
Information

Performing a System State restore of a computer (or virtual machine) holding the Windows Active Directory Domain Controller role restores the Active Directory database as well. However, it requires a special procedure, which differs from running a System State restore on a member computer of an Active Directory domain or on a stand-alone Windows operating system instance.

Overview

To restore System State on a Windows Server running Active Directory Domain Services, the computer must be booted into Directory Services Restore Mode (DSRM), which is in essence similar to Windows Safe Mode with no Active Directory services running.

This means the following in the context of a System State restore using ZCB:

    1. All ZCB services are configured to run as the amandabackup user, which is not available in DSRM.
    2. Therefore you need to reconfigure and restart all ZCB services (ZWC Service, ZWC-MySQL and ZCB Service) to run under the LocalSystem account.
    3. Once the restoration is completed, all ZCB services are reset to run as the amandabackup user again.

In the instructions below, we provide general steps which apply to all versions of the Windows Server OS. Some specific Windows versions might require additional or different steps, which are noted below.

Booting into DSRM mode

The steps are:

  1. For Windows Small Business Server or Windows Server Essentials operating systems:
    1. Enable the built-in “administrator” account, which is disabled by default, and assign it a password. For this example, we will call it “dsrm-password”.
    2. In normal boot, change the DSRM password to “dsrm-password”. See this article: http://blogs.technet.com/b/sbs/archive/2009/02/27/what-username-and-password-do-i-need-to-use-for-directory-services-restore-mode-dsrm-in-sbs-2008.aspx
  2. For all Windows versions: restart the computer and press F8 during the boot phase so that the system boot menu is displayed, then select DSRM. See the following TechNet articles for more details:
    For Windows Server 2008, Windows Server 2008 R2 and up: Restart the Domain Controller in Directory Services Restore Mode Locally
    For Windows Server 2003, Windows Server 2003 R2: Restart the domain controller in Directory Services Restore Mode locally
  3. In case you forgot or do not know the DSRM password, you can reset it using the following procedure: How To Reset the Directory Services Restore Mode Administrator Account Password
  4. Log in to Windows using the following format: user name .\Administrator and password dsrm-password
  5. Use Control Panel - Services to reconfigure all ZCB services (ZWC Service, ZWC-MySQL, ZCB Service) to run under the LocalSystem account and restart them.

    Warning: in case you forget or do not know the DSRM password, you can reset it by following this TechNet article: Reset the DSRM Administrator Password
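Step 5 above, done from the command line instead of the Services console, as an added example that is not part of the ZCB documentation. It locates the three services by the display names the page lists, stops them, switches their logon account, restarts them, and then verifies the result by reading the account back from sc.exe. It assumes that amandabackup is a local account (.\amandabackup) and that starting ZWC-MySQL before the other two services is a safe order; both are assumptions, not facts stated on the page. Run it from an elevated Windows PowerShell prompt while booted in DSRM.

```powershell
# Added example (not ZCB's own code): switch the ZCB services between the
# amandabackup account and LocalSystem for a DSRM restore, then verify.
# Assumptions: services are found by the display names the page lists,
# amandabackup is a local account, and the order below is a safe start order.

$ZcbDisplayNames = @('ZWC-MySQL', 'ZWC Service', 'ZCB Service')   # assumed start order

function Get-ZcbService {
    foreach ($display in $ZcbDisplayNames) {
        $svc = Get-Service -DisplayName $display -ErrorAction SilentlyContinue
        if (-not $svc) { throw "No service with display name '$display' is installed" }
        $svc
    }
}

function Get-ServiceStartName {
    # Read the logon account from 'sc qc'; works on every Windows version the page covers
    param([Parameter(Mandatory)][string]$Name)
    $line = (& sc.exe qc $Name) | Where-Object { $_ -match 'SERVICE_START_NAME' } | Select-Object -First 1
    if ($line -and $line -match ':\s*(.+)$') { return $Matches[1].Trim() }
    throw "sc qc did not report a logon account for $Name"
}

function Set-ZcbServiceAccount {
    param([Parameter(Mandatory)][ValidateSet('LocalSystem', 'amandabackup')][string]$Account)
    $services = @(Get-ZcbService)
    $password = $null
    if ($Account -eq 'amandabackup') {
        # Prompt rather than hard-coding the password in the script
        $cred = Get-Credential -Credential '.\amandabackup'
        $password = $cred.GetNetworkCredential().Password
    }
    # Stop dependents first (reverse of the start order), reconfigure, then start in order
    for ($i = $services.Count - 1; $i -ge 0; $i--) {
        Stop-Service -Name $services[$i].Name -Force -ErrorAction Stop
    }
    foreach ($svc in $services) {
        if ($Account -eq 'LocalSystem') {
            $out = & sc.exe config $svc.Name obj= LocalSystem          # note the space after 'obj='
        } else {
            $out = & sc.exe config $svc.Name obj= .\amandabackup password= $password
        }
        if ($LASTEXITCODE -ne 0) { throw "sc config failed for $($svc.Name): $out" }
    }
    foreach ($svc in $services) { Start-Service -Name $svc.Name -ErrorAction Stop }
}

function Test-ZcbServiceAccount {
    # Returns $true only when every ZCB service runs under the expected account and is Running
    param([Parameter(Mandatory)][ValidateSet('LocalSystem', 'amandabackup')][string]$Account)
    $ok = $true
    foreach ($svc in Get-ZcbService) {
        $startName = Get-ServiceStartName -Name $svc.Name
        $status    = (Get-Service -Name $svc.Name).Status
        $accountOk = if ($Account -eq 'LocalSystem') { $startName -eq 'LocalSystem' }
                     else { $startName -like '*\amandabackup' }
        Write-Host ("{0,-12} account={1,-18} status={2}" -f $svc.DisplayName, $startName, $status)
        if (-not $accountOk -or $status -ne 'Running') { $ok = $false }
    }
    return $ok
}

# Before opening the ZCB UI in DSRM:
Set-ZcbServiceAccount -Account LocalSystem
if (-not (Test-ZcbServiceAccount -Account LocalSystem)) { throw 'ZCB services are not all running as LocalSystem' }
# The restore resets the services to amandabackup itself; only if it did not:
# Set-ZcbServiceAccount -Account amandabackup
```

The verification step matters because a service that was reconfigured but failed to start (for example because it still depends on a service that was not switched) would leave the ZCB UI unable to run the restore; checking both the logon account and the Running state catches that before you start.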

Restoration Process (once in the DSRM Mode)

Scenario #1: Backup archives are stored on directly attached storage.

  1. Simply open the ZCB user interface and proceed with Restoration of the latest System State backup run to Original Location.
  2. Use the Monitor / Report page in the ZCB UI to observe Restore progress/results.

Scenario #2: Backup archives are in the Cloud.

  1. In case you have a single Domain Controller in your environment, you will need to change the DNS setting of your primary network interface to a public DNS server, such as OpenDNS (208.67.222.222) or Google (8.8.8.8).
    1. This setting will be reverted by the restoration process.
    2. This step is required because, by default, the "Preferred DNS Server" setting of a Domain Controller's local network adapter points to itself, but the DNS service is not running in DSRM.
  2. Open the ZCB user interface and proceed with Restoration of the latest System State backup run to Original Location.
  3. Use the Monitor / Report page in the ZCB UI to observe Restore progress/results.
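Step 1 of this scenario as a script, added here as an example that is not part of the ZCB documentation: it records the adapter's current resolver, points it at the public resolver the page names, flushes the local cache, and confirms that a host name actually resolves before you start the restore in the ZCB UI. The adapter name 'Local Area Connection' and the host name cloud-storage.example.com are placeholders (assumptions): list your adapters with `netsh interface ip show config` and substitute the storage host your ZCB installation uses.

```powershell
# Added example (not ZCB's own code): temporary public DNS for a cloud restore in DSRM.
# Assumptions: adapter name and cloud host name below are placeholders to replace.

$AdapterName = 'Local Area Connection'       # PLACEHOLDER: see 'netsh interface ip show config'
$PublicDns   = '208.67.222.222'              # OpenDNS, as on the page; 8.8.8.8 works as well
$CloudHost   = 'cloud-storage.example.com'   # PLACEHOLDER: the storage host ZCB talks to

function Show-CurrentDns {
    # Record the current resolver before changing it (the restore reverts it, but keep a copy)
    & netsh interface ip show dns name="$AdapterName"
}

function Set-TemporaryDns {
    & netsh interface ip set dns name="$AdapterName" static $PublicDns
    if ($LASTEXITCODE -ne 0) { throw "netsh could not set DNS on adapter '$AdapterName'" }
    # Drop answers cached while the DC's own (now stopped) DNS service was responding
    & ipconfig /flushdns | Out-Null
}

function Test-CloudResolution {
    # Returns $true when the host resolves through the new resolver
    param([string]$HostName = $CloudHost)
    try {
        $addresses = [System.Net.Dns]::GetHostAddresses($HostName)
        Write-Host ("{0} -> {1}" -f $HostName, ($addresses -join ', '))
        return ($addresses.Count -gt 0)
    } catch {
        Write-Host "Resolution of $HostName failed: $($_.Exception.Message)"
        return $false
    }
}

Show-CurrentDns
Set-TemporaryDns
if (-not (Test-CloudResolution)) {
    throw 'Name resolution still fails; check the adapter name and outbound connectivity'
}
```

The resolution check is the part worth keeping even if you change DNS by hand: a restore that starts without working name resolution fails only after the ZCB UI has tried to reach the cloud, which is slower to diagnose than a failed lookup up front.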

Scenario #3: Backups are only in CIFS/NFS share.

You have two options for reaching the share:

  1. Make sure that the local administrator user on the domain controller can access the network device using the dsrm-password password.
    1. You can map the share using “different credentials”.
    2. It is up to the user to test and establish correct security permissions on the network share.
  2. If you are not able to access the network share in DSRM, reboot to normal mode and copy the backup data from the network share to the local drive. Then use the "Restore Catalog from Local Directory" option in ZCB (Tools menu > Restore Catalog) to restore the backup set.
  3. Open the ZCB user interface and proceed with Restoration of the latest System State backup run to Original Location.
  4. Use the Monitor / Report page in the ZCB UI to observe Restore progress/results.

Scenario #4: Backups are in a Windows Share.

This scenario is a bit challenging, as it requires connecting to the network share while the domain controller is not available. To avoid the steps below, you can copy the backup data from the network share to the local drive and use the "Restore Catalog from Local Directory" option in ZCB (Tools menu > Restore Catalog) to restore the backup set.

If the above (moving the backup data to the local system) is not possible, then please continue with the directions below.

If your server is the only domain controller on the network:

  1. Reconfigure the network share containing your backup archives to give both Share and NTFS read permission to a local administrator user on the member server. This is required because the member server has to query the DC to allow a connection to its share, but the DC is not available, since it is booted in DSRM.
  2. If the local administrator user password on the member server equals the dsrm-password of your domain controller, the connection to the network share will work. If the passwords are different, then while booted in DSRM you need to connect/map the network drive with the credentials of a local user account on the member server (other than administrator) that has appropriate permissions. See the following article: http://technet.microsoft.com/en-us/library/bb490717.aspx. For instance: net use f: \\server\backup-share /user:hostname\somelocaluser
  3. You need to assign the same drive letter to the mapped network drive as in the original setup, i.e. the drive letter should be the same in DSRM and in normal boot mode.
  4. Open the ZCB user interface and proceed with Restoration of the latest System State backup run to Original Location.
  5. Use the Monitor / Report page in the ZCB UI to observe Restore progress/results.

If there are other domain controllers on the network:

  1. If the local administrator user password on the member server hosting the network share with your backup archive equals the dsrm-password of your domain controller, the connection to the network share will work.
    If the passwords are different, then while booted in DSRM you need to map the network drive using the credentials of any domain user who has read permission on your backup network share. See the following article: http://technet.microsoft.com/en-us/library/bb490717.aspx. For instance: net use f: \\server\backup-share /user:mydomain\yourusername
  2. You need to assign the same drive letter to the mapped network drive as in the original setup, i.e. the drive letter should be the same in DSRM and in normal boot mode.
  3. Open the ZCB user interface and proceed with Restoration of the latest System State backup run to Original Location.
  4. Use the Monitor / Report page in the ZCB UI to observe Restore progress/results.
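The mapping steps of both lists above, as an added example that is not part of the ZCB documentation: it checks that the drive letter ZCB used in normal mode is still free in DSRM (a local volume or a stale mapping on that letter would silently change the path the catalog expects), maps the share with net use while prompting for the password instead of taking it on the command line, and then confirms the share can be listed before you open the ZCB UI. The letter F:, the path \\server\backup-share and the account hostname\somelocaluser are the page's illustrative values; use mydomain\yourusername when other domain controllers are online.

```powershell
# Added example (not ZCB's own code): map the backup share in DSRM under the same
# drive letter used in normal mode and verify it is readable.
# Assumptions: F:, \\server\backup-share and hostname\somelocaluser are the page's
# placeholder values; replace them with your own.

$DriveLetter = 'F:'
$SharePath   = '\\server\backup-share'
$UserName    = 'hostname\somelocaluser'   # or mydomain\yourusername with other DCs online

function Test-DriveLetterFree {
    # DriveInfo lists local volumes and existing mappings alike, so either conflict is caught
    $used = [System.IO.DriveInfo]::GetDrives() | ForEach-Object { $_.Name.Substring(0, 2) }
    return ($used -notcontains $DriveLetter)
}

function Connect-BackupShare {
    if (-not (Test-DriveLetterFree)) {
        throw "$DriveLetter is already in use; ZCB expects the same letter as in normal mode"
    }
    # '*' makes net use prompt for the password; /persistent:no keeps this
    # DSRM-only mapping from being recreated at the next normal-mode logon
    & net use $DriveLetter $SharePath * /user:$UserName /persistent:no
    if ($LASTEXITCODE -ne 0) {
        throw "net use failed for $SharePath (check Share and NTFS read permission, or the account used)"
    }
}

function Test-BackupShareReadable {
    # Returns $true when the mapped share can be listed; prints a few entries as a sanity check
    try {
        $entries = @(Get-ChildItem -Path "$DriveLetter\" -ErrorAction Stop)
        $entries | Select-Object -First 5 | ForEach-Object { Write-Host ('  ' + $_.Name) }
        return $true
    } catch {
        Write-Host "Cannot list $DriveLetter : $($_.Exception.Message)"
        return $false
    }
}

Connect-BackupShare
if (-not (Test-BackupShareReadable)) {
    throw 'Fix Share/NTFS read permission on the member server before starting the restore'
}
```

Prompting for the password rather than passing it as an argument keeps it out of the console history and the process command line, which matters here because the account used is the member server's local administrator or a domain user with read access to every backup archive.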

Upon successful system state restore

Case #1: Your server is the one and only domain controller in your environment (e.g. Small Business Server, Windows Foundation Server, Windows Essentials Server)

Once the ZCB UI confirms that the System State restore was successful, simply restart your server - that's it.

Case #2: There are multiple domain controllers in your environment

The Active Directory database exists on, and is replicated to, every domain controller in your environment. Every time any object in the database is updated, the database version changes. Such changes are synchronized by the replication process that takes place between all domain controllers.

Option A (default): Non-authoritative restore

By default, restoring System State on a domain controller is a non-authoritative AD restore, which means: after booting back into normal mode from DSRM, Active Directory will be updated (synchronized) to the latest version from the other DCs in your environment. In other words, the restored version of the AD database on your server is OLDER than the one present on all other domain controllers, therefore all changes that took place on the other domain controllers will be synchronized back to the restored controller.

For example:

  • You accidentally deleted an Organizational Unit in AD.
  • Synchronization between DCs took place and the deletion of this object propagated to the other domain controllers.
  • You run a System State restore on one of the domain controllers, which by default is a non-authoritative restore. The restored AD database contains the deleted objects, but its version is older than on the other DCs.
  • You boot the Domain Controller into normal mode and synchronization with the other DCs occurs.
  • The deleted objects will NOT appear in AD, because the synchronization process will replay the deletion of your objects.


Therefore, if the goal of the System State restore on the Domain Controller is anything other than the restoration of deleted objects, you are done: simply reboot your server back into normal mode.

Otherwise, you need to perform an authoritative restore.

Option B: Authoritative restore 

An authoritative restore is the process of marking AD objects in the restored database as authoritative for the other domain controllers. After rebooting your restored server into normal mode, the synchronization process will propagate these objects to the other domain controllers.

If your goal is to perform authoritative restore on your domain controller, follow these steps:

  1. Once the ZCB UI confirms that the System State restore was successful, and BEFORE you boot into normal mode, launch NTDSUTIL:
  2. Click Start, click Run, type ntdsutil, and then press ENTER.
  3. For Windows Server 2008 and up, at the ntdsutil: prompt, type activate instance ntds, and then press ENTER.
  4. At the ntdsutil: prompt, type authoritative restore, and then press ENTER.
  5. To restore a subtree or an individual object, type one of the following commands, as appropriate, and then press ENTER:

To restore a subtree (for example, an organizational unit and all child objects):

restore subtree DistinguishedName

To restore a single object:

restore object DistinguishedName

DistinguishedName: the distinguished name of the subtree or object that is to be marked authoritative.

For example, if you want to restore a deleted organizational unit named Marketing NorthAm in the corp.contoso.com domain, type:

restore subtree "OU=Marketing NorthAm,DC=corp,DC=contoso,DC=com"

  6. Click Yes in the message box to confirm the command.
  7. At the authoritative restore: and ntdsutil: prompts, type quit and then press ENTER.
  8. Restart the domain controller in normal operating mode.


For more information, see the following TechNet articles:
