Active Directory - Backup, Restore
Knowledge Base Questions & Answers
What must be done to backup AD (Active Directory)?
A System State backup must be performed on the DC to back up AD.
What data contains System State?
System State contains:
-
AD DS database (Ntds.dit and the other files in the NTDS folder) (only on a DC (Domain Controller)).
-
Boot and system files.
-
DFSR (Distributed File System Replication) staging.
-
AD CS (Active Directory Certificate Services) (only if Certificate Authority server is installed).
-
Cluster Service Database (only if Failover Cluster server is installed).
-
COM+ class registration database.
-
File system junctions.
-
Group Policy settings (only on a DC).
-
IIS (Internet Information Services) metadirectory (only if the IIS server role is installed).
-
Registry.
-
Netlogon shared folders: default profiles, system policies, logon/logoff/startup/shutdown scripts.
-
SYSVOL (System Volume) folder (only on DC).
What are AD Restore types?
There are two AD Restore types:
-
Non-Authoritative Restore (D2 restore).
-
Authoritative Restore (D4 restore).
What is Non-Authoritative Restore of AD?
-
Non-Authoritative Restore is the default method of restoring AD and is used when the AD data on a DC has been lost or corrupted.
-
It restores the DC to its state at the time of the backup. After the DC is restarted, its local copy of the database and SYSVOL is compared with its replication partners, and the DC receives every change made since the backup through normal replication, bringing it up to date with the other DCs in the domain.
-
To perform a Non-Authoritative Restore, the DC must be started in DSRM (Directory Services Restore Mode).
What is the Authoritative Restore of AD?
-
An Authoritative Restore starts with the same restore from backup; after that, ntdsutil marks the restored database, or selected objects in it, as authoritative so that they overwrite the copies on the other DCs when replication resumes. If SYSVOL must also be rolled back, it is marked authoritative (D4) and replicates out to the other DCs in the domain.
-
It can restore individual objects.
For example, if an OU (Organizational Unit) was deleted, an Authoritative Restore can bring back just that OU (and its subtree).
-
To perform an Authoritative restore, DC must be started in DSRM.
-
An Authoritative Restore requires the ntdsutil utility (its “authoritative restore” subcommand).
-
An Authoritative Restore is usually needed when human error is involved, for example when an administrator accidentally deletes objects, the deletion has already replicated to the other DCs, and the objects cannot easily be recreated.
What is DSRM (Directory Services Restore Mode)?
-
DSRM is a special boot mode used for repairing or recovering AD.
-
It allows logging on to the DC with the local DSRM administrator account when AD has failed or needs to be restored.
Active Directory - Backup, Restore
Knowledge Base Questions & Answers
What component should be selected for backing up AD (Active Directory) on a DC (Domain Controller)?
To back up AD (Active Directory), we must choose the “System State” component on the DC (Domain Controller).
What are the components included in the “System State” backup of a DC?
“System State” on DC backup typically includes the following components:
-
System Boot Files
-
“AD Database” - folder “C:\Windows\NTDS”
-
SYSVOL (System Volume) folder
-
System Registry
-
“COM+ Class Registration Database” - stores information about COM+ components and applications
What is the “Recycle Bin,” and what must be done before it can be used?
-
“Recycle Bin” is a feature that preserves accidentally deleted objects, making it easier to recover them without a full restore.
-
It must be enabled first. Enabling requires a forest functional level of Windows Server 2008 R2 or higher and is irreversible; once enabled, deleted objects keep all their attributes for the deleted-object lifetime (by default equal to the tombstone lifetime, 180 days), during which they can be restored with their SID and group memberships intact.
What are the two types of AD restore processes?
There are the following types of AD restore processes:
-
Authoritative Restore (D4 Restore)
-
Non-Authoritative Restore (D2 Restore)
What is an “Authoritative Restore” (D4 Restore) of AD, and how is it performed?
-
“Authoritative Restore” (D4 Restore) restores AD (or selected objects) to its state at backup time and marks the restored data as authoritative, so it overwrites the copies on the other DCs instead of being overwritten by them.
-
It can restore specific objects. For example, if an OU (Organizational Unit) is accidentally deleted, the “Authoritative Restore” can selectively restore that particular object.
-
After restoring the System State, you mark the database or the chosen objects as authoritative with the ntdsutil utility; when the DC restarts, it replicates those objects to the other DCs.
-
To perform an “Authoritative Restore,” the DC must be started in DSRM (Directory Services Restore Mode).
What is a “Non-Authoritative Restore” (D2 Restore) of AD, and how is it performed?
-
“Non-Authoritative Restore” (D2 Restore) restores an AD to its state at the backup time.
-
After the restore, the DC requests and accepts updates from the other DCs to bring its AD database up to date.
-
To perform a “Non-Authoritative Restore,” the DC must be started in DSRM.
What is “AD Forest Recovery,” and what does this process require?
-
“AD Forest Recovery” is the process of restoring the entire AD Forest after a severe disaster or failure.
-
It involves multiple steps: restoring one DC per domain from backup (starting with the forest root domain, which brings back the schema and configuration partitions), seizing the FSMO roles onto the restored DCs, cleaning up the metadata of the DCs that were not restored, resetting the krbtgt account password twice, and then re-promoting the remaining DCs so they replicate from the recovered ones.
What is the name of the Windows Server software that allows AD backup?
-
Backup can be done with WSB (Windows Server Backup) or its command-line front end, wbadmin.
-
The WSB feature must be installed first (it is not installed by default).
What is DSRM (Directory Services Restore Mode)?
DSRM (Directory Services Restore Mode) is a specialized boot mode that is used for repairing or recovering AD.

Experience-Based/Practical Questions & Answers
What is the recommended strategy for backing up DCs?
It is best to back up all DCs. If that is not possible, back up at least two, so that the loss of one DC or one backup does not leave you without a restorable copy.
Why are regular backups of AD important?
Regular AD backups are essential because they protect against data loss, support DR (Disaster Recovery), ensure business continuity, and allow recovery of deleted or corrupted objects. A backup also has to be fresher than the tombstone lifetime to be usable for a restore, which is another reason to take them regularly.
What is the difference between an “Authoritative Restore” and a “Non-Authoritative Restore”?
-
“Authoritative Restore” marks the restored AD (or the selected objects) on the DC as authoritative for all other DCs, so it overwrites conflicting data elsewhere.
-
“Non-Authoritative Restore” restores the AD database from backup and then lets normal replication update it from the other DCs.
What is the easiest way to recover deleted AD objects?
The easiest way to recover the AD objects is using the “AD Recycle Bin.”
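The Recycle Bin workflow described here and in the “Recycle Bin” answer above, as an added example that is not part of the original page: enable the feature once per forest and recover a deleted user with its SID and group memberships intact. It assumes the ActiveDirectory PowerShell module, a hypothetical forest corp.example, and a constructed scenario in which the user “alice” was deleted.

```powershell
# Added example (not from the original page). Assumes the ActiveDirectory module,
# the hypothetical forest corp.example, and that the user "alice" was deleted.
# Requires forest functional level Windows Server 2008 R2 or later and membership
# in Enterprise Admins; enabling the Recycle Bin cannot be undone.
Import-Module ActiveDirectory

$forest = (Get-ADForest).Name   # e.g. corp.example

# 1. Enable the optional feature if it is not already enabled
#    (EnabledScopes is empty when the feature is off).
$feature = Get-ADOptionalFeature -Filter 'Name -like "Recycle Bin Feature"'
if (-not $feature.EnabledScopes) {
    Enable-ADOptionalFeature -Identity 'Recycle Bin Feature' `
        -Scope ForestOrConfigurationSet -Target $forest -Confirm:$false
}

# 2. Find the deleted object. Deleted objects sit in the Deleted Objects container
#    and keep lastKnownParent, so you can see which OU they were removed from.
$deleted = Get-ADObject -Filter 'isDeleted -eq $true -and samAccountName -eq "alice"' `
    -IncludeDeletedObjects -Properties lastKnownParent, whenChanged

# 3. Restore it. Without -TargetPath it returns to lastKnownParent; if that OU was
#    deleted as well, restore the OU first or pass -TargetPath to another container.
if ($deleted) {
    $deleted | Restore-ADObject
} else {
    Write-Warning 'No deleted object named alice; it may have passed the deleted-object lifetime.'
}

# 4. Verify: the account exists again with its original SID and memberships.
Get-ADUser alice -Properties SID, MemberOf | Select-Object Name, SID, DistinguishedName
```

Restore-ADObject works only while the object is in the deleted state; after the deleted-object lifetime it becomes recycled, loses its attributes, and can then only be brought back by an authoritative restore from a backup younger than the tombstone lifetime.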
Can AD be directly restored to a different DC within the same domain?
The backup of one DC cannot be directly restored to another DC; a System State backup is tied to the server it was taken from. To bring AD onto a different machine, restore the original DC, or promote the new server as an additional DC so that it replicates the database from an existing one.
“AD Database” was backed up 210 days ago. You want to restore the AD objects that were on backup and were deleted 200 days ago. Why is restoring these AD objects not recommended?
-
The default tombstone lifetime is 180 days (60 days in forests created before Windows Server 2003 SP1). Windows refuses to restore AD from a backup older than the tombstone lifetime. Even if the restore were forced, the tombstones for objects deleted 200 days ago have already been garbage-collected on every other DC, so nothing would ever reconcile the restored copies with those deletions; they would persist only on the restored DC.
-
These objects would become lingering objects, which cause replication inconsistencies and must be removed with repadmin /removelingeringobjects.
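A check for the scenario above, as an added example that is not part of the original page: read the forest's actual tombstone lifetime and decide whether a backup of a given age can still be restored and whether a given deletion's tombstone still exists. It assumes the ActiveDirectory module; the dates are constructed from the question (backup 210 days old, objects deleted 200 days ago).

```powershell
# Added example (not from the original page). Assumes the ActiveDirectory module
# and the constructed dates from the question above.
Import-Module ActiveDirectory

# tombstoneLifetime is stored on the Directory Service object in the Configuration
# partition. If the attribute is unset (forests created before Windows Server 2003
# SP1) the effective value is 60 days; in newer forests it is 180.
$rootDse = Get-ADRootDSE
$dsObj = Get-ADObject "CN=Directory Service,CN=Windows NT,CN=Services,$($rootDse.configurationNamingContext)" `
    -Properties tombstoneLifetime
$tsl = if ($dsObj.tombstoneLifetime) { [int]$dsObj.tombstoneLifetime } else { 60 }

function Test-AdBackupAge {
    param([datetime]$BackupTime, [datetime]$DeletedTime, [int]$TombstoneLifetime)
    $backupAgeDays  = [int]((Get-Date) - $BackupTime).TotalDays
    $deletedAgeDays = [int]((Get-Date) - $DeletedTime).TotalDays
    [pscustomobject]@{
        TombstoneLifetimeDays = $TombstoneLifetime
        BackupAgeDays         = $backupAgeDays
        # Windows will not restore AD from a backup older than the tombstone lifetime.
        BackupRestorable      = ($backupAgeDays -le $TombstoneLifetime)
        # Once a deletion is older than the tombstone lifetime its tombstone has been
        # garbage-collected on every DC, so a restored copy could never be reconciled
        # with it: that is what makes a lingering object.
        TombstoneStillExists  = ($deletedAgeDays -le $TombstoneLifetime)
    }
}

# Constructed scenario from the question: backup 210 days old, deletion 200 days old.
Test-AdBackupAge -BackupTime (Get-Date).AddDays(-210) `
                 -DeletedTime (Get-Date).AddDays(-200) `
                 -TombstoneLifetime $tsl
```

With the usual 180-day lifetime both flags come back False, which is the answer above in machine-checkable form; run the same function against your newest backup set's BackupTime before relying on it for a restore.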
How to configure a backup of AD on DC by using WSB?
-
Navigation: “Windows Server Backup (Local)” -> “Local Backup” -> “Backup Once” -> “Backup Once Wizard” -> “Select Backup Configuration” page -> Custom radio button -> “Select Items For Backup” page -> “Add Items” button -> “System State” check box.
-
Follow the wizard.
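The same System State backup that the wizard above configures, done from PowerShell so it can be scheduled and its result checked. This is an added example and not part of the original page; it assumes the WindowsServerBackup module (installed with the Windows Server Backup feature) and a hypothetical dedicated backup volume E: that is not a system volume.

```powershell
# Added example (not from the original page). Assumes the WindowsServerBackup module
# (Install-WindowsFeature Windows-Server-Backup) and a hypothetical backup volume E:.
Import-Module WindowsServerBackup

# Build a one-off policy: System State only, written to E:.
$policy = New-WBPolicy
Add-WBSystemState -Policy $policy
$target = New-WBBackupTarget -VolumePath 'E:'
Add-WBBackupTarget -Policy $policy -Target $target

# Run the backup and wait for it to finish (omit -Async, which would return immediately).
Start-WBBackup -Policy $policy

# Check the result: the newest backup set should be minutes old and list System State
# among its recoverable items. Age matters because a set older than the tombstone
# lifetime (180 days by default) cannot be used to restore AD.
$latest = Get-WBBackupSet | Sort-Object BackupTime | Select-Object -Last 1
[pscustomobject]@{
    BackupTime        = $latest.BackupTime
    AgeHours          = [int]((Get-Date) - $latest.BackupTime).TotalHours
    HasSystemState    = ($latest.RecoverableItems -match 'SystemState')
    OlderThanDefaultTombstoneLifetime = (((Get-Date) - $latest.BackupTime).TotalDays -gt 180)
}

# Equivalent legacy CLI form, handy inside a scheduled task:
#   wbadmin start systemstatebackup -backupTarget:E: -quiet
```

Keep the backup volume off the DC's own system disk and restrict who can read it: a System State backup contains Ntds.dit and the SYSTEM registry hive, which together yield every password hash in the domain to anyone who can copy the files.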

How to perform an “Authoritative Restore”?
-
Restart the DC in DSRM.
-
Open the backup application and choose the appropriate backup file containing the “System State.”
-
Perform the restore process.
-
Use the ntdsutil utility (“activate instance ntds”, then “authoritative restore”, then “restore database”, “restore subtree” or “restore object”) to mark the entire “AD Database” or specific objects as authoritative.
-
After completing the “Authoritative Restore,” restart the DC normally; the marked objects then replicate to the other DCs.
How to perform a “Non-Authoritative Restore”?
-
Restart the DC in DSRM.
-
Open the backup application and choose the appropriate backup file containing the “System State.”
-
Perform the restore process.
-
After completing the restore, restart the DC in normal mode.
-
AD replicates the rest of the AD data from other DCs.
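The two restore procedures above (“Authoritative Restore” and “Non-Authoritative Restore”) as the commands typed on the DC, as an added example that is not part of the original page. It assumes a Windows Server Backup System State backup on E:, a hypothetical domain corp.example, a hypothetical backup version identifier, and that the object to bring back authoritatively is the OU “Sales”. Steps 2 through 4 run in DSRM, logged on as .\Administrator with the DSRM password.

```powershell
# Added example (not from the original page). Assumes a System State backup on E:,
# the hypothetical domain corp.example, a hypothetical version identifier, and the
# hypothetical OU "Sales" as the object to restore authoritatively.

# --- Step 1 (both restore types): reboot into DSRM without pressing F8 at boot ---
bcdedit /set safeboot dsrepair
Restart-Computer -Force

# --- Step 2 (both types, now in DSRM): pick a backup version and restore System State ---
wbadmin get versions -backupTarget:E:
# Use a version identifier printed by the command above (this one is hypothetical).
$version = '03/12/2024-22:00'
wbadmin start systemstaterecovery "-version:$version" -backupTarget:E: -quiet
# For an authoritative restore that must also roll SYSVOL back (D4), add -authsysvol:
#   wbadmin start systemstaterecovery "-version:$version" -backupTarget:E: -authsysvol -quiet

# --- Step 3 (authoritative only): mark the objects authoritative before rebooting ---
# ntdsutil raises the version numbers of the restored objects so they win replication
# against the copies (or deletions) on the other DCs. "restore subtree" covers the OU
# and everything under it; "restore object" covers a single object.
ntdsutil "activate instance ntds" "authoritative restore" `
    "restore subtree OU=Sales,DC=corp,DC=example" quit quit
# Non-authoritative (D2) restore: skip this step entirely; after the normal reboot the
# DC pulls every change made since the backup from its replication partners.

# --- Step 4 (both types): clear the DSRM boot flag and reboot normally ---
bcdedit /deletevalue safeboot
Restart-Computer -Force

# --- Step 5 (after the normal reboot): confirm the OU is back and replication is healthy ---
Get-ADOrganizationalUnit -Filter 'Name -eq "Sales"' -SearchBase 'DC=corp,DC=example'
repadmin /replsummary
repadmin /showrepl
```

Forgetting Step 4 is the classic mistake: the DC keeps booting into DSRM, where AD DS is not running, so clients cannot authenticate against it. Verify the restore with repadmin rather than by the DC booting, because a non-authoritative restore that looks successful can still fail to converge if the backup was older than the tombstone lifetime.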
What can be used to change the DSRM password?
The ntdsutil utility (its “set dsrm password” subcommand).
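The DSRM password reset named above, with the check a practitioner would add, as an added example that is not part of the original page. It assumes you are logged on to the DC whose DSRM password is being reset, and a hypothetical domain account corp\dsrm-sync for the sync variant.

```powershell
# Added example (not from the original page). Assumes an elevated session on the DC
# itself and a hypothetical domain account corp\dsrm-sync for the sync variant.

# Interactive reset: "null" means the DC you are logged on to. ntdsutil prompts for the
# new password twice, so it never appears on the command line or in shell history.
ntdsutil "set dsrm password" "reset password on server null" quit quit

# Alternative: copy the password from a dedicated domain account, then change that
# account's password afterwards so the two no longer match.
#   ntdsutil "set dsrm password" "sync from domain account corp\dsrm-sync" quit quit

# Check: DsrmAdminLogonBehavior under HKLM\SYSTEM\CurrentControlSet\Control\Lsa decides
# when the DSRM administrator may log on. Unset or 0 = only in DSRM; 1 = also when the
# AD DS service is stopped; 2 = always. A value of 2 lets anyone who knows the DSRM
# password log on to a running DC, so it is a known persistence trick worth auditing.
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$val = (Get-ItemProperty -Path $lsa -Name DsrmAdminLogonBehavior -ErrorAction SilentlyContinue).DsrmAdminLogonBehavior

if ($null -eq $val -or $val -eq 0) {
    'DsrmAdminLogonBehavior is default: DSRM account can log on only in DSRM.'
} elseif ($val -eq 1) {
    'DsrmAdminLogonBehavior = 1: DSRM account can also log on while AD DS is stopped.'
} elseif ($val -eq 2) {
    Write-Warning 'DsrmAdminLogonBehavior = 2: DSRM account can log on to a live DC. Investigate who set it, then restore the default:'
    Write-Warning "  Remove-ItemProperty -Path '$lsa' -Name DsrmAdminLogonBehavior"
}
```

Treat the DSRM password like a domain-admin credential: it is a local SAM account on every DC, it is not rotated by any AD policy, and it is what an attacker needs to keep a foothold through Step 1 of the restore procedure above.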