Restore Domain Controller

Restore Domain Controller

Restore Domain Controller

Unfortunately, it can happen that you have to restore one or more Active Directory domain controllers. In this case, we will see the different possibilities.

Backup Domain Controller

I usually create a backup job only for domain controllers. Indeed, it is necessary to use an account with the domain administrator right to do a granular restore of the AD Guest Processing Windows.

Restore Domain Controller - Enable Application processing

I shutdown one of my Domain Controller and I delete it.

Restore Domain Controller -  Delete VM on ESXi

Non-authoritative restoration

This restoration is used in most cases. One of the domain controllers suffers a malfunction and it is necessary to restore it. Following the restore operation, the restored domain controller will detect its restored state and will ask its peers for an update of the Active Directory database. The AD replication will then take place so that the domain controller that has just been restored has the latest changes made to the AD directory.

After I deleted my second domain controller, I added user and OU objects to my Active Directory.

Restore Domain Controller - Add account on AD

From the Veeam console, open the Home tab. In Backup click on Disk. Select the backup job and the VM to restore.

Restore Domain controleer - Select Backup job

In the ribbon, click the Entire VM option to restore the VM.

Restore Domain Controller - Select Entire VM Option

A wizard appears, only the concerned VM is selected, click on Next.

Domain Controller - Select VM

The VM will be restored to the same location, leave the default options in Restore Mode windows and click Next. The Restore to a new location or with different settings option allows you to restore the VM to another VMware cluster.

Restore mode - Select location for the restore operation

It is possible to scan the restored VM to make sure that no malware is present. Beware that this may require a longer restoration time.

Enable scan for the restored machine

Enter a reason and click on Next.

Enter a reason

Click Finish to proceed with the restore. Check Power on target VM after restoring to start the VM after the restore.

Click on Finish to restore VM

The restoration is in progress…

Restore is in progress

Following the restoration, the virtual machine starts a second time (if the network card is not connected wait for the reboot). Then the VM is well connected to the local network.

Test following the restoration

Verify that the Active Directory Users and Computers console is connected to the previously restored domain controller. Verify that the changes made after the backup are present.

Test if restore is functionnal

Additional tests must be run to ensure that the Active Directory is functioning properly after this restore. The following commands must be executed

DCDIAG /V /C /D /E > c:\dcdiag.txt
Repadmin /showrepl * /csv > c:\Report.csv

Copy a text file into the Sysvol directory. The file must be present on all the domain controllers. Use the local path and not the UNC path. This operation validates the replication of SYSVOL.

Authoritative restoration

This type of recovery can be used when all domain controllers are corrupted or an accidental deletion replicated to all DCs.

First, perform a non-authoritative restore (see above). On the second reboot, press the F8 key and select the Directory Services Repair Mode option.

Enable Directory Services Repair Mode

Open a session with .\administrator account. Password is the same has FORMATION\administrator (FORMATION is my Active Directory domain).

open a session with .\administrator account

Open a powershell prompt and run the following command for launch ntdsutil tools and enable authorative restore for subtree

activate instance ntds
authoritative restore
restore subtree "OU=Training,DC=Formation,DC=local"
configure ntdsutil for authoritative restore

Click Yes to perform Authoritative Restore.

Perform authoritative restoration

Restoration has been completed, close the powershell Widnows.

Authoritative restoration

Authoritative restoration for Active Directory is now been configured. You can now configure restoration for Sysvol.

DFSR is used for replicate Sysvol

Sysvol can be replicated by DFSR or FRS. If you used DFSR, you can run the following step. For the FRS replication see, the next section.

From the domain controller previously configured, access to the following registry key


Verify if the key Restore is present. Create it if it’s not present. Create a DWORD SYSVOL and enter authoritative value.

Configure authorative restoration

Access to the following registry key

Select registry key

Select SystemStateRestore key and modify the value of LastRestoreId. I modify by 10000000-0000-0000-0000-000000000000 but you can enter an other ID

Configure LastRestoreID

Restart the domain controller and restore all domain controller with non-authoritative method. You can verify the replication of the SYSVOL with gpotool command.

FRS is used for replicate Sysvol

Sysvol can be replicated by DFSR or FRS. If you used DFSR, you can run the following step. For the FRS replication see, the next section.

From the domain controller previously configured, access to the following registry key.


Change the value of the Burflag key to 000000D4 in hexadecimal or 212 in decimal.

Restart the computer.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.