Restoring Active Directory
There are two ways to restore a domain controller. The first, and simpler, is restoration through reinstallation and replication: you replace or reinstall Windows Server completely, and promoting that install to a domain controller causes it to replicate the current directory from another domain controller in the domain. You can also restore Active Directory by restoring the System State data from backup media created with the Windows Server Backup tool.
There are two methods for this restoration process:
Nonauthoritative: A nonauthoritative restore means that after the domain controller is restored from backup media, it relies upon normal replication to bring its directory current with the rest of the domain. It is typically used when a server fails in some capacity and must be restored from backup.
Authoritative: With an authoritative restore the domain controller being restored immediately becomes authoritative and replicates its current state to the other domain controllers in the domain. Even if the restored data is older than the current replicas, the restored data takes precedence. An authoritative restore is used when you want to bring the directory back to a previously known state. The default method for restoring a directory with the Windows Server Backup tool is nonauthoritative.
If you restore the data using this tool, the domain controller will detect that it has not been updated since the backup and automatically start receiving replication updates from its replication partners. Any directory changes that occurred after the backup took place will be applied to the restored domain controller. You cannot restore an Active Directory that is online; you must first place the domain controller into Directory Services Restore Mode (DSRM).
To reboot in DSRM:
1. Launch Windows Administrative Tools.
2. Launch the System Configuration tool.
3. Select the Boot tab.
4. In the Boot options section, select the Safe boot box and the Active Directory repair option. Click OK.
5. You may be told the computer needs to restart. Click OK or manually restart the server.
6. After the server reboots, on the logon screen select Other user.
7. For the user name type .\Administrator and for the password enter the password chosen when the server was promoted to a domain controller.
8. From the Start Menu launch Server Manager.
9. Click Tools and then Windows Server Backup.
10. Select Local Backup.
11. Right-click Local Backup and select Recover.
12. Select A backup stored on another location and click Next.
13. Choose either Local drives or Remote shared folder depending on where you stored your custom backup in the previous section. Click Next.
14. Choose the location of the backups and click Next.
15. If you chose a remote shared folder, type the fully qualified username and password of a domain user with access to the location and click OK.
16. Select the backup you want to recover based on date and click Next.
17. Select System state to restore Active Directory Domain Services and click Next.
18. Select Original Location and click Next.
19. Review the warning and click OK.
20. If you chose a remote shared folder, you receive another warning. Review this warning and click OK.
21. Review the details of the recovery and click Recover.
22. Review the warning and click Yes. Once the recovery is complete, you need to turn off DSRM. Repeat the steps used to turn it on, but uncheck the Safe boot option, and restart the server.
An authoritative restore begins similarly to the nonauthoritative restore process.
When you perform an authoritative restore you first perform a recovery from backup media and then designate either the entire directory, a subtree, or individual objects in the restored directory to take precedence over other instances of those objects elsewhere in the forest. The recovered directory then becomes authoritative for all its replication partners and replicates its version of the data to those partners even if it contains older data.
One common use case for an authoritative restore is to recover objects accidentally deleted from the directory.
After the restore completes but prior to restarting the controller and bringing it online, you designate the deleted objects as authoritative.
Those objects are then replicated from the recovered controller to its replication partners.
To perform an authoritative restore:
1. Follow the steps from the previous section to perform a nonauthoritative restore.
2. Reboot the domain controller while remaining in DSRM. This ensures the domain controller remains offline.
3. Launch a command prompt.
4. Type ntdsutil and press Enter.
5. There are two different types of restore. To authoritatively restore the entire directory type restore database and press Enter.
6. Once the restore completes, at the ntdsutil command prompt type quit and press Enter.
7. Reboot the domain controller in normal mode by following the directions covered previously.
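The following PowerShell is an added example, not part of the original text, showing command-line equivalents of the two procedures above: entering and leaving DSRM (the Safe boot / Active Directory repair option), running the nonauthoritative System State recovery with wbadmin, and the ntdsutil authoritative restore. It goes beyond step 5 of the authoritative procedure by also showing the subtree and single-object forms, since the text mentions those scopes. The backup share path, the version identifier and the distinguished names used in the usage notes are placeholders; the function names are this example's own.

```powershell
# Added example (not from the original text): command-line equivalents of the DSRM boot,
# nonauthoritative System State restore and authoritative restore steps described above.
# Placeholders: \\backupsrv\dcbackups (backup share), OU=Sales,DC=contoso,DC=com (DN).
#Requires -RunAsAdministrator

# Steps 1-5 / step 22: toggle "Safe boot" + "Active Directory repair" in the boot
# configuration store instead of the System Configuration GUI. "dsrepair" is the
# safeboot value that msconfig sets for the Active Directory repair option.
function Enter-DsrmBoot {
    bcdedit /set '{current}' safeboot dsrepair | Out-Null
    Write-Host 'Next reboot will enter Directory Services Restore Mode.'
}

function Exit-DsrmBoot {
    bcdedit /deletevalue '{current}' safeboot | Out-Null
    Write-Host 'Next reboot will return to normal mode.'
}

# Windows exposes the active safe-boot option to processes as SAFEBOOT_OPTION;
# it reads DSREPAIR while the server is actually running in DSRM.
function Test-InDsrm {
    return ($env:SAFEBOOT_OPTION -eq 'DSREPAIR')
}

# Steps 13-16: list the backups available on the target. wbadmin prints one
# "Version identifier: MM/DD/YYYY-HH:MM" line per backup; newest is last.
function Get-SystemStateBackupVersion {
    param([Parameter(Mandatory)][string]$BackupTarget)
    $listing = wbadmin get versions "-backupTarget:$BackupTarget" | Out-String
    [regex]::Matches($listing, 'Version identifier:\s*(\S+)') |
        ForEach-Object { $_.Groups[1].Value }
}

# Steps 17-22: nonauthoritative System State recovery to the original location.
# -quiet answers the confirmation prompts that the GUI shows as warnings.
function Restore-SystemStateNonAuthoritative {
    param(
        [Parameter(Mandatory)][string]$BackupTarget,
        [string]$Version   # defaults to the most recent backup on the target
    )
    if (-not (Test-InDsrm)) {
        throw 'System State recovery of a domain controller must run in DSRM.'
    }
    if (-not $Version) {
        $Version = Get-SystemStateBackupVersion -BackupTarget $BackupTarget | Select-Object -Last 1
    }
    wbadmin start systemstaterecovery "-version:$Version" "-backupTarget:$BackupTarget" -quiet
}

# Authoritative restore, steps 2-6: still in DSRM after the nonauthoritative restore,
# mark the whole database, a subtree, or one object as authoritative. ntdsutil takes
# its menu commands as arguments; "activate instance ntds" selects the directory
# database and "authoritative restore" enters the sub-menu that holds "restore database".
# A DN containing spaces must be wrapped in double quotes inside the ntdsutil command.
function Invoke-AuthoritativeRestore {
    param(
        [ValidateSet('Database', 'Subtree', 'Object')][string]$Scope = 'Database',
        [string]$DistinguishedName
    )
    if (-not (Test-InDsrm)) {
        throw 'Authoritative restore must run in DSRM, after the nonauthoritative restore.'
    }
    if ($Scope -ne 'Database' -and -not $DistinguishedName) {
        throw "Scope $Scope requires -DistinguishedName."
    }
    $restoreCommand = switch ($Scope) {
        'Database' { 'restore database' }
        'Subtree'  { "restore subtree $DistinguishedName" }
        'Object'   { "restore object $DistinguishedName" }
    }
    ntdsutil 'activate instance ntds' 'authoritative restore' $restoreCommand quit quit
}

# Usage, in order (each reboot is done by hand, as in the text):
#   Enter-DsrmBoot; Restart-Computer
#   Restore-SystemStateNonAuthoritative -BackupTarget '\\backupsrv\dcbackups'
#   Restart-Computer            # reboot but stay in DSRM (authoritative step 2)
#   Invoke-AuthoritativeRestore -Scope Subtree -DistinguishedName 'OU=Sales,DC=contoso,DC=com'
#   Exit-DsrmBoot; Restart-Computer
```

The Test-InDsrm guard is the part worth keeping even if you prefer the GUI: both wbadmin and ntdsutil refuse or corrupt nothing if run online, but failing early with a clear message avoids a half-finished recovery. The version list is parsed from wbadmin's text output, so check a listing by hand once on your own servers before relying on the regex.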
Restoring Objects Using the Active Directory Recycle Bin
Just like the Recycle Bin on the Windows file system, the Active Directory Recycle Bin is an area where deleted objects are placed.
If the delete was inadvertent or needs to be reversed, a domain admin can simply view the deleted objects container and restore the object.
To use the AD Recycle Bin, the forest functional level must be Windows Server 2008 R2 or higher. You must also first enable the Recycle Bin:
1. Log on to a writeable domain controller.
2. From the Start Menu launch Server Manager.
3. Select Tools and Active Directory Administrative Center.
4. On the left-hand navigation pane select the domain you want to enable Recycle Bin for.
5. On the right-hand Tasks pane, click Enable Recycle Bin.
6. You get a warning that this process is irreversible. Click OK.
7. You get a notification to refresh AD Administrative Center. Click OK and close and reopen ADAC.
8. Browse to an object, right-click it, and select Delete.
9. Click Yes to confirm.
10. Browse to the Deleted Objects container to see the deleted object.
11. Right-click the object in the container and select Restore.
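The same prerequisite check, enablement and restore can be scripted with the ActiveDirectory PowerShell module. The block below is an added example, not part of the original text: it checks the forest functional level and whether the feature is already on, enables it with the irreversibility warning acknowledged, lists what sits in the Deleted Objects container, and restores an object, restoring a deleted parent container first when needed (a caveat the GUI steps do not surface). The object name in the usage note is a placeholder; the function names are this example's own.

```powershell
# Added example (not from the original text): scripted equivalents of steps 1-11 above
# using the ActiveDirectory module on a writeable domain controller.
Import-Module ActiveDirectory

# Prerequisite check: forest functional level and current feature state.
function Test-RecycleBinReady {
    $forest  = Get-ADForest
    $feature = Get-ADOptionalFeature -Filter 'name -like "Recycle Bin Feature"'
    [pscustomobject]@{
        ForestMode      = $forest.ForestMode
        # ForestMode is an enum; comparing against the 2008 R2 level name works directly.
        LevelSufficient = ($forest.ForestMode -ge 'Windows2008R2Forest')
        AlreadyEnabled  = ($feature.EnabledScopes.Count -gt 0)
    }
}

# Steps 1-7: enable the feature forest-wide. Enabling is irreversible, which is what
# the ADAC warning in step 6 says; -Confirm:$false acknowledges it non-interactively.
function Enable-AdRecycleBin {
    $state = Test-RecycleBinReady
    if (-not $state.LevelSufficient) {
        throw "Forest functional level $($state.ForestMode) is below Windows Server 2008 R2."
    }
    if ($state.AlreadyEnabled) {
        Write-Host 'Active Directory Recycle Bin is already enabled.'
        return
    }
    Enable-ADOptionalFeature -Identity 'Recycle Bin Feature' -Scope ForestOrConfigurationSet `
        -Target (Get-ADForest).RootDomain -Confirm:$false
}

# Step 10: browse the Deleted Objects container. Deleted objects have isDeleted=TRUE,
# a name mangled to "<name>\0ADEL:<guid>", and are only returned with -IncludeDeletedObjects.
function Get-AdDeletedObject {
    param([string]$Name = '')
    $filter = "isDeleted -eq `$true -and name -ne 'Deleted Objects' -and name -like '$Name*'"
    Get-ADObject -Filter $filter -IncludeDeletedObjects `
        -Properties lastKnownParent, whenChanged, objectClass |
        Select-Object Name, objectClass, lastKnownParent, whenChanged, ObjectGUID
}

# Step 11: restore. Restore-ADObject fails if the object's former parent is itself
# still deleted (its lastKnownParent DN then carries the "\0ADEL:" marker), so the
# parent is restored first, recursively, before the object itself.
function Restore-AdDeletedObject {
    param([Parameter(Mandatory)]$DeletedObject)
    $parentDn = $DeletedObject.lastKnownParent
    if ($parentDn -match 'ADEL:') {
        $parent = Get-ADObject -Identity $parentDn -IncludeDeletedObjects -Properties lastKnownParent
        Restore-AdDeletedObject -DeletedObject $parent
    }
    Restore-ADObject -Identity $DeletedObject.ObjectGUID
    Write-Host "Restored $($DeletedObject.Name) under $parentDn"
}

# Usage (placeholder object name):
#   Enable-AdRecycleBin
#   Get-AdDeletedObject                      # inspect the container first
#   Get-AdDeletedObject -Name 'jsmith' | ForEach-Object { Restore-AdDeletedObject -DeletedObject $_ }
```

Restoring by ObjectGUID rather than by name matters when the container holds several deleted objects with the same former name; listing first and picking the right GUID avoids resurrecting the wrong one. Once the Recycle Bin is enabled, this path is the routine alternative to the authoritative restore described earlier for accidental deletions, since it needs no DSRM reboot.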