A guide to performing domain controller restoration using RecoveryManager Plus
What is domain controller recovery?
Domain controller recovery is the process of restoring a domain controller from scratch in the event of a complete breakdown. Without a potent disaster recovery plan, unforeseen events such as hardware failure or ransomware attacks can impede routine IT work and business processes.
In this guide, we'll explain how you can configure a domain controller for backup and the steps you can take to perform its restoration.
Domain controllers have two modes of restoration:
- Non-authoritative restoration: This method just restores the file from a backup. All changes made to AD after the backup point will be synchronized to the restored domain controller from the other domain controllers in the domain via replication.
- Authoritative restoration: In this method, the restored domain controller replicates and overwrites the AD database of all other domain controllers in the domain, erasing all AD changes made after the backup.
A domain controller can only be authoritatively restored after non-authoritative restoration is complete.
Performing domain controller backups and restorations using RecoveryManager Plus
Creating a domain controller backup and performing restoration is a three-step process:
- Configuring a backup schedule
- Creating a bootable recovery media
- Performing the restoration
Configuring a backup schedule
To perform a successful domain controller restoration, the backup should contain all parts of the domain controller, including the system state (sysvol folder), boot volume, and the AD database (Ntds.dit); all data in the domain controller must also be backed up.
To perform domain controller restoration, you’ll need at least one valid domain controller backup. The following steps illustrate how you can configure a domain controller for backup using RecoveryManager Plus.
- Log in to RecoveryManager Plus as an administrator.
- Navigate to the Active Directory tab > Settings > Backup Settings > Domain Controllers.
Figure 1: The domain controller's backup settings page in RecoveryManager Plus.
- Click Add Domain Controller in the top-right corner.
Figure 2: Adding domain controllers.
- A list of all domain controllers present in the selected domain will be listed in the pop-up.
- Select the domain controller(s) that you wish to configure for backup and click Next.
Figure 3: Selecting domain controllers for backup.
- Configure the backup settings for the selected domain controllers in the Configure Backup Settings section.
- From the Select Backup Repository drop-down menu, select the backup repository from the list of all available repositories. If no repositories are available, click the icon to add a new repository. In the pop-up that appears, click Yes to proceed to add a new repository.
- Select NAS/Shared and click Add Repository in the top-right corner.
- In the Repository Name field, enter a name for the repository.
- In the Repository Path field, enter the path of the location where you wish to save the backups.
- Enter the User Name and Password of a user that can read and write the content in the specified storage location and click Save.
- In the Full Backup Frequency field, specify the frequency (monthly or weekly) at which full backups must be made.
- In the Retain backups for field, enter how long backup data should be retained.
- Select Encryption if you wish to encrypt your backups. Enter and confirm the password for your encryption.
- Click Save to complete setting up the domain controller for backup.
Figure 4: Configuring backup settings for domain controllers.
The backup agent will now be installed in the selected servers and domain controllers.
A backup of the selected domain controller will be made at the time specified in the configuration. To manually trigger the creation of a backup of the server as soon as the configuration has been set, click the icon under the Actions column of the configured backup schedule.
Once you’ve created a domain controller backup, you can use that to perform a domain controller restoration.
Creating a bootable recovery media
A recovery media e is a minimal OS with limited functionalities that contains all data required to boot your machine and run RecoveryManager Plus' restoration wizard. Once created, it can be used to restore multiple domain controllers. Irrespective of the physical machine's version, you will only need one recovery media for all the domain controllers in your environment.
Prerequisite: Make sure you have the Windows Assessment and Deployment Kit (Windows ADK) and Windows PE installed. If not, download them here.
- Log in to the RecoveryManager Plus web console as an administrator.
- Navigate to the Active Directory tab > Domain Controllers > Restore.
- In the Recovery Media Path field, select Click here to create one to create a recovery media
Figure 5: Creating recovery media.
- In the pop-up that appears, enter the location (local or shared path) where Windows ADK is installed and click Create Recovery Media.
Figure 6: Providing the Windows ADK path.
Note: If the entered location is a shared path, select Authentication and provide the credentials of a user who can access the location.
- The recovery media will be created with the name RMP.iso and can be found in the <Installation_directory>\bin.
Figure 7: Recovery media created.
RecoveryManager Plus can restore the backup of a domain controller to the same or a different physical machine. You can also use the product to restore the backup of a domain controller to a virtual machine.
Once the recovery media is created, follow the steps below for non-authoritative restoration of domain controllers.
- Log in to RecoveryManager Plus as an administrator.
- Navigate to the Active Directory tab > Domain Controllers > Restore.
- From the Select Domain Controller drop-down, select the domain controller that has to be restored.
- Select the restore point to which you wish to restore from the Restore Point drop-down menu.
- Once you boot the server to be restored using the recovery media, the RecoveryManager Plus Domain Controller Restoration Wizard (see Fig. 8 below) will start. Click Next.
Figure 8: The Domain Controller Restoration Wizard.
- Provide the location of the full backup in the Backup Location field. The location of the full backup can be stored in the local machine or in shared network storage. If the backup is in a shared network, provide the credentials of a user who has permission to access the location and click Next.
Figure 9: Providing the location of your full backup (local path).
Figure 10: Providing the location of your full backup (network share).
- Enter the User Name and Password for accessing the network location.
Figure 11: Providing the credentials for accessing the network location.
- If you configured your backups to be encrypted, you’ll be prompted to provide a decryption password. Click Next.
Figure 12: Providing the decryption password.
- Select Yes and click Next on the Confirm Restoration screen to begin the restoration. The domain controller has now been restored to its backed-up state.
Figure 13: Confirming the domain controller restoration process.
Figure 14: Domain controller restoration process completion and Restoration Summary.
- Clicking Finish will reboot the restored domain controller. All other domain controllers in the domain will replicate all the AD changes made since the backup to the restored domain controller.
Figure 15: Domain controller restoration complete.
To stop the restored domain controller from receiving changes via replication, and to make all the other domain controllers in the domain have the same state as the restored domain controller, perform an authoritative restoration by following the steps listed below.
Authoritative restoration of a domain controller
Note: A domain controller can be authoritatively restored only after non-authoritative restoration is complete. Follow the steps listed in the previous section to complete non-authoritative restoration before proceeding with authoritative restoration.
- Once non-authoritative restoration is complete, manually boot the domain controller in Directory Services Restore Mode (DSRM) by repeatedly pressing the F8 key immediately after the BIOS POST screen. In the text menu that appears, use the up or down arrow keys to select Directory Services Restore Mode or DS Restore Mode.
- Log in with the DSRM account and password.
- Open a Command Prompt and type ntdsutil.
- Type activate instance ntds.
- Type authoritative restore.
- Determine the distinguished name of the domain, the subtree of objects, or the object that you wish to authoritatively restore.
Syntax: CN=value,OU=value,DC=value,DC=value.
- To authoritatively restore an entire domain, enter:
restore subtree <distinguished name of the domain>
- To authoritatively restore a subtree of objects, enter:
restore subtree <distinguished name of the subtree>
- To authoritatively restore a single object, enter:
restore object <distinguished name of the object>
- Click Yes to confirm.
- Reboot the domain in normal mode to complete authoritative restoration.
Once restoration is complete, all domain controllers in the domain will be in the same state as the restored domain controller.