In the previous article, we covered how to back up an Active Directory domain controller using Windows Server Backup. In this post, we’ll show you how to restore AD or a specific domain controller from a backup.
Before proceeding, you need to understand which recovery scenario you would like to use:
- Your domain controller (physical server or virtual machine) has failed, and there are still multiple online domain controllers in the domain. The best way to recover a domain controller in this case is replication recovery. Check whether the failed DC holds any FSMO roles. If it does, move the FSMO roles using PowerShell. Remove the failed DC computer account using the ADUC (dsa.msc) and Active Directory Sites and Services (dssite.msc) consoles. Then install a new Windows Server instance and promote it to a domain controller. The new DC will automatically replicate the AD database from the closest DC.
- You can use one of two methods to restore a domain controller from a previously created backup: nonauthoritative or authoritative restore.
- Nonauthoritative restore: you restore the failed domain controller from backup and wait while it replicates AD data from other DCs. The recovered domain controller lets other domain controllers update its database with the latest changes that occurred while it was offline. If your closest DC is in a remote branch office, this can cause significant replication traffic over the WAN link.
- Authoritative restore: in this mode, the domain controller restored from the backup is treated as holding the authoritative copy of the AD database. This DC gets the authority to update the databases of other domain controllers based on its data. This is the most difficult and time-consuming AD recovery mode, and it can lead to various unpleasant consequences. If you choose to use AD authoritative recovery mode, you must have a clear understanding of how Active Directory recovery works.
Hint. If you have a single domain controller and it is down, you can use Bare Metal Recovery in Windows Server Backup to restore a DC from a backup in Authoritative restore mode.
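The FSMO check from the first scenario above, as an added example that is not part of the original article: it lists the five role holders and, when run with the hypothetical -Seize switch, seizes the roles held by the failed DC. DC01 and DC02 are placeholder names, and the ActiveDirectory PowerShell module (RSAT) is assumed to be installed.

```powershell
#Requires -Modules ActiveDirectory
# Added example. DC01/DC02 are placeholder names; -Seize is this script's own switch.
param(
    [string]$FailedDC = 'DC01',   # short name of the failed DC (placeholder)
    [string]$TargetDC = 'DC02',   # healthy DC that will take over the roles (placeholder)
    [switch]$Seize                # without this switch the script only reports
)

# Query a surviving DC explicitly so the lookup does not depend on the failed one.
$domain = Get-ADDomain -Server $TargetDC
$forest = Get-ADForest -Server $TargetDC

# Map each of the five FSMO roles to its current holder (FQDN).
$holders = [ordered]@{
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
}
$holders.GetEnumerator() | Format-Table Key, Value -AutoSize

# Roles whose holder is the failed DC (match on short name or FQDN).
$orphaned = @($holders.GetEnumerator() |
    Where-Object { $_.Value -eq $FailedDC -or $_.Value -like "$FailedDC.*" } |
    ForEach-Object { $_.Key })

if (-not $orphaned) {
    Write-Host "No FSMO roles are held by $FailedDC; nothing to move."
    return
}
Write-Host "Roles held by ${FailedDC}: $($orphaned -join ', ')"

if ($Seize) {
    # -Force seizes the roles, which is needed when the current holder is offline.
    # The cmdlet prompts for confirmation before it changes anything.
    Move-ADDirectoryServerOperationMasterRole -Identity $TargetDC `
        -OperationMasterRole $orphaned -Force
} else {
    Write-Host "Run again with -Seize to move these roles to $TargetDC."
}
```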
Restoring DC from Backup
Note. Check our post on how to back up Windows Server with Veeam.
- Deploy a new server with the same version of Windows Server that was on the failed DC.
- Set the server network settings (static IP address, mask, DNS settings).
- You don’t need to give the server its old name, join it to the AD domain, or install the AD DS role.
- Install the Windows Server Backup role on the server:
Install-WindowsFeature -Name Windows-Server-Backup -IncludeAllSubFeature -IncludeManagementTools
- Run the msconfig command, go to the Boot tab and select the Active Directory Repair option.
- After the restart, Windows Server will boot into Directory Services Restore Mode (DSRM).
- Start Windows Server Backup (wbadmin) and select Recover.
- Select the options A backup stored on another location > select the backup location (local drive or remote UNC network folder) > specify the path > select the date of the backup you want to restore.
- Select to restore System State.
- In the next window, you can select the type of recovery for the Active Directory domain controller.
- If you want to use non-authoritative DC recovery, select the Original location option;
- If you need to perform an authoritative restore of a DC, enable the Perform an authoritative restore of Active Directory files option.
- Click the Recover button to recover your DC from a backup. After the recovery is complete, run MSConfig and disable Safe boot mode.
2 comments
Excellent tutorial, thank you Cyril! Your articles are always very easy to follow. Thank you for including illustrations.
Excellent. Thanks a lot. How could I restore AD on a new, different server from an external backup of the system state? Can you give me the step-by-step for doing that? I tried but failed.