Restoring the Entire Forest
In rare cases you may have deleted or damaged a critical section of Active Directory that is shared by the entire forest. Changes that affect the entire forest include elevating the Forest Functional Level or an running an application that changes the schema (such as installing Exchange Server).
Restoring the entire forest in a large organization can be difficult. The best approach is to take preventative steps. See our White Paper Active Directory Recovery Planning in Small and Large Organizations and the Microsoft article Planning for Active Directory Forest Recovery.
To restore the whole forest you need to take all of the DCs offline first. Do this before you begin the restore process. Otherwise when you restore a DC one of the bad DCs will immediately attempt to replicate the bad changes to the newly restored DC and “infect” it.
To avoid “infection” of the restored DCs, do one of the following:
- Temporarily disconnect the network cables from the domain controllers, or
- Temporarily disconnect the virtual network adapter from the network, or
- Temporarily stop the Active Directory DS service (NTDS) and the DNS service on each DC, or
- Boot all the DCs into Directory Services Restore Mode (DSRM).
Note: Never disable the network interface controller (NIC) in Device Manager. Doing so will prevent loopback connectivity to AD within the domain controller itself. Instead disconnect the network cable. On a VM change the virtual network adapter so that is it not connected to any network. For example, in Hyper-V Managerright-click on the virtual network adapter's properties and change the Network to Not connected.
- Install the U-Move Agent on each DC. If you previously created a backup with U-Move, then the agent is already installed. Otherwise, on your desktop PC run U-Move and connect to each DC to install the U-Move Agent.
- Ensure that all of the DCs are disconnected from the network, or boot all of the DCs into Directory Services Restore Mode (DSRM), or temporarily stop the Active Directory DS service (NTDS) and the DNS service.
- Verify that no domain controllers are serving Active Directory or DNS.
- On each DC do a simple or comprehensive restore to reload AD. Start first with the Primary Domain Controller (PDC) at the root of the forest. Next reload the Global Catalog (GC) server(s).
- While each DC is rebooting you can reconnect it to the network.
- Clean up and uninstall U-Move.
Microsoft describes a far more complex procedure using the System State backup, Recovering Your Active Directory Forest (Microsoft Docs). The U-Move method is much simpler.
Simple Restore vs Comprehensive Restore
A simple restore will restore only the Active Directory Domain Services (AD DS) database.
A comprehensive will restore other data that, while technically not part of the Active Directory Domain Services, is closely associated with it. This includes the Domain Name Server (DNS) database, the DHCP database, the Active Director Federation Services (AD FS) database, the Active Directory Certificate Services (AD CS) database, the IIS metabase, the WINS database, the computer name, and the IP address.
A comprehensive restore is required to restore any of the databases or settings listed above because they are not part of Active Directory Domain Services.
For more information
For more information see Recovering Your Active Directory Forest (Microsoft Docs).
Alternate procedure: Authoritative Restore
Microsoft provides the option of recovering Active Directory using Ntdsutil (Authoritative Restore). The use of Authoritative Restore is not recommended. It requires that you have expert knowledge of Ntdsutil and the Active Directory tree structure in order to repair duplicate objects and group membership back-links. See Performing Authoritative Restore of Active Directory Objects (Microsoft Docs) and Alternate Procedure: Authoritative restore of one object or one subtree.
|U-Move for Active Directory|