Upcoming Webinar
Cayosoft Shows How Forest Recovery Tech Addresses Survey Issues
Join this webinar and not only learn about what your peers are doing, but also learn about a new patent-pending modern approach to AD forest recovery from Cayosoft.
New episode!
The Scoop on Loop: The Latest Innovations Directly From Microsoft!
Darrell Webster speaks to Rebecca Keys, a Program Manager from the Microsoft Loop team.
Turn Data Protection into an MRR Growth Engine
Security for your customers, revenue for your MSP practice. Access key insights on how to scale your practice with SkyKick’s new eGuide.
MSP eGuide to Package, Sell and Deliver M365 Security Services
Based on input from our top-performing MSPs, SkyKick prepared the MSP Guide to help you navigate the security landscape.

How to Restore Active Directory

After you’ve built a solid, robust, and redundant Active Directory infrastructure, it is critical that you know how to restore Active Directory to prevent any possible interruptions to your environment. As an IT pro, it’s your job to prepare for the unexpected and to know how to get back on your feet.

In this guide, we’ll give you a step-by-step guide for restoring your Active Directory environment. I will walk you through the most common method(s) of restoring system state backups — these include all the authoritative objects of Active Directory.

First, I’ll show you how to boot one of our domain controllers (DCs) into what’s called ‘Directory Services Restore Mode’ and restore a recent Active Directory backup made with Windows Server Backup. Let’s get started!

How to restore Active Directory

There are many scenarios that require you to restore your Active Directory environment. Of course, hopefully, you never run into any of them. But it is always best to be prepared.

Where we are – current state

In case you haven’t read my previous post about how to back up Active Directory, let me get you up to my current state. I installed the ‘Windows Server Backup‘ feature using Server Manager on one of my four domain controllers in my Windows Server 2022 Active Directory Hyper-V lab environment.

In my previous post, I also demonstrated how to perform full backups and system state backups. Using a recent system state recovery point, we’ll be able to choose the ‘Recover...’ option in the Windows Server Backup GUI and start the process to get back on our feet.

Windows Server Backup - showing recent backup activity — Windows Server Backup – showing recent backup activity

As you can see above, we had a successful backup earlier today. If I drill into the details of the backup, I can verify the system state was saved as part of the process.

The system state was completed successfully. We'll be able to use this to restore from. — The system state was completed successfully. We’ll be able to use this to restore from.

Starting the system state recovery process

Let’s start the recovery process by clicking the ‘Recover…‘ link on the right under the Actions menu. The Windows Server Backup Recovery Wizard opens on the Getting Started page.

Initiating the recovery process... — Initiating the recovery process…

The backup location is this server. I will click Next.

Next, I’ll show you how to boot one of our domain controllers (DCs) into what’s called ‘Directory Services Restore Mode’ and restore a recent Active Directory backup made with Windows Server Backup.

Choosing the right backup

On the Select Backup Date page, we can choose which backup we want to restore from. Please use caution here!

Here, on the Select Backup Date, we choose which recovery point to restore from

There is potentially a good deal of planning and analysis you must go through to decide which backup to choose. Because I have a lab environment, the timing of which recovery point is not as critical.

However, I did recently write a post about adding a domain controller to an existing domain. One of those scenarios was adding a 4th domain controller to this domain (WS22-DC4).

So, I need to be careful not to choose a backup prior to that time. That would incite a lot (!) of headaches no one should have to deal with. Having replication issues, a discrepancy of AD data, etc. is the last thing you want to have on your plate!

Now, in your production environments, this needs to be scrutinized with a fine-tooth comb. As soon as you perform an authoritative system state restore, and do an authoritative system volume (SYSVOL) replication to the rest of your domain controllers, you will need to be aware that ALL changes you’ve made after your restore point will be lost, gone!

OK, with all the potential scariness aside, let’s move forward. I will use this morning’s backup time and click Next.

On the Select Recovery Type page, I will choose ‘System state‘ and click Next.

Next, we’re on the Select Location for System State Recovery page. We want to restore onto this server, so I will keep ‘Original location‘ selected and click Next.

Well, we are nearing the point of no return, here. 🙂 On the Confirmation page, we will keep the defaults. Notice the checkbox – ‘Automatically reboot the server to complete the recovery process.’ This should boot us directly into Directory Services Restore Mode and allow us to get back on our feet. Click Recover!

We're on the Confirmation page - Here we go! — We’re on the confirmation page – Here we go!

This is it. There’s no turning back from this point. Click Yes.

This is the point of no return before the recovery operation starts

As it turns out, the system state recovery failed to complete. Because we are restoring the Active Directory Domain Services role, we need to directly boot into Safe Mode ourselves. So, let’s do that.

We're starting the recovery operation — Well, I guess we have some time to ponder our decision…

Booting into Directory Services Restore Mode

To boot into Safe Mode, the most direct route you can take is rebooting your server, pressing F8 to interrupt the normal Windows boot phase, and selecting Directory Services Restore Mode from the menu. Here, I’ll make things a little easier for you. Let’s add a small level of automation.

Click Start, Run… and type in ‘msconfig.’ Click the Boot tab on top, select the Safe boot checkbox, then select Active Directory repair. Click OK.

Choosing to boot to repair Active Directory

We are presented with one more prompt informing us we need to reboot in order to boot this way. Kind of obvious, but, again, Microsoft….thorough. 🙂 Click Restart.

Ready to Restart into Directory Services Restore Mode... — Ready to Restart into Directory Services Restore Mode…

The server rebooted and I logged in as the Administrator. We are here with the lovely black desktop and Windows Safe Mode. Let’s start Windows Server Backup from the Start Menu.

After opening Windows Server Backup, I clicked the Recover… option on the right.

We choose the recover option in Windows Server Backup — Let’s do this again…Take Two…

Here, I’ll proceed through all the screens as we did before.

The Restore of Active Directory has begun... — The Restore of Active Directory has begun…

After all the information was gathered, the actual restoration started…

Restoring the System State onto itself from a backup 3 days ago — Restoring the system state onto itself from a backup 3 days ago

After the process was completed, the server automatically rebooted. I logged in again, I was still in Safe Mode with this prompt showing success!

The Restore was successful! — The system state restore was successful!

Press Enter to continue. Next, go ahead and run ‘msconfig’ again, click the ‘Boot‘ tab on top, and uncheck the ‘Safe boot‘ checkbox so we can boot normally again. Press OK and reboot!

I opened Windows Server Backup again to verify our successful recovery operation. As you can see, everything ran perfectly!

Our System state recovery operation completed successfully! — Our System state recovery operation was completed successfully!

How to bare metal restore a server using a system state backup

The second major topic I will cover is how to use a backup that includes bare metal recovery to restore a domain controller fully. In case you forgot, I have 4 DCs (in my lab). The most recent one I added in the last few weeks (WS22-DC4) is a good guinea pig… er, candidate.

I performed a full backup of this server, copied the backup data to an alternate location, and then powered down the server, simulating its failure. Now, I will build a new VM running the same Windows version, Windows Server 2022, and start the recovery process.

Initial steps and configuration

So, the first steps are to build a new virtual machine or stage a new physical server. As I’m using my Windows Server 2022 Hyper-V lab environment, I will create a new VM running Windows Server 2022 Datacenter.

Here, the computer name is unimportant as we will be restoring all the server’s configurations later. Plus, we don’t need to join it to our domain or even add the Active Directory Domain Services role as all of that is included in the backup we performed on the existing DC (WS22-DC4).

Here is where we’ll start.

Our candidate to restore one of our domain controllers

The next step is to install the Windows Server Backup application from Server Manager. You can browse my previous post for instructions about how to install the feature.

Starting the restore process from Windows Server Manager

Next, per our previous steps above, let’s press the Windows Key + ‘R’ to open the ‘Run…‘ dialog. Type in msconfig and click OK.

Here, click on the ‘Boot‘ tab on top. Select Safe boot, then select Active Directory repair. Click OK and restart!

Getting ready to bare metal restore our DC

After I logged in, I opened Windows Server Backup from the Start Menu. Click ‘Recover…‘ under the Actions menu on the right.

Running Windows Server Backup to restore our precious 'WS22-DC4' server — Running Windows Server Backup to restore our precious ‘WS22-DC4’ server

On the Getting Started screen, choose ‘A backup stored on another location‘ and click Next.

We will choose an alternate location to find the backup

On the Specify Location Type screen, I’ll choose ‘Remote shared folder‘ and click Next. If you already copied the backup data to the server’s hard drive, you can choose ‘Local drives‘ and the software will find it for you.

Choosing a remote location to find our backup... — Choosing a remote location to find our backup…

Here, you will enter the UNC path of your saved backup. This can be somewhere on the network, on a USB flash drive, or even on an external hard drive, whichever works for you. Click Next.

Typing in the UNC path for our backup location

Excellent, it discovered the Full backup I performed earlier today. Click Next.

Because we want to restore the entirety of the server, we choose the System state option. This includes everything that has to do with Windows, including the AD DS role, Active Directory, SYSVOL, and everything else. Click Next.

We're choosing the System state restore option — We’re choosing the System state restore option

Alright. At this point, you have a major decision to make. Thankfully, the scenario you’re in dictates what option to choose. Because we are restoring this server, we choose the ‘Original location’ below. However, do we check the box to ‘Perform an authoritative restore of Active Directory files‘? Well, in this case, we don’t. I’ll explain why next.

This is an interesting section of the recovery - The location of the files and choosing authoritative or not — This is an interesting section of the recovery – The location of the files and choosing authoritative or not

Choosing between an authoritative or non-authoritative restore of AD files

The authoritative meaning here signifies who is the king of the castle, the holder of the keys, the holder of the Sacred Chalice of Rixx…ahem. Well, you get the idea. It is the ultimate ‘authority’ of the Active Directory database, the SYSVOL folder, and all the aspects of AD.

If we choose to perform an authoritative restore of Active Directory files, the process will run and will inherit the authority to push out and update the other databases on the other domain controllers. Any changes made to Active Directory since this server’s backup job ran will be lost!

The non-authoritative option, which we are choosing, assumes we are simply replacing the domain controller, and we’ll allow it to wait to pull replicated changes to Active Directory after the restore is complete. This is the easier option. A lot of thought needs to go into the choice to do the authoritative restoration.

Performing a restore and reboot of our domain controller

Let’s move forward. I’ll click Next on the Select Location for System State Recovery screen.

You will receive a few warning screens here, depending on your situation. This is something that comes up every time you restore from another server’s backup. Which, by design, is included when you restore from a Bare Metal Recovery backup. Click OK.

Second to last warning... — Second to last warning…

Here is our last warning. Because we are choosing the non-authoritative option, Windows is just letting us know that replication times, especially on larger AD databases, or over high-latency WAN links, may take an extended amount of time. It may also cause noticeable delays for helpdesk engineers or end users trying to log in or access network resources.

We're choosing the non-authoritative option - warning — We’re choosing the non-authoritative option – warning

The recovery process has now begun. This may take a considerable amount of time. Again, the larger your enterprise environment, or the more intricate the logical layout of your LAN/WAN can add considerable time to this operation. This type of process is best handled after business hours.

The Recovery process has finally begun — The recovery process has finally begun

Tip: If you can, copy the backup data to the server’s hard drive. It will speed up processing and avoid any delays/issues from potential network issues.

After the restore was completed, the server automatically rebooted.

the server automatically rebooted after the restore was completed — After the recovery completed

Note — I needed to log in as the local DSRM Administrator and its password. Next, I will run MSConfig, and reset it to normal so we can boot the restored server in its full glory.

After rebooting, I noticed the bootup process was certainly longer than normal. Then, I had a revelation… I realized I forgot to assign this server the same IP Address and DNS settings as the original server (WS22-DC4). I made those changes and rebooted the server again.

You need to assign this server the same IP Address and DNS settings as the original server — We are back!

It worked! We are back, doing business as ‘WS22-DC4’.

Conclusion

Well, there you have it. Two prevalent scenarios you’re bound to run into when working with Active Directory, backing it up, restoring it, and handling disaster recovery scenarios with a clear head, and calm nerves. I hope this post assists you in your endeavors. Good luck!

Table of contents

by Michael Reinders
Sep 19, 2022

Michael has been an 'IT Pro' since 1998. He has worked predominantly in the Windows world including client and server operating systems, on-prem systems engineering (AD, DNS, etc.), and over the last ten years or so has embraced and immersed himself ...

Petri.com’s New Active Directory Outage and Disaster Recovery Survey

Feb 15, 2024
Apr 16, 2024
Essential Guide to Mastering Get-ADGroupMember (AD User Management)

Oct 12, 2023
Get-ADComputer: The PowerShell Command for Managing Active Directory Computers

Nov 15, 2023

Take our survey

PETRI NEWSLETTERS

Join Petri Insider

Create a free account today to participate in forum conversations, comment on posts and more.