Information

To restore System State on SBS 2011, the computer must be booted into Directory Services Restore Mode (DSRM), because the SBS 2011 server is the Active Directory domain controller.

DSRM, in essence, is like Windows Safe mode, with no AD service running.

This means the following in the context of System State restore using ZCB:

  1. Your System State backup sets need to have encryption turned off.
    1. To decrypt encrypted backups at restore time, ZCB needs access to the certificate, which is installed into the certificate store of the amandabackup user. Because this user account is not available in DSRM, restoring encrypted System State backups will fail. It is therefore highly recommended NOT to encrypt System State backups: restoring them is complex and may be impossible.
  2. To restore System State backups, you will need to reconfigure all ZCB services (ZWC Service, ZWC-MySQL, and ZCB Service) to run under the LocalSystem account.
    1. All ZCB services are configured to run as the amandabackup user, which is not available in DSRM.
    2. Reconfigure all ZCB services to run under the LocalSystem account and restart them.
    3. Once restoration is completed, all services will be reset to run as the amandabackup user.

Booting into DSRM mode

The steps are:

  1. Enable the built-in “administrator” account, which is disabled by default, and assign it a password.
    1. For this example, we will call it “dsrm-password”.
  2. In normal boot, change the DSRM password to “dsrm-password”. See this article: http://blogs.technet.com/b/sbs/archive/2009/02/27/what-username-and-password-do-i-need-to-use-for-directory-services-restore-mode-dsrm-in-sbs-2008.aspx
  3. Boot Windows in DSRM (press F8 during boot).
  4. Log in to Windows using the following format: YourServerName/Administrator and dsrm-password.
  5. Reconfigure all ZCB services to run under the LocalSystem account and restart them.
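
The service reconfiguration in step 5 can be scripted; the PowerShell below is an added example, not part of the original article or of Zmanda's tooling. The display-name patterns and the CSV path are assumptions, so check them against the Services console before use.

```powershell
# Added example, not Zmanda's own tooling. Run elevated on the SBS 2011 server.
# Assumption: the ZCB services' display names start with "ZWC" or "ZCB"
# (the article names them ZWC Service, ZWC-MySQL and ZCB Service).
$patterns = 'ZWC*', 'ZCB*'
$record   = 'C:\zcb-service-accounts.csv'   # hypothetical path for the record

function Get-ZcbService {
    # Win32_Service exposes StartName, the account each service logs on as.
    Get-WmiObject -Class Win32_Service | Where-Object {
        $name = $_.DisplayName
        @($patterns | Where-Object { $name -like $_ }).Count -gt 0
    }
}

function Switch-ZcbToLocalSystem {
    # Run in DSRM, before starting the restore.
    $services = @(Get-ZcbService)
    if ($services.Count -eq 0) { throw 'No ZCB services matched; adjust $patterns.' }

    # Record the current logon accounts for later comparison.
    $services | Select-Object Name, DisplayName, StartName |
        Export-Csv -Path $record -NoTypeInformation

    foreach ($svc in $services) {
        # sc.exe syntax requires the space after "obj=".
        & sc.exe config $svc.Name obj= LocalSystem | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "sc.exe config failed for $($svc.Name)" }
        Restart-Service -Name $svc.Name -Force
    }
    Get-ZcbService | Select-Object Name, StartName, State
}

function Test-ZcbServiceAccount {
    # Run after the restore and a normal reboot. Returns any ZCB service that
    # is not back on the amandabackup account; an empty result is the goal.
    Get-ZcbService |
        Where-Object { $_.StartName -notlike '*amandabackup*' } |
        Select-Object Name, StartName
}
```

Load the functions into the session, call Switch-ZcbToLocalSystem once logged in under DSRM, and call Test-ZcbServiceAccount after the restored server has rebooted normally to confirm that no ZCB service was left running as LocalSystem.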

Restoration Process (once in the DSRM Mode)

Scenario #1: Backups are in locally attached storage.

Simply open the ZCB user interface and proceed with restoration of the System State backup run.
 

Scenario #2: Backups are in Cloud.

  1. Change the DNS setting to a public DNS server, such as OpenDNS: 208.67.222.222.
    1. This setting will be reverted by the restoration process.
    2. This step is required because, by default, the "Preferred DNS Server" setting of the local network adapter on a domain controller points to the server itself, but the DNS service is not running in DSRM.
  2. Open the ZCB user interface and proceed with restoration of the System State backup run.

Scenario #3: Backups are in CIFS/NFS share.

You have two options:

  1. Make sure that the administrator user on the SBS 2011 machine can access the network device using the dsrm-password password.
    1. Or you can map the share using “different credentials”.
    2. It is up to the user to test and establish the correct security permissions on the network share.
  2. Copy the backup data from the network share to the local drive, then use the "Restore Catalog from Local Directory" option in ZCB (Tools menu > Restore Catalog) to restore the backup set.

Scenario #4: Backups are in a Windows Share.

This scenario is a bit challenging as it requires connecting to the network share when the domain controller is not available.

To avoid the steps below, you can copy the backup data from the network share to the local drive and use the "Restore Catalog from Local Directory" option in ZCB (Tools menu > Restore Catalog) to restore the backup set.

If moving the backup data to the local system is not possible, continue with the directions below.

If SBS 2011 is the only domain controller on the network (90% of installations):

  1. Reconfigure the network share to give both Share and NTFS permissions to a local user on the member server. This is required because the member server has to query the DC to allow a connection to its share, but the DC is not available while it is booted in DSRM.
  2. If the local administrator password on the member server equals the dsrm-password of the SBS 2011 server, the connection to the network share should work. If not, then from the SBS 2011 server booted in DSRM, the user needs to connect to or map the network drive using the “local user on member server” credentials, and map it to the same drive letter as in the original setup.

If there are other domain controllers on the network:

  1. By default, restoring System State in this case is a non-authoritative restore, i.e. the other domain controllers will replicate all changes back to the restored AD. If the user needs to restore AD objects, they will need to follow this article for guidelines: http://blogs.technet.com/b/sbs/archive/2011/03/31/how-to-perform-an-authoritative-system-state-restore-in-sbs-2008-2011-standard.aspx
  2. If the local administrator password on the member server equals the dsrm-password of the SBS 2011 server, the connection to the network share should work. If not, then from the SBS 2011 server booted in DSRM, the user needs to connect to or map the network drive using the “local user on member server” credentials, and map it to the same drive letter as in the original setup.