Performing A Restore Of A Domain Controller In Non
Whenever you're about to restore a DC, first determine whether a non-authoritative restore is enough, or whether you should go further and perform an authoritative restore. The difference between the two restore types is that in a non-authoritative restore, the DC understands that it was out for a while, so it lets the other DCs in the site update its database with the latest changes that occurred while it was down. In an authoritative restore, the DC claims to be the only one with correct information and a valid database, and it authoritatively updates the other DCs with its own data.
In most scenarios, a non-authoritative restore is what you need, because it is usually a multi-DC environment. In addition, restoring a DC in authoritative mode can be harmful and cause further damage. For this reason, Veeam Backup & Replication was designed accordingly: by default, it performs an automated, non-authoritative DC restore, assuming the DC was not the only one in place. An authoritative restore with Veeam requires some additional steps, which are described below.
Let's go back to the backup files I created when I wrote the previous article. Restoring a DC from a Veeam Backup & Replication backup is quite easy. You simply:
- Select the Restore wizard in the GUI
- Find the desired DC
- Choose the Restore Entire VM option from the recovery menu
- Then select the recovery point
- Choose whether the restore should go to the original location or a new one
- Complete the procedure
There Are Other Domain Controllers On The Network
If there are other domain controllers on the network:
Determine if there are multiple domain controllers in your environment, then follow the appropriate steps below.
How To Verify Your Software Is Active Directory
After a backup, check the domain controller's event logs. Look under Applications and Services -> Directory Services for Event ID 1917. If you find it, this is an absolute guarantee that your software is properly triggering the VSS writer. However, some applications still take a consistent backup of Active Directory without generating this event, as long as they trigger the VSS writer. Ensure that your application is set to take at least a System State backup and use the VSS writer, then look in the Application log for several Event 2001 and Event 2003 entries generated by ESENT. If there are no associated errors, your directory is being safely backed up.
After you restore a domain controller into a domain with other active domain controllers, immediately check its Directory Services event log for ID 1109. If it is not there, disconnect that domain controller from the network as soon as possible, or it could lead to a USN rollback condition.
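The two checks above, scripted, as an added example that is not part of the original article. It queries the Windows log whose name is 'Directory Service' for the post-backup Event 1917 and the post-restore Event 1109, and the Application log for the ESENT 2001/2003 snapshot events; the lookback windows are assumptions.

```powershell
# Added example: verify a DC backup engaged the AD VSS writer, and that a
# restored DC has been recognised by AD (new invocation ID, Event 1109).
function Test-DcBackupConsistency {
    param([string]$ComputerName = $env:COMPUTERNAME, [int]$Hours = 24)  # window is an assumption
    $since = (Get-Date).AddHours(-$Hours)

    # Event 1917 in the Directory Service log: NTDS recorded a consistent backup.
    $ntds1917 = Get-WinEvent -ComputerName $ComputerName -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName = 'Directory Service'; Id = 1917; StartTime = $since }

    # ESENT 2001/2003 in the Application log: shadow-copy freeze/thaw of the NTDS database.
    $esent = Get-WinEvent -ComputerName $ComputerName -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName = 'Application'; ProviderName = 'ESENT'; Id = 2001, 2003; StartTime = $since }

    $all = @($ntds1917) + @($esent) | Where-Object { $_ } | Sort-Object TimeCreated -Descending
    [pscustomobject]@{
        ComputerName  = $ComputerName
        VssWriterSeen = [bool]$ntds1917
        EsentSnapshot = [bool]$esent
        Consistent    = ([bool]$ntds1917 -or [bool]$esent)
        LastBackup    = if ($all) { $all[0].TimeCreated } else { $null }
    }
}

function Test-DcRestoreSafe {
    param([string]$ComputerName = $env:COMPUTERNAME, [int]$Hours = 2)  # window is an assumption
    # Event 1109: the invocation ID changed, so AD knows this DC came back from a
    # backup and will pull newer changes from its partners instead of rolling USNs back.
    $e1109 = Get-WinEvent -ComputerName $ComputerName -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName = 'Directory Service'; Id = 1109; StartTime = (Get-Date).AddHours(-$Hours) }
    [pscustomobject]@{
        ComputerName        = $ComputerName
        InvocationIdChanged = [bool]$e1109
        Action              = $(if ($e1109) { 'OK: restore recognised by AD' }
                                else { 'Isolate this DC from the network now (USN rollback risk)' })
    }
}

Test-DcBackupConsistency | Format-List
Test-DcRestoreSafe | Format-List
```

Run the first function after each backup job and the second right after a restore, before the DC is allowed to replicate.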
Determining Which Domain Controllers To Restore
Ease of the restore process is an important factor when deciding which domain controller to restore. It is recommended to have a dedicated DC for each domain that is the preferred DC for a restore. A dedicated restore DC makes it easier to reliably plan and execute the forest recovery because you use the same source configuration that was used to perform restore tests. You can script the recovery, and not contend with different configurations, such as whether the DC holds operations master roles or not, or whether it is a GC or DNS server or not.
Note
While it is not recommended to restore an operations master role holder, in the interest of simplicity, some organizations may choose to restore one for other advantages. For example, restoring the RID master may help prevent problems with managing RIDs during the recovery.
Choose a DC that best meets the following criteria:
Maintain security procedures when handling or restoring backup files that include Active Directory. The urgency that accompanies forest recovery can unintentionally lead to overlooking security best practices. For more information, see the section titled "Establishing Domain Controller Backup and Restore Strategies" in Best Practice Guide for Securing Active Directory Installations and Day-to-Day Operations: Part II.
Changing The Task Scheduler

The last process is to tweak the task scheduler to run your backup.
- Go to Windows search and type Task Scheduler. This will display the app and double-click to open it.
- You'll see the backup task in the right-hand pane. Double-click it.
- On the General tab, check that the user account is SYSTEM. Look for the option called Configure for: towards the bottom of the dialog and choose your current operating system.
- Go to the Settings tab and make any changes if needed. Ideally, check the Allow task to be run on demand option and, if required, set the maximum time limit for your task so it stops automatically if the backup exceeds the set time.
With this, your AD backup is configured and runs on the schedule you set.
If all this looks cumbersome, many third-party tools ease this process for you.
Enable Backup On The Second Domain Controller
The second Domain Controller is from the child domain in the Active Directory forest.
Enabling backup for the second server will be much faster since all the requirements are created already.
From the VM menu in Azure, select Backup from the Operations section. Under Recovery Services vault, select existing. Select the vault and backup policy created with the first Domain Controller and then select Enable Backup to complete.
The deployment will take a few minutes to complete. Once deployment is complete, go back to the Backup menu on the VM Operations section to start a manual backup, following the same process as with the first Domain Controller.
Challenges Of Virtualized Domain Controller Backup
Running a traditional-style backup that specifically triggers the VSS writer to operate on the System State of a domain controller ensures that Active Directory knows it has been backed up, and therefore the consistency of the Active Directory database is guaranteed. Backing up the virtual machine from the host level using a method that does not trigger the guest's VSS writer does not result in a state that is guaranteed to be accurate. More details are given in the Challenges of Domain Controller Restores section.
Learn How To Back Up And Restore Domain Controllers With Windows Server Backup In This Backup Tip By Brien Posey
What you will learn in this tip: When Microsoft created Windows Server 2008, the company did away with NTBackup and provided a new data backup application called Windows Server Backup. Windows Server Backup is very different from NTBackup. One of the things that’s changed the most is the process of backing up and restoring domain controllers. You will learn about some of these changes in this tip.
As was the case with Windows Server 2003, if you want to back up the Active Directory database in Windows Server Backup, you will have to perform a system-state backup . But the similarities end there. As you may know, NTBackup allowed you to perform a system-state backup through the GUI. Once created, the backup existed as a BKF file. In Windows Server 2008, however, the method for creating a system-state backup requires entering the following command:
wbadmin start systemstatebackup -backupTarget:E:
When you run the command shown above, there are two things that you will notice. First, it takes longer to create a system-state backup with Windows Server 2008 than it did with Windows Server 2003. That’s because Windows Server Backup includes some system files as part of a system-state backup that were not included with backups made using NTBackup.
The other thing that you will notice is that when you create the backup, Windows creates a .VHD file rather than a .BKF file.
Performing a restoration in Windows Server Backup
Restoring Azure Vm Domain Controllers
To restore an Azure VM domain controller, see Restore domain controller VMs.
If you’re restoring a single domain controller VM or multiple domain controller VMs in a single domain, restore them like any other VM. Directory Services Restore Mode is also available, so all Active Directory recovery scenarios are viable.
If you need to restore a single domain controller VM in a multiple-domain configuration, restore the disks and create a VM from them.
If you’re restoring the last remaining domain controller in the domain, or restoring multiple domains in one forest, we recommend a forest recovery.
Note
Virtualized domain controllers from Windows 2012 onwards use virtualization-based safeguards. With these safeguards, Active Directory understands that the restored VM is a domain controller and performs the necessary steps to restore the Active Directory data.
Domain Controller Restore With Dpm
- Hi,
I have taken a backup of Windows Server 2008 R2 Domain Controllers through SCDPM 2012. It's a bare-metal backup which contains an image of Active Directory. I want to restore the Domain Controller DPM backup for test purposes. Is there any specific procedure or precaution to follow during the restoration of a Domain Controller? I have read somewhere that there are two types of restores for a Domain Controller, Authoritative and Non-Authoritative restore. Can anyone suggest the right procedure for recovering a Domain Controller through DPM?
Regards,
Monday, October 15, 2018 6:07 AM
Promote The Server Into A Domain Controller
What You Should Know
Read through this section first before attempting an Active Directory backup and restoration.
- There are two types of restoration, namely an authoritative restore and a non-authoritative restore. Understand the difference before choosing the one that best fits your situation.
- Have multiple domain controllers to provide a full recovery without a backup when one of your domain controllers fails. That said, do a regular backup, so you can restore when all your controllers fail due to a virus attack, database corruption, or other reasons.
- Back up at least two domain controllers if you can't do a complete backup.
- Enable the Active Directory Recycle Bin so that you can restore deleted objects quickly.
- Create a document that includes your backup policy, frequency, disaster recovery plan, and more.
- Back up your Active Directory at least once daily, and twice or more if it is large.
- Understand that not all domain controllers are the same, so have a backup strategy accordingly.
- Keep an offsite backup of your AD. Also, follow the 3-2-1 rule where you keep two backups on different media locally and one offsite.
- Know what FSMO is and the process of transfer/seize.
- At the minimum, back up the system state that includes your DNS server, Windows system files, COM+ class registration database, and more.
Now that you have the groundwork ready, let's see how to back up the Active Directory.
Active Directory Restore Types: Authoritative & Non

There are two types of Active Directory DC restore from a backup that you must clearly understand before you try to do it:
- Authoritative Restore: after you have restored your AD objects, replication is performed from the restored DC to all other domain controllers. This restore type is used in scenarios where a single DC or all DCs have failed at the same time, or a damaged NTDS.DIT database was replicated across the domain. In this mode the USN value of all restored AD objects is increased by 100,000. Thus, the other DCs will see all restored objects as newer ones and they will be replicated across the domain. Use the Authoritative Restore very carefully!!! With an Authoritative Restore you will lose most AD changes made after you created your backup.
- Non-authoritative Restore: after you have restored your AD database, the controller informs the other DCs that it has been restored from a backup and needs the latest AD changes. You can use this recovery method on remote sites when it is hard to quickly replicate a large AD database over a slow WAN link, or if you had some important data or apps on your server.
Backing Up Ad Domain Controller Using Windows Server Backup
If you don't have any special backup software, you can use the built-in Windows Server Backup (WSB). You can configure an automatic backup task in the Windows Server Backup GUI, but it has some restrictions. The main disadvantage is that a new server backup will always overwrite the previous one.
When you back up a domain controller using WSB, you create a System State backup. The System State includes the Active Directory database, Group Policy Objects, SYSVOL directory contents, the registry, the IIS metadata, the AD CS database and other system files and resources. The backup is created through the Volume Shadow Copy Service.
You can check if Windows Server Backup is installed using the Get-WindowsFeature PowerShell cmdlet:
Get-WindowsFeature Windows-Server-Backup
If WSB is not installed, you can add it with PowerShell:
Add-WindowsFeature Windows-Server-Backup -IncludeAllSubFeature
Or install Windows Server Backup via Server Manager -> Features.
I will save the backup of this AD domain controller to a shared network folder on a dedicated backup server. For example, a path to the backup directory may look like this: \\mun-back1\backup\dc01. Configure the NTFS permissions for this folder: grant Read and Write access permissions to Domain Admins and Domain Controllers groups only.
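A scripted version of this backup, as an added example that is not from the original article: it writes the System State to a dated subfolder under the \\mun-back1\backup\dc01 share from the text, so each run does not overwrite the previous one, locks the folder down to Domain Admins and Domain Controllers, and prunes old runs. The dated-folder layout, the 14-day retention and the use of Modify rather than plain Read/Write (wbadmin must create and rename files) are this example's own assumptions.

```powershell
# Added example: System State backup of a DC to a per-run folder on a share.
# When run by the SYSTEM account (as in the Task Scheduler section) the share
# is accessed as the DC's computer account, which is in Domain Controllers.
param(
    [string]$BackupRoot = '\\mun-back1\backup\dc01',   # share from the article
    [int]$KeepDays = 14                                 # retention is an assumption
)

# One subfolder per run, so the new backup does not replace the previous one.
$target = Join-Path $BackupRoot (Get-Date -Format 'yyyy-MM-dd_HHmm')
New-Item -ItemType Directory -Path $target -Force | Out-Null

# Restrict the folder to Domain Admins and Domain Controllers only; disabling
# inheritance stops wider ACEs on the share from reaching the backup files.
$acl = Get-Acl -Path $target
$acl.SetAccessRuleProtection($true, $false)
foreach ($group in 'Domain Admins', 'Domain Controllers') {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        "$env:USERDOMAIN\$group", 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $target -AclObject $acl

# System State backup through the VSS writer; -quiet suppresses the confirmation prompt.
wbadmin start systemstatebackup -backupTarget:$target -quiet
if ($LASTEXITCODE -ne 0) { throw "wbadmin failed with exit code $LASTEXITCODE" }

# Prune runs older than the retention window so the share does not fill up.
Get-ChildItem -Path $BackupRoot -Directory |
    Where-Object { $_.LastWriteTime -lt (Get-Date).AddDays(-$KeepDays) } |
    Remove-Item -Recurse -Force
```

Save it as a .ps1 and point the scheduled task at it instead of the GUI-created job to get the per-run folders.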