Three types of Active Directory restores exist: Authoritative, Non-Authoritative, and Primary.
Authoritative restore – Running NTDSUTIL after the restore updates the USN (Updated Sequence Numbers) to be greater than any other member domain controller to which the machine formerly replicated. This will cause the restored domain controller to replicate its Active Directory information to all other domain controllers.
Non-Authoritative restore – A restore overwriting the System State to the point at which it was backed up. A Non-Authoritative System State restore is usually done when there are other domain controllers on the network responsible for replicating the Active Directory changes to systems with older Updated Sequence Numbers.
Primary restore – A Primary restore is performed when no other domain controllers are present on the network. This type of restore can also be used when the machine is the only functioning server in a replicated data set.
A base installation of Windows Server will have four subobjects under "System State" in a File-by-File Agent set. These objects are seen when a local or remote file-by-file set is loaded, assuming the File-by-File Agent has been installed on the system being backed up. The subcomponents of the System State are the following:
Event Logs
Registry Hives
Boot Files
COM+ Database
The System State of an Active Directory host contains more subcomponents under the "System State" icon seen in the UltraBac interface:
Event Logs
Registry Hives
Active Directory
Boot Files
COM+ Database
Sys Vol
|
NOTE: The Windows Service Pack at the restore target must be the same as that of the machine at the time of backup. |
|
NOTE: When pushing the restore to a remote system booted into Directory Services Mode, be sure that full version of UltraBac is installed on the restore target. |
The restore target must be booted into Directory Services Restore Repair mode.
The Windows name and OS version of the restore target must match the original system.
The OS on the restore target must be installed to the same path as the original system. WINDOWS is the default name for the %SYSTEMROOT% path.
All of the latest OS service packs must be applied to the restore target.
Install the full version of UltraBac on the restore target.
Any new hardware should be matched to the original hardware as closely as possible.
If the restore is being performed remotely, ensure the default UltraBac account has enough authority on the restore target to perform an OS restore.
You must know what functional level your domain/forest is in (2003 / 2008 / 2008 R2 / 2012 / 2012 R2 / 2016 / 2019) as the restore steps are different depending upon the Active Directory Schema and the Operating System of the Domain Controller.
|
NOTE: When attempting to restore an Active Directory host to a new installation of Windows, a base version of Active Directory, using only the default components, must be installed before attempting the restore. |
|
NOTE: In previous versions of Windows Server, the preferred method of reaching the Advanced Boot Options menu was to press F8 immediately after the power-on self-test (POST) process completed. This often required numerous attempts and rapid pressing of the F8 key. Windows Server 2012 and later boots significantly more quickly than previous versions, making it difficult to press F8 at the correct time. You can use one of the methods in this article to boot to the Advanced Boot Options menu instead of pressing F8. |
Start the domain controller in "Directory Services Restore" mode before restoring the System State:
Reboot the system.
Press F8 immediately after the power-on self-test (POST) process.
Log in using the Administrator account and password stored in the SAM (Security Accounts Manager), created when Active Directory was installed. For the domain use the local computer name.
Select "OK" within the "Desktop" dialog box.
|
NOTE: Active Directory/domain administrator accounts are not available, as the Active Directory is offline. The SAM account must also be defined in UltraBac before attempting restore. |
With the domain controller in “Directory Services Restore” mode before restoring the System State:
Install UltraBac with local authentication credentials.
If UltraBac is already installed using domain credentials, change the credentials to the Administrator account and password in the SAM.
Enter the local administrator account when prompted by UltraBac.
Fig. 1 - Authentication Options.
Once the installation of UltraBac is completed, open the UltraBac Management Console.
Select the Manage tab and click on the "Storage Devices" icon and define where your backup is stored and then click "Close.".
Fig. 2 - Define Storage Device Location of Backup.
From the Restore tab select "Media" to pull up and load the backup and then click OK.
Fig. 3 - Load Backup Index.
A prompt will open asking for the Restore Target. Select your Restore Target and click OK
Fig. 4 Restore Target
Choose both System State and the OS partition for restore.
Fig. 5 - Select OS and System State for Restore.
|
NOTE: When restoring the System State/Active Directory, all System State components must be restored. If one component is excluded from the restore, all objects will be excluded. |
Select the "Action" icon and "Restore this Backup".
Fig. 6 - Select Restore this Backup.
On the Restore Options screen "Restore in-use files" and "Overwrite Always" must be selected. Click Next.
Fig. 7 - Restore Options.
On the second Restore Options screen, make sure to select "Run unattended" and then click Restore..
Fig. 8 - Restore Options second screen
Once the restore is finished, you will get a "Confirm Reboot" screen.
Fig. 9 - Confirm Reboot
Click "No" or "Cancel" and an NTDSUTIL command window will open.
|
NOTE: There is a known bug that the NTDSUTIL command window will open no matter which choice you choose. |
If you are going to do an Authoritative Restore then you will need to leave the NTDSUTIL command window open, otherwise you can type"q" in the command window to close it.
|
NOTE: It is highly recommended to do the authoritative restore from an existing domain controller and not the one you are restoring, this way you will not lose any AD objects and changes since the last backup. |
A Reboot Request window will open, and click "OK".
Fig 10 - Reboot Request
Before going further, the next steps depend upon what level the Active Directory Schema is at, and what Operating System the Domain Controller is running.
2012/2012 R2/2016/2019 Active Directory Schema with Multiple Domain Controllers
2012/2012 R2/2016/2019 Active Directory Schema with a Single Domain Controller
2008/2008 R2 Active Directory Schema with Multiple Domain Controllers
2008/2008 R2 Active Directory Schema with a Single Domain Controller