A guide to performing domain controller restoration using RecoveryManager Plus
What is domain controller recovery?
Domain controller recovery is the process of restoring a domain controller from scratch in the event of a complete breakdown. Without a potent disaster recovery plan, unforeseen events such as hardware failure or ransomware attacks can impede routine IT work and business processes.
In this guide, we'll explain how you can configure a domain controller for backup and the steps you can take to perform its restoration.
Domain controllers have two modes of restoration:
- Non-authoritative restoration: This method simply restores the domain controller from a backup. All changes made to AD after the backup point are then synchronized to the restored domain controller from the other domain controllers in the domain via replication.
- Authoritative restoration: In this method, the restored domain controller's copy of the AD database overwrites that of all other domain controllers in the domain through replication, discarding all AD changes made after the backup.
A domain controller can only be authoritatively restored after non-authoritative restoration is complete.
Performing domain controller restorations using RecoveryManager Plus
Prerequisites:
You will need at least one valid domain controller backup to perform a successful domain controller restoration. Refer to this guide to learn how you can configure a domain controller for backup using RecoveryManager Plus.
Creating a domain controller backup and performing restoration is a two-step process:
- Creating a bootable recovery media
- Performing the restoration
After configuring the backup settings, the backup agent is installed on the selected servers and domain controllers, and a backup of each selected domain controller is taken at the time specified in the configuration.
Once you have a domain controller backup, you can use it to perform a domain controller restoration.
Creating a bootable recovery media
A recovery media is a minimal OS with limited functionality that contains everything required to boot your machine and run the RecoveryManager Plus restoration wizard. Once created, it can be used to restore multiple domain controllers: irrespective of the physical machines' versions, you only need one recovery media for all the domain controllers in your environment.
Prerequisite: Make sure you have the Windows Assessment and Deployment Kit (Windows ADK) and Windows PE installed. If not, download them here.
- Log in to the RecoveryManager Plus web console as an administrator.
- Navigate to the Active Directory tab > Domain Controllers > Restore.
- In the Recovery Media Path field, select Click here to create one to create a recovery media.
Figure 1: Creating recovery media.
- In the pop-up that appears, enter the location (local or shared path) where Windows ADK is installed and click Create Recovery Media.
Figure 2: Providing the Windows ADK path.
Note: If the entered location is a shared path, select Authentication and provide the credentials of a user who can access the location.
- The recovery media is created with the name RMP.iso and can be found in the <Installation_directory>\bin folder.
Figure 3: Recovery media created.
RecoveryManager Plus can restore the backup of a domain controller to the same or a different physical machine. You can also use the product to restore the backup of a domain controller to a virtual machine.
Once the recovery media is created, follow the steps below for non-authoritative restoration of domain controllers.
- Log in to RecoveryManager Plus as an administrator.
- Navigate to the Active Directory tab > Domain Controllers > Restore.
- From the Select Domain Controller drop-down, select the domain controller that has to be restored.
- Select the restore point to which you wish to restore from the Restore Point drop-down menu.
- Once you boot the server to be restored using the recovery media, the RecoveryManager Plus Domain Controller Restoration Wizard (see Figure 4 below) starts. Click Next.
Figure 4: The Domain Controller Restoration Wizard.
- Provide the location of the full backup in the Backup Location field. The full backup can be stored on the local machine or on shared network storage. If the backup is on a network share, provide the credentials of a user who has permission to access the location and click Next.
Figure 5: Providing the location of your full backup (local path).
Figure 6: Providing the location of your full backup (network share).
- Enter the User Name and Password for accessing the network location.
Figure 7: Providing the credentials for accessing the network location.
- If you configured your backups to be encrypted, you’ll be prompted to provide a decryption password. Click Next.
Figure 8: Providing the decryption password.
- Select Yes and click Next on the Confirm Restoration screen to begin the restoration. The domain controller has now been restored to its backed-up state.
Figure 9: Confirming the domain controller restoration process.
Figure 10: Domain controller restoration process completion and Restoration Summary.
- Clicking Finish reboots the restored domain controller. All other domain controllers in the domain then replicate the AD changes made since the backup to the restored domain controller.
Figure 11: Domain controller restoration complete.
To stop the restored domain controller from receiving those changes via replication, and instead bring all the other domain controllers in the domain to the same state as the restored domain controller, perform an authoritative restoration by following the steps listed below.
Authoritative restoration of a domain controller
Note: A domain controller can be authoritatively restored only after non-authoritative restoration is complete. Follow the steps listed in the previous section to complete non-authoritative restoration before proceeding with authoritative restoration.
- Once non-authoritative restoration is complete, manually boot the domain controller in Directory Services Restore Mode (DSRM) by repeatedly pressing the F8 key immediately after the BIOS POST screen. In the text menu that appears, use the up or down arrow keys to select Directory Services Restore Mode or DS Restore Mode.
- Log in with the DSRM account and password.
- Open a Command Prompt and type ntdsutil.
- Type activate instance ntds.
- Type authoritative restore.
- Determine the distinguished name of the domain, the subtree of objects, or the object that you wish to authoritatively restore.
Syntax: CN=value,OU=value,DC=value,DC=value.
- To authoritatively restore an entire domain, enter: restore subtree <distinguished name of the domain>
- To authoritatively restore a subtree of objects, enter: restore subtree <distinguished name of the subtree>
- To authoritatively restore a single object, enter: restore object <distinguished name of the object>
- Click Yes to confirm.
- Reboot the domain controller in normal mode to complete authoritative restoration.
Once restoration is complete, all domain controllers in the domain will be in the same state as the restored domain controller.
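The ntdsutil sequence above, together with a post-reboot replication check for the non-authoritative section, as an added PowerShell example that is not part of this guide or of RecoveryManager Plus. The DN value and the -WhatIf switch are assumptions for illustration; the health check assumes the ActiveDirectory module is available once the domain controller is back in normal mode.

```powershell
# Added example (not from the RecoveryManager Plus guide). Run in an elevated
# PowerShell on the restored DC: Invoke-AuthoritativeRestore while booted in DSRM,
# Test-ReplicationHealth after the reboot into normal mode (AD DS is offline in DSRM).

function Test-DistinguishedName {
    param([Parameter(Mandatory)][string]$Dn)
    # Matches the guide's syntax CN=value,OU=value,DC=value,DC=value: optional
    # CN=/OU= components followed by at least one DC= component.
    return $Dn -match '^((CN|OU)=[^,]+,)*(DC=[^,]+)(,DC=[^,]+)*$'
}

function Invoke-AuthoritativeRestore {
    param(
        [Parameter(Mandatory)][string]$Dn,
        [ValidateSet('subtree', 'object')][string]$Scope = 'subtree',
        [switch]$WhatIf   # assumption: only show the command, do not run it
    )
    if (-not (Test-DistinguishedName $Dn)) {
        throw "Not a valid distinguished name: $Dn"
    }
    # ntdsutil accepts its menu commands as quoted arguments, so the interactive
    # steps from the guide (activate instance ntds -> authoritative restore ->
    # restore subtree|object <DN> -> quit) can be passed in a single call.
    # ntdsutil still shows its own Yes/No confirmation dialog before restoring.
    $ntdsArgs = @('activate instance ntds', 'authoritative restore',
                  "restore $Scope $Dn", 'quit', 'quit')
    if ($WhatIf) {
        return 'ntdsutil ' + (($ntdsArgs | ForEach-Object { '"' + $_ + '"' }) -join ' ')
    }
    & ntdsutil.exe @ntdsArgs
    return $LASTEXITCODE
}

function Test-ReplicationHealth {
    # After the reboot into normal mode, every inbound replication partner of
    # this DC should report a last result of 0 (success); anything else means
    # the other DCs are not yet converging on the restored state.
    Import-Module ActiveDirectory
    $meta = Get-ADReplicationPartnerMetadata -Target $env:COMPUTERNAME -PartnerType Inbound
    $failed = $meta | Where-Object { $_.LastReplicationResult -ne 0 }
    if ($failed) {
        $failed | Select-Object Partner, LastReplicationResult, LastReplicationAttempt | Format-Table
        return $false
    }
    return $true
}

# Constructed sample DN; replace with the subtree or object you actually restored.
Invoke-AuthoritativeRestore -Dn 'OU=Servers,DC=example,DC=local' -Scope subtree -WhatIf
```

Running the script with -WhatIf only prints the exact ntdsutil command line, which is a convenient way to review the DN before doing the real restore in DSRM.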