Restore Active Directory from backup

Are you trying to restore the active directory from backup?

This guide is for you.

You can restore active directory partitions. However, while restoring the objects and attributes within a Schema partition, keep in mind the restrictions on the schema extension.

Here at Ibmi Media, as part of our Server Management Services, we regularly help our Customers to Windows related tasks.

In this context, we shall look into steps to restore the active directory from backup.

How to Restore a Domain Controller using Replication ?

DC recovery through standard AD replication doesn't exactly involve a process of restoring a DC from a backup. We use this scenario if we have multiple domain controllers in our enterprise network, and all of them are operable. This scenario involves new server installation with its further promotion to a new ADDS domain controller on the same site. The old DC is simply removed from AD.

It is the easiest way that is not related to any irreversible AD changes. In this scenario, the ntds.dit database, GPO files, and the contents of the SYSVOL folder will be automatically replicated to the new domain controller from the DCs that have stayed online.

In case, if the ADDS database is small and another DC is available over a high-speed network link, then the method described above is faster than to restore a DC from a backup copy.

Active Directory Restore Types

There are two types of Active Directory DC restore from a backup i.e. Authoritative & Non-Authoritative.

Authoritative Restore 

After restoring the AD objects, the replication is performed from the restored DC to all other domain controllers. This restore type is used in the scenarios when a single DC or all DCs have failed at the same time (for example, after a virus attack).

In this mode, the USN (Update Sequence Number) value of all restored AD objects will increase by 100,000. Thus, DCs will see all restored objects as newer ones and they will be replicated in the domain.

At the Authoritative Restore, you will lose most AD changes made after you have created your backup.

Non-authoritative Restore 

After restoring the AD database, the controller informs other DCs that it has been restored from a backup and needs the latest AD changes. We can make use of this recovery method on remote sites when it is hard to quickly replicate a large AD database through a slow WAN channel.

Restore Active Directory Domain Controller from a System State Backup

Suppose, we have only one DC in our domain. Due to some reason the physical server it was running on failed.

We have a recent System State of our domain controller. Also, we want to restore Active Directory on a brand new server using Authoritative Restore.

i. To start the DC restore, we must install the same Windows Server version we had on a failed DC.

ii. We install the ADDS role and the Windows Server Backup feature in the Windows Server we have just installed.

iii. In order to restore the Active Directory, we must boot the server in the DSRM. To do it, we run MSConfig and select the option Safe Boot >> Active Directory repair in the Boot tab.

iv. Then we restart the server. It will boot in the DSRM. Then we run the Windows Server Backup (wbadmin) and select Recover in the right menu.

v. In the Recovery Wizard, we check 'A backup stored on another location'.

vi. Then we select the disk, on which the backup of the old AD domain controller is stored, and select the date of the backup for recovery.

vii. After that, we check the ‘System State’ option to restore it.

viii. Next, we select ‘Original location’ and check 'Perform an authoritative restore of Active Directory files'.

ix. The system will show a warning that it is another server backup and if recovered on a different server it may not work. Click OK.

x. After that, another warning message appears. We agree with that as well.

xi. Finally, the process of AD domain controller recovery on a new server will start. Once the process completes, the server will require a reboot.

So we boot the server in normal mode.

We then login to the server using an account with the domain administrator privileges.

When we ran the Active Directory Users and Computers (ADUC) console for the first time, we got the following error:

Active Directory Domain Services
Naming information cannot be located for the following reason:
The server is not operational.

We found that there were no SYSVOL and NETLOGON folders on the restored domain controller.

So to fix the error, we followed the below steps.

1. First, we run the regedit.exe;

2. Next, we go to the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters;

3. Here, we change the SysvolReady value from 0 to 1;

4. Finally, we restart the NetLogon service: net stop netlogon & net start netlogon

Then we try to open ADUC again. We were able to see our domain structure.

So we have successfully recovered our AD domain controller in the Authoritative Restore mode.

How to Restore Separate AD Objects from a Backup ?

Here are the steps our Support Engineers follow to restore specific AD objects.

For restoring specific AD objects, we use the ‘Active Directory Recycle Bin’. If the tombstone lifetime has already expired or Active Directory Recycle Bin is not enabled, we can recover separate AD objects using the Authoritative Restore mode.

This procedure has the following steps:

i. First, we boot the DC in the DSRM mode;

ii. Next, we display the list of available backups:

wbadmin get versions

iii. We start the recovery of the selected backup:

wbadmin start systemstaterecovery –version:[your_version]

iv. Then we confirm the DC restore (in the Non-Authoritative mode)

v. After the restart, we run the below commands

activate instance ntds
authoritative restore

We then specify the full LDAPl path to the object we want to restore. We can also restore the entire OU:

restore subtree ″OU=Users,DC=bobcares,DC=com″

Or a single AD object:

restore object “cn=Test,OU=Users,DC=bobcares,DC=com”

This command will deny the replication of the specified objects (paths) from other domain controllers and increase the object USN by 100,000.

Exit ntdsutil: quit

Finally, we boot the DC in the normal mode and make sure that the object has been restored.

[Need urgent assistance in restoring the active directory from backup? – We are here to help you. ]


This article will guide you on how to restore active directory from backup. Back up Active Directory on a regular basis

You should back up your Active Directory regularly with an interval that doesn't exceed 60 days. #AD services presume that the age of the Active #Directory backup cannot be more than the lifetime of AD tombstone objects, which by default is 60 days.