How to restore a domain controller from backup in Active Directory

So what is your disaster recovery plan for the failure of a single domain controller?

There are actually two answers to that question:

1. Restore the domain controller from backup (Note: the Active Directory is held in the system state, thus restoration of the system state will restore the Active Directory).
2. Don't restore the domain controller. Reinstall and repromote, or simply demote and repromote.

The first solution, restoring from backup, isn't as simple as it seems. Although the most direct method is to repromote the domain controller as described above, there are cases when a restore from backup is required. For instance, restoring an entire domain or an entire forest where no active domain controller exist is only possible by restoring the system state of one domain controller in the domain, then installing other servers and promoting them to domain controllers. There is no reason to restore other domain controllers from backup. In a multiple domain forest, you must restore the root domain first, followed by child domains.

In restoring a domain controller from backup media, it is important to note the following:

1. It is only necessary to restore a single domain controller in each domain (starting with the root domain if it's a multiple domain, parent-child structure). After the first domain controller is restored, bring additional domain controllers in using DCPromo.
2. In a true disaster recovery plan, you must allow for the fact that the restore will likely take place on different hardware than the original that the backup was made from. Refer to Microsoft KB article 263532 How to perform a disaster recovery restoration of Active Directory on a computer with a different hardware configuration.
3. Backup tapes are only useful for 60 days or whatever the Tombstone lifetime value is set to. (see Microsoft KB 216993 Backup of the Active Directory Has 60-Day Useful Life). Ensure that you have a process to create backup tapes. regularly and validate and store them safely.
4. It is not necessary to restore a domain controller simply because it holds one or more FSMO roles. These roles can be seized to other domain controllers. If you do seize a role, then the original role holder ...
   
   To continue reading for free, register below or login

   Requires Membership to View

   To gain access to this and all member only content, please provide the following information:

   Email Address:
   
   
   

   By joining SearchWindowsServer.com you agree to receive email updates from the TechTarget network of sites, including updates on new content, magazine or event notifications, new site launches and market research surveys. Please verify all information and selections above. You may unsubscribe at any time from one or more of the services you have selected by editing your profile or unsubscribing via email.
   
   TechTarget cares about your privacy. Read our Privacy Policy
   To read more you must become a member of SearchWindowsServer.com

   As an existing member of the TechTarget network please activate your SearchWindowsServer.com account 

   By joining SearchWindowsServer.com you agree to receive email updates from the TechTarget network of sites, including updates on new content, magazine or event notifications, new site launches and market research surveys. Please verify all information and selections above. You may unsubscribe at any time from one or more of the services you have selected by editing your profile or unsubscribing via email.
   
   TechTarget cares about your privacy. Read our Privacy Policy
   
   
   

   Digg This!     StumbleUpon     Del.icio.us

   
   
   
   

   RELATED CONTENT Microsoft Active Directory Backup and Restore Utilizing Active Directory snapshots in Windows Server 2008 The Windows Report -- Will AD have your back in Windows 2008 R2? How to build redundancy in Active Directory replication An alternate strategy for DNS server backup Diamonds are forever, but not Active Directory backups How do I add a backup domain controller in Windows NT? Tools for quick recovery of deleted Active Directory objects Active Directory disaster recovery: Protecting the enterprise from the administrator Creating Active Directory replicas from backup tapes How to use Install from Media to restore a domain controller Active Directory Administration Utilizing Active Directory snapshots in Windows Server 2008 Creating Windows taskpad views for Active Directory management When to add new domains to your Windows environment Debugging Windows client logon delays: Narrowing the scope Using Active Directory to manage Macs in a Windows environment Troubleshooting poor Windows logon performance in Active Directory environments Common Active Directory security oversights Scripting domain controller installations: A must for Server Core Taming the LSASS.exe process for Active Directory performance and security Troubleshooting Active Directory database errors

   RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary

   
   
   should never come back on line (wipe and reload it).

5. Restoring a domain controller in an existing domain from a backup tape automatically makes that domain controller out of date by the number of days since the backup was performed. This will cause a synchronization to take place that will take longer than a normal replication update and have a bigger impact on the network since there will probably be more changes to replicate. This depends on the number of changes made since the backup tape was made.

It's important to note that one of the common reasons for demoting and repromoting a domain controller is because replication is broken. But if replication is broken then demotion via DCPromo is not going to work either.

[IMAGE]
[IMAGE]Disaster Recovery Planning for Active Directory
[IMAGE]
[IMAGE] Part 1: How to create an AD replication lag site to minimize disasters
[IMAGE] Part 2: How to build redundancy in AD replication
[IMAGE] Part 3: How to restore a domain controller from backup in AD
[IMAGE] Part 4: How to use Install from Media to restore a domain controller

Gary Olsen is a systems software engineer for Hewlett-Packard in Global Solutions Engineering. He wrote Windows 2000: Active Directory Design and Deployment and co-authored Windows Server 2003 on HP ProLiant Servers. Olsen is a Microsoft MVP for Windows Server-File Systems.