Restore Domain Controller
Unfortunately, it can happen that you have to restore one or more Active Directory domain controllers. In this post, we will look at the different ways to do it.
Backup Domain Controller
I usually create a dedicated backup job for domain controllers. Indeed, the Active Directory guest processing (which makes a granular restore of AD objects possible) requires an account with domain administrator rights.
To simulate a failure, I shut down one of my domain controllers and delete it.
Non-authoritative restoration
This is the restore used in most cases. One domain controller fails and has to be restored. After the restore, the restored domain controller detects that it has been restored and asks its replication partners for an update of the Active Directory database. AD replication then brings the restored domain controller up to date with the latest changes made to the directory.
After deleting my second domain controller, I added user and OU objects to my Active Directory. These changes are not in the backup, so they let us check replication after the restore.
From the Veeam console, open the Home tab. Under Backups, click Disk. Select the backup job and the VM to restore.
In the ribbon, click the Entire VM option to restore the VM.
A wizard appears with only the selected VM listed; click Next.
The VM will be restored to its original location, so leave the default options in the Restore Mode window and click Next. The Restore to a new location, or with different settings option allows you to restore the VM to another VMware cluster.
It is possible to scan the restored VM to make sure that no malware is present. Be aware that this lengthens the restore.
Enter a reason and click Next.
Click Finish to start the restore. Check Power on target VM after restoring if you want the VM started automatically once the restore is complete.
The restoration is in progress…
After the restore, the virtual machine reboots a second time (if the network card is not connected, wait for this reboot). The VM is then connected to the local network.
Test following the restoration
Verify that the Active Directory Users and Computers console is connected to the domain controller you just restored. Verify that the changes made after the backup are present.
Additional tests must be run to ensure that Active Directory is functioning properly after this restore. The following commands must be executed:
DCDIAG /V /C /D /E > c:\dcdiag.txt
Repadmin /showrepl * /csv > c:\Report.csv
Copy a text file into the SYSVOL directory using the local path, not the UNC path. The file must then appear on all the domain controllers; this validates SYSVOL replication.
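The three checks above (dcdiag, repadmin and the SYSVOL file test) as one script, added here as an example; it is not a script from the original post. It assumes the ActiveDirectory PowerShell module (RSAT) is installed and that it runs elevated, as a domain administrator, on the restored domain controller. The function names, the report location and the test file name are my own choices.

```powershell
# Added example (not from the original post): post-restore health checks for a
# restored domain controller. Assumes the ActiveDirectory module is available and
# that the script runs elevated as a domain administrator on the restored DC.

Import-Module ActiveDirectory

# Same output location as in the post
$ReportDir = 'C:\'

function Invoke-PostRestoreDiagnostics {
    # Same commands as in the post; output is kept on disk for later review
    dcdiag /V /C /D /E | Out-File -FilePath (Join-Path $ReportDir 'dcdiag.txt') -Encoding utf8
    repadmin /showrepl * /csv | Out-File -FilePath (Join-Path $ReportDir 'Report.csv') -Encoding utf8

    # Summarise the repadmin CSV: every partner/partition link with at least one failure
    $links = Import-Csv -Path (Join-Path $ReportDir 'Report.csv')
    $links | Where-Object { [int]$_.'Number of Failures' -gt 0 } |
        Select-Object 'Source DSA', 'Destination DSA', 'Naming Context',
                      'Number of Failures', 'Last Failure Status', 'Last Success Time'
}

function Test-SysvolReplication {
    param([int]$TimeoutSeconds = 300, [int]$PollSeconds = 15)

    $domain = (Get-ADDomain).DNSRoot
    # Write through the LOCAL path, as the post recommends, not through a UNC path
    $localScripts = Join-Path $env:SystemRoot "SYSVOL\sysvol\$domain\scripts"
    $fileName = "sysvol-test-$env:COMPUTERNAME-$(Get-Date -Format 'yyyyMMdd-HHmmss').txt"
    "written on $env:COMPUTERNAME at $(Get-Date -Format o)" |
        Set-Content -Path (Join-Path $localScripts $fileName)

    # Every DC in the domain must end up with a copy of the file
    $dcs = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName
    $pending = [System.Collections.Generic.HashSet[string]]::new([string[]]$dcs)
    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)

    # Poll each DC's SYSVOL share until the file is present everywhere or we time out
    while ($pending.Count -gt 0 -and (Get-Date) -lt $deadline) {
        foreach ($dc in @($pending)) {
            if (Test-Path -Path "\\$dc\SYSVOL\$domain\scripts\$fileName") {
                Write-Host "[OK] $dc has $fileName"
                [void]$pending.Remove($dc)
            }
        }
        if ($pending.Count -gt 0) { Start-Sleep -Seconds $PollSeconds }
    }

    foreach ($dc in $pending) {
        Write-Warning "$dc did not receive $fileName within $TimeoutSeconds seconds"
    }
    return ($pending.Count -eq 0)
}

Invoke-PostRestoreDiagnostics | Format-Table -AutoSize
if (Test-SysvolReplication) {
    Write-Host 'SYSVOL replication OK on all domain controllers'
} else {
    Write-Host 'SYSVOL replication problem: review C:\dcdiag.txt and C:\Report.csv'
}
```

A replication link that shows up in the first table, or a DC that never receives the test file, is the signal to stop and investigate before moving on to an authoritative restore of anything.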
Authoritative restoration
This type of restore is used when all domain controllers are corrupted, or when an accidental deletion has replicated to all DCs.
First, perform a non-authoritative restore (see above). On the second reboot, press the F8 key and select the Directory Services Repair Mode option.
Log on with the .\administrator account. Its password is the same as FORMATION\administrator (FORMATION is my Active Directory domain).
Open a PowerShell prompt and run the following commands to launch the ntdsutil tool and mark the subtree as authoritative:
ntdsutil
activate instance ntds
authoritative restore
restore subtree "OU=Training,DC=Formation,DC=local"
Click Yes to perform the authoritative restore.
Once the restore has completed, close the PowerShell window.
The authoritative restore of Active Directory is now configured. You can now configure the restore of SYSVOL.
DFSR is used to replicate SYSVOL
SYSVOL can be replicated by DFSR or FRS. If you use DFSR, follow the steps below. For FRS replication, see the next section.
From the domain controller restored above, open the following registry key:
HKLM\System\CurrentControlSet\Services\DFSR
Check whether the Restore subkey is present and create it if it is not. Under it, create a string value (REG_SZ) named SYSVOL with the data authoritative.
Then open the following registry key:
HKLM\System\CurrentControlSet\Control\BackupRestore
Select the SystemStateRestore subkey and change the value of LastRestoreId. I set it to 10000000-0000-0000-0000-000000000000, but you can enter another ID (any GUID different from the current one).
Restart the domain controller, then restore all the other domain controllers with the non-authoritative method. You can verify SYSVOL replication with the gpotool command.
FRS is used to replicate SYSVOL
If SYSVOL in your domain is still replicated by FRS instead of DFSR, use the following steps.
From the domain controller restored above, open the following registry key:
HKLM\System\CurrentControlSet\Services\NtFrs\Parameters\Backup/Restore\Process at Startup
Set the BurFlags value (a DWORD) to D4 in hexadecimal (212 in decimal). This marks this copy of SYSVOL as the authoritative one.
Restart the computer.
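The registry changes from the two SYSVOL sections above (DFSR and FRS) as one script, added here as an example; it is not a script from the original post. It is meant to run elevated on the domain controller that received the ntdsutil authoritative restore, before that DC is rebooted. The function names are my own; the registry paths and values are the ones the post gives, except that I use the .NET registry API rather than the HKLM: drive because the FRS key name Backup/Restore contains a forward slash, which the PowerShell registry provider would treat as a path separator.

```powershell
# Added example (not from the original post): writes the registry values that mark
# this domain controller's SYSVOL as the authoritative copy, for either DFSR or FRS.
# Run elevated on the DC that received the ntdsutil authoritative restore, then reboot.
# The other DCs are then restored non-authoritatively and pull SYSVOL from this one.
#
# The .NET registry API is used instead of the HKLM: drive because the FRS key name
# "Backup/Restore" contains a forward slash, which PowerShell's registry provider
# would interpret as a path separator.

$DfsrRestoreKey  = 'SYSTEM\CurrentControlSet\Services\DFSR\Restore'
$SystemStateKey  = 'SYSTEM\CurrentControlSet\Control\BackupRestore\SystemStateRestore'
$FrsStartupKey   = 'SYSTEM\CurrentControlSet\Services\NtFrs\Parameters\Backup/Restore\Process at Startup'
$FrsAuthoritative = 0xD4   # 212 decimal, as in the post

function Set-SysvolAuthoritativeRestore {
    param(
        # Which engine replicates SYSVOL in the domain
        [Parameter(Mandatory)][ValidateSet('DFSR', 'FRS')][string]$Engine,
        # The post uses 10000000-0000-0000-0000-000000000000; any new GUID is acceptable
        [guid]$RestoreId = [guid]::NewGuid()
    )

    $hklm = [Microsoft.Win32.Registry]::LocalMachine
    $string = [Microsoft.Win32.RegistryValueKind]::String
    $dword  = [Microsoft.Win32.RegistryValueKind]::DWord

    switch ($Engine) {
        'DFSR' {
            # Restore subkey is created if missing; SYSVOL = "authoritative" (REG_SZ)
            $restore = $hklm.CreateSubKey($DfsrRestoreKey)
            $restore.SetValue('SYSVOL', 'authoritative', $string)
            $restore.Close()

            # New LastRestoreId so DFSR treats this boot as a fresh system-state restore
            $ssr = $hklm.CreateSubKey($SystemStateKey)
            $ssr.SetValue('LastRestoreId', $RestoreId.ToString(), $string)
            $ssr.Close()
        }
        'FRS' {
            # BurFlags = 0xD4: authoritative restore of the FRS replica set on next start
            $frs = $hklm.CreateSubKey($FrsStartupKey)
            $frs.SetValue('BurFlags', $FrsAuthoritative, $dword)
            $frs.Close()
        }
    }
}

function Get-SysvolRestoreState {
    # Reads the values back so you can confirm them before rebooting
    param([Parameter(Mandatory)][ValidateSet('DFSR', 'FRS')][string]$Engine)

    $hklm = [Microsoft.Win32.Registry]::LocalMachine
    if ($Engine -eq 'DFSR') {
        $restore = $hklm.OpenSubKey($DfsrRestoreKey)
        $ssr     = $hklm.OpenSubKey($SystemStateKey)
        [pscustomobject]@{
            Engine        = 'DFSR'
            SYSVOL        = if ($restore) { $restore.GetValue('SYSVOL') } else { $null }
            LastRestoreId = if ($ssr)     { $ssr.GetValue('LastRestoreId') } else { $null }
        }
    } else {
        $frs = $hklm.OpenSubKey($FrsStartupKey)
        $flags = if ($frs) { $frs.GetValue('BurFlags') } else { $null }
        [pscustomobject]@{
            Engine   = 'FRS'
            BurFlags = if ($null -ne $flags) { '0x{0:X}' -f $flags } else { $null }
        }
    }
}

# Usage on the authoritatively restored DC (pick the engine in use in your domain):
Set-SysvolAuthoritativeRestore -Engine DFSR
Get-SysvolRestoreState -Engine DFSR
# Restart-Computer   # reboot once the values above look right
```

Only one domain controller must carry these values; setting SYSVOL to authoritative (or BurFlags to D4) on two DCs at once produces two competing authoritative copies, which is exactly the situation the procedure is meant to avoid.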