Restoring domain controller from an application-aware backup

KB ID: 2119
Products: Veeam Backup & Replication
Version: 7.x 8.x 9.x
Published:
Last Modified: 2016-10-07

Challenge

Since Active Directory implements multi-master replication, where multiple domain controllers sync changes with each other, one of the key challenges is the DC recovery process. This article outlines different DC restore scenarios and goes into some specifics of when and why this or that type of restore is required as well as gives instructions on the manual steps to perform proper DC recovery from backup created with Veeam B&R.

Before going into details, it is worth stressing that by default Veeam B&R performs automated non-authoritative restore of domain controller and in most cases when you need to recover failed DC, authoritative restore is not required.

The following situations are possible:

  • Restoring single lost DC in a multi-DC environment
  • Restoring entire AD infrastructure (AKA “all DC’s are lost”)
  • Restoring from Active Directory corruption

Depending on the scenario, different steps (or no steps at all) are required to perform DC restore. All of the scenarios assume application-aware image processing was enabled in the backup job that backed up the DC being restored.

Solution

Restoring single lost DC in a multi-DC environment or in environment with only a single DC

This scenario, actually the most common one, incurs restoring just one of the multiple DC’s when there are still other functional DC’s in the environment that the restored DC can replicate changes from.
DC recovery with Veeam B&R in this case is fully automated and does not require any user interaction. If your backup was done with application-aware image processing enabled in the backup job settings, Veeam B&R performs a non-authoritative restore of the DC, where the restored VM should first boot in Directory Services Restore Mode (DSRM) mode and then reboot automatically immediately to boot up next time normally.
The domain controller itself will understand that it has been recovered from backup and will allow normal replication to update everything that has been changed since the backup took place.
The automatic recovery should also work for environments with only a single DC.



Restoring entire AD infrastructure (AKA “all DC’s are lost”)

As mentioned above, the automatic recovery process performs a non-authoritative restore, where the DC reboots and starts looking for other DC’s to sync up. However, in a scenario where all DC’s are gone, there are no other partners available and replication may take quite long (15-30 minutes) to start. To avoid wasting the time attempting to contact replication partners, it is recommended to restore two of the domain controllers at once, power them on, wait for their reboot and force one of them to become authoritative for SYSVOL, so that they can start replicating. Then restoring other DC’s will be similar to the first scenario, i.e. will be 100% automatic.

Note: During the restore procedure, make sure the restored DC’s DNS records point to available DNS servers (e.g. to itself).

The procedure for designating DC as authoritative for SYSVOL varies based on whether FRS or DFS-R is used for SYSVOL replication. Here we discuss the steps for DFS-R as the more widely used these days (recovery with FRS might need additional manual steps), which are basically consist of setting the following registry values:

Key: HKLM\System\CurrentControlSet\Services\DFSR\Restore
Value: SYSVOL (REG_SZ) = “authoritative”

Key: HKLM\SYSTEM\CurrentControlSet\Control\BackupRestore\SystemStateRestore
Value: LastRestoreId (REG_SZ) = any GUID value (e.g. 10000000-0000-0000-0000-000000000000)
 

If the first restored DC already hosts operations master roles, set the following registry value in order to bypass initial synchronization requirements and not to wait for another partners to replicate the directory partitions:
Key: HKLM\System\CurrentControlSet\Services\NTDS\Parameters
Value: Repl Perform Initial Synchronizations (REG_DWORD) = 0

Note: Don’t forget to reset this value back to 1 after domain recovery is completed, so that domain controller has successful replication with its partners before starting to service client requests.

After setting the values above, restart the domain controller.

Notes:
• If you’re restoring DC without FSMO roles, you might want to transfer them to it manually after the restore, using the ntdsutil seize command.
• This type of restore is similar to what Veeam B&R performs automatically when restoring DC within SureBackup isolated virtual lab.

 


Restoring from Active Directory corruption

Scenario where no DC’s are actually lost, however, AD itself is damaged in some way (corrupt objects or schema) and you need to restore from the backup created before corruption occurred. In this case you need to restore one of the multiple DC’s when other DC’s are still operating a damaged copy of AD and force all of them to accept replication changes from the restored DC. This is where authoritative restore of the DC is required.

Note: It is recommended to perform restore with network disabled to prevent DC from accepting changes from other controllers after the default non-authoritative restore.

To perform an authoritative restore:
1. Restore the DC and let it complete the default non-authoritative restore (wait until it reboots second time).
2. During this second boot, press F8 to get to DSRM mode.
3. Log in with DSRM account and password.
4. Open a command prompt and run ntdsutil command.
5. At the "ntdsutil:" prompt, type "authoritative restore" and press Enter.
6. At the "ntdsutil authoritative restore:" prompt, type "restore database" and press Enter.
7. At the Authoritative Restore Confirmation dialog box, click Yes.
8. Upon restore completion, type "quit" and press Enter to exit the ntdsutil utility.
9. Reboot server.
10. Perform an authoritative restore of the SYSVOL, as was already discussed above.

Note: For an easier item-level recovery of Active Directory objects (without the need to restore the domain controller itself), consider using Veeam Explorer for Active Directory.
 

More Information

5 / 5 (9 votes cast)

Report a typo on this page:

Please select a spelling error or a typo on this page with your mouse and press CTRL + Enter to report this mistake to us. Thank you!

Orphus system