Active Directory Backup and Restoration in Windows Server 2008

Windows Server 2008 Backup tools

How do you back up AD?

Active Directory is backed up as part of system state, a collection of system components that depend on each other. You must back up and restore system state components together.

Components that comprise the system state on a domain controller include:

    • System Start-up Files (boot files). These are the files required for Windows 2000 Server to start.
    • System registry.
    • Class registration database of Component Services. The Component Object Model (COM) is a binary standard for writing component software in a distributed systems environment.
    • SYSVOL. The system volume provides a default Active Directory location for files that must be shared for common access throughout a domain. The SYSVOL folder on a domain controller contains:
      • NETLOGON shared folders. These usually host user logon scripts and Group Policy objects (GPOs) for non-Windows 2000-based network clients.
      • User logon scripts for Windows 2000 Professional-based clients and clients that are running Windows 95, Windows 98, or Windows NT 4.0.
      • Windows 2000 GPOs.
      • File system junctions.
      • File Replication service (FRS) staging directories and files that are required to be available and synchronized between domain controllers.
    • Active Directory. Active Directory includes:
      • Ntds.dit: The Active Directory database.
      • Edb.chk: The checkpoint file.
      • Edb*.log: The transaction logs, each 10 megabytes (MB) in size.
      • Res1.log and Res2.log: Reserved transaction logs.
Note: If you use Active Directory-integrated DNS, then the zone data is backed up as part of the Active Directory database. If you do not use Active Directory-integrated DNS, you must explicitly back up the zone files. However, if you back up the system disk along with the system state, zone data is backed up as part of the system disk. If you installed Windows Clustering or Certificate Services on your domain controller, they are also backed up as part of system state.

Difference between authoritative and non-authoritative restore

The term “authoritative” describes a restore in which the domain controller being restored has the master, or authoritative, copy of Active Directory. In a non-authoritative restore, the domain controller being restored does not have an authoritative copy of Active Directory. When a domain controller is started, replication occurs during the boot phase and Active Directory is synchronized. Whether the restore is authoritative or non-authoritative then determines the direction of replication: an authoritative restore pushes Active Directory out to the other domain controllers, while a non-authoritative restore pulls changes from them onto the domain controller being booted.

NOTE: Domain controllers use Universal Sequence Numbers (USNs) to keep track of Active Directory data and to determine if an update is available. Each domain controller keeps its own USN and compares it with the USNs of other domain controllers on a regular basis. If the USN of the other domain controller is higher, an update is available and replication is started. If the USN of the other domain controller is the same or lower, replication is not started. Using USNs is a more accurate method than using time stamps.

To explain further, let’s suppose that a domain controller fails due to a hardware failure. It takes several days to obtain a replacement part for the machine and to repair the domain controller. During this time, the other domain controllers have continued to function normally, and various changes in the network and Active Directory have taken place. When the failed domain controller is started for the first time after completing the recovery process, replication occurs and the changes in Active Directory are replicated to the previously failed computer. The domain controller is brought up to date with the rest of the network. This is a non-authoritative restore.

Now let’s suppose that the failure you suffered was due to human error, and an administrator deleted significant portions of Active Directory. If you follow the normal procedure of restoring Active Directory from yesterday’s backup and rebooting the server, replication will occur, and all the changes and deletions made by the administrator will be replicated back to the domain controller. Performing a normal restore would not bring back the deleted objects. To recover your lost users and OUs, you must perform an authoritative restore and specify the objects that you want to replicate to the rest of the network.


How to run a non-authoritative restore:

Just go to Windows Server Backup and click Recover. Use the most recent backup set that was created before the deletion.

This restore is useful in a scenario where, say, a disk failed: once we restore the entire backup after replacing the disk, the whole AD database is brought back in sync through replication with the other domain controllers.

If a user or OU was accidentally deleted, go ahead with an authoritative restore instead. The reason is that if you do a normal restore, the USN of an object will increase by 10,000, other domain controllers will treat this server as the updated server, and that information will be replicated to all domain controllers.

How to run authoritative restore:

Let’s assume an OU was deleted from the AD database. Perform the steps below to recover it. You must have a system state backup before performing these steps.

1. Restart the DC into Directory Services Restore Mode (press F8 during boot).

2. Log in as .\administrator with the Directory Services Restore Mode password you set while running Dcpromo.

3. Type wbadmin get versions from a command prompt.

4. This lists all available backups; identify the version you want to restore.

5. Type wbadmin start systemstaterecovery -version:ID -backupTarget:backuplocation

In the above command, since the backup is stored locally on disk, we haven’t specified a network location, but if the backup is on a SAN or on another server, we need to specify a UNC path in the -backupTarget switch.

6. After the restore, type ntdsutil, then at the ntdsutil prompt type activate instance NTDS

7. Type authoritative restore to get into the right NTDSUTIL context.

8. Type restore object “distinguishedName” for a single account, or restore subtree “distinguishedName” if you are restoring an entire OU.

9. Reboot normally.
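The system state backup from the first section and the restore steps above, wrapped in PowerShell functions with a post-reboot verification, as an added example that is not part of the original post. The backup target E:, the DN OU=Sales,DC=contoso,DC=com and the DC name are placeholders; the backup function runs during normal operation, the restore functions from Directory Services Restore Mode.

```powershell
# Added example (not from the original post). Placeholders: E:, the DN and the DC name.

# --- Backup side (normal operation) ---
function New-SystemStateBackup {
    param([Parameter(Mandatory)][string]$BackupTarget)   # e.g. 'E:' or '\\server\share'
    # System state captures NTDS.dit, SYSVOL, the registry and boot files together,
    # which is the unit that has to be backed up and restored as a whole.
    & wbadmin start systemstatebackup -backupTarget:$BackupTarget -quiet
}

# --- Restore side (Directory Services Restore Mode, logged in as .\administrator) ---
function Get-BackupVersions {
    param([Parameter(Mandatory)][string]$BackupTarget)
    # Lists every version ID on the target; pick the newest one taken before the deletion.
    & wbadmin get versions -backupTarget:$BackupTarget
}

function Restore-SystemState {
    param([Parameter(Mandatory)][string]$VersionId,
          [Parameter(Mandatory)][string]$BackupTarget)   # local volume or UNC path
    & wbadmin start systemstaterecovery -version:$VersionId -backupTarget:$BackupTarget -quiet
}

function Restore-AuthoritativeSubtree {
    param([Parameter(Mandatory)][string]$SubtreeDN)
    # ntdsutil treats each command-line argument as one of its interactive commands,
    # so the activate instance / authoritative restore / restore subtree dialog is
    # batched here. A DN containing spaces needs embedded quotes:
    #   "restore subtree `"OU=My OU,DC=contoso,DC=com`""
    & ntdsutil "activate instance ntds" "authoritative restore" "restore subtree $SubtreeDN" quit quit
}

function Test-AuthoritativeRestore {
    param([Parameter(Mandatory)][string]$ObjectDN,
          [Parameter(Mandatory)][string]$DomainController)
    # After the normal reboot, repadmin /showobjmeta prints per-attribute version
    # numbers and originating DC; the restored object's versions should be far above
    # those of the same object on a peer DC, which is what makes the restore win replication.
    & repadmin /showobjmeta $DomainController $ObjectDN
}

# Intended order, with placeholder values:
#   New-SystemStateBackup -BackupTarget 'E:'                  (before the incident)
#   Get-BackupVersions -BackupTarget 'E:'                     (in DSRM, note the version ID)
#   Restore-SystemState -VersionId '<ID>' -BackupTarget 'E:'
#   Restore-AuthoritativeSubtree -SubtreeDN 'OU=Sales,DC=contoso,DC=com'
#   Test-AuthoritativeRestore -ObjectDN 'OU=Sales,DC=contoso,DC=com' -DomainController 'DC01'
```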

