Full Server Recovery of a Domain Controller (a nonauthoritative restore)

02 February 2011, 07:45

Scenario 1: Loss of a DC that is not a FSMO role holder
Requirements: full bare-metal (full server) and system state backup of the single DC

To recover: Windows, disks and applications
 
Performing Nonauthoritative Restore of Active Directory Domain Services
Updated: January 9, 2009
Applies To: Windows Server 2008, Windows Server 2008 R2
A nonauthoritative restore is the method for restoring Active Directory Domain Services (AD DS) from a system state, critical-volumes, or full server backup. A nonauthoritative restore returns the domain controller to its state at the time of backup and then allows normal replication to overwrite that state with any changes that occurred after the backup was taken. After you restore AD DS from backup, the domain controller queries its replication partners. Replication partners use the standard replication protocols to update AD DS and associated information, including the SYSVOL shared folder, on the restored domain controller.
You can use a nonauthoritative restore to restore the directory service on a domain controller without reintroducing or changing objects that have been modified since the backup. The most common use of a nonauthoritative restore is to reinstate a domain controller, often after catastrophic or debilitating hardware failures. In the case of data corruption, do not use nonauthoritative restore unless you have confirmed that the problem is with AD DS.
 
Note
If your objective is to recover objects that were deleted since the last backup, first perform a nonauthoritative restore from backup to reinstate the deleted objects and then perform an authoritative restore to mark the deleted objects as authoritative so that they are not overwritten during replication. When you are performing both a nonauthoritative restore and an authoritative restore, do not allow the domain controller to restart after the nonauthoritative restore. For information about performing authoritative restore, see Performing Authoritative Restore of Active Directory Objects.
Nonauthoritative Restore Requirements
You can perform a nonauthoritative restore from backup on a Windows Server 2008 system that is a stand-alone server, member server, or domain controller.
On domain controllers that are running Windows Server 2008, you can stop and restart AD DS as a service. Therefore, in Windows Server 2008, performing offline defragmentation and other database management tasks does not require restarting the domain controller in Directory Services Restore Mode (DSRM). However, you cannot perform a nonauthoritative restore after simply stopping the AD DS service in regular startup mode. You must be able to start the domain controller in DSRM. If the domain controller cannot be started in DSRM, you must first reinstall the operating system. If you need to reinstall the operating system and then restore AD DS, see Restoring a Domain Controller Through Reinstallation.
To perform a nonauthoritative restore, you need one of the following types of backup for your backup source:
  • System state backup: Use this type of backup to restore AD DS. If you have reinstalled the operating system, you must use a critical-volumes or full server backup. If you are restoring a system state backup, use the wbadmin start systemstaterecovery command.
  • Critical-volumes backup: A critical-volumes backup includes all data on all volumes that contain operating system and registry files, boot files, SYSVOL files, or Active Directory files. Use this type of backup if you want to restore more than the system state. To restore a critical-volumes backup, use the wbadmin start recovery command.
  • Full server backup: Use this type of backup only if you cannot start the server or you do not have a system state or critical-volumes backup. A full server backup is generally larger than a critical-volumes backup. Restoring a full server backup not only rolls back data in AD DS to the time of backup, but it also rolls back all data in all other volumes. Rolling back this additional data is not necessary to achieve nonauthoritative restore of AD DS. For information about performing a full server backup for disaster recovery, see Performing a Full Server Recovery of a Domain Controller on the Microsoft Web site (http://go.microsoft.com/fwlink/?LinkId=116206).
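The three backup types above, taken with wbadmin from PowerShell on a running DC, as an added example that is not part of the original page or of Microsoft's documentation. It assumes (none of this is stated on the page) a dedicated local backup volume E:, a system volume C: and one data volume D:, and an elevated session on Windows Server 2008 / 2008 R2. Besides taking the backup it records the exact version identifier that a later wbadmin start sysrecovery must be given, which is the value people most often have to guess at during a recovery.

```powershell
# Added example, not code from the original page: take one of the three backup types
# this section describes with wbadmin on a running Windows Server 2008 / 2008 R2 DC,
# then capture the exact version identifier a later recovery must be given.
# Assumptions (not in the page): the backup target is a dedicated local volume E:,
# the server's volumes are C: (system) and D: (data), and the script runs elevated
# (wbadmin needs Administrators or Backup Operators).
param(
    [ValidateSet('systemstate', 'critical', 'full')]
    [string]$Kind   = 'critical',
    [string]$Target = 'E:'
)

# Never write the backup to a critical volume: a backup on C: is lost with C:, and
# wbadmin rejects critical volumes as a system state target by default anyway.
if ($Target.TrimEnd('\') -ieq ($env:SystemDrive).TrimEnd('\')) {
    throw "Backup target $Target is the system drive; use a separate volume or a share."
}

switch ($Kind) {
    # System state: AD DS database and logs, SYSVOL, registry, boot files. Restored on
    # a bootable OS in DSRM with 'wbadmin start systemstaterecovery'.
    'systemstate' { & wbadmin start systemstatebackup "-backupTarget:$Target" -quiet }
    # Critical volumes: every volume holding OS, registry, SYSVOL or NTDS files.
    # Restored with 'wbadmin start recovery' or from WinRE.
    'critical'    { & wbadmin start backup -allCritical "-backupTarget:$Target" -quiet }
    # Full server: critical volumes plus every other volume. The only kind that supports
    # full server recovery from WinRE, at the price of rolling D: back as well.
    'full'        { & wbadmin start backup -allCritical "-include:C:,D:" "-backupTarget:$Target" -quiet }
}
if ($LASTEXITCODE -ne 0) { throw "wbadmin failed with exit code $LASTEXITCODE" }

# wbadmin names each version by its local start time as MM/DD/YYYY-HH:MM. The
# recovery command wants that string verbatim, so record it now instead of guessing
# it from file timestamps later.
$versions = @(& wbadmin get versions "-backupTarget:$Target" |
    ForEach-Object { if ($_ -match '^Version identifier:\s+(\S+)') { $Matches[1] } })
$latest = $versions[-1]
"Latest backup of $env:COMPUTERNAME on $Target is version $latest"
# The matching WinRE recovery, typed at the X:\Sources> cmd prompt there, not run here:
#   wbadmin start sysrecovery -version:<that identifier> -backupTarget:E: -restoreAllVolumes
```

Run it as `.\Backup-DC.ps1 -Kind full` before a planned change, or `-Kind critical` on a schedule; the printed version string is what goes after `-version:` in Windows RE, so keep it with the runbook for the DC rather than relying on the backup catalog still being readable at recovery time.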
Performing a full server recovery of a domain controller by using the GUI
You can use this procedure to perform full server recovery of a domain controller with Windows Complete PC Restore.
There are no administrative credential requirements. No authentication is performed when you start in Windows RE. Treat that as a design property rather than a convenience: anyone with console access to the host and installation media can run this procedure (or open a command prompt against the offline disk), so physical access control, BitLocker on the system volume, and the ACLs on the backup share are the controls that matter; Windows RE cannot read a BitLocker-protected volume without the recovery key.
To perform full server recovery of a domain controller (a nonauthoritative restore) by using the GUI
  1. Insert the Windows Server 2008 installation DVD into the disk drive, and then restart the domain controller.
  2. When you are prompted, press a key to start from the DVD.
  3. At the initial Windows screen, accept or select language options, the time and currency format, and a keyboard layout, and then click Next.
  4. At the Install now screen, click Repair your computer.
  5. In the System Recovery Options dialog box, click anywhere to clear any operating systems that are selected for repair, and then click Next.
  6. Under Choose a recovery tool, click Windows Complete PC Restore.
  7. If the backup is stored on a remote server, a message indicates that Windows cannot find a backup on the hard disks or DVDs on this computer. Click Cancel to close the message.
  8. Click Restore a different backup, and then click Next.
  9. On the Select the location of the backup page, perform either set of the following steps, depending on whether the backup is stored locally or on a network shared folder:
     If the backup is stored on the local computer:
       a. Select the location of the backup, and then click Next.
     If the backup is stored on a network shared folder:
       a. Click Advanced, and then click Search for a backup on the network.
       b. Click Yes to confirm that you want to connect to the network.
       c. In Network Folder, type the Universal Naming Convention (UNC) name for the network share, and then click OK.
       d. Type credentials for a user account that has sufficient permissions to restore the backup, and then click OK.
       e. On the Select the location of the backup page, click the location of the backup, and then click Next.
  10. Click the backup to restore, and then click Next.
  11. On the Choose how to restore the backup page, if you want to replace all data on all volumes, regardless of whether they are included in the backup, select the Format and repartition disks check box. To prevent volumes that are not included in the restore from being deleted and re-created, click Exclude Disks, select the check box for each disk that you want to exclude, and then click OK.
  12. Click Next, and then click Finish.
  13. Select the I confirm that I want to format the disks and restore the backup check box, and then click OK.
Performing a full server recovery of a domain controller by using the command line
Use the following procedure to perform full server recovery of a domain controller from the command line.
There are no administrative credential requirements. No authentication is performed when you start in Windows RE.
To perform full server recovery of a domain controller (a nonauthoritative restore) by using the command line
  1. Insert the Windows Server 2008 installation DVD into the disk drive, and then restart the domain controller.
  2. When you are prompted, press a key to start from the DVD.
  3. At the initial Windows screen, accept or select language options, the time and currency format, and a keyboard layout, and then click Next.
  4. At the Install now screen, click Repair your computer.
  5. In the System Recovery Options dialog box, click anywhere to clear any operating systems that are selected for repair, and then click Next.
  6. Under Choose a recovery tool, click Command Prompt.
  7. At the Sources prompt, type diskpart, and then press ENTER.
  8. At the Diskpart prompt, type list vol, and then press ENTER.
  9. Identify the volume from the list that corresponds to the location of the full server backup that you want to restore.
     The drive letters in Windows RE do not necessarily match the volumes as they appear in Windows Server 2008.
  10. Type exit, and then press ENTER.
  11. At the Sources prompt, type the following command, and then press ENTER:
      wbadmin get versions -backupTarget:<targetDrive>: -machine:<BackupComputerName>
      Where:
      • <targetDrive>: is the location of the backup that you want to restore.
      • <BackupComputerName> is the name of the computer where you want to recover the backup. This parameter is required if the backup is stored on a remote computer.
  12. Identify the version that you want to restore.
      You must enter this version exactly in the next step.
  13. At the Sources prompt, type the following command, and then press ENTER:
      wbadmin start sysrecovery -version:<version> -backupTarget:<targetDrive>: -machine:<BackupComputerName> -restoreAllVolumes
      Where:
      • <version> is the version of the backup that you want to restore, in the form MM/DD/YYYY-HH:MM exactly as listed by wbadmin get versions.
      • <targetDrive>: is the drive that contains the backup.
      • <BackupComputerName> is the name of the computer where you want to recover the backup. This parameter is useful when you have backed up multiple computers to the same location or you have renamed the computer since the backup was taken.
  14. When you are prompted, press Y to proceed with the restore process.
  15. After the recovery operation has completed, minimize the command window, and then, in the System Recovery Options dialog box, click Restart.
 
Post Recovery Tests

Run these from an elevated prompt after the first normal restart, either on the recovered DC or against it with /s:. DRDC01 is the restored DC in this scenario; DCName is a placeholder for its name.

repadmin /replsum                           (one-line replication health summary for every DC)
dcdiag /test:CheckSecurityError /s:DRDC01   (security-related replication errors: secure channel, Kerberos, SPNs, time skew)
repadmin /showrepl                          (inbound partners and last success/failure per naming context)
w32tm /monitor                              (clock offset of every DC in the domain)
dcdiag /s:DCName                            (default test suite against the restored DC)
dcdiag /test:dns /e /s:DCName               (DNS registration and resolution, enterprise-wide)
dcdiag /test:netlogons /v /s:DCName         (NETLOGON and SYSVOL shares and logon rights)
dcdiag /test:fsmocheck /s:DCName            (can the DC reach the GC, PDC, KDC and time server)
 
Additional considerations
Be aware of the following issues when you perform a full server recovery of a domain controller:
  • Wbadmin.exe does not require that you provide the recovery target. By specifying the backup version that you want to recover, the command proceeds to recover to the source location of the specified backup version.
  • Backup files are named for the date and time of the backup. When you recover, the version must be stated in the form MM/DD/YYYY-HH:MM, which specifies the name of the backup that you want to recover.
  • After the restore is completed, restart the server normally, and perform basic verification. When you restart the computer normally, AD DS and Active Directory Certificate Services (AD CS) automatically detect that they have been recovered from a backup. They perform an integrity check and index the database again.
  • After you log on to the system, browse AD DS. Verify that the following conditions are met:
    • All of the user objects and group objects that were present in the directory at the time of the backup are restored.
      Note: Active Directory replication updates the objects that you restore with any changes that have been made to them since the time that the backup was taken.
    • Files that were members of a File Replication Service (FRS) replica set and certificates that were issued by AD CS are present.
    • The Windows Time service (W32time) is synchronized correctly.
    • The NETLOGON and SYSVOL folders are properly shared.
    • The Preferred DNS server address is configured correctly.
    • Host (A) and service (SRV) resource records are registered correctly in Domain Name System (DNS).
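The verification list above and the Post Recovery Tests earlier on this page, scripted in PowerShell as an added example (not part of the original page or Microsoft's documentation). It assumes, beyond anything the page states, that it runs elevated on the restored DC itself after its first normal restart, on Windows Server 2008 R2 with PowerShell 2.0, so it relies only on WMI and the built-in repadmin, dcdiag, w32tm and nslookup tools rather than on the DnsClient or ActiveDirectory modules.

```powershell
# Added example, not part of the original page: the post-recovery checks the page
# lists, scripted so they run the same way after every restore and fail loudly.
# Assumptions (not in the page): run elevated on the restored DC itself, after its
# first normal restart; Windows Server 2008 R2 with PowerShell 2.0 or later, so only
# WMI and the built-in tools (repadmin, dcdiag, w32tm, nslookup) are used.
$dc      = $env:COMPUTERNAME
$domain  = (Get-WmiObject Win32_ComputerSystem).Domain
$fqdn    = "$dc.$domain"
$results = @()
function Add-Check([string]$Name, [bool]$Pass, [string]$Detail) {
    $script:results += New-Object PSObject -Property @{ Check = $Name; Pass = $Pass; Detail = $Detail }
}

# NETLOGON and SYSVOL must be shared; until they are, the DC does not advertise itself.
$shares = @(Get-WmiObject Win32_Share | ForEach-Object { $_.Name })
foreach ($s in 'NETLOGON', 'SYSVOL') {
    Add-Check "Share $s" ($shares -contains $s) ($shares -join ', ')
}

# Inbound replication: a nonauthoritative restore is only complete once every
# partner has replicated in, so any failing link here means the restore is not done.
$links  = @(& repadmin /showrepl $dc /csv | ConvertFrom-Csv)
$failed = @($links | Where-Object { $_.'Number of Failures' -ne '0' })
Add-Check 'Inbound replication' (($links.Count -gt 0) -and ($failed.Count -eq 0)) `
    ("$($links.Count) links, $($failed.Count) failing")

# Preferred DNS server: must be set, and should not be only the DC's own loopback
# address on the first boot, or it cannot find its partners to replicate from.
$dns = @(Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
         ForEach-Object { $_.DNSServerSearchOrder } | Where-Object { $_ })
Add-Check 'Preferred DNS server' (($dns.Count -gt 0) -and ($dns[0] -ne '127.0.0.1')) ($dns -join ', ')

# Host (A) and service (SRV) records: the A record must resolve, and this DC must be
# among the _ldap._tcp.dc._msdcs SRV targets, or clients and partners cannot find it.
$aOk = $false
try { $aOk = @([System.Net.Dns]::GetHostAddresses($fqdn)).Count -gt 0 } catch { }
Add-Check "A record $fqdn" $aOk ''
$srv = (& nslookup -type=SRV "_ldap._tcp.dc._msdcs.$domain" 2>$null) -join "`n"
Add-Check 'SRV record (_ldap._tcp.dc._msdcs)' ($srv -match "svr hostname\s*=\s*$dc\.") ''

# Time: a DC more than the Kerberos skew (5 minutes by default) off its partners
# cannot authenticate to them, so a free-running or CMOS-only clock fails this check.
$time = (& w32tm /query /status) -join "`n"
$src  = if ($time -match 'Source:\s*(.+)') { $Matches[1].Trim() } else { 'unknown' }
Add-Check 'Time source' ($src -notmatch 'Local CMOS Clock|Free-running') $src

# The dcdiag tests the page names; each prints "... passed test <Name>" on success.
foreach ($t in 'Advertising', 'NetLogons', 'CheckSecurityError', 'FsmoCheck') {
    $out = (& dcdiag /test:$t /s:$dc) -join "`n"
    Add-Check "dcdiag $t" ($out -match "passed test $t") ''
}

$results | Format-Table Check, Pass, Detail -AutoSize
if (@($results | Where-Object { -not $_.Pass }).Count -gt 0) { exit 1 }
```

A non-zero exit code means the DC should stay out of service until the failing line is fixed; in practice the replication and time checks are the ones that fail first after a restore from an old backup, because the DC's clock and its partners' high-watermarks both start from the backup's point in time.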
 

 
