a single DC (or all DCs at the same time) has failed (for example, after a ransomware or virus attack), or when a damaged NTDS.DIT database has been replicated across the domain. In this mode the USN (Update Sequence Number) of every restored AD object is increased by 100,000, so the other DCs treat the restored objects as the newest versions and accept them through replication. Use the Authoritative Restore very carefully!
    In an Authoritative Restore you lose most AD changes made after the backup was created (AD group membership, Exchange attributes, etc.).
  • Non-authoritative Restore — after the AD database is restored, the controller tells the other DCs that it was restored from a backup and needs the latest AD changes (a new DSA Invocation ID is generated for the DC). This method is suitable for remote sites where replicating a large AD database over a slow WAN link would take too long, or for a server that also hosted important data or applications.

Restore Active Directory Domain Controller from a System State Backup

Suppose you have only one DC in your domain, and for some reason the physical server it was running on has failed.

You have a relatively recent System State backup of the domain controller, and you want to restore Active Directory onto a brand new server using an Authoritative Restore.

To start the DC restore, install the same Windows Server version that the failed DC was running. Then install the AD DS role (without configuring it) and the Windows Server Backup feature on the newly installed server.

[Screenshot: installing the Windows Server Backup feature]

To restore Active Directory you must boot the server into DSRM (Directory Services Restore Mode). To do so, run msconfig and on the Boot tab select Safe boot -> Active Directory repair.

[Screenshot: booting the server into Active Directory repair mode (DSRM)]

Restart your server; it will boot into DSRM. Run Windows Server Backup (wbadmin) and select Recover in the right-hand menu.

[Screenshot: starting the Recovery Wizard in Windows Server Backup]

In the Recovery Wizard, select ‘A backup stored on another location’.

[Screenshot: Windows Server Backup, restoring a backup stored in another location]

Then select the disk on which the backup of the old AD domain controller is stored, or specify the UNC path to it.

For WSB to see the backup on the disk, the WindowsImageBackup directory containing the backup must be in the root folder of the drive. You can check that backups exist on the drive with this command:
wbadmin get versions -backupTarget:D:

Select the date of the backup to use for the recovery.

[Screenshot: selecting the DC backup date]

Check System State to restore it.

[Screenshot: recovering the System State backup on the Active Directory domain controller]

Select Original location and check Perform an authoritative restore of Active Directory files.

[Screenshot: Perform an authoritative restore of Active Directory files]

The wizard warns that the backup was taken on a different server and that it may not work if recovered onto another one. Click OK.

[Screenshot: warning that the specified backup is of a different server than the current one]

Accept the next warning as well:

Windows Server Backup
Note: This recovery option will cause replicated content on the local server to re-synchronize after recovery. This may cause potential latency or outage issues.

Then the recovery of the AD domain controller on the new server starts. When it finishes, the server asks for a reboot (the new server is renamed to the DC hostname from the backup).

[Screenshot: Windows Server Backup recovering the AD domain controller System State]

Boot the server in normal mode (disable DSRM using msconfig).
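The same restore done from the command line instead of the Recovery Wizard, as an added example that is not from the original article. It assumes the backup lives on drive D: under WindowsImageBackup, that the failed DC was named DC01, and that the commands run from an elevated prompt on the new server; the backup version string is a placeholder you take from `wbadmin get versions`.

```powershell
# Added example: CLI equivalent of the Recovery Wizard steps for an authoritative
# System State restore onto a newly installed server.
# Placeholders: backup drive D:, failed DC name DC01, version id from "wbadmin get versions".
$backupDrive = 'D:'
$backupHost  = 'DC01'   # machine name recorded inside the backup

# 1. AD DS binaries (left unconfigured) plus Windows Server Backup.
Install-WindowsFeature AD-Domain-Services, Windows-Server-Backup

# 2. Make the next boot go into Directory Services Restore Mode (same effect as the msconfig option).
bcdedit /set safeboot dsrepair
Restart-Computer -Force

# --- after the reboot, in DSRM ---

# 3. List the backups WSB can see for that machine on that drive.
#    WindowsImageBackup must sit in the root of the drive for this to return anything.
wbadmin get versions "-backupTarget:$backupDrive" "-machine:$backupHost"

# 4. Restore the System State. -authsysvol makes the restore authoritative
#    (the wizard checkbox "Perform an authoritative restore of Active Directory files");
#    omit it for a non-authoritative restore. -quiet skips the interactive prompts.
$version = '<version id from step 3, e.g. MM/DD/YYYY-HH:MM>'   # placeholder
wbadmin start systemstaterecovery "-version:$version" "-backupTarget:$backupDrive" `
    "-machine:$backupHost" -authsysvol -quiet

# 5. wbadmin asks for a restart when it is done. Clear the DSRM boot flag first so the
#    server comes up in normal mode under the DC's hostname from the backup.
bcdedit /deletevalue safeboot
Restart-Computer -Force
```

Keep the backup drive attached until step 4 reports success; wbadmin reads the backup set directly from it during the recovery.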

Log in to the server with an account that has domain administrator privileges.

When I ran the Active Directory Users and Computers (ADUC) console for the first time, I got the following error:

Active Directory Domain Services
Naming information cannot be located for the following reason:
The server is not operational.

There were no SYSVOL and NETLOGON shares on the restored domain controller. To fix this error:

  1. Run regedit.exe;
  2. Go to the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters;
  3. Change the SysvolReady value from 0 to 1;
     [Screenshot: SysvolReady set to 1 in the DC registry]
  4. Then restart the Netlogon service: net stop netlogon & net start netlogon

Open ADUC again; you will now see your domain structure.

[Screenshot: recovered objects in Active Directory]

You have now recovered your AD domain controller in Authoritative Restore mode, and all objects in Active Directory will be replicated automatically to the other domain controllers.

If this is the only DC left, make sure that it owns all five FSMO roles and seize them if needed.
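A post-restore health check that covers the SysvolReady fix, the SYSVOL/NETLOGON shares and the five FSMO roles in one pass, as an added example that is not from the original article. It assumes it runs elevated on the restored DC with the ActiveDirectory module present; set `$SeizeRoles` to `$true` only when this DC is the sole survivor, because seizing roles that a live DC still holds causes a split.

```powershell
# Added example: validate a DC after a System State restore and, if it is the last DC,
# seize the FSMO roles. Assumes an elevated session on the restored DC itself.
$SeizeRoles = $false   # set to $true only when no other DC exists any more

# 1. Netlogon only shares SYSVOL and NETLOGON once SysvolReady is 1 (the registry fix from the article).
$regPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$ready = (Get-ItemProperty -Path $regPath -Name SysvolReady -ErrorAction SilentlyContinue).SysvolReady
if ($ready -ne 1) {
    Set-ItemProperty -Path $regPath -Name SysvolReady -Value 1 -Type DWord
    Restart-Service Netlogon
    Start-Sleep -Seconds 5
}

# 2. Confirm the shares are back; without them clients cannot apply Group Policy or run logon scripts.
$shares = Get-SmbShare -Name SYSVOL, NETLOGON -ErrorAction SilentlyContinue
foreach ($name in 'SYSVOL', 'NETLOGON') {
    if ($shares.Name -contains $name) { "share $name : OK" } else { Write-Warning "share $name is missing" }
}

# 3. Map each FSMO role to its current holder and compare with this DC's FQDN.
$domain = Get-ADDomain
$forest = Get-ADForest
$me     = (Get-ADDomainController -Identity $env:COMPUTERNAME).HostName
$roles  = [ordered]@{
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
}
$elsewhere = $roles.GetEnumerator() | Where-Object { $_.Value -ne $me }
$roles.GetEnumerator() | ForEach-Object { "{0,-22} {1}" -f $_.Key, $_.Value }

# 4. Seize only the roles that still point at a DC that no longer exists.
if ($elsewhere -and $SeizeRoles) {
    # -Force turns the transfer into a seizure when the current holder is unreachable.
    Move-ADDirectoryServiceOperationMasterRole -Identity $env:COMPUTERNAME `
        -OperationMasterRole ($elsewhere.Key) -Force -Confirm:$false
} elseif ($elsewhere) {
    Write-Warning ("Roles held elsewhere: " + ($elsewhere.Key -join ', ') + ". Seize them only if that DC is gone for good.")
}

# 5. Built-in diagnostics: advertising as a DC and SYSVOL readiness.
dcdiag /test:advertising /test:sysvolcheck
```

The script prints the role table before it changes anything, so the output doubles as a record of what the domain looked like right after the restore.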

How to Restore Separate AD Objects from a Backup?

If you want to restore specific AD objects, use the Active Directory Recycle Bin. If the tombstone lifetime has already expired or the Active Directory Recycle Bin is not enabled, you can recover individual AD objects using the Authoritative Restore mode.

In brief, the procedure consists of the following steps:

  1. Boot the DC into DSRM;
  2. Display the list of available backups: wbadmin get versions
  3. Start the recovery of the selected backup: wbadmin start systemstaterecovery -version:[your_version]
  4. Confirm the DC restore (in Non-Authoritative mode);
  5. After the restart, run ntdsutil and enter the following commands:
     activate instance ntds
     authoritative restore

Specify the full LDAP path of the object you want to restore. You can restore an entire OU:

restore subtree "OU=Users,DC=woshub,DC=com"

Or a single AD object:

restore object "cn=Test,OU=Users,DC=woshub,DC=com"

[Screenshot: ntdsutil authoritative restore of a single AD object]

This command marks the specified objects (or subtree) as authoritative and increases their USN by 100,000, so the copies on the other domain controllers are overwritten by the restored ones rather than the other way round.

Exit ntdsutil: quit

Boot the DC in normal mode and verify that the object has been restored.
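The object-level restore above, scripted end to end with a before/after check of the object's USN, as an added example that is not from the original article. It assumes the object DN cn=Test,OU=Users,DC=woshub,DC=com from the article, that the commands run elevated on the DC, and a placeholder backup version string; each quoted argument to ntdsutil is one command from the interactive menus shown above.

```powershell
# Added example: authoritative restore of one AD object, scripted.
# Placeholders: the backup version id and the DN of the object to restore.
$objectDn      = 'cn=Test,OU=Users,DC=woshub,DC=com'
$backupVersion = '<version id from "wbadmin get versions">'

# A. In DSRM: non-authoritative System State restore (no -authsysvol here), then reboot as prompted.
wbadmin get versions
wbadmin start systemstaterecovery "-version:$backupVersion" -quiet

# B. Still in DSRM after the reboot: mark only this object as authoritative.
#    ntdsutil accepts its menu commands as arguments; "quit" twice leaves both menus.
#    The DN above contains no spaces, so it needs no inner quotes; a DN with spaces
#    (e.g. "CN=John Doe,...") must be quoted inside the ntdsutil command, which is
#    easiest to do interactively as shown in the article.
ntdsutil "activate instance ntds" "authoritative restore" "restore object $objectDn" quit quit
# Whole OU instead of one object:
# ntdsutil "activate instance ntds" "authoritative restore" "restore subtree OU=Users,DC=woshub,DC=com" quit quit

# C. Clear the DSRM boot flag and reboot normally.
bcdedit /deletevalue safeboot
Restart-Computer -Force

# --- after the normal boot ---

# D. Verify: the object exists again, and its uSNChanged is far ahead of its neighbours
#    (ntdsutil adds 100,000 per backup version), which is what makes the restored copy win replication.
$restored = Get-ADObject -Identity $objectDn -Properties uSNChanged, whenChanged
$sibling  = Get-ADObject -SearchBase 'OU=Users,DC=woshub,DC=com' -SearchScope OneLevel `
                -Filter "distinguishedName -ne '$objectDn'" -Properties uSNChanged |
            Sort-Object uSNChanged -Descending | Select-Object -First 1
"{0}: uSNChanged={1}" -f $restored.DistinguishedName, $restored.uSNChanged
"{0}: uSNChanged={1}" -f $sibling.DistinguishedName, $sibling.uSNChanged
if ($restored.uSNChanged -le $sibling.uSNChanged) {
    Write-Warning 'USN was not bumped; the object may be overwritten by inbound replication.'
}

# E. Per-attribute replication metadata shows the version increase on this DC.
Get-ADReplicationAttributeMetadata -Object $objectDn -Server $env:COMPUTERNAME -Properties name |
    Select-Object AttributeName, Version, LastOriginatingChangeTime
```

Once the other DCs have replicated, the same `Get-ADReplicationAttributeMetadata` query against each of them should report the restored DC as the originating server for the object's attributes.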
