In this article, you will learn how to restore an Active Directory domain controller from a previously backed up system state (see the Active Directory Backup item), and we will discuss the types and principles of AD DC recovery.
Suppose your AD domain controller failed and you want to restore it from a backup. Before you can start rebuilding a DC, you need to decide which scenario you want to use. This depends on whether you have other domain controllers on the network and the status of the Active Directory database on these domain controllers.
Restoring a DC with standard AD replication is not exactly restoring a DC from a backup. You can use this scenario if you have multiple domain controllers on your corporate network that are all functional. In this scenario, a new server is installed and then promoted to a new ADDS domain controller at the same location. The old DC will just be removed from the DA.
This is the easiest way and no irreversible changes to the DA are required. In this scenario, the ntds.dit database, the GPO files, and the contents of the SYSVOL folder are automatically replicated from the domain controllers that remain online to the new domain controller.
If the ADDS database is small and another DC is available via a fast network connection, the above method is faster than restoring a DC from a backup.
There are two ways to restore Active Directory DC from a backup that you should understand before trying:
- Authorized Recovery – After recovering your AD objects, replication is performed from the recovered domain controller to all other domain controllers. This type of recovery is used in scenarios where one or all CDs have failed simultaneously (for example, after a ransomware or virus attack) or a corrupt NTDS.DIT database has been replicated in the domain. In this mode, the update sequence number (USN) of all recovered AD objects is increased by 100,000. In this way, DCs consider all restored objects to be more recent and are reproduced in the field. Use Authoritative Recovery with great care! With an authoritative restore, you lose most AD changes made since the backup (belonging to an AD group, Exchange attributes, etc.).
- Unauthorized recovery – After restoring the AD database, the controller informs the other DAs that it has been restored from a backup and needs the latest AD changes (a new AD call ID is created for the AD). You can use this recovery method in remote locations when it is difficult to quickly copy a large AD database over a slow WAN connection, or when your server contains important data or applications.
Suppose there is only one DC in your field. For some reason, the physical server it was running on was taken down.
You have a relatively new domain control system and want to restore Active Directory on a brand new server using Authoritative Restore.
To perform DC recovery, you must install the same version of Windows Server that you had on the failed DC. Install the ADDS (do not configure) role and the Windows server backup function on the newly installed Windows server.
To restore Active Directory, you must start the server in Directory Services Restore Mode (DSRM). To do this, start msconfig and select Safe Boot -> Restore Active Directory in the Boot tab.
Restart the server. It’s loaded into the DSRM. Run the Windows server backup (wbadmin) and select Restore from the right menu.
In the Restore Wizard, select the Backup saved elsewhere check box.
Then select the disk on which the old AD domain controller is stored or provide the UNC path to it. To have the BMS see your backup on the disk, place the WindowsImageBackup folder containing your backup in the root folder of the disk. Use this command to make sure you have backups on your hard drive:
wbadmin invokes versions of -backupTarget:D:
Select the backup date to be used for restoration.
Check the system status to restore it.
Select the original location and enable the Perform Authorized Active Directory File Restore option.
The system displays a warning that this is a backup from another server and may not work if restored to another server. Press OK.
Also accept a different warning :
Server Backup Message : This recovery option resynchronizes the replicated content on the local server after the recovery period. This can lead to delays or potential disruptions.
It then starts rebuilding the AD domain controller on the new server. Once this operation is complete, restart the server (the new server name will be replaced with the DC host name from the backup).
Start the server in normal mode (disable DSRM with msconfig).
Log in to the server using an account with domain administrator privileges.
The first time I launched the Active Directory Users and Computers (ADUC) console, I received the following error message
Information about Active Directory Domain Services domain name
cannot be found for the following reason:
The server is down.
The restored domain controller did not have the SYSVOL and NETLOGON directories to resolve this:
- Run regedit.exe ;
- Access to registry key HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesNetlogonParameters ;
- Change the value of SysvolReady from 0 to 1;.
- Then restart the NetLogon service: net stop netlogon & net start netlogon.
Try opening CUDA again. You will see the structure of your domain.
You have successfully restored an AD domain controller in Allowed Recovery Mode. All objects in Active Directory are then automatically replicated to other domain controllers.
If you only have one DC left, make sure it has all 5 FSMO roles and take them if necessary.
To recover specific AD objects, use the Active Directory Recycle Bin. If the tombstone has already expired or the Active Directory Recycle Bin is not activated, you can restore individual AD objects in Restore Allowed mode.
In short, the procedure consists of the following steps:
- Charge the DC in DSRM mode;
- Display the list of available backups: wbadmin gets versions
- Start restoring the selected backup: wbadmin start systemstaterecovery -version: [your_version].
- Confirm DC recovery (in unauthorized mode).
- After rebooting, start ntdsutil.
- activate the ntds instance
- major refurbishment
Specify the full LDAPl path to the object you want to restore. You can rebuild the whole OR:
restore the subtree OU=Users,DC=contoso,DC=com.
Or a single AD object:
Recovery object cn=Test,OU=Users,DC=contoso,DC=com.
This command denies replication of specified objects (paths) from other domain controllers and increases the object’s USN by 100,000.
Exit ntdsutil: stop
Charge the DC in normal mode and ensure that the object is restored.
how to restore active directory backup in windows 2012 step-by-step, restore active directory from backup to new server, active directory backup and restore in windows server 2016 step by step, restore active directory from windows server backup, active directory backup and restore step-by-step, how to recover active directory without backup, restore domain controller from backup, active directory backup best practices