One of the most important steps in a recovery strategy for domain controllers is to perform the proper backups while everything is working correctly.
In addition to regular full backups, administrators should perform regular system state backups. Restoring from a system state backup is faster than restoring from a full server backup.
Be aware of the Windows editions when performing a system state backup:
With Windows Server 2008 R2 you can use Windows Server Backup (GUI) to take a system state backup.
With Windows Server 2008 you must use wbadmin start systemstatebackup (CMD) to take a system state backup.
The backup can only be saved to a local drive (not the same drive that holds the system state data), not to a shared folder or a disc.
There are three ways to restore Active Directory or AD objects:
1. Nonauthoritative restore
A nonauthoritative restore returns the domain controller and the Active Directory database to their state at the time of the backup. When the domain controller comes back online, Active Directory replicates the database with the other DCs in the domain, so any changes made since the backup are replicated to the restored domain controller.
Most common use of a nonauthoritative restore is to bring an entire DC back from a failure.
2. Authoritative restore
An authoritative restore is used to restore a designated object or container of objects to its state at the time of the backup. For example, suppose an administrator accidentally deletes an OU that contains a large number of users. If you restore the server from backup, the default nonauthoritative process does not bring back the deleted OU, because the domain controller is updated to the current state of its replication partners, in which the OU is deleted.
When you perform an authoritative restore, you prevent the selected objects from the backup from being overwritten by Active Directory replication. In an authoritative restore, the Update Sequence Number (USN) of the restored objects is incremented so that it is higher than the existing USN of the (deleted) objects in the Active Directory replication system.
Use an authoritative restore to restore specific objects in Active Directory.
3. Active Directory Recycle Bin
You can use the Active Directory Recycle Bin if your AD DS runs at the Windows Server 2008 R2 forest and domain functional levels (FFL/DFL). The AD Recycle Bin helps to minimize directory service downtime by letting you preserve and restore accidentally deleted Active Directory objects without restoring Active Directory data from backups, restarting Active Directory Domain Services (AD DS), or rebooting domain controllers.
The following methods describe, step by step, how to perform a domain controller restore.
Reinstall Active Directory with dcpromo:
If the server boots up but Active Directory is corrupt, you can use dcpromo.
Run dcpromo to remove Active Directory from the domain controller (the server becomes a member server).
Run dcpromo again to install Active Directory. The AD data will be copied from another DC on the network.
Run dcpromo /forceremoval if you are unable to remove Active Directory.
The disadvantage of using dcpromo is that the entire Active Directory database must be replicated across the network from another domain controller. However, you can use the Install from Media option to copy the database from media to reduce network traffic.
Restore system state:
If the server boots but Active Directory is corrupt, you can restore the system state data from a recent backup. After the backup is restored, Active Directory replication copies only the changed data to the restored domain controller. To use this method to restore a domain controller:
Reboot the server in Directory Services Restore Mode (DSRM). Use one of the following methods:
Reboot the server. After the BIOS screen, press F8 and select Directory Services Restore Mode (DSRM).
At a command prompt, type:
bcdedit /set safeboot dsrepair
shutdown -t 0 -r
From a command prompt (Run as administrator), run wbadmin start systemstaterecovery -version:<version identifier> to restore the system state data. The version identifier of the backup is listed by wbadmin get versions.
Restart the server in normal mode. If you used bcdedit to start the server in DSRM, type the following at a command prompt:
bcdedit /deletevalue safeboot
shutdown -t 0 -r
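As an added example (not from the original article), this PowerShell script parses the text that wbadmin get versions prints, keeps only versions whose Can recover line lists System State, and reports the newest one together with the -version value that wbadmin start systemstaterecovery expects and whether it is older than a threshold, which is a useful routine check while everything is still working. The function names and the sample output are constructed for the example.

```powershell
function Get-SystemStateBackupVersions {
    # Defaults to live wbadmin output; pass captured text to run offline.
    param([string[]]$WbadminOutput = (& wbadmin get versions))
    $versions = @()
    $current = $null
    foreach ($line in $WbadminOutput) {
        if ($line -match '^Backup time:\s*(.+)$') {
            # Each version block starts with its "Backup time:" line (localized date).
            $current = [pscustomobject]@{ BackupTime = [datetime]::Parse($Matches[1]); VersionId = $null; SystemState = $false }
            $versions += $current
        }
        elseif ($current -and $line -match '^Version identifier:\s*(\S+)') {
            $current.VersionId = $Matches[1]
        }
        elseif ($current -and $line -match '^Can recover:.*System State') {
            $current.SystemState = $true
        }
    }
    # Only versions that can actually feed 'wbadmin start systemstaterecovery'.
    $versions | Where-Object { $_.SystemState -and $_.VersionId } | Sort-Object BackupTime -Descending
}

function Test-SystemStateBackupAge {
    param([string[]]$WbadminOutput, [int]$MaxAgeDays = 7)
    $newest = Get-SystemStateBackupVersions -WbadminOutput $WbadminOutput | Select-Object -First 1
    if (-not $newest) { throw 'No system state backup found in wbadmin output.' }
    $age = (Get-Date) - $newest.BackupTime
    [pscustomobject]@{
        VersionId       = $newest.VersionId
        AgeDays         = [math]::Round($age.TotalDays, 1)
        Stale           = $age.TotalDays -gt $MaxAgeDays
        # The version identifier is the value systemstaterecovery expects.
        RecoveryCommand = "wbadmin start systemstaterecovery -version:$($newest.VersionId)"
    }
}

# Constructed, abridged 'wbadmin get versions' output: the second version has
# no System State in its "Can recover" line and must be skipped.
$sample = @'
Backup time: 2/12/2014 1:02 AM
Version identifier: 02/12/2014-01:02
Can recover: Volume(s), File(s), Application(s), Bare Metal Recovery, System State

Backup time: 2/19/2014 1:02 AM
Version identifier: 02/19/2014-01:02
Can recover: Volume(s), File(s)
'@ -split "`r?`n"

Test-SystemStateBackupAge -WbadminOutput $sample
```

Run Test-SystemStateBackupAge without -WbadminOutput on a domain controller to check its real backups; the Stale flag is what a monitoring job would alert on.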
Critical volume or full server restore:
If you are unable to reboot the server, you will need to perform a critical volume or full server restore. This restore rebuilds the entire server, along with the Active Directory database. Use the wbadmin start recovery command to start the restore. A full server restore not only restores Active Directory, but data on all other volumes as well.
To enter DSRM, you must supply the recovery mode password. You set this password during domain controller installation. If you need to set or change the password, use the following steps:
Open an elevated command prompt by clicking Start, right-clicking Command Prompt and selecting Run as administrator.
Type ntdsutil.
Type set dsrm password.
Type reset password on server <dcname>.
Enter the password.
Confirm the password.
Type quit, then quit again.