Active Directory disaster recovery with Windows Server Backup

Hello.

Earlier I wrote a post on how to back up and restore objects in Active Directory with Windows Server Backup here: https://pertorben.wordpress.com/2013/04/15/active-directory-backup-and-restore/

There I used the command wbadmin start systemstatebackup -backuptarget:(path) to perform a system state backup on a domain controller, and Directory Services Restore Mode (DSRM) to recover deleted items, as explained on Microsoft TechNet. However, there is one drawback to this method: you can’t perform a disaster recovery of your AD using this backup. By disaster recovery I mean that all of your servers are completely gone and you have nothing left except your backups. If you try to use a complete server restore with this backup, this is as far as you will get.

[Screenshot: Disaster Recovery error]

So in order to do a disaster recovery you need a backup that supports this. With wbadmin you can run

wbadmin start backup -allcritical -systemstate -vssfull -backuptarget:(path)

With this backup you can boot a blank server from the 2012 R2 install media and select Repair your computer. Choose image restore and it should detect your backup if it’s available.

[Screenshot: DR_AD_OK]

After the restore you have a complete server restored from the point in time at which the backup was taken. From here you can seize any FSMO roles if you need to, and then start promoting more domain controllers. In a disaster recovery scenario I would rather promote new domain controllers than run a restore on every single domain controller. Note that the NIC on the restored server will most likely be reset to default settings, so you may need to set the correct IP address again.

So the big question now is: can you use this backup procedure to restore a deleted object in AD, instead of doing a complete disaster recovery? The answer is yes. You don’t need two backups (one for AD and one for disaster recovery). All you need is the backup from this post; then follow the procedure from the post I linked at the top to restore deleted objects in AD.
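As an added example (not from the original post), here is the PowerShell-module equivalent of the wbadmin start backup -allcritical -systemstate -vssfull command above, using the WindowsServerBackup module that ships with the Windows Server Backup feature, followed by a check that the newest backup set on the target actually advertises Bare Metal Recovery and System State. The share path, the credential prompt and the RecoverableItems property name are assumptions; adjust them to your environment.

```powershell
# Added example: build a disaster-recovery-capable backup policy with the
# WindowsServerBackup module (cmdlet equivalent of
#   wbadmin start backup -allcritical -systemstate -vssfull -backuptarget:<path>)
# and then verify that the resulting backup set can be used for a full
# server restore. Share path and credentials below are placeholders.
Import-Module WindowsServerBackup -ErrorAction Stop

$BackupShare = '\\backupsrv\dcbackups'   # placeholder network target
$Cred        = Get-Credential -Message "Account with write access to $BackupShare"

function New-DrBackupPolicy {
    param([string]$NetworkPath, [pscredential]$Credential)

    $policy = New-WBPolicy
    # -allcritical: every volume needed to boot and run Windows (bare metal recovery)
    Add-WBBareMetalRecovery -Policy $policy | Out-Null
    # -systemstate: registry, SYSVOL, NTDS.dit, boot files
    Add-WBSystemState -Policy $policy | Out-Null
    # -vssfull: full VSS backup, so AD/Exchange logs are truncated and the
    # writers record this as a proper full backup
    Set-WBVssBackupOptions -Policy $policy -VssFullBackup | Out-Null

    $target = New-WBBackupTarget -NetworkPath $NetworkPath -Credential $Credential
    Add-WBBackupTarget -Policy $policy -Target $target | Out-Null
    return $policy
}

function Test-DrBackupSet {
    param($Target)
    # Returns $true only if the newest backup set on the target advertises both
    # items that a "Repair your computer" image restore needs.
    # Assumption: WBBackupSet exposes a RecoverableItems flags property whose
    # string form contains "BareMetalRecovery" and "SystemState".
    $latest = Get-WBBackupSet -BackupTarget $Target |
              Sort-Object BackupTime | Select-Object -Last 1
    if (-not $latest) { return $false }
    $items = "$($latest.RecoverableItems)"
    return (($items -match 'BareMetalRecovery') -and ($items -match 'SystemState'))
}

$policy = New-DrBackupPolicy -NetworkPath $BackupShare -Credential $Cred
Start-WBBackup -Policy $policy    # blocks until the job completes

$target = $policy | Get-WBBackupTarget
if (Test-DrBackupSet -Target $target) {
    Write-Output "Latest backup set supports bare metal recovery + system state."
} else {
    Write-Warning "Latest backup set is NOT disaster-recovery capable; check the policy and target."
}
```

Run the check after every job rather than once: a system-state-only job written to the same share later would replace the set you verified, and you would only find out on the day you try an image restore.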


Active Directory backup and restore

UPDATE: I’ve written a related post about disaster recovery of Active Directory, I strongly recommend that you all read it. https://pertorben.wordpress.com/2015/02/21/active-directory-disaster-recovery-with-windows-server-backup/

Active Directory is one of the most central services in your infrastructure, so I wanted to write a quick post on how you can perform a backup and a restore; this post covers the basics. As with all other restore scenarios, I think it’s very important to practice the restore procedure before you really need to restore something.

Authoritative vs non-authoritative restore

When you restore an object in AD, the object will be updated in the next replication run, because the other domain controllers have a newer version of the same object. This also means that if you restore a deleted user, the user is deleted again when replication runs. This is because a regular restore is a “non-authoritative restore”. If you perform an “authoritative restore” then the restored user will remain and will update the other domain controllers.

Backup Active Directory

You can use Windows Server Backup to back up Active Directory quickly and easily. Note that the backup destination can’t be a local system drive on the domain controller. To back up AD using Windows Server Backup simply run

wbadmin start systemstatebackup -backuptarget:(path)

Directory Services Restore Mode

Every time you want to perform a restore you must boot your DC into “Directory Services Restore Mode” (DSRM). I know AD is now a service which you can stop and start, but there may be information stored in memory or other caches. Don’t cut corners here, boot into DSRM. You need the DSRM password on your domain controller, and if you find at this point that you don’t know this password or haven’t documented it, then I strongly suggest you look into your disaster recovery plans because this is vital for disaster recovery. The DSRM password can be reset using “ntdsutil”. I recommend that you enable DSRM as the default boot option so you don’t have to struggle with F8-spamming when the server boots. You can run this command to enable boot into DSRM every time the server boots:

bcdedit /set safeboot dsrepair

Now that the server boots into DSRM every time you can safely reboot the domain controllers without fear of booting into normal mode prematurely. When you’re all done with the restore procedure and want to boot normally you can run

bcdedit /deletevalue safeboot

Also note that shutdown.exe has a new switch, -o, which lets you choose how to boot your server, though this only applies to the next boot, and Windows Server 2012 wants an additional reboot into DSRM for doing an authoritative restore. Therefore I prefer the bcdedit approach.

Performing a restore

Before you perform an authoritative restore it helps to note the Distinguished Name of the container where the deleted object resided. Then you can reboot your DC into DSRM and log in using the local administrator account and the DSRM password. Then you just use wbadmin to restore AD

wbadmin start systemstaterecovery -version:(versionnumber)

To find your backup version use the command

wbadmin get versions

In this screenshot I’m performing a restore from backup on one of my lab DCs using wbadmin. I’ve deleted a user named “user 1” who was a member of the group dnsadmins.

[Screenshot: ad-restore1]

After the restore the server wants a new reboot. If you want to do an authoritative restore then you have to boot straight into DSRM again to avoid having the object deleted by replication. This is why the bcdedit approach is very useful in my opinion.

[Screenshot: ad-restore2]

After the reboot you log in again with the DSRM password and you should see a popup confirming the restore has completed successfully.

Making the restore authoritative

Now it’s time to run ntdsutil from a command prompt. There you must first activate the ntds instance and then enter the authoritative restore prompt. Here you can either restore an OU using

Restore subtree (DN of the container)

or a single object with

Restore object (DN of the object)

Below I make an authoritative restore of the “user 1” object I deleted earlier.

[Screenshot: ad-restore3]

The next part is to fix the group memberships if the restored user is a member of groups in other domains. The output in the screenshot above names a .ldf file which you can use to fix this. You don’t have to do this to restore group memberships within the same domain. Just exit ntdsutil and from the command prompt run

ldifde -i -k -f filename.ldf

Now you can remove the boot option for booting into DSRM and reboot your domain controller normally. Replication will restore the user on all domain controllers with group membership intact.
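The whole DSRM procedure above (bcdedit boot option, wbadmin system state recovery, ntdsutil authoritative restore, ldifde for cross-domain memberships) as a set of PowerShell helpers. This is an added example, not code from the original post; the object DN, backup version and .ldf file name are placeholders, and the way the DN quotes are passed through to ntdsutil on the command line is an assumption you should confirm once in your lab before relying on it.

```powershell
# Added example: PowerShell wrappers for the DSRM restore steps in this post.
# Run the restore functions while logged on in DSRM as the local administrator.

function Enable-DsrmBoot  { bcdedit /set safeboot dsrepair | Out-Null }
function Disable-DsrmBoot { bcdedit /deletevalue safeboot  | Out-Null }

function Test-DsrmBoot {
    # $true when the current boot entry is configured to start in DSRM.
    # bcdedit prints the option as "safeboot   DsRepair".
    $out = bcdedit /enum '{current}' 2>$null
    return [bool]($out -match '^\s*safeboot\s+DsRepair')
}

function Assert-InDsrm {
    # Guard: in DSRM the NTDS service is not started, so a running NTDS
    # service means the box booted normally and the restore must not proceed.
    $ntds = Get-Service -Name NTDS -ErrorAction SilentlyContinue
    if ($ntds -and $ntds.Status -eq 'Running') {
        throw 'NTDS is running: this server is not in DSRM. Reboot into DSRM first.'
    }
}

function Restore-AdSystemState {
    param([Parameter(Mandatory)][string]$Version)   # from "wbadmin get versions"
    Assert-InDsrm
    # Non-authoritative restore of the system state; a reboot follows.
    wbadmin start systemstaterecovery -version:$Version -quiet
    if ($LASTEXITCODE -ne 0) { throw "wbadmin systemstaterecovery failed (exit code $LASTEXITCODE)" }
}

function Invoke-AuthoritativeRestore {
    param(
        [Parameter(Mandatory)][string]$DistinguishedName,   # object or container DN
        [switch]$Subtree                                     # restore an OU instead of one object
    )
    Assert-InDsrm
    $verb = if ($Subtree) { 'restore subtree' } else { 'restore object' }
    # ntdsutil accepts its interactive commands as command-line arguments.
    # Start-Process passes the argument string verbatim, so the embedded quotes
    # around the DN (needed because DNs contain spaces) reach ntdsutil intact.
    # Assumption: this quoting form works on your ntdsutil version.
    $cmd = "`"activate instance ntds`" `"authoritative restore`" `"$verb \`"$DistinguishedName\`"`" quit quit"
    $p = Start-Process -FilePath ntdsutil.exe -ArgumentList $cmd -Wait -NoNewWindow -PassThru
    if ($p.ExitCode -ne 0) { throw "ntdsutil exited with code $($p.ExitCode)" }
}

function Import-CrossDomainMemberships {
    param([Parameter(Mandatory)][string]$LdfPath)   # the .ldf file ntdsutil reported
    # Only needed when the restored object was a member of groups in other domains.
    ldifde -i -k -f $LdfPath
    if ($LASTEXITCODE -ne 0) { throw "ldifde failed (exit code $LASTEXITCODE)" }
}

# Order of operations across reboots (placeholders for DN, version and file):
#   1. Enable-DsrmBoot ; Restart-Computer            (normal mode -> DSRM)
#   2. Restore-AdSystemState -Version '02/21/2015-09:00' ; Restart-Computer
#   3. Invoke-AuthoritativeRestore -DistinguishedName 'CN=user 1,OU=Staff,DC=lab,DC=local'
#   4. Import-CrossDomainMemberships -LdfPath 'C:\ar_20150221-090000_links_lab.local.ldf'  (if reported)
#   5. Disable-DsrmBoot ; Restart-Computer            (DSRM -> normal mode)
if (-not (Test-DsrmBoot)) { Write-Warning 'DSRM is not the default boot option; run Enable-DsrmBoot before rebooting.' }
```

The Assert-InDsrm guard is there for the case the post warns about: a server that comes back in normal mode between steps 2 and 3 replicates in the deletion before the object is marked authoritative, so the helpers refuse to touch the database unless NTDS is stopped.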

Hyper-V backup using Windows Server Backup

A new feature in Windows Server 2012 is that Windows Server Backup (WSB) now has Hyper-V support, meaning you can use it to back up and restore virtual machines running on Hyper-V. This provides a complete backup and restore solution out of the box, which can prove to be good enough in some environments, particularly in the SMB market.

Install Windows Server Backup

To install Windows Server Backup you can use

  • Server Manager – Added as a feature under “Add/Remove Roles and Features”
  • Command Line – Run “start /w ocsetup WindowsServerBackup”
  • PowerShell (2012) – Run “Add-WindowsFeature Windows-Server-Backup”
  • PowerShell (2008 R2) – Run “Import-Module ServerManager” and then “Add-WindowsFeature -Name Backup-features -IncludeAllSubFeature”

Nice 2 know about Windows Server Backup 

  1. WSB uses VSS (Volume Shadow Copy Service) to create a .VHDX file which contains a snapshot of the virtual machines that are backed up. This also enables WSB to take a full backup of, and flush the transaction logs of, VSS-aware databases like Active Directory and Microsoft Exchange when you select “VSS full backup”; this is not selected by default.
  2. WSB uses VSS to manage the backup versions, and since VSS is per-volume this makes WSB unable to maintain several versions of a backup job when you back up to a network share. A backup to a network share will overwrite the previous backup. If you back up to a locally connected drive you can have several versions.
  3. When you backup a VM you get a warning saying the VM will be put in saved state while the backup runs. This is not the case. The VM will continue to run uninterrupted and no one will notice you are backing it up.

Backing up a VM

“wbadmin start backup” is the primary command to back up your VMs. I won’t go through all the options and switches, but here are a few examples.

To back up a VM named “Server1” to the disk mapped as Y, run the following command:

wbadmin start backup -backuptarget:Y: -hyperv:Server1

To back up a VM named “Server1” to a shared folder, run the following command:

wbadmin start backup -backuptarget:\\server2\backup -hyperv:Server1

To back up a VM named “DC1” to the disk mapped as Y and flush the transaction logs of AD, run the following command:

wbadmin start backup -backuptarget:Y: -hyperv:DC1 -vssFull
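A scheduled version of the three commands above, written as an added example (not code from the original post). It backs up each VM in its own job, requests a VSS full backup only for the VMs that host VSS-aware databases, and works around the limitation from item 2 in the list above (a network share keeps only one version) by giving each run a dated subfolder per VM. The share path, VM names and the retention window are placeholders; the dated-folder scheme is my own workaround, not a wbadmin feature.

```powershell
# Added example: nightly Hyper-V backup with wbadmin to a network share,
# one dated folder per run and per VM so earlier versions survive.
$BackupRoot = '\\server2\backup'   # placeholder share
$RetainDays = 14                   # placeholder retention window
$Vms = @(
    @{ Name = 'Server1'; VssFull = $false },
    @{ Name = 'DC1';     VssFull = $true  }   # DC: flush AD transaction logs
)

function Invoke-VmBackup {
    param([string]$Root, [hashtable[]]$Machines)
    $stamp = Get-Date -Format 'yyyy-MM-dd_HHmm'
    $results = @()
    foreach ($vm in $Machines) {
        # wbadmin overwrites the previous backup under the same share path, so
        # each VM and each run gets its own folder: <root>\<stamp>\<vm>.
        $target = Join-Path $Root "$stamp\$($vm.Name)"
        New-Item -ItemType Directory -Path $target -Force | Out-Null

        $wbArgs = @('start', 'backup', "-backuptarget:$target", "-hyperv:$($vm.Name)", '-quiet')
        if ($vm.VssFull) { $wbArgs += '-vssFull' }   # same switch as the DC1 example above
        & wbadmin @wbArgs
        $results += [pscustomobject]@{
            VM = $vm.Name; Target = $target; ExitCode = $LASTEXITCODE
        }
        if ($LASTEXITCODE -ne 0) {
            Write-Warning "Backup of $($vm.Name) failed (exit code $LASTEXITCODE)"
        }
    }
    return $results
}

function Remove-OldVmBackups {
    param([string]$Root, [int]$Days)
    # Prune only folders that match our own date stamp format, nothing else on the share.
    Get-ChildItem -Path $Root -Directory |
        Where-Object {
            $_.Name -match '^\d{4}-\d{2}-\d{2}_\d{4}$' -and
            $_.CreationTime -lt (Get-Date).AddDays(-$Days)
        } |
        Remove-Item -Recurse -Force
}

$run = Invoke-VmBackup -Root $BackupRoot -Machines $Vms
Remove-OldVmBackups -Root $BackupRoot -Days $RetainDays
$run | Format-Table -AutoSize
```

Because the local catalog only knows about the most recent job per target, list an older run with wbadmin get versions -backuptarget:\\server2\backup\<stamp>\<vm> before restoring from it.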

Restore a VM

“wbadmin start recovery” is the primary command to recover a VM from backup. Recovering a VM is slightly trickier than backing it up, but I have never heard of a backup product where a restore is easier than taking a backup. The command has several options and switches, but I’ll stick to the basic ones in this post.

The restore procedure involves finding the backup version you want to restore from, then the items within that version, and then the restore itself. To begin with, find your backup versions with the following command

wbadmin get versions

[Screenshot: wbadmin1]

This will list the backups taken from the local machine. Look for the field “Version Identifier”, which you need in the next command. Then we take a look at what resides in this backup version with the next command

wbadmin get items -version:(version identifier)

[Screenshot: wbadmin2]

Here you see I have a VM named “LAB2-PC2” that I am able to restore from this backup. To do so I have to grab the “VM identifier” value and the backup version number from before, and run the following command

wbadmin start recovery -itemtype:hyperv -version:(version identifier) -items:(VM identifier)

[Screenshot: wbadmin3]

Notice the warnings that it will delete the VM if it still exists and restore the VM from the backup. You also have to verify the network settings of the VM after the restore. As mentioned, this command has numerous options for restoring to alternate locations and such, so I would suggest that you go exploring with “wbadmin -?” or have a look at http://technet.microsoft.com/en-us/library/cc754015(v=ws.10).aspx
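The three-step restore (get versions, get items, start recovery) wrapped in PowerShell, as an added example that is not part of the original post. It pulls the version identifiers and the VM identifier out of the wbadmin text output, refuses to overwrite a VM that still exists unless you pass -Force (the warning the post mentions), and prints the VM's network adapters afterwards so you can check them. The VM name and the constructed sample of wbadmin get items output are assumptions; the parser only relies on the VM name and a GUID appearing on the same line, so it should tolerate small layout differences, but confirm it against your own output once.

```powershell
# Added example: locate a VM in the latest backup version and restore it with
# wbadmin, parsing the tool's text output. Names below are placeholders.

function Get-WbVersionIds {
    # Parses "Version identifier: MM/DD/YYYY-HH:MM" lines from wbadmin get versions.
    $out = wbadmin get versions
    return @($out | ForEach-Object {
        if ($_ -match '^\s*Version identifier:\s*(\S+)') { $Matches[1] }
    })
}

function Find-VmIdentifier {
    param([string[]]$ItemsOutput, [string]$VmName)
    # The VM identifier wbadmin wants is the VM's GUID; we take the first GUID
    # on a line that also names the VM. Layout assumption: name and GUID share a line.
    $guid = '[0-9A-Fa-f]{8}-(?:[0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}'
    foreach ($line in $ItemsOutput) {
        if ($line -match [regex]::Escape($VmName) -and $line -match $guid) { return $Matches[0] }
    }
    return $null
}

function Restore-HyperVm {
    param(
        [Parameter(Mandatory)][string]$VmName,
        [string]$Version,      # defaults to the newest version in the catalog
        [switch]$Force         # required if the VM still exists on this host
    )
    if (-not $Version) {
        $Version = Get-WbVersionIds | Select-Object -Last 1
        if (-not $Version) { throw 'No backup versions found on this host.' }
    }
    $items = wbadmin get items -version:$Version
    $vmId  = Find-VmIdentifier -ItemsOutput $items -VmName $VmName
    if (-not $vmId) { throw "VM '$VmName' is not in backup version $Version." }

    # wbadmin deletes an existing VM of the same name before restoring it.
    if ((Get-VM -Name $VmName -ErrorAction SilentlyContinue) -and -not $Force) {
        throw "VM '$VmName' still exists on this host; pass -Force to overwrite it."
    }

    wbadmin start recovery -itemtype:hyperv -version:$Version -items:$vmId -quiet
    if ($LASTEXITCODE -ne 0) { throw "wbadmin start recovery failed (exit code $LASTEXITCODE)" }

    # Post-restore check the post asks for: verify the VM's network settings.
    Get-VMNetworkAdapter -VMName $VmName | Select-Object Name, SwitchName, MacAddress
}

# Constructed sample of "wbadmin get items" output used to sanity-check the
# parser offline (the real layout may differ slightly; GUID is made up).
$sampleItems = @(
    'Application = Hyper-V',
    '  Component = 6F2E1A9C-3B7D-4E88-9A1B-2C3D4E5F6A7B  (LAB2-PC2)',
    '  Caption   = Online\LAB2-PC2'
)
$found = Find-VmIdentifier -ItemsOutput $sampleItems -VmName 'LAB2-PC2'
if ($found -ne '6F2E1A9C-3B7D-4E88-9A1B-2C3D4E5F6A7B') { throw 'parser self-check failed' }

# Real run (placeholder VM name):
#   Restore-HyperVm -VmName 'LAB2-PC2' -Force
```

Restoring by GUID rather than by name avoids picking the wrong item when two backups contain VMs with the same display name; the -Force gate is deliberate so a mistyped name cannot silently replace a running production VM.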

Restore a single file or folder

WSB only provides a snapshot of the VM, and you have to restore the entire VM or nothing at all. But if you just need to restore a file or a folder, locate the .VHDX file in the backup, mount it in Disk Management and extract the files from there. Alternatively you can restore the VM on another Hyper-V host and boot it up there to extract the files.

Final words

I’ll keep this short and straight to the point: TEST YOUR BACKUP!

Longer version: I’m convinced one of the more common failures in IT is that people do not try a proper restore until the day they need it the most. I can’t express how important it is that you test your backups and try a restore. Create a restore procedure and write it down! When the day comes that you need it, you will thank yourself that you did.

Thank you for reading, hopefully you have enjoyed it.