Active Directory backup and restore

UPDATE: I’ve written a related post about disaster recovery of Active Directory, I strongly recommend that you all read it. https://pertorben.wordpress.com/2015/02/21/active-directory-disaster-recovery-with-windows-server-backup/

Active Directory is one of the most central service in your infrastructure I wanted to write a quick post on how you can perform a backup and a restore, and this post will cover the basics of it. As with all other restore scenarios I think it’s very important to practice the restore procedure before you really need to restore something.

Authorative vs non-autorative restore

When you restore an object in AD then the object will we updated in the next replication run, this is because the other domain controllers have a newer version of the same object. This also means that if you restore a deleted user then the user is deleted again when replication runs. This is because a regular restore is a “non-authorative restore”. If you perform an “authorative restore” then the restores user will remain and update the other domain controllers.

Backup Active Directory

You can use Windows Server Backup to backup Active Directory quickly and easily. Note that the backup destination can’t be a local systemdrive on the domain controller. To backup AD using Windows Server Backup simply run

wbadmin start systemstatebackup -backuptarget:(path)

Directory Services Restore Mode

Every time you want to perform a restore you must boot you DC into “Directory Services Restore Mode” (DSRM). I know AD now is a service which you can stop and start, but there may be information stored in memory or other caches. Don’t cut cornes here, boot into DSRM. You need the DSRM password on your domain controller and if you find at this point that you don’t know this password or haven’t documentated it, then I strongly suggest you look into your disaster recovery plans because this is vital for disaster recovery. The DSRM password can be reset using “ntdsutil”. I recommend that you enable DSRM as the default boot option so you don’t have to struggle with F8-spamming when the server boots. You can run this command to enable boot into DSRM every time the server boots:

bcdedit /set safeboot dsrepair

Now that the server boots into DSRM every time you can safely reboot the domain controllers without fear of booting into normal mode prematurely. When you’re all done with the restore procedure and want to boot normally you can run

bcdedit /deletevalue safeboot

Also note that the shutdown.exe has a new switch: -o which lets you choose how to boot your server, though this is only the next boot and Windows Server 2012 wants an additional reboot into DSRM for doing an authorative restore. Therefore I prefer the bcdedit approach.

Performing a restore 

Before you perform an authorative restore it helps to note the Distinguished Name of the container where it resided. Then you can reboot your DC into DSRM and login using the lodal administrator account and DSRM password. Then you just use wbadmin to restore AD

wbadmin start systemstaterecovery -version:(versionnumber)

To find your backupversion use the command

wbadmin get versions

In this screenshot I’m performing a restore from backup on one of my lab DC’s using wbadmin. I’ve deleted a user named “user 1” who was a member of the group dnsadmins.

ad-restore1

After the restore the server wants a new reboot, if you want to do an authorative restore then you have to boot straight into DSRM again to avoid having the object deleted by replication. This is why the bcdedit approach is very useful in my opinion.

ad-restore2

After the reboot you login again with the DSRM password and you should see a popup confirming the restore has successfully completed.

Making the restore authorative

Now it’s time to run ntdsutil from a command prompt. There you must first activate the ntds instance and then then the authorative restore prompt. Here you can either restore an OU using

Restore subtree (DN of the container)

or a simple objece with

Restore object (DN of the object)

Below I make an authorative restore of the “user 1” object I have deleted earlier.

ad-restore3

Now the next part is to fix the group memberships if the restored user is member of groups in other domains. The output in the screenshot above name a .ldf file which you can use to fix this. You don’t have to do this to restore group memberships within the same domain. Just exit ntdsutil and from the command prompt you run

ldifde -i -k -f filename.ldf

Now you can remove the boot-option for booting into DSRM and reboot your domain controller normally. The replication will make the user restored on all domain controllers with group membership intact.

Advertisements

2 thoughts on “Active Directory backup and restore

  1. Hello, I do believe your website could be having web browser compatibility issues.
    When I take a look at your site in Safari, it looks
    fine but when opening in Internet Explorer, it has some overlapping issues.
    I merely wanted to give you a quick heads up!
    Other than that, wonderful blog!

  2. Pingback: Active Directory disaster recovery with Windows Server Backup | Per-Torben Sørensen

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s