
Information

System State Restore of a server with the Windows Active Directory Domain Controller role allows restoration of the Active Directory Database. However, it requires special procedures which are different from a standard System State restore.

Overview

A Windows Server running Active Directory Domain Services must be booted into Directory Service Restore Mode (DSRM) in order to restore the System State. DSRM is similar to Windows Safe mode and has no Active Directory services running. 

DSRM mode behaves  very differently from standard

Requirements

There are many requirements for System State restore to an Active Directory Domain Controller, most of which revolve around the limitations of DSRM mode.


Active Directory restore cannot be performed if the backup archive is older than the tombstone lifetime set in Active Directory. This is a Microsoft limitation. See the following article for more information: Useful shelf life of a system-state backup of Active Directory
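As an added example (not part of this page or of ZCB), the following PowerShell check reads the forest's tombstone lifetime and compares it with the age of the backup you intend to restore. Run it in normal boot mode before entering DSRM, since Active Directory is not running in DSRM; the backup date below is a constructed value, the real one comes from the ZCB backup report.

```powershell
# Added example, not ZCB code. Run in NORMAL mode (AD must be online), before the restore.
# $BackupDate is constructed here; take the real value from the ZCB backup report.
function Test-BackupWithinTombstoneLifetime {
    param([Parameter(Mandatory = $true)][datetime]$BackupDate)

    # tombstoneLifetime is stored on the forest-wide Directory Service object.
    $rootDse  = [ADSI]"LDAP://RootDSE"
    $configNc = $rootDse.Properties["configurationNamingContext"].Value
    $dsObject = [ADSI]"LDAP://CN=Directory Service,CN=Windows NT,CN=Services,$configNc"
    $tsl      = $dsObject.Properties["tombstoneLifetime"].Value

    # If the attribute is not set, Windows applies a default of 60 days.
    if (-not $tsl) { $tsl = 60 }

    $ageDays = [math]::Floor(((Get-Date) - $BackupDate).TotalDays)

    New-Object PSObject -Property @{
        BackupDate        = $BackupDate
        BackupAgeDays     = $ageDays
        TombstoneLifetime = [int]$tsl
        SafeToRestore     = ($ageDays -lt [int]$tsl)
    }
}

# Constructed value: a backup taken 45 days ago.
$result = Test-BackupWithinTombstoneLifetime -BackupDate (Get-Date).AddDays(-45)
$result | Format-List BackupDate, BackupAgeDays, TombstoneLifetime, SafeToRestore
if (-not $result.SafeToRestore) {
    Write-Warning "Backup is older than the tombstone lifetime; restoring AD from it is not supported."
}
```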

Enable the built-in administrator account

  1. In normal boot mode, enable the built-in “administrator” account, which is disabled by default
    1. Assign a password. For this example, we will use dsrm-password as our password.
    2. See this Technet article for details: What Username and Password Do I Need to Use for Directory Services Restore Mode (DSRM) in SBS 2008?

The DSRM password can be reset using the following procedure: How To Reset the Directory Services Restore Mode Administrator Account Password

Boot into DSRM mode

  1. Restart the computer, and press F8 during the boot phase so that system boot menu is displayed. Select DSRM mode from the boot menu.
    1. See the following Technet articles for more details: 
      1. For Windows Server 2008, Windows Server 2008 R2 and up: Restart the Domain Controller in Directory Services Restore Mode Locally
      2. For Windows Server 2003, Windows Server 2003 R2: Restart the domain controller in Directory Services Restore Mode locally
  2. Log on to Windows
    1. Username: .\Administrator
    2. Password: dsrm-password

Reconfigure the log-on user for all ZCB Services

ZCB uses two services to control backup and restore, named ZWC Service and ZCB Service. In a standard environment, these services are configured to run as the amandabackup user. The amandabackup user is not available in DSRM mode. All ZCB services must be reconfigured to run under the Local System account. 

The ZWC-Database service will also exist, but runs as the Local System account by default.

  1. Open Services.msc
  2. Right click the ZWC Service and click Properties.
  3. Visit the Log On tab
  4. Change the log-on user to the Local System account.
  5. Restart the service.
  6. Repeat for ZCB Service and, if necessary, for ZWC-Database.

Once restoration is completed, reconfigure ZWC Service and ZCB Service to run as amandabackup.
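The service reconfiguration above can be scripted so that the switch to Local System before the restore and the switch back to amandabackup afterwards are both done the same way. This is an added example, not ZCB code; it assumes the two services carry the display names "ZWC Service" and "ZCB Service" as used in this page.

```powershell
# Added example, not ZCB code. Assumes the services' display names are "ZWC Service"
# and "ZCB Service" (as named on this page); adjust if your installation differs.
function Set-ZcbServiceLogon {
    param(
        [string[]]$DisplayName = @("ZWC Service", "ZCB Service"),
        # $null selects Local System; otherwise pass a credential such as .\amandabackup
        [System.Management.Automation.PSCredential]$Credential = $null
    )
    foreach ($name in $DisplayName) {
        $svc = Get-WmiObject Win32_Service -Filter "DisplayName='$name'"
        if (-not $svc) { Write-Warning "Service '$name' not found"; continue }

        if ($Credential) {
            $account  = $Credential.UserName                        # e.g. .\amandabackup
            $password = $Credential.GetNetworkCredential().Password
        } else {
            $account  = "LocalSystem"
            $password = ""
        }

        # Win32_Service.Change(): 7th argument is StartName, 8th is StartPassword;
        # $null leaves the other settings untouched. ReturnValue 0 means success.
        $rc = $svc.Change($null, $null, $null, $null, $null, $null, $account, $password).ReturnValue
        if ($rc -ne 0) { Write-Warning "Log-on change failed for '$name' (code $rc)"; continue }

        Restart-Service -DisplayName $name -Force
        $now = (Get-WmiObject Win32_Service -Filter "DisplayName='$name'").StartName
        Write-Host ("{0} now runs as {1}" -f $name, $now)
    }
}

# Before the restore (in DSRM): run the services as Local System.
Set-ZcbServiceLogon

# After the restore (back in normal mode): return them to amandabackup.
# Set-ZcbServiceLogon -Credential (Get-Credential ".\amandabackup")
```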

Restoration Process 

Once the server is in DSRM mode and the services reconfigured, restoration can begin. The process depends on where your backups are stored.

Scenario #1: Backup archives are stored on directly attached storage

  1. Simply open ZCB and proceed with restoration of the chosen System State backup to the Original Location.
  2. Use the Monitor or Report pages in ZCB to observe the restore progress and result. 

Scenario #2: Backup archives are in the Cloud.

  1. The DNS server must be set manually.
    1. Change DNS setting of your primary network interface to a public DNS server, such as OpenDNS: 208.67.222.222 or Google: 8.8.8.8.
    2. This setting will be reverted back by the restoration process.
    3. This step is required because the "Preferred DNS Server" setting of the local network adapter points to itself by default on a Domain Controller. However, the DNS service is not running in DSRM mode.
  2. Open ZCB and proceed with Restoration of the chosen System State backup run to Original Location. 
  3. Use the Monitor or Report pages in ZCB to observe the restore progress and result. 

Scenario #3: Backups are only on CIFS/NFS share.

There are two options:

  1. Ensure that the local administrator user account on the domain controller can access the network device using the dsrm-password password. 
    1. Map the share using “different credentials”.
    2. Test and ensure correct security permissions to the network share before the restore begins.
  2. If you are not able to access network share in DSRM mode, reboot to normal mode and copy the backup data from the network share to the local drive.
    1. Then use the "Restore Catalog from Local Directory" option in ZCB (Tools menu > Restore Catalog) to restore the backup set.

Once complete, open ZCB and proceed with Restoration of the chosen System State backup run to Original Location. Use the Monitor or Report pages in ZCB to observe the restore progress and result. 

Scenario #4: Backups are on a Windows Share.

This scenario is a bit challenging when there is a single domain controller, as it requires connecting to the network share when the domain controller is not available.

It is much simpler to copy the backup archive from the network share to the local drive, and then use the "Restore Catalog from Local Directory" option in ZCB (Tools menu > Restore Catalog) to restore the backup set. Once complete, open ZCB and proceed with Restoration of the chosen System State backup run to Original Location. Use the Monitor or Report pages in ZCB to observe the restore progress and result. 

If the above (moving the backup data to local system) is not possible, please continue with the directions below.

If the server is the only domain controller on the network:

  1. Reconfigure the network share containing your backup archives to give both Share and NTFS read permissions to a local administrator user on the member server.
    1. This is required because the member server has to query the DC to allow connection to its share, but the DC is not available, since it is booted in DSRM mode.
  2. If the local administrator user password on the member server is dsrm-password, the connection to the network share will work.
  3. If the chosen password is not dsrm-password, map the network drive with the credentials of any local user account (but not administrator) who has appropriate permissions on the member server.
    1. See the following article: http://technet.microsoft.com/en-us/library/bb490717.aspx. For instance: net use f: \\server\backup-share /user:hostname\somelocaluser
  4. Assign the same drive letter to the mapped network drive as in the original setup, i.e. the drive letter must be the same in DSRM and in normal boot mode.
  5. Open the ZCB user interface and proceed with Restoration of the latest System State backup run to Original Location.
  6. Use the Monitor or Report page in the ZCB UI to observe the restore progress and results.

If there are other domain controllers on the network:

  1. If the local administrator user password on the member server hosting the network share with your backup archive equals the dsrm-password of your domain controller, the connection to the network share will work.
    If the passwords are different, while booted in DSRM you need to map the network drive using the credentials of any domain user who has read permissions on your network share. See the following article: http://technet.microsoft.com/en-us/library/bb490717.aspx. For instance: net use f: \\server\backup-share /user:mydomain\yourusername
  2. Assign the same drive letter to the mapped network drive as in the original setup, i.e. the drive letter must be the same in DSRM and in normal boot mode.
  3. Open the ZCB user interface and proceed with Restoration of the latest System State backup run to Original Location.
  4. Use the Monitor or Report page in the ZCB UI to observe the restore progress and results.
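For Scenario #4 (both the single-DC and the multi-DC case), the mapping step can be wrapped so that the drive letter is checked against the one used in normal mode and read access is verified before ZCB is started. This is an added example, not ZCB code; the share path, drive letter and account are placeholders.

```powershell
# Added example, not ZCB code. Share path, drive letter and account are placeholders.
function Connect-BackupShare {
    param(
        [Parameter(Mandatory = $true)][string]$SharePath,    # e.g. \\server\backup-share
        [Parameter(Mandatory = $true)][char]$DriveLetter,    # must equal the letter used in normal mode
        [Parameter(Mandatory = $true)][System.Management.Automation.PSCredential]$Credential
    )
    $drive = "{0}:" -f $DriveLetter

    # ZCB expects the archive under the same drive letter it was backed up to, so refuse
    # to continue if that letter is already taken by another volume or mapping.
    if (Test-Path "$drive\") { throw "$drive is already in use; free it or use the original letter." }

    $user = $Credential.UserName                             # hostname\somelocaluser or mydomain\user
    $pass = $Credential.GetNetworkCredential().Password
    # Note: the password is passed on the command line and is visible to local process listings.
    & net use $drive $SharePath $pass /user:$user /persistent:no | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "net use failed for $SharePath (exit code $LASTEXITCODE)" }

    # Verify read access before the restore begins; undo the mapping if it fails.
    try {
        $items = @(Get-ChildItem -Path "$drive\" -ErrorAction Stop)
        Write-Host ("{0} mapped to {1}; {2} entries readable" -f $drive, $SharePath, $items.Count)
    } catch {
        & net use $drive /delete | Out-Null
        throw "Mapped $drive but cannot read it: $($_.Exception.Message)"
    }
}

# Example call (placeholders): same letter F: as in normal mode, local account on the member server.
# Connect-BackupShare -SharePath '\\server\backup-share' -DriveLetter 'F' -Credential (Get-Credential 'hostname\somelocaluser')
```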

Upon successful system state restore

Case #1: Your server is the one and only domain controller in your environment (e.g. Small Business Server, Windows Foundation Server, Windows Essentials Server)

Once the ZCB UI confirms that the System State restore was successful, simply restart your server; that's it.

Case #2: There are multiple domain controllers  in your environment

The Active Directory database exists on, and is replicated to, every domain controller in your environment. Every time any object in the database is updated, the database version number changes. Such changes are synchronized by the replication process that takes place between all domain controllers.

Option A (default): Non-authoritative restore 

By default, restoring System State on a domain controller is a non-authoritative AD restore, which means that after booting back to normal mode from DSRM, Active Directory will be updated (synchronized) to the latest version from the other DCs in your environment. In other words, the restored version of the AD database on your server is OLDER than the one present on all other domain controllers, so all changes that took place on the other domain controllers will be synchronized back to the restored controller.

For example:

  • you accidentally deleted some Organizational Unit in AD
  • synchronization between DCs took place and the deletion of this object propagated to the other domain controllers.
  • you run a System State restore on one of the domain controllers, which by default is a non-authoritative restore. The restored AD database contains the deleted objects, but its version is older than the one on the other DCs.
  • you boot the Domain Controller to normal mode and synchronization with the other DCs occurs
  • the deleted objects will NOT appear in AD, because the synchronization process will replay the deletion of your objects.

Therefore, if the goal of the System State restore on the Domain Controller is anything other than the restoration of deleted objects, you are done: simply reboot your server back to normal mode.

Otherwise, you need to perform authoritative restore. 

Option B: Authoritative restore 

Authoritative restore is the process of marking AD objects in the restored database as authoritative for the other domain controllers. After your restored server reboots to normal mode, the synchronization process will propagate these objects to the other domain controllers.

If your goal is to perform authoritative restore on your domain controller, follow these steps:

  1. Once the ZCB UI confirms that the System State restore was successful, and BEFORE you boot into normal mode, launch NTDSUTIL:
  2. Click Start, click Run, type ntdsutil, and then press ENTER.
  3. For Windows 2008 and up, at the ntdsutil: prompt, type activate instance ntds, and then press ENTER.
  4. At the ntdsutil: prompt, type authoritative restore, and then press ENTER.
  5. To restore a subtree or an individual object, type one of the following commands, as appropriate, and then press ENTER:

To restore a subtree (for example, an organizational unit and all child objects):

restore subtree DistinguishedName

To restore a single object:

restore object DistinguishedName

DistinguishedName: the distinguished name of the subtree or object that is to be marked authoritative

For example, if you want to restore a deleted organizational unit named Marketing NorthAm in the corp.contoso.com domain, type:

restore subtree "OU=Marketing NorthAm,DC=corp,DC=contoso,DC=com"

  6. Click Yes in the message box to confirm the command.
  7. At the authoritative restore: and ntdsutil: prompts, type quit and then press ENTER.
  8. Restart the domain controller in normal operating mode.


For more information see following Technet articles:
