...

A Windows Server running Active Directory Domain Services must be booted into Directory Service Restore Mode (DSRM) in order to restore the System State. DSRM is similar to Windows Safe mode and has no Active Directory services running. 

DSRM mode behaves very differently from normal boot mode.

Requirements

There are many requirements for System State restore to an Active Directory Domain Controller, most of which revolve around the limitations of DSRM mode.

...

  1. In normal boot mode, enable the built-in “administrator” account, which is disabled by default
    1. Assign a password. For all examples on this page, we will use dsrm-password as our password.
    2. See this Technet article for details: What Username and Password Do I Need to Use for Directory Services Restore Mode (DSRM) in SBS 2008?

...

  1. Restart the computer, and press F8 during the boot phase so that the system boot menu is displayed.
  2. Select DSRM mode from the boot menu.
    1. See the following Technet articles for more details: 
      1. For Windows Server 2008, Windows Server 2008 R2 and up: Restart the Domain Controller in Directory Services Restore Mode Locally
      2. For Windows Server 2003, Windows Server 2003 R2: Restart the domain controller in Directory Services Restore Mode locally
  3. Log on to Windows
    1. Username: .\Administrator
    2. Password: dsrm-password

...

The ZWC-Database service will also exist, but it runs as the Local System account by default.

To reconfigure the log-on user:

  1. Open Services.msc
  2. Right click the ZWC Service and click Properties.
  3. Visit the Log On tab
  4. Change the log-on user to the Local System account.
  5. Restart the service.
  6. Repeat for ZCB Service and, if necessary, for ZWC-Database.

The ZWC Service and ZCB Service log-on settings will be reverted back to amandabackup as part of the restoration process. If you must perform multiple DSRM restores for some reason, please remember to change the log-on user for these services before you begin each time.
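
A scripted version of the check and change above, as an added example that is not part of the original page or of Zmanda's tooling. It assumes PowerShell 3.0 or later and that the names used on this page are the services' display names.

```powershell
# Added example, not Zmanda's own tooling. Run from an elevated PowerShell
# prompt after logging on in DSRM mode and before starting each restore.
# Assumption: the names used on this page are the services' display names.
$displayNames = 'ZWC Service', 'ZCB Service'   # add 'ZWC-Database' if necessary

foreach ($display in $displayNames) {
    $svc = Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.DisplayName -eq $display }
    if (-not $svc) {
        Write-Warning "No service with display name '$display' was found."
        continue
    }

    if ($svc.StartName -ne 'LocalSystem') {
        Write-Host "$display logs on as $($svc.StartName); switching to LocalSystem."
        # sc.exe expects "obj=" and its value as separate tokens.
        & sc.exe config $svc.Name obj= LocalSystem | Out-Null
        if ($LASTEXITCODE -ne 0) {
            Write-Warning "sc.exe config failed for $display (exit code $LASTEXITCODE)."
            continue
        }
        Restart-Service -Name $svc.Name -Force
    }

    # Re-read the service to confirm the log-on account that is now in effect.
    $after = Get-CimInstance -ClassName Win32_Service -Filter "Name='$($svc.Name)'"
    '{0}: log-on account = {1}, state = {2}' -f $display, $after.StartName, $after.State
}
```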

Restore the System State

Restoration can begin once the server is in DSRM mode and the services are reconfigured. The process depends on where your backups are stored.

...

  1. Simply open ZCB and proceed with restoration of the chosen System State backup to the Original Location.
  2. Use the Monitor or Report pages in ZCB to observe the restore progress and result. 

...

  1. The DNS server must be set manually, unless there are multiple Domain Controllers (DNS Servers) in your environment. 
    1. Change the DNS setting of your primary network interface to a public DNS server, such as OpenDNS: 208.67.222.222 or Google: 8.8.8.8.
    2. This setting will be reverted back by the restoration process.
    3. This step is required because the "Preferred DNS Server" setting of the local network adapter points to itself by default on a Domain Controller. However, the DNS service is not running in DSRM mode.
  2. Open ZCB and proceed with Restoration of the chosen System State backup run to Original Location. 
  3. Use the Monitor or Report pages in ZCB to observe the restore progress and result. 

...

Once completed, open ZCB and proceed with Restoration of the chosen System State backup run to Original Location. Use the Monitor or Report pages in ZCB to observe the restore progress and result. 

...

It is much simpler to copy the backup archive from the network share to the local drive, and then use the "Restore Catalog from Local Directory" option in ZCB (Tools menu > Restore Catalog) to restore the backup set. Once complete, open ZCB and proceed with Restoration of the chosen System State backup run to Original Location. Use the Monitor or Report pages in ZCB to observe the restore progress and result. 

...

  1. Reconfigure the network share containing your backup archives to give both Share and NTFS read permissions to a local administrator user on the member server.
    1. This is required because the member server has to query the DC to allow connection to its share, but the DC is not available, since it is booted in DSRM mode.
  2. If the local administrator user password on the member server is dsrm-password, the connection to network share will work.
  3. If the chosen password is not dsrm-password, map the network drive with the credentials of any local user account (but not administrator) who has appropriate permissions on the member server.
    1. See the following article http://technet.microsoft.com/en-us/library/bb490717.aspx
  4. Assign the same drive letter to the mapped network drive as in the original setup.
    1. Example: If the mapped drive was assigned to Z:\ in normal boot mode, it should also be assigned to Z:\ in DSRM mode.
  5. Open ZCB and proceed with Restoration of the latest System State backup run to Original Location.
  6. Use the Monitor or Report pages in ZCB to observe the restore progress and result.

If there are other domain controllers on the network:

  1. If the local administrator user password on the member server is dsrm-password, the connection to network share will work.
  2. If the chosen password is not dsrm-password, map the network drive with the credentials of any local user account (but not administrator) who has appropriate permissions on the member server.
    1. See the following article http://technet.microsoft.com/en-us/library/bb490717.aspx
  3. Assign the same drive letter to the mapped network drive as in the original setup.
    1. Example: If the mapped drive was assigned to Z:\ in normal boot mode, it should also be assigned to Z:\ in DSRM mode.
  4. Open ZCB and proceed with Restoration of the latest System State backup run to Original Location.
  5. Use the Monitor or Report pages in ZCB to observe the restore progress and result. 

...

The Active Directory database exists and is replicated to every domain controller in your environment. Every time any object in the database is updated, the database version number changes. Such changes are synchronized by the replication process that takes place between all domain controllers. 

...

If the goal of your System State restore is to restore a deleted Active Directory object, you must mark this restore as an authoritative restore.

...

  1. After the System State restore is successful, but before you boot into normal mode, launch NTDSUTIL.
    1. Click Start, click Run, type ntdsutil, and then press ENTER.
  2. In Windows 2008 and up, type activate instance ntds at the ntdsutil prompt and then press ENTER.
    1. This step is not necessary for Windows 2003.
  3. Type authoritative restore at the ntdsutil prompt and then press ENTER.
  4. To restore a subtree or individual object, type one of the following commands, as appropriate, and then press ENTER:
    1. To restore a subtree (for example, an organizational unit and all child objects):
      restore subtree DistinguishedName
    2. To restore a single object:
      restore object DistinguishedName
    3. DistinguishedName is the distinguished name of the subtree or object that is to be marked authoritative
  5. For example, if you want to restore a deleted organizational unit named Marketing NorthAm in the corp.contoso.com domain, type:
    1. restore subtree "OU=Marketing NorthAm,DC=corp,DC=contoso,DC=com"
  6. Click Yes in the message box to confirm the command.
  7. At the authoritative restore: and ntdsutil prompts, type quit and then press ENTER.
  8. Restart the domain controller in normal operating mode.

...