How to Perform a Nonauthoritative Restore of Active Directory

Restore AD after a domain controller software or hardware failure

Last Update: Oct 10, 2024 | Published: Jan 13, 2014


A nonauthoritative restore of Active Directory (AD) is the default restore mode for Windows Backup and most third-party backup utilities.

This article applies to Windows Server 2016, Windows Server 2019, and Windows Server 2022

When might a nonauthoritative AD restore be performed?

It is commonly used when a DC has suffered a hardware or software failure, or when Active Directory on that DC must be returned to a known-good state and then brought up to date from the authoritative copies of the database held by the other domain controllers (DCs) in the forest. Once the restored DC reboots normally, ordinary replication pulls in every change made since the backup was taken; nothing on the restored copy overrides the rest of the forest. One caveat before you start: the backup must be younger than the forest tombstone lifetime (60 or 180 days, depending on when the forest was created). Restoring an older system state backup reintroduces objects that the other DCs have already purged, and replication partners will refuse to replicate with the restored DC (error 8614, NTDS event 2042), so check the backup date first.

Perform a nonauthoritative restore

Log in to the DC that you want to restore with a domain administrator account:

  • Open an elevated command prompt using the blue PowerShell icon on the desktop taskbar, or from the Start screen.
  • In the PowerShell console window, type bcdedit /set safeboot dsrepair and press Enter. This sets the safeboot option on the current entry in the Boot Configuration Data (BCD) store, so the next boot enters Directory Services Restore Mode (DSRM).
bcdedit /set safeboot dsrepair
  • Reboot the server and it will start in DSRM. You can do this quickly from the command prompt by typing shutdown -t 0 -r and pressing Enter.
shutdown -t 0 -r

Wait a few minutes for the DC to reboot. You can log on locally or remotely, but remember that you will need to supply the DSRM password you set when promoting the server to a DC; domain accounts are unavailable in DSRM because the directory service is not running. Log on as the local account .\Administrator (the username is administrator). If you no longer know the DSRM password, reset it from a normal boot with ntdsutil (set dsrm password) before you begin. If the server is booted in safe mode, ‘Safe Mode’ will be displayed in the corners of the desktop.

  • Open an elevated command prompt again using the blue PowerShell icon on the desktop taskbar, or from the Start screen.
  • In the PowerShell console, type wbadmin get versions to show the available backups. Backups are listed oldest first, so the latest backup is shown last. Make a note of the version identifier (in MM/DD/YYYY-HH:MM format) for the backup you want to use for recovery, as it will be needed in the next step. If the backups are stored somewhere other than the default location, add -backupTarget:<volume or UNC path> to this and the following command.
wbadmin get versions
  • Now type wbadmin start systemstaterecovery -version:12/23/2013-10:40 and press Enter, replacing the date and time with the version identifier for the backup that you want to restore.
wbadmin start systemstaterecovery -version:12/23/2013-10:40
  • Answer Yes when prompted to confirm the restore operation.
  • You will be prompted to confirm again; answer Yes.
Using the wbadmin command to perform a nonauthoritative restore of Active Directory (Image Credit: Russell Smith/Petri.com)

Wait for the recovery process to finish; it may take some time. You’ll be able to see the progress in the PowerShell console.

  • Reboot the system when prompted. Because the safeboot option is still set in the BCD store, the server comes back up in DSRM again.
  • Log back on using the DSRM password and you’ll see a command prompt dialog confirming that the system state recovery operation completed successfully. Press Enter to continue.
Using the wbadmin command to perform a nonauthoritative restore of Active Directory (Image Credit: Russell Smith/Petri.com)
  • Open an elevated command prompt again using the blue PowerShell icon on the desktop taskbar, or from the Start screen.
  • Type bcdedit /deletevalue safeboot and press Enter to remove the DSRM setting from the current entry in the BCD store (Windows Server no longer uses a boot.ini file; bcdedit edits the BCD store directly).
bcdedit /deletevalue safeboot
  • Type shutdown -t 0 -r and press Enter to restart the system and boot back to an operational domain controller. Once it is up, the other DCs replicate in everything that changed after the backup was taken.
shutdown -t 0 -r
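The whole procedure above, driven from one script, as an added example that is not part of the original article or of any Microsoft tooling. It runs in three stages that match the three logons in the steps: Prepare on the running DC (which also refuses a backup older than the tombstone lifetime, the check a practitioner would want before touching the boot configuration), Restore after logging on in DSRM, and Finish after the post-restore reboot. The script name Restore-DCNonAuth.ps1, the -Stage/-VersionId/-BackupTarget parameters, and the regular expressions that read English-language wbadmin and bcdedit output are all assumptions of this example; it also assumes the ActiveDirectory PowerShell module is installed on the DC, which it is on any DC promoted with Server Manager.

```powershell
<#
  Added example (not the article's script). Run from an elevated PowerShell session.
    .\Restore-DCNonAuth.ps1 -Stage Prepare   # on the running DC, then reboot
    .\Restore-DCNonAuth.ps1 -Stage Restore   # after logging on in DSRM
    .\Restore-DCNonAuth.ps1 -Stage Finish    # after the post-restore reboot, in DSRM again
  Assumes English wbadmin/bcdedit output (the regexes below parse it).
#>
[CmdletBinding(SupportsShouldProcess)]
param(
    [Parameter(Mandatory)][ValidateSet('Prepare', 'Restore', 'Finish')][string]$Stage,
    [string]$VersionId,    # e.g. 12/23/2013-10:40; default is the newest backup
    [string]$BackupTarget  # e.g. E: or \\server\share when backups are not in the default location
)
$ErrorActionPreference = 'Stop'

function Test-Elevated {
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    (New-Object Security.Principal.WindowsPrincipal $id).IsInRole(
        [Security.Principal.WindowsBuiltInRole]::Administrator)
}

# True when the BCD {current} entry carries safeboot=DsRepair, i.e. this boot is (or will be) DSRM.
function Test-DsrmBoot {
    (bcdedit /enum '{current}' | Out-String) -match '(?im)^\s*safeboot\s+DsRepair\s*$'
}

# Turn the "Version identifier: MM/dd/yyyy-HH:mm" lines of 'wbadmin get versions' into objects.
# The identifier is parsed as local time; a few hours of zone skew does not matter for a check in days.
function Get-BackupVersions {
    $wbArgs = @('get', 'versions')
    if ($BackupTarget) { $wbArgs += "-backupTarget:$BackupTarget" }
    & wbadmin @wbArgs | ForEach-Object {
        if ($_ -match '^Version identifier:\s+(\S+)') {
            [pscustomobject]@{
                Id   = $Matches[1]
                Time = [datetime]::ParseExact($Matches[1], 'MM/dd/yyyy-HH:mm', [cultureinfo]::InvariantCulture)
            }
        }
    } | Sort-Object Time
}

if (-not (Test-Elevated)) { throw 'Run this from an elevated PowerShell session.' }

switch ($Stage) {
    'Prepare' {
        if (Test-DsrmBoot) { Write-Warning 'safeboot is already set; just reboot to enter DSRM.'; break }
        # AD is still running here, so we can read the forest tombstone lifetime (absent => 60 days).
        Import-Module ActiveDirectory
        $cfg = (Get-ADRootDSE).configurationNamingContext
        $ds  = Get-ADObject "CN=Directory Service,CN=Windows NT,CN=Services,$cfg" -Properties tombstoneLifetime
        $tsl = if ($ds.tombstoneLifetime) { [int]$ds.tombstoneLifetime } else { 60 }
        $newest = Get-BackupVersions | Select-Object -Last 1
        if (-not $newest) { throw 'wbadmin reports no backups.' }
        $ageDays = ((Get-Date) - $newest.Time).TotalDays
        Write-Host ('Newest backup {0} is {1:N0} days old; tombstone lifetime is {2} days.' -f $newest.Id, $ageDays, $tsl)
        if ($ageDays -ge $tsl) { throw 'Backup is older than the tombstone lifetime; do not restore it.' }
        if ($PSCmdlet.ShouldProcess('BCD {current}', 'set safeboot DsRepair')) {
            bcdedit /set '{current}' safeboot dsrepair | Out-Null
            Write-Host 'Next boot enters DSRM. Reboot, log on as .\Administrator with the DSRM password, then run -Stage Restore.'
        }
    }
    'Restore' {
        if (-not (Test-DsrmBoot)) { throw 'Not booted into DSRM (safeboot DsRepair is not set); run -Stage Prepare first.' }
        if (-not $VersionId) {
            $VersionId = (Get-BackupVersions | Select-Object -Last 1).Id
            if (-not $VersionId) { throw 'wbadmin reports no backups.' }
        }
        # -quiet replaces the two interactive "Yes" answers in the article's steps.
        $wbArgs = @('start', 'systemstaterecovery', "-version:$VersionId", '-quiet')
        if ($BackupTarget) { $wbArgs += "-backupTarget:$BackupTarget" }
        if ($PSCmdlet.ShouldProcess("system state from backup $VersionId", 'wbadmin start systemstaterecovery')) {
            & wbadmin @wbArgs
            if ($LASTEXITCODE -ne 0) { throw "wbadmin failed with exit code $LASTEXITCODE; safeboot left in place so the DC stays in DSRM." }
            # safeboot stays set on purpose: the next boot returns to DSRM for the completion dialog.
            Write-Host 'Recovery finished; rebooting into DSRM. Log on with the DSRM password, then run -Stage Finish.'
            Restart-Computer -Force
        }
    }
    'Finish' {
        if (-not (Test-DsrmBoot)) { Write-Warning 'safeboot is not set; nothing to clear.'; break }
        if ($PSCmdlet.ShouldProcess('BCD {current}', 'delete safeboot and reboot to a normal DC')) {
            bcdedit /deletevalue '{current}' safeboot | Out-Null
            Restart-Computer -Force
        }
    }
}
```

Each stage supports -WhatIf, so you can see the bcdedit and wbadmin calls it would make without changing the boot configuration. The tombstone-lifetime check lives in the Prepare stage because it needs a running directory service; in DSRM neither Get-ADRootDSE nor Get-ADObject can answer. If wbadmin fails in the Restore stage the script deliberately leaves safeboot set, so the DC stays in DSRM rather than rebooting into a half-restored directory.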
