Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
Feedback will be sent to Microsoft: By pressing the submit button, your feedback will be used to improve Microsoft products and services. Privacy policy. Recovering the forest restores each domain in the forest to its state at the time of the last trusted backup. Consequently, the restore operation will result in the loss of at least the following Active Directory data:.
For each domain in the forest, the password of a Domain Admin account must be known. Preferably, this is the password of the built-in Administrator account.
In general, it is a good practice to archive the Administrator account and DSRM password history in a safe place for as long as the backups are valid, that is, within the tombstone lifetime period or within the deleted object lifetime period if Active Directory Recycle Bin is enabled. You can also synchronize the DSRM password with a domain user account in order to make it easier to remember.
For more information, see KB article Synchronizing the DSRM account must be done in advance of the forest recovery, as part of preparation. The Administrator account is a member of the built-in Administrators group by default, as are the Domain Admins and Enterprise Admins groups. This group has full control of all DCs in the domain. Back up at least two writeable DCs for each domain regularly so you have several backups to choose from.
We recommend that you restore the DCs by using backups that were taken a few days before the occurrence of the failure. In general, you must determine a tradeoff between the recentness and the safeness of the restored data.
Choosing a more recent backup recovers more useful data, but it might increase the risk of reintroducing dangerous data into the restored forest. Restoring system state backups depends on the original operating system and server of the backup. For example, you should not restore a system state backup to a different server. In this case, you may see the following warning:. We do not recommend performing a system state recovery with the backup to an alternate server because the server might become unusable.
Are you sure you want to use this backup for recovering the current server? If you need to restore Active Directory to different hardware, create full server backups and plan to perform a full server recovery.
Beginning with Windows Server , it is not supported to restore system state backup to a new installation of Windows Server on new hardware or the same hardware. If Windows Server is reinstalled on the same hardware, as recommended later in this guide, then you can restore the domain controller in this order:. Those are a few questions you should be able to answers if you want performing a successful recovery.
The difference between those two restore types is that within a non-authoritative restore, the DC understands that it was out for a while, so it lets other in site DCs update its own database with the latest changes that occurred when it was down. With an authoritative restore, the DC claims itself as the only one with correct information and a valid database, and it authoritatively updates other DCs with its own data.
In addition, restoring a DC in authoritative mode can be harmful and cause further damage. For an authoritative restore with Veeam, see below for some additional steps, which are required. You simply:. Veeam recognizes the DC role of this VM and gently restores it using special logic:.
The DC will be aware of the restored from the backup state and start acting accordingly, invalidating the existing database and allowing replication partners to update it with the most recent information. Here you can read about Bare-metal restore of a backup using Veeam Endpoint Backup. You will need a Veeam recovery media prepared beforehand and the access to the backup file itself USB disk or a network share. This KB article will be helpful here. Re: Restoring Windows Domain Controllers Post by Gostev » Wed Oct 10, pm this post tsightler wrote: My guess is that the replication services failed to start for some reason, perhaps they were not restored at the same time.
Re: Restoring Windows Domain Controllers Post by kurbycar32 » Fri Jan 04, pm this post I would still love to see an article that says "Yes you can backup a domain controller, here is how to do it". Popular belief is that you don't want to pull a snapshot of any type of replicated database because the restore would result in a mismatch of its partner system.
Obviously Veeam makes this work by booting into restore mode but i need a document that explains this. Also setting up the job for the first time: do i want to enable application aware image processing?
Should i use full backups? Please spell it out in a KB. Re: Restoring Windows Domain Controllers Post by Yuki » Fri Jan 04, pm 3 people like this post I second this - while the steps and procedures may be obvious to some, it should be documented so people can find the information easier and faster.
I find that searching forums can be frustrating on occasion due to certain word being used in many discussions. Re: Restoring Windows Domain Controllers Post by kurbycar32 » Fri Jan 04, pm this post Yuki wrote: it should be documented so people can find the information easier and faster. Re: Restoring Windows Domain Controllers Post by kurbycar32 » Fri Jan 04, pm this post That's a start but management isn't going to want to watch an hour long YouTube video.
Just a simple KB article stating whats supported and how its supposed to work is all we need. I am configuring surebackups for our DC's which pass the DC test scripts, however I configured the lab environment to remain until stopped manually as I wanted to do some manual checks call me paranoid. The point is I agree that a KB for recommended best practices would be useful and confidence boosting for new customers, especially if common issues can be highlighted.
Many of them REQUIRE disaster recovery procedures to be fully written out in documentation so anyone can pick up the documentation package and follow the procedures to restore all systems. We don't get to debate this policy, as we don't get to debate proper user creation and termination procedures and others.
So how does a KB help us with this? Simple - we can cite the source of the information when we put it together. Re: Restoring Windows Domain Controllers Post by jlyle » Thu Jan 17, pm this post It does look like DC backup and restore is supposed to be handled automatically, perhaps we are the minority having difficulty. The Windows name and OS version of the restore target must match the original system.
The OS on the restore target must be installed to the path as the original system. All of the latest OS service packs must be applied to the restore target.
0コメント