If your Active Directory domain controller fails and you have a DC backup (created using Windows Server Backup or other backup tools), you can restore a single domain controller or the entire AD domain. In this article, we will show you how to perform a non-authoritative AD DS recovery using Windows Server Backup. It is assumed that you have a DC backup and you know the DSRM password (if the DSRM password is lost, you can reset it).
There are two domain controller recovery modes:
- Non-authoritative restore of Active Directory Domain Services: used when one of your domain controllers has failed and you do not want to add an additional DC to the domain. After a non-authoritative restore, the other domain controllers recognize that this DC was restored from a backup and replicate to it all the changes accumulated in AD since the backup was taken;
- Authoritative restore of AD DS: needed far less often, typically to bring back objects (users, groups, OUs) that were deleted and whose deletion has already replicated to every DC, or as part of a full forest recovery when the NTDS database is destroyed or corrupted on every DC. Objects marked authoritative on the restored DC receive a higher version number, so they win replication and are pushed out to all other DCs. Keep in mind that an incorrect authoritative restore can create new problems in your AD.
In the vast majority of cases, if you have several DCs deployed in your domain, the non-authoritative recovery is used. You can use non-authoritative DC recovery if:
- The physical server with the ADDS role has failed and you want to deploy the role of the old DC on the newly deployed server;
- You need to recover a virtual DC from a snapshot or clone, or roll it back. This is supported for virtualized DC guests running Windows Server 2012 or newer, and the hypervisor must expose VM-Generation ID (VM-GenID) to the guest (Hyper-V on Windows Server 2012, VMware vSphere 5.0 Update 2, or newer).
When performing non-authoritative DC recovery, the following steps will be taken:
- The state of the OS returns to the state at the time of backup;
- A new DSA invocation ID is generated. The invocation ID is the GUID that identifies this instance of the ntds.dit database in replication metadata (the DSA GUID itself does not change). By resetting it, the domain controller tells the other DCs in the forest that it was restored from a backup, so its reused USNs are not mistaken for changes they have already seen;
- The current RID pool is invalidated and a new one is requested from the DC holding the RID Master FSMO role. Without this, the restored DC would hand out RIDs it had already allocated before the backup was taken, and security principals with duplicate SIDs would appear in the forest;
- A non-authoritative SYSVOL restore takes place: the SYSVOL content is re-synchronized from the other DCs.
Hint. You can instead perform an authoritative SYSVOL restore (needed, for example, when SYSVOL is corrupted on every DC) by ticking the corresponding box in the WSB wizard or adding the -authsysvol flag to the wbadmin command (add -backupTarget: and -machine: if the backup is on another volume or was taken on another computer). For example: wbadmin start systemstaterecovery -version:03/01/2020-13:00 -authsysvol
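The four effects listed above can be checked on the restored DC once it is back in normal mode. The following PowerShell script is an added example (not code from the original article) and assumes the ActiveDirectory and SmbShare modules are available, that SYSVOL is replicated by DFSR rather than FRS, and that it runs elevated on the restored DC; the function name Test-RestoredDc is an assumption for this example.

```powershell
# Added example (not from the original article): verify on a DC that was just restored
# non-authoritatively that the effects described above actually took place.
# Assumptions: ActiveDirectory + SmbShare modules present, SYSVOL on DFSR (not FRS),
# run elevated on the restored DC after it has booted back into normal (non-DSRM) mode.
Import-Module ActiveDirectory

function Test-RestoredDc {
    param([string]$DcName = $env:COMPUTERNAME)

    $dc = Get-ADDomainController -Identity $DcName

    # 1. Invocation ID. A supported restore generates a new one and logs event 1109
    #    ("invocationID ... has been changed") in the Directory Service log. Event 2095
    #    means a USN rollback was detected, i.e. the DC was rolled back in an unsupported way.
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Directory Service'; Id = 1109, 2095 } `
                           -ErrorAction SilentlyContinue
    $invocationChanged = [bool]($events | Where-Object Id -eq 1109)
    $usnRollback       = [bool]($events | Where-Object Id -eq 2095)

    # 2. Inbound replication from every partner must succeed (LastReplicationResult 0).
    $inbound = @(Get-ADReplicationPartnerMetadata -Target $DcName -PartnerType Inbound -Partition *)
    $replOk  = ($inbound.Count -gt 0) -and
               -not ($inbound | Where-Object LastReplicationResult -ne 0)

    # 3. RID pool. The DC computer object points at its RID Set via rIDSetReferences.
    #    rIDPreviousAllocationPool is the pool currently in use: low 32 bits = first RID,
    #    high 32 bits = last RID. rIDNextRID must lie inside that range.
    $ridSetDn = [string](Get-ADComputer -Identity $DcName -Properties rIDSetReferences).rIDSetReferences
    $ridSet   = Get-ADObject -Identity $ridSetDn -Properties rIDPreviousAllocationPool, rIDNextRID
    $pool     = [int64]$ridSet.rIDPreviousAllocationPool
    $poolStart = $pool -band 0xFFFFFFFF
    $poolEnd   = $pool -shr 32
    $ridOk     = ($ridSet.rIDNextRID -ge $poolStart) -and ($ridSet.rIDNextRID -le $poolEnd)

    # 4. SYSVOL: both shares published and the DFSR "SYSVOL Share" folder in state 4 (Normal).
    $shares = @(Get-SmbShare | Where-Object { $_.Name -in 'SYSVOL', 'NETLOGON' })
    $sysvol = Get-CimInstance -Namespace root\microsoftdfs -ClassName DfsrReplicatedFolderInfo |
              Where-Object ReplicatedFolderName -eq 'SYSVOL Share'
    $sysvolOk = ($shares.Count -eq 2) -and ($sysvol.State -eq 4)

    [pscustomobject]@{
        DC                = $dc.HostName
        InvocationId      = $dc.InvocationId
        InvocationChanged = $invocationChanged
        UsnRollback       = $usnRollback
        ReplicationOk     = $replOk
        RidPool           = "$poolStart-$poolEnd (next $($ridSet.rIDNextRID))"
        RidPoolOk         = $ridOk
        SysvolOk          = $sysvolOk
        Healthy           = $invocationChanged -and -not $usnRollback -and $replOk -and $ridOk -and $sysvolOk
    }
}

Test-RestoredDc | Format-List
```

If `UsnRollback` is true, the DC was rolled back without the invocation ID reset described above (for example, a snapshot revert on a hypervisor without VM-GenID) and should be demoted and re-promoted rather than left in service.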
So, you perform a clean install of the same Windows Server version on a new server and want to restore the DC role from backup on it. Set the static IP address of the old DC for the server and install the ADDS role (without configuring it) and the Windows Server Backup feature.
In order to restore Active Directory, you need to boot the server into the Directory Services Restore Mode (DSRM). To do this, run the msconfig command, go to the Boot tab, select the Safe Boot > Active Directory repair option.
Or just execute the commands:
bcdedit /set safeboot dsrepair
shutdown -t 0 -r
Reboot the server. It should boot in DSRM mode. Run the Windows Server Backup (wbadmin) and select Recover from the action panel.
In the recovery wizard, select A backup stored on another location.
Select Local Drive as a backup location.
Select the backup version, date and time of system state backup that we are restoring.
On the Select Recovery screen, select System State.
Select Original location to perform non-authoritative restore.
Click on “Recover” button on the Confirmation step in order to start the recovery process.
Wait until the AD domain controller recovery is complete. The name of your new server will change to the name of the old DC.
Log on with the local Administrator account and the DSRM password (the restored server is now a domain controller booted in DSRM), then run msconfig and disable Safe Boot (otherwise the server will boot into DSRM again).
After the server boots up, run the Active Directory Users and Computers (ADUC) console and verify that it connects to your DC. Then confirm that inbound replication from the other DCs is working with repadmin /replsummary and dcdiag /test:replications.
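The same procedure can be driven from the command line instead of the WSB wizard, which is handy on Server Core or when the recovery must be repeatable. The script below is an added example, not code from the original article. The old DC name DC01, the addresses 192.168.1.10/24, gateway 192.168.1.1 and DNS server 192.168.1.11 (a surviving DC), the backup volume E: and the -Phase parameter are assumptions for this example; replace them with your own values.

```powershell
# Added example (not from the original article): non-authoritative DC restore from the CLI.
# Run -Phase Prepare on the freshly installed server, -Phase Restore after it reboots into
# DSRM, and -Phase Finish after the restore has rebooted the server (log on as .\Administrator
# with the DSRM password for Restore and Finish). All defaults below are placeholders.
[CmdletBinding()]
param(
    [Parameter(Mandatory)][ValidateSet('Prepare', 'Restore', 'Finish')][string]$Phase,
    [string]$OldDcName    = 'DC01',           # assumption: name of the failed DC
    [string]$IPAddress    = '192.168.1.10',   # assumption: its static address
    [int]   $PrefixLength = 24,
    [string]$Gateway      = '192.168.1.1',
    [string]$DnsServer    = '192.168.1.11',   # assumption: a surviving DC, for name resolution
    [string]$BackupVolume = 'E:',             # assumption: volume holding the WSB backup
    [string]$BackupVersion,                   # e.g. 03/01/2020-13:00, from 'wbadmin get versions'
    [switch]$AuthoritativeSysvol              # adds -authsysvol (see the hint above)
)

switch ($Phase) {
    'Prepare' {
        # Give the server the old DC's address so partners and clients find it after the restore.
        $nic = Get-NetAdapter | Where-Object Status -eq 'Up' | Select-Object -First 1
        New-NetIPAddress -InterfaceIndex $nic.ifIndex -IPAddress $IPAddress `
            -PrefixLength $PrefixLength -DefaultGateway $Gateway | Out-Null
        Set-DnsClientServerAddress -InterfaceIndex $nic.ifIndex -ServerAddresses $DnsServer
        # Role binaries only; do not run the promotion wizard.
        Install-WindowsFeature -Name AD-Domain-Services, Windows-Server-Backup -IncludeManagementTools
        # Next boot goes into Directory Services Restore Mode (same as msconfig > Safe boot > AD repair).
        bcdedit /set safeboot dsrepair
        Restart-Computer -Force
    }
    'Restore' {
        if (-not $BackupVersion) {
            # List the old DC's system state backups on the backup volume, then stop.
            wbadmin get versions -backupTarget:$BackupVolume -machine:$OldDcName
            throw 'Re-run with -BackupVersion set to one of the version identifiers listed above.'
        }
        $wbArgs = @(
            'start', 'systemstaterecovery',
            "-version:$BackupVersion",
            "-backupTarget:$BackupVolume",
            "-machine:$OldDcName",     # needed when the volume holds backups of several machines
            '-quiet'                   # no interactive confirmation prompt
        )
        if ($AuthoritativeSysvol) { $wbArgs += '-authsysvol' }
        & wbadmin @wbArgs
        if ($LASTEXITCODE -ne 0) { throw "wbadmin failed with exit code $LASTEXITCODE" }
        # Restoring to the original location requires a reboot; do it explicitly here.
        Restart-Computer -Force
    }
    'Finish' {
        # Clear the safe-boot flag so the next boot is a normal one (the msconfig step above).
        bcdedit /deletevalue safeboot
        Restart-Computer -Force
    }
}
```

After the final reboot, verify replication with repadmin /replsummary and dcdiag /test:replications as described above before relying on the restored DC.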