Restoring an Active Directory Backup
Full-Access Members Only
Sorry, this lesson is only available to Server Academy Full-Access members. Become a Full-Access member now and get instant access to this and many more premium courses. Click the button below and get instant access now.
Instructions
Q&A (0)
Notes (0)
Resources (0)
Saving Progress...
Resources
There are no resources for this lesson.
Notes can be saved and accessed anywhere in the course. They also double as bookmarks so you can quickly review important lesson material.
In this lession, we will be restoring an Active Directory / System State backup of our primary domain controller. To get started, I am going to log in to my test lab, open Active Directory and start breaking stuff.
I’m going to delete the root OU I have called “Server Academy”. This will delete several user and computer accounts as well as other sub OUs.
First I need to enable Advanced Features by clicking View > Advanced Features, then I can open the properties of each OU and remove the protection from accidental deletion:
Now that I have repeated this for all the OUs, I can go ahead and delete the OUs:
So now my OU and User Accounts are deleted:
Yikes! Now I need to restore my backup to get the data back. To restore a System State backup of an Active Directory we first need to boot the server into DSRM (Directory Services Restore Mode). We can boot into this mode by restarting the server and repeatidly pressing F8 from the moment the server powers off until you see the screen below:
Select Directory Services Repair Mode, then press Enter.
Notice: If you don’t have physical access to the server or don’t see the prompt when you reboot the server, use MSConfig:
Then select Boot > Safe boot > Active Directory repair:
Click OK then restart:
Once you have rebooting into DSRM mode, log in with the LOCAL administrator account and the DSRM password you created when you installed the ADDS server role:
If you see a message about no logon servers available, that means you are using a domain account and not a local account.
Once you’ve logged in, open Command prompt:
Next run the following command:
wbadmin get versions
Next start a recovery by running the command:
wbadmin start systemstaterecovery -version:[Insert your version identifier here] –authsysvol
Note that the “–authsysvol” marks this sysvol as the authoritative for your replication.
I am going to select the latest update I have, and run the command:
Next enter “Y” to confirm:
Again type “Y” to confirm that you may lose internet connectivity:
Confirm that you understand there will be increase network traffic between your domain controllers (if you have multiple) due to AD replication:
Finally, the backup will start and now it’s just a waiting game:
If you used MSConfig to start into DSRM mode, you will want to undo those changes before rebooting. Since my search doesn’t work, Im going to right-click the taskbar and select Task Bar.
Next click File > Run new task
Type MSConfig and press OK. Go to Goot and turn off Safe boot:
Now restart your server. The computer will take a while before booting up so you’ll need to be patient.
Once this is done, go ahead and log in. Once I open Active Directory I can see that the OUs and user accounts are now restored:
And that is how you perform an active directory backup and restore!
Server Academy Members Only
Sorry, this lesson is only available to Server Academy Full Access members. Become a Full-Access Member now and you’ll get instant access to all of our courses.
You mention backups being finished a couple of times, But I think you mean the restore is finished.
Hello i tried to replicate your steps on my vm and i did everything exactly the same as you.But when i tried to restore my Backup with Wbadmin after typing two times Yes for continuing it prompts me a “Windows Backup cant find the backup set directory on the media”
Any Idea whats the problem? I thought maybe its because the backup path is a network path but on the C:// ..
But when i did the WBadmin get versions it shows me the right backup files
thank you for helping
Interesting. Let me try it in a lab to give you a better answer
Horst Bornschein-Grolms
Hi, I follow the steps on recovery and when machine running up I could not login. System did not want to accept CTRL+ALT+DELETE command, so I could not login again to check if I made it. Every time I pressed CTRL+ALT+DELETE the screen was flashing…
Hi
Miroslav Ristic
If it is not responding to your commands you can try from the menu on VirtualBox selecting Input > Keyboard > Insert Ctrl-Alt-Del.
Ricardo
If there is a big server, for e.g. 600 TB which is almost full, but something happen and it brakes down. Lets say that we do have a backup, is there any shortcut to restore that amount of data again to the server or not? If not, that means that business have to suffer until everything is back. Or there is a shrotcut?
Hi
Miroslav Ristic
Interesting question you ask, and might be the #1 concern of every sysadmin.
There might be different recovery options depending on the environment where that server sits. Restoring can take a significant amount of time. Having a high-bandwidth connections to move the data quickly can help. But with High Availability you can have the database replicated to another AD so if one crashes you can be up an running with a new one and once joined to the domain and promoted to AD the replication will take place.
In the worst case the business suffers the time you take to restore. The business takes into account these unexpected failures with Recovery Time Objective (RTO) and Recovery Point Objective (RPO). Disaster Recovery (DR) and High Availability (HA) can reduce the failure of the server breaking down.
Ricardo
I tried all the steps to Restore an active directory backup but once the computer restarts I don’t have internet connection, and I get a message saying “We can’t sign you in with these credentials because your domain isn’t available.”
Hi
Ashi 3D,
If you used the msconfig option to boot it might be going back to DSRM. In this mode networking gets disabled and you get that message when signing in to the domain without the local account.