Restoring a Whole Domain
If you deleted or damaged a section of Active Directory and the domain has more than one domain controller (DC), the damage has most likely already replicated to every DC in the domain.
The main difference between restoring a single DC and restoring the whole domain is that you must take all of the domain's DCs offline before you begin the restore process. Otherwise, as soon as you restore one DC, one of the bad DCs will immediately attempt to replicate the bad changes to the newly restored DC and “infect” it.
To avoid “infection” of the restored DCs, do one of the following:
- Temporarily disconnect the network cables from the domain controllers, or
- Temporarily disconnect the virtual network adapter from the network, or
- Temporarily stop the Active Directory DS service (NTDS) and the DNS service on each DC, or
- Boot all the DCs into Directory Services Restore Mode (DSRM).
Note: Never disable the network interface controller (NIC) in Device Manager. Doing so will prevent loopback connectivity to AD within the domain controller itself. Instead, disconnect the network cable. On a VM, change the virtual network adapter so that it is not connected to any network. For example, in Hyper-V Manager right-click the VM, open Settings, select the virtual network adapter and change the Network to Not connected.
- Install the U-Move Agent on each DC. If you previously created a backup with U-Move, then the agent is already installed. Otherwise, on your desktop PC run U-Move and connect to each DC to install the U-Move Agent.
- Ensure that all of the DCs are disconnected from the network, or boot all of the DCs into Directory Services Restore Mode (DSRM), or temporarily stop the Active Directory DS service (NTDS) and the DNS service.
- Verify that no domain controllers for the domain are serving Active Directory or DNS. (You can allow any DCs serving other domains to continue to run normally.)
- On each DC do a simple or comprehensive restore to reload AD. Start first with the Primary Domain Controller (PDC).
- While each DC is rebooting you can reconnect it to the network.
- Clean up and uninstall U-Move.
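The isolation and verification steps above (stop NTDS and DNS on every DC, then confirm that no DC in the domain still serves AD or DNS before the first restore) as an added PowerShell example; this is not U-Move's own code. It assumes the ActiveDirectory RSAT module and WinRM access to each DC, and the domain name and VM naming are placeholders.

```powershell
# Added example: isolate every DC of one domain and confirm none still answers
# LDAP or DNS before any restore begins. Domain name below is a placeholder.
Import-Module ActiveDirectory

$domain = 'corp.example.com'
$dcs = Get-ADDomainController -Filter * -Server $domain |
       Select-Object HostName, IPv4Address, OperationMasterRoles

# Open remote sessions and record IP addresses while AD and DNS are still up:
# once NTDS and DNS are stopped, Kerberos tickets and name resolution for the
# DCs are no longer available, so both must be obtained first.
$sessions = New-PSSession -ComputerName $dcs.HostName

# Option A (Hyper-V guests): detach the virtual NIC instead of disabling the NIC
# in Device Manager, which would also break loopback access to AD on the DC.
# Uncomment on the Hyper-V host; assumes VM names equal the short host names.
# foreach ($dc in $dcs) { Disconnect-VMNetworkAdapter -VMName $dc.HostName.Split('.')[0] }

# Option B: stop NTDS and DNS on every DC. -Force also stops the services that
# depend on NTDS (Kerberos KDC, Netlogon, ...).
Invoke-Command -Session $sessions -ScriptBlock {
    Stop-Service -Name DNS  -Force -ErrorAction Stop
    Stop-Service -Name NTDS -Force -ErrorAction Stop
    Get-Service -Name NTDS, DNS | Select-Object Name, Status
}

# Verification: no DC of the domain may still answer on LDAP (389) or DNS (53).
# Use the recorded IP addresses because DNS is down at this point.
$stillServing = foreach ($dc in $dcs) {
    foreach ($port in 389, 53) {
        $t = Test-NetConnection -ComputerName $dc.IPv4Address -Port $port -WarningAction SilentlyContinue
        if ($t.TcpTestSucceeded) { "$($dc.HostName) still answers on TCP $port" }
    }
}
if ($stillServing) {
    $stillServing | ForEach-Object { Write-Warning $_ }
    throw 'Do not start the restore until every DC of the domain is offline.'
}

# The restore sequence starts with the PDC, so report which DC holds that role.
$pdc = ($dcs | Where-Object OperationMasterRoles -contains 'PDCEmulator').HostName
Write-Host "All $($dcs.Count) DCs of $domain are isolated. Restore $pdc first, then the others."
Remove-PSSession $sessions
```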
See also Restoring the Entire Forest.
Simple Restore vs Comprehensive Restore
A simple restore will restore only the Active Directory Domain Services (AD DS) database.
A comprehensive restore will also restore other data that, while technically not part of AD DS, is closely associated with it. This other data includes the Domain Name System (DNS) database, the DHCP database, the Active Directory Federation Services (AD FS) database, the Active Directory Certificate Services (AD CS) database, the IIS metabase, the WINS database, the computer name, and the IP address.
A comprehensive restore is required to restore any of the databases or settings listed above because they are not part of Active Directory Domain Services.
Alternate procedure: Authoritative restore of one object or one subtree
If you do not have a backup snapshot of the other DCs in the domain, Microsoft provides the option of recovering selected objects using Ntdsutil (Authoritative Restore), which can be used if the damage is limited to one subtree (such as an Organizational Unit) or a single leaf object. You run Ntdsutil to increment the serial number of the selected object(s) on the newly restored DC. This makes them effectively authoritative and forces the restored objects to replicate to the other DCs.
Note: The use of Authoritative Restore is not recommended. It requires that you have expert knowledge of Ntdsutil and the Active Directory tree structure in order to repair duplicate objects and group membership back-links.
The procedure is as follows:
- Run U-Move to create a backup snapshot of AD on every DC. This will give you a safety checkpoint so you can roll back everything if the authoritative restore procedure does not work.
- Select one DC to restore and temporarily disconnect it from the network.
- Use U-Move to restore the AD backup snapshot. The DC will reboot.
- With the network cable still disconnected, go to Active Directory Users and Computers to verify that the object(s) were restored.
- Temporarily stop the NTDS service (NET STOP NTDS) or boot the DC into Directory Services Restore Mode (DSRM).
- Run Ntdsutil to mark the object or the subtree as authoritative. See Mark an Object or Objects as Authoritative (Microsoft Docs).
- Reconnect the DC to the network and reboot it to bring up AD. This will replicate the authoritatively restored object(s) to the other DC(s).
- Go to Active Directory Users and Computers on each DC to verify that the restored object(s) have replicated successfully.
- If the Ntdsutil restore operation created an .LDF file, run the .LDF file on the newly restored DC to restore the group membership back links. See Run an LDIF File to Recover Back-Links: ldifde -i -k -f filename. Do this as a cleanup step after you have verified that the object(s) have replicated successfully. The target DC will replicate the contents of the .LDF file to the other DCs. In ADUC inspect one of the affected group objects (e.g., Domain Users) and verify that the restored users all appear as members of the group.
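The two verification steps above (confirm that the authoritatively restored object(s) have replicated to every DC, then confirm that the group back-links were recovered) as an added PowerShell example; it is not U-Move's own code. The subtree DN and group name are placeholders, and it assumes the ActiveDirectory RSAT module and repadmin are available on the machine it runs from.

```powershell
# Added example: verify the authoritatively restored subtree is present on every
# DC and that the restored users are members of their group again.
Import-Module ActiveDirectory

$restoredSubtree = 'OU=Sales,DC=corp,DC=example,DC=com'  # placeholder: the DN given to ntdsutil
$group = 'Sales-Staff'                                   # placeholder: a group whose back-links were rebuilt
$dcs = (Get-ADDomainController -Filter *).HostName

# Push replication from every DC now instead of waiting for the schedule
# (/A all partitions, /d show names as DNs, /e enterprise, /P push).
repadmin /syncall /AdeP | Out-Null

# Compare the number of objects under the restored subtree on each DC.
$perDc = foreach ($dc in $dcs) {
    $objs = @(Get-ADObject -Server $dc -SearchBase $restoredSubtree -Filter * -ErrorAction SilentlyContinue)
    [pscustomobject]@{ DC = $dc; Objects = $objs.Count }
}
$perDc | Format-Table -AutoSize
$expected = ($perDc | Measure-Object Objects -Maximum).Maximum
$behind = $perDc | Where-Object { $_.Objects -ne $expected }
if ($behind) {
    Write-Warning "Subtree not fully replicated yet on: $($behind.DC -join ', ')"
}

# Back-link check: the restored users must appear in the group's member
# attribute on every DC. Note that membership held only via primaryGroupID
# (Domain Users by default) is not stored in 'member' and so is not checked here.
$users = Get-ADUser -SearchBase $restoredSubtree -Filter * |
         Select-Object -ExpandProperty DistinguishedName
foreach ($dc in $dcs) {
    $members = (Get-ADGroup -Identity $group -Server $dc -Properties member).member
    $notMember = @($users | Where-Object { $members -notcontains $_ })
    if ($notMember.Count) {
        Write-Warning "$dc : $($notMember.Count) restored user(s) missing from '$group' (run the .LDF file, then re-check)"
    } else {
        Write-Host "$dc : all $($users.Count) restored users are members of '$group'"
    }
}
```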
For more information on Ntdsutil see Performing Authoritative Restore of Active Directory Objects and Recovering Your Active Directory Forest (Microsoft Docs).
After you have completed the above procedure and you are satisfied that everything is working okay, run U-Move on every DC to set up scheduled backups of AD.