These notes summarize the steps to consider and take when a portion of the Active Directory, or a complete Domain Controller, has to be recovered from various degrees of degradation. They apply to a domain configuration with two domain controllers.
They are to be read in conjunction with the Microsoft TechNet White Paper “Active Directory Disaster Recovery”, and with the operational steps of whatever restoration software and procedure has been adopted. The relevant portions of the TechNet paper should be read in their entirety.
In these notes, a “corrupted” Active Directory means a directory of which a portion or subtree is missing, has been deleted inadvertently, or is simply not working properly. The affected objects could be users, groups or OUs.
Before attempting a restore, consider whether there are other, more expedient ways to fix the affected subtree(s): an authoritative restore also rolls back every legitimate change made to that subtree since the backup was taken.
Scenarios:
There are three possible situations:
1-The operating systems on both Domain Controllers are running fine, but the Active Directory has been corrupted on one or both. In practice it will be both: a deletion made on one DC is normally replicated to the other within minutes, so by the time it is noticed the other DC has already applied it.
2-The operating system on one DC is not functioning, but the Active Directory on the surviving DC is running fine.
3-The operating system on one DC is not functioning, and the Active Directory on the surviving DC is corrupted.
Recovery steps:
1-Scenario: Only Active Directory to be recovered
In these situations, you need to perform an authoritative restore of the affected part of the Active Directory on one Domain Controller, which then replicates to the other. The steps (refer to the detailed steps enumerated in TechNet) are:
a-Boot the chosen DC into Directory Services Restore Mode and, using the most recent backup that represents the Active Directory you want to restore to, first perform a non-authoritative restore of the Active Directory (System State) to the “original location”; upon completion do not reboot.
b-Perform a second non-authoritative restore of the System State to an “alternate location”; upon completion do not reboot. This puts a copy of the SYSVOL contents (Group Policy templates and logon scripts) as they were at the time of the backup into the alternate location, from where they are copied back in step e.
c-Still in Directory Services Restore Mode, open a command prompt and use ntdsutil (authoritative restore, then restore subtree with the distinguished name of the subtree involved) to mark the affected subtree as authoritative.
d-ntdsutil raises the version numbers of every object in the restored subtree (by default 100,000 per day elapsed since the backup), so that when the DC is rebooted and replication resumes, the restored subtree overrides the copy on the other DC, including the deletions that had replicated there. Objects outside the subtree are brought up to date from the other DC as in a normal non-authoritative restore.
e-After the restore has stabilised (SYSVOL has been published again, i.e. the SYSVOL share is visible in Network Places), manually copy the affected folders from the alternate location to the corresponding folders under Policies and Scripts in SYSVOL, so that the Group Policy files match the authoritatively restored directory objects.
2-Scenario: Domain Controller is not functioning (surviving AD is fine)
In this case, first perform a full restore of the OS using the same disk configuration as the original system (actual volume sizes can be larger). Then perform a non-authoritative restore of the Active Directory (a normal restore of the System State) from the most recent full backup. The backup must be younger than the tombstone lifetime (60 days by default on Windows 2000 and Windows Server 2003); a backup older than that must not be used, because the restored DC would reintroduce objects that the surviving DC has already purged. After the reboot, the good AD on the surviving DC replicates its newer changes over the slightly older restored copy. This should be sufficient to put the DC back in service.
3-Scenario: Domain Controller is not functioning (surviving AD is no good)
In this instance, choose the most recent full backup to which you want, or are able, to recover the Active Directory. First recover the OS to the same disk configuration as the original system (volume sizes can be larger). Then perform the authoritative restore of the affected AD subtree exactly as in scenario 1: restore the System State to the original location, restore it again to the alternate location, and finally mark the subtree authoritative with ntdsutil, all before rebooting. After the reboot the authoritatively restored subtree replicates to the other DC. Subsequently, the affected SYSVOL sub-folders should be manually copied from the alternate location over the corresponding folders underneath SYSVOL.
Note: Microsoft warns against performing an authoritative restore of the entire directory, because it rolls back every object in the domain to its state at the time of the backup. Be sure that an authoritative restore of the whole directory is really required before carrying out this type of operation. Note also that group memberships are linked attributes: on Windows 2000 and on Windows Server 2003 before SP1, authoritatively restoring a user or an OU does not reliably restore those users’ memberships in groups that were not part of the restore, so verify the memberships afterwards. From Windows Server 2003 SP1 on, ntdsutil writes an LDIF file of the restored back-links during the authoritative restore; import it on the other DC with ldifde -i -k -f once replication has completed.
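The following PowerShell script is an added example, not code from these notes or from the TechNet white paper. It scripts the command-line parts of the procedure used in scenarios 1 and 3 (and the backup-age check that also applies to scenario 2): a pre-check that the backup is younger than the tombstone lifetime, to run on a DC that is still online before booting into Directory Services Restore Mode; the ntdsutil authoritative restore of the subtree (steps c and d), to run in DSRM after the two System State restores and before rebooting; and the copying of the Group Policy folders from the alternate-location restore into SYSVOL once the share has been published again (step e). The backup product itself still performs the two System State restores. The DN OU=Sales,DC=corp,DC=example, the domain name corp.example, the alternate-location path D:\AltRestore and the SYSVOL\domain\Policies layout beneath it are assumptions to replace with your own values; check the folder layout the restore actually produced before running the Sysvol phase.

```powershell
<#
  Added example (not from the TechNet white paper or these notes): the command-line
  parts of the authoritative subtree restore on a two-DC domain. The backup product
  does the actual System State restores; this script wraps the checks and the
  ntdsutil / SYSVOL steps around them. All defaults below are illustrative assumptions.
#>
param(
    [Parameter(Mandatory)][ValidateSet('PreCheck', 'Authoritative', 'Sysvol')]
    [string]$Phase,
    [string]$Subtree      = 'OU=Sales,DC=corp,DC=example',  # assumed DN of the subtree (no spaces)
    [datetime]$BackupTime = (Get-Date).AddDays(-3),        # illustrative; pass the real backup date
    [string]$AltRestore   = 'D:\AltRestore',                # assumed alternate-location restore path
    [string]$DomainFqdn   = 'corp.example',                 # assumed domain name
    [string[]]$PolicyGuid = @(),                            # GPO folders to copy; empty = all of them
    [switch]$Server2003                                     # skip 'activate instance' on Server 2003
)

switch ($Phase) {

  # Phase 1: run on a DC whose directory is still online (LDAP must be up, so not in DSRM).
  # A backup older than the tombstone lifetime must not be restored.
  'PreCheck' {
    $cfgNc = ([ADSI]'LDAP://RootDSE').configurationNamingContext.Value
    $dsCfg = [ADSI]"LDAP://CN=Directory Service,CN=Windows NT,CN=Services,$cfgNc"
    $tsl   = $dsCfg.Properties['tombstoneLifetime'].Value
    if (-not $tsl) { $tsl = 60 }     # attribute absent: default is 60 days on 2000/2003
    $ageDays = ((Get-Date) - $BackupTime).TotalDays
    if ($ageDays -ge $tsl) {
      throw "Backup is $([int]$ageDays) days old, tombstone lifetime is $tsl days: do not restore it."
    }
    'Backup age {0:N1} days is below the tombstone lifetime of {1} days: OK to proceed.' -f $ageDays, $tsl
  }

  # Phase 2: run in Directory Services Restore Mode, after the System State has been restored
  # to the original location and then to the alternate location, and BEFORE rebooting.
  'Authoritative' {
    $cmds = @()
    if (-not $Server2003) { $cmds += 'activate instance ntds' }  # needed on Server 2008 and later
    $cmds += 'authoritative restore'
    # The default version increment is 100000 per day since the backup; that bump is what
    # makes the restored subtree win replication against the other DC after the reboot.
    $cmds += "restore subtree $Subtree"
    $cmds += 'quit', 'quit'
    $out = & ntdsutil @cmds 2>&1
    $out
    if (-not ($out -match 'Authoritative Restore completed successfully')) {
      throw "ntdsutil did not report success for $Subtree; do not reboot until this is resolved."
    }
  }

  # Phase 3: run after the reboot, once FRS has republished the SYSVOL share. Copies the
  # Group Policy folders from the alternate-location restore over the live ones.
  'Sysvol' {
    $deadline = (Get-Date).AddMinutes(30)
    while (-not ((net share) -match '^SYSVOL\s')) {
      if ((Get-Date) -gt $deadline) { throw 'SYSVOL share not published within 30 minutes.' }
      Start-Sleep -Seconds 30
    }
    $src = Join-Path $AltRestore 'SYSVOL\domain\Policies'   # assumed layout; verify before running
    $dst = "\\$env:COMPUTERNAME\SYSVOL\$DomainFqdn\Policies"
    $folders = if ($PolicyGuid.Count) { $PolicyGuid } else {
      Get-ChildItem -Path $src -Directory | ForEach-Object Name
    }
    foreach ($f in $folders) {
      & robocopy (Join-Path $src $f) (Join-Path $dst $f) /E /COPY:DAT /R:1 /W:1 | Out-Null
      if ($LASTEXITCODE -ge 8) { throw "robocopy failed for $f (exit code $LASTEXITCODE)" }
      "Restored policy folder $f"
    }
  }
}
```

Run the phases in order: `-Phase PreCheck -BackupTime <date of the backup>` on the online DC, `-Phase Authoritative` from an interactive console in DSRM (ntdsutil displays a Yes/No confirmation dialog for restore subtree, so it cannot run unattended; if the DN contains spaces, run ntdsutil interactively and quote the DN instead), and `-Phase Sysvol` after the reboot. On Windows Server 2003 add `-Server2003`, since activate instance is only required on Windows Server 2008 and later. Restrict the Sysvol phase to the affected GPOs with `-PolicyGuid` rather than overwriting every policy folder.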
Reference:
Microsoft TechNet White Paper, “Active Directory Disaster Recovery”, http://www.microsoft.com/technet/treeview/default.asp?url=/technet/itsolutions/howto/default.asp