
Restore a domain controller from backup using Veeam

We continue publishing a series of articles written by a colleague for the corporate blog, dedicated to backing up and restoring domain controllers and Active Directory itself.

The previous article in this series described the procedure for backing up physical and virtual domain controllers (DCs). Today we will talk about restoring them.
I should say up front that this post is not a complete guide to restoring Active Directory. Its purpose is to explain what needs to be considered when restoring AD or a specific domain controller from a backup, and to show how these actions can be performed with Veeam products.



A thorough knowledge of your infrastructure helps a lot when planning AD recovery. Here are just a few of the questions that you need to know the answers to in order to successfully recover the data:

Note: Starting with Windows Server 2008, DFSR is the default replication mechanism for the SYSVOL share.

Restore a virtualized domain controller


If you are going to restore a domain controller, you must first determine whether a non-authoritative restore will suffice or whether you need an authoritative restore.
The difference between the two modes is this: in a non-authoritative restore, the restored domain controller knows that it has been offline for some time, so it lets the other controllers update its database with the changes made during its absence. In an authoritative restore, the restored controller treats its own database as the only valid one, so it is the one that pushes its data out to the other domain controllers.
In most recovery scenarios you will need the non-authoritative mode, since the environment usually has several domain controllers. (In addition, an authoritative restore can create new problems.)

This is what the Veeam Backup & Replication logic is based on: by default, a non-authoritative restore is performed, since the infrastructure is assumed to be redundant and to include several controllers.

To perform authoritative restoration using Veeam, you need to take some additional steps that will be described later.

Useful: Another common option when a domain controller fails is to transfer its roles to other controllers and clean up its metadata if recovery is unlikely. In this case you instruct the other DCs to take over the functions of the failed one, and you do not need to restore it at all.

Non-authoritative recovery


So, back to the backup files whose creation was described in the previous article. To restore a domain controller from a Veeam Backup & Replication backup, you need to:

  1. Run the recovery wizard in the Veeam Backup console.
  2. Find the right domain controller.
  3. In the restore menu, select the option to restore the entire VM (Restore Entire VM).
  4. Specify the restore point.
  5. Select the original or new recovery location.
  6. Complete the procedure.

The most remarkable part is that, because the backup was created with application-aware processing, you do not need to do anything else. Veeam recognizes the domain controller in the specified VM and carefully restores it using the following sequence of actions:

  1. Restore the VM's files and disks.
  2. Boot the OS into Directory Services Restore Mode (DSRM).
  3. Apply the settings.
  4. Restart in normal mode.

The domain controller will be aware of the restoration from the backup and will take the appropriate action: the existing database will be declared invalid, and replication partners will be able to update it with the latest information.


Recovery in the “authoritative” mode


Most likely you will not need this recovery mode. However, let's take a closer look at it so that you understand why that is.

This mode can be used, for example, when you are restoring a known-good copy of a domain controller in an environment with several domain controllers whose entire AD structure has for some reason been damaged (for example, by malware). In this situation, of course, you want the affected domain controllers to accept changes from the newly restored controller.

Note: The actions performed are similar to what happens when using Veeam SureBackup to restore a domain controller in an isolated environment.

To restore a deleted object or container in authoritative mode and force the domain controller to copy the recovered data from this DC to other controllers:

  1. Select the full VM restore operation in Veeam: the program will automatically perform the standard DC restore in the “non-authoritative” mode (see above).
  2. On the second DC restart, open the boot menu (press F8), select DSRM and log in with the DSRM account credentials (the account you specified when you promoted this computer to a domain controller).
  3. Open a command prompt and run the ntdsutil utility.
  4. Use the following commands:

    • activate instance ntds;
    • then authoritative restore;
    • then restore object "distinguishedName" or restore subtree "distinguishedName"

      Example: restore subtree "OU=Branch,DC=dc,DC=lab,DC=local"

  5. Confirm the authoritative restore and restart the server after the operation is completed.

The authoritative SYSVOL restore procedure (when SYSVOL is replicated by DFSR) is as follows:

  1. Perform a non-authoritative restore of the domain controller (for example, restore the entire VM in Veeam Backup & Replication).
  2. On the second boot, go to the registry key HKLM\System\CurrentControlSet\Services\DFSR, create a subkey named Restore, and in it create a string value named SYSVOL with the data authoritative.
     This value is read by the DFSR service. If it is not set, SYSVOL is restored in non-authoritative mode by default.
  3. Go to HKLM\System\CurrentControlSet\Control\BackupRestore, create a subkey named SystemStateRestore, and in it create a string value named LastRestoreId with any GUID as its data, for example 10000000-0000-0000-0000-000000000000.
  4. Restart the DFSR service.




The authoritative SYSVOL restore procedure (when SYSVOL is replicated by FRS):

  1. Perform a non-authoritative restore of the domain controller (for example, restore the entire VM in Veeam Backup & Replication).

  2. On the second boot, go to the registry key HKLM\System\CurrentControlSet\Services\NtFrs\Parameters\Backup/Restore\Process at Startup and set the BurFlags value to 000000D4 (hex), that is 212 (dec).

     This forces the data to be replicated to the other domain controllers by the old FRS technology in “authoritative” mode. Read more about restoring FRS here.

  3. Restart the NTFRS service.
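The two registry procedures above (DFSR and FRS), as an added PowerShell example written for this page; it is not a Veeam or Microsoft script. It uses the .NET registry API rather than the HKLM: drive because the FRS key name "Backup/Restore" contains a slash that the PowerShell registry provider would treat as a path separator. It assumes it is run elevated on the restored DC's second boot; the GUID is the constructed value from the text.

```powershell
# Added example: mark the restored DC's SYSVOL replica as authoritative
# (DFSR or FRS) and restart the replication service, as described above.
param(
    [ValidateSet('DFSR', 'FRS')] [string] $Engine = 'DFSR',
    # Any GUID is accepted; this is the constructed placeholder from the text.
    [string] $LastRestoreId = '10000000-0000-0000-0000-000000000000'
)

$hklm = [Microsoft.Win32.Registry]::LocalMachine
$dfsrRestorePath = 'SYSTEM\CurrentControlSet\Services\DFSR\Restore'
$stateRestorePath = 'SYSTEM\CurrentControlSet\Control\BackupRestore\SystemStateRestore'
$frsStartupPath = 'SYSTEM\CurrentControlSet\Services\NtFrs\Parameters\Backup/Restore\Process at Startup'

function Set-AuthoritativeSysvolRestore {
    param([string] $Engine, [string] $LastRestoreId)
    if ($Engine -eq 'DFSR') {
        # DFSR reads Restore\SYSVOL = "authoritative" when the service starts.
        $restore = $hklm.CreateSubKey($dfsrRestorePath)
        $restore.SetValue('SYSVOL', 'authoritative', [Microsoft.Win32.RegistryValueKind]::String)
        $restore.Close()
        # LastRestoreId records that a system-state restore took place.
        $state = $hklm.CreateSubKey($stateRestorePath)
        $state.SetValue('LastRestoreId', $LastRestoreId, [Microsoft.Win32.RegistryValueKind]::String)
        $state.Close()
        Restart-Service -Name 'DFSR' -Force
    } else {
        # FRS: BurFlags = 0xD4 (212 decimal) requests an authoritative restore.
        $frs = $hklm.CreateSubKey($frsStartupPath)
        $frs.SetValue('BurFlags', 0xD4, [Microsoft.Win32.RegistryValueKind]::DWord)
        $frs.Close()
        Restart-Service -Name 'NtFrs' -Force
    }
}

function Get-SysvolRestoreState {
    # Read back what the services will see, so the change can be checked before rebooting.
    $dfsr = $hklm.OpenSubKey($dfsrRestorePath)
    $frs = $hklm.OpenSubKey($frsStartupPath)
    $dfsrValue = if ($dfsr) { $dfsr.GetValue('SYSVOL') } else { $null }
    $frsValue = if ($frs) { '0x{0:X}' -f [int]$frs.GetValue('BurFlags', 0) } else { $null }
    [pscustomobject]@{ DfsrSysvol = $dfsrValue; FrsBurFlags = $frsValue }
}

Set-AuthoritativeSysvolRestore -Engine $Engine -LastRestoreId $LastRestoreId
Get-SysvolRestoreState
```

Run with `-Engine FRS` on a controller that still replicates SYSVOL with FRS; the DFSR branch is the default.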

Recovering a physical domain controller with Veeam Endpoint Backup


Now a few words about restoring a physical machine from a backup with Veeam Endpoint Backup.

You will need:

  1. The Veeam recovery media, prepared in advance.
  2. Access to the backup itself (on a USB drive or a network share).

Important! Remember that in this case the special domain controller logic of Veeam Backup & Replication will not be used.

After a restore with Veeam Endpoint Backup, your domain controller will boot into recovery mode. You will need to decide whether you want to change the registry keys described above or reboot straight into normal mode. This Veeam Knowledge Base article may be helpful.



You can read about restoring a “bare metal” backup with Veeam Endpoint Backup in more detail here.

So, we have covered restoring a single domain controller. However, when working with AD you most often need to restore an accidentally deleted object, and in that case restoring the whole controller is not the most efficient option. Therefore, in the next article I will talk about restoring individual objects in the AD directory using Microsoft's own tools and Veeam Explorer for Active Directory.

Source: https://habr.com/ru/post/313570/
