5. Backing up and restoring Active Directory
Backing up Active Directory is easy. Recovery of Active Directory
itself, however, is different from recovery for other types of network
services. A key reason for this involves the way Active Directory data
is replicated and restored. Because of this, let’s look at backup and
recovery strategies for Active Directory, and then look at various
restore techniques.
Backup and recovery strategies for Active Directory
Domain controllers have replication
partners with whom they share information. When you have multiple
domain controllers in a domain and one fails, the other domain
controllers automatically detect the failure and change their
replication topology accordingly. You can repair or replace the failed
domain controller from backup. However, restoring only the operating system and data volumes doesn't bring back the Active Directory database on that domain controller; that requires restoring the system state.
To restore Active Directory on the failed domain controller, you use either a nonauthoritative or authoritative
approach. A nonauthoritative restore allows the domain controller to
come back online and then get replication updates from other domain
controllers. An authoritative restore makes the restored domain
controller the authority in the domain, and its data is replicated to
other domain controllers.
In most cases, you’ll have multiple domain controllers in a domain,
giving you flexibility in your disaster recovery plan. If one of the
domain controllers fails, you can install a new domain controller, clone
an existing domain controller, or promote an existing member server so
that it can be a domain controller. The directory on the new domain
controller is updated automatically through replication. You could also
recover the failed domain controller, and then perform a
nonauthoritative restore. In this case, you would restore Active
Directory on the domain controller and obtain directory updates from
other domain controllers in the domain.
In some cases, you might need to perform an authoritative restore of
Active Directory. For example, if a large number of objects were deleted
from Active Directory and you are not using Active Directory Recycle
Bin,
the only way to recover those objects would be to use an authoritative
restore. In this case, you would restore Active Directory on a domain
controller and use the recovered data as the master copy of the
directory database. This data is then replicated to all other domain
controllers.
The disaster recovery strategy you choose for Active Directory might depend on whether you have dedicated or nondedicated domain controllers, for the following reasons:
- When you have dedicated domain controllers that perform no other domain services, you can implement a very simple disaster recovery procedure for domain controllers. As long as you have multiple domain controllers in each domain, you can restore a failed domain controller by installing a new domain controller or cloning an existing domain controller and then populating the directory on this new domain controller. You can do so through replication or by recovering the domain controller using a nonauthoritative restore. You should always back up one or more of the domain controllers and their system state as well so that you always have a current snapshot of Active Directory in the backup archives. If you need to recover from a disaster that has caused all your domain controllers to fail or Active Directory has been corrupted, you can recover using an authoritative restore in Directory Services Restore Mode.
- When you have nondedicated domain controllers, you should back up the system state whenever you perform a full backup of a domain controller. This stores a snapshot of Active Directory along with the other pertinent system information that can be used to fully recover the domain controller. If a domain controller fails, you can recover the server the way you recover any server. You then have the option of restoring the system state data and Active Directory to allow the server to resume operating as a domain controller by using a nonauthoritative restore in Directory Services Restore Mode. If you need to recover from a disaster that has caused all your domain controllers to fail or Active Directory has been corrupted, you also have the option of using an authoritative restore in Directory Services Restore Mode.
When planning backups of Active Directory, you should also remember the tombstone lifetime. Active Directory doesn't actually delete objects when you remove them from the directory. Instead, objects are either logically deleted (when Active Directory Recycle Bin is enabled) or tombstoned (marked for deletion), and this state is replicated to all the other domain controllers. The tombstone lifetime is 180 days by default in forests created with Windows Server 2003 SP1 or later, and 60 days in older forests where the value was never set explicitly; the deleted object lifetime used by Recycle Bin defaults to the same value as the tombstone lifetime. A deleted object therefore remains in the directory for at least that long. To ensure that you don't accidentally reintroduce objects that have been permanently removed from Active Directory (so-called lingering objects), you are prevented from restoring a system state backup that is older than the tombstone lifetime. Check the value for your forest rather than assuming the default, and size your backup retention accordingly.
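The checks described above, as an added example that is not part of the original text: it reads the forest's tombstone lifetime and deleted object lifetime, reports whether Active Directory Recycle Bin is enabled, and compares the system state backups on an assumed backup target (E:) against the limit. It needs the ActiveDirectory module and an account that can read the configuration partition.

```powershell
# Added example, not from the original text. E: is an assumed backup target.
# Requires the ActiveDirectory module (RSAT-AD-PowerShell) and read access to the
# configuration partition.
Import-Module ActiveDirectory

$configNc = (Get-ADRootDSE).configurationNamingContext
$dsObject = Get-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$configNc" `
                         -Properties tombstoneLifetime, 'msDS-DeletedObjectLifetime'

# tombstoneLifetime is unset in forests created before Windows Server 2003 SP1, which
# means the hard-coded 60-day default; newer forests have 180 written explicitly.
$tsl = if ($dsObject.tombstoneLifetime) { [int]$dsObject.tombstoneLifetime } else { 60 }

# The Recycle Bin's deleted object lifetime falls back to the tombstone lifetime.
$dol = if ($dsObject.'msDS-DeletedObjectLifetime') { [int]$dsObject.'msDS-DeletedObjectLifetime' } else { $tsl }

# If Recycle Bin is enabled, deletions within $dol days are recoverable with
# Restore-ADObject and do not need an authoritative restore.
$rb = Get-ADOptionalFeature -Filter 'name -eq "Recycle Bin Feature"'
$recycleBinOn = ($rb.EnabledScopes | Measure-Object).Count -gt 0

"Tombstone lifetime       : $tsl days"
"Deleted object lifetime  : $dol days"
"Recycle Bin enabled      : $recycleBinOn"
"Oldest restorable backup : $((Get-Date).AddDays(-$tsl).ToString('yyyy-MM-dd'))"

# Windows Server Backup prints one "Version identifier: MM/dd/yyyy-HH:mm" line per
# backup. Anything at or beyond the tombstone lifetime will be refused by the restore.
$cutoff = (Get-Date).AddDays(-$tsl)
wbadmin get versions -backupTarget:E: |
    Select-String 'Version identifier:\s*(\S+)' |
    ForEach-Object {
        $id   = $_.Matches[0].Groups[1].Value
        $when = [datetime]::ParseExact($id, 'MM/dd/yyyy-HH:mm', [cultureinfo]::InvariantCulture)
        [pscustomobject]@{
            VersionId = $id
            Taken     = $when
            Usable    = $when -gt $cutoff
        }
    } | Format-Table -AutoSize
```

Run it before you decide how long to keep system state backups; a backup that shows Usable = False is only good for recovering the operating system, not the directory.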
Other system information is contained in the system state besides
Active Directory. So, any restore of Active Directory includes all that
information, and that information will be restored to its previous state
as well. If a server’s configuration changed since the backup, the
configuration changes will be lost.
When a domain controller fails, you can restore it the way you
restore any other server except when it comes to Active Directory. With
this in mind, first fix the problem that caused the server to fail.
After you restore the server, you can then work to restore Active
Directory.
You recover Active Directory by restoring the system state on the
domain controller, using a special recovery mode called Directory
Services Restore mode. If you made changes to Active Directory since the
backup, the system-state backup will not contain those changes.
However, other domain controllers in the domain will have the most
recent changes, and the domain controller will be able to obtain those
changes through the normal replication process.
When you want to restore Active Directory
on a domain controller and have the domain controller get directory
updates from other domain controllers, you perform a nonauthoritative restore. A nonauthoritative
restore allows the domain controller to come back online and then get
replication updates from other domain controllers.
Schedule a full
server backup of a domain controller to ensure the recovery of the
server operating system and application data in the event of a hardware
failure. Schedule a separate backup of critical volumes to ensure timely recovery of Active
Directory. To guard against unforeseen issues, schedule backups on at
least two different domain controllers for each domain and schedule
additional backups on any domain controller with a unique application
partition.
A full server backup is a backup of every volume on the server. You
can use this type of backup to recover a domain controller onto new
hardware. On a domain controller, the critical volumes are the boot volume, the system volume, and the volumes that contain the Active Directory database (Ntds.dit), its transaction log files, and the Sysvol tree.
You can use critical-volume
backups to restore Active Directory on a domain controller.
Critical-volume backups can also be restored and copied to transferrable
media to install a new domain controller in the same domain.
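The backup schedule the text calls for, as an added example rather than the original text's own commands: a critical-volume backup, a system state backup, a scheduled daily critical-volume backup, and a check for application partitions that only one domain controller replicates. E: is an assumed dedicated backup disk that holds none of the critical volumes; the Windows Server Backup feature and the ActiveDirectory module must be installed.

```powershell
# Added example, not from the original text. E: is an assumed dedicated backup disk.
# Run in an elevated prompt on the domain controller.

# One-time backup of the critical volumes: the boot and system volumes plus whichever
# volumes hold Ntds.dit, the Active Directory log files and Sysvol. Usable for a
# bare-metal recovery onto new hardware and for a nonauthoritative restore.
wbadmin start backup -backupTarget:E: -allCritical -quiet

# One-time system state backup only: AD database, Sysvol, registry, boot files and
# the other system state components. Smaller, and what you restore from DSRM.
wbadmin start systemstatebackup -backupTarget:E: -quiet

# Scheduled daily critical-volume backup at 23:00. -addtarget accepts a disk identifier
# from `wbadmin get disks`, a volume letter, or a shared folder (\\server\share).
wbadmin enable backup -addtarget:E: -schedule:23:00 -allCritical -quiet

# Confirm the archive; each "Version identifier" (MM/dd/yyyy-HH:mm) is the value you
# pass to `wbadmin start systemstaterecovery -version:` later.
wbadmin get versions -backupTarget:E:

# The text asks for backups on every DC that hosts a unique application partition.
# This lists each application partition with the DCs that replicate it; a
# ReplicaCount of 1 means that DC's backup is the only copy of that partition.
Import-Module ActiveDirectory
$partitionsDn = "CN=Partitions," + (Get-ADRootDSE).configurationNamingContext
Get-ADObject -SearchBase $partitionsDn -Filter 'objectClass -eq "crossRef"' `
             -Properties nCName, 'msDS-NC-Replica-Locations' |
    Where-Object { $_.'msDS-NC-Replica-Locations' } |
    Select-Object nCName,
                  @{ n = 'ReplicaCount'; e = { @($_.'msDS-NC-Replica-Locations').Count } },
                  @{ n = 'Replicas';     e = { ($_.'msDS-NC-Replica-Locations' -replace '^CN=NTDS Settings,CN=([^,]+),.*', '$1') -join ', ' } } |
    Format-Table -AutoSize
```

Windows Server Backup refuses a target volume that is itself a critical volume, which is why the example assumes a separate disk; a share works for scheduled backups but keeps only the most recent copy.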
The procedure to perform a full server or critical-volume recovery of
a domain controller is the same as for any server. When you do this,
you will also be performing a nonauthoritative restore of Active
Directory. After the recovery is complete, restart the domain controller
in the standard operations mode and then verify the installation. When
you restart the domain controller, Active Directory automatically
detects that it has been recovered from a backup. Active Directory will
then perform an integrity check and re-index the database. From that
point on, the server can then act as a domain controller and it has a
directory database that is current as of the date of the backup. The
domain controller then connects to its replication partners and begins
updating the database so that any changes since the backup are
reflected.
After you log on to the server, check Active Directory and verify
that all of the objects that were present in the directory at the time
of the backup are restored. The easiest way to confirm this is to browse
Active Directory Users And Computers, Active Directory Domains And Trusts, and Active Directory Sites And Services.
An authoritative restore is used when you need to recover Active
Directory to a specific point in time and then replicate the restored
data to all other domain controllers. Consider the following example:
John accidentally deleted the Marketing organizational unit (OU) and all
the objects it contained. Because the changes have already been
replicated to all domain controllers in the domain and Recycle Bin is
not enabled, the only way to fully restore the OU and the related
objects would be to use an authoritative restore. Similarly, if Active
Directory were somehow corrupted, the only way to recover Active
Directory fully would be to use an authoritative restore.
When performing authoritative restores, there are several significant issues that you should consider. The first and most important issue has to do with passwords used for computer accounts and for Windows NT LAN Manager (NTLM)
trusts. By default these passwords are changed automatically every 30 days (it was seven days on Windows NT), and the change is made by the computer or by the trusting domain controller, not by an administrator. If
you perform an authoritative restore of Active Directory, the restored
data will contain the passwords that were in use when the backup archive
was made. If you monitor the event logs after the restore, you might
see related events or you might hear from users who are experiencing
problems accessing resources in the domain.
Computer account passwords allow computers to authenticate themselves
in a domain using a computer trust. If a computer password has changed,
the computer might not be able to reauthenticate itself in the domain.
In this case, you might need to reset the computer account password by
pressing and holding or right-clicking on the computer account in Active
Directory Users And Computers, and then selecting Reset Account. If the
reset of the password doesn’t work, you might need to remove the
computer account from the domain, and then add it back.
NTLM trusts are trusts between Active Directory domains and Microsoft
Windows NT domains. If a trust password has changed, the trust between
the domains might fail.
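Finding and repairing the broken computer passwords described above, as an added example that is not part of the original text. The detection runs on a domain controller, the repair on the affected member computer; the domain controller name DC1 and the domain cpandl.com are assumed.

```powershell
# Added example, not from the original text. DC1 and cpandl.com are assumed names.

# On a domain controller: NETLOGON event 5722 is logged when a member's computer
# account password no longer matches what the directory holds, which is exactly the
# symptom after an authoritative restore rolled the account back to an older password.
Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'NETLOGON'; Id = 5722 } -MaxEvents 200 |
    ForEach-Object {
        # The message names the account as <computer>$; extract it for a work list.
        if ($_.Message -match '(\S+)\$') {
            [pscustomobject]@{ Time = $_.TimeCreated; Computer = $Matches[1] }
        }
    } |
    Sort-Object Computer -Unique |
    Format-Table -AutoSize

# On the affected member computer (run locally as a local administrator):
Test-ComputerSecureChannel -Verbose      # $false means the secure channel is broken
nltest /sc_verify:cpandl.com             # same check, naming the DC it talked to

# Re-establish the secure channel and set a new computer password without a rejoin.
# Prompts for an account that may reset the computer object (Domain Admins, or a
# delegated account with Reset Password on the computer object).
Test-ComputerSecureChannel -Repair -Server DC1.cpandl.com -Credential (Get-Credential)

# If the repair fails, force a new password against a specific DC; removing the
# computer from the domain and adding it back is the last resort, as the text says.
Reset-ComputerMachinePassword -Server DC1.cpandl.com -Credential (Get-Credential)
```

Prefer the member-side repair over Reset Account in Active Directory Users And Computers: Reset Account sets the directory's copy of the password to its initial value, so the computer still has to be rejoined before it can authenticate again.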
Another significant issue when performing an authoritative restore has to do with group membership. Problems with group membership can occur after an authoritative restore for several reasons.
In the first case, an administrator has updated a group object's membership on a domain controller that has not yet received the restored data. In this case, the domain controller might replicate the changes to other domain controllers, causing a temporary inconsistency. The changes shouldn't be permanent, however, because an authoritative restore raises the version number of every attribute on the restored objects by 100,000 (the default increment). Replication conflicts are resolved by version number, so the restored values win over the intervening change and overwrite it on every domain controller.
Another problem with group
membership can occur if group objects contain user accounts that do not
currently exist in the domain. In this case, if group objects are
replicated before these user objects are, the user accounts that do not
currently exist in the domain will be seen as invalid user accounts. As a
result, the user accounts will be deleted as group members. When the
user accounts are later replicated, the user accounts will not be added
back to the groups.
Although there is no way to control which objects are replicated first, there is a way to correct this problem. Since Windows Server 2003 SP1, Ntdsutil does most of the work for you: when it authoritatively restores objects, it writes a list of them (ar_YYYYMMDD-HHMMSS_objects.txt) and an LDIF file (ar_YYYYMMDD-HHMMSS_links_<domain>.ldf) containing their back-links, including group memberships, to the current directory. After the restored objects have replicated to all domain controllers, import the LDIF file with Ldifde to re-create the memberships.
The manual alternative is to force the domain controller to replicate the group membership list with the group object. You can do this by creating a temporary user account and adding it to each group that contains user accounts that are currently not valid in the domain. Here's how this would work: You authoritatively restore and then restart the domain controller. The domain controller begins replicating its data to other domain controllers. When this initial replication process finishes, you create a temporary user account and add it to the requisite groups. The group membership list will then be replicated. If any domain controller has removed previously invalid user accounts as members of these groups, the domain controller will then return the user accounts to the group.
You can perform an authoritative restore by completing the following steps:
- Perform a full server or critical-volume recovery of the domain controller. After you repair or rebuild the server, restart the server and access the Advanced Boot Options menu. Typically, to do this you must press F8 before the Windows splash screen appears. On Windows Server 2012 the window for F8 is very short; if you miss it, re-enable the legacy boot menu with Bcdedit, or configure the boot entry to start in Directory Services Repair Mode and restart. Go straight into Directory Services Repair Mode after the recovery: if the domain controller starts normally first, inbound replication will delete the restored objects again before you can mark them authoritative.
- On the Advanced Boot Options menu, select Directory Services Repair Mode. Windows will then restart in Safe Mode without loading Active Directory components.
- You will next need to choose the operating system you want to start.
- Log on to the server using the local Administrator account with the Directory Services Restore Mode (DSRM) password that was configured on the domain controller when Active Directory was installed. Domain accounts cannot be used here because the directory isn't running; if the DSRM password is unknown, reset it first from a normally running domain controller with Ntdsutil.
- The Desktop prompt warns you that you are running in Safe Mode, which allows you to fix problems with the server but makes some of your devices unavailable. Tap or click OK.
- At an elevated command prompt, type ntdsutil. This starts the Directory Services Management Tool.
- At the Ntdsutil prompt, type authoritative restore. You should now be at the Authoritative Restore prompt, where you have the following options:
  - You can authoritatively restore the entire Active Directory database by typing restore database. If you restore the entire Active Directory database, there will be a significant amount of replication traffic generated throughout the domain and the forest. You should restore the entire database only if Active Directory has been corrupted or there is some other significant reason for doing so.
  - You can authoritatively restore a container and all its related objects (referred to as a subtree) by typing restore subtree ObjectDN, where ObjectDN is the distinguished name of the container to restore. For example, if someone accidentally deleted the Marketing OU in the cpandl.com domain, you could restore the OU and all the objects it contained by typing the command restore subtree ou=marketing,dc=cpandl,dc=com.
  - You can authoritatively restore an individual object by typing restore object ObjectDN, where ObjectDN is the distinguished name of the object to restore. For example, if someone accidentally deleted the Sales group from the default container for users and groups (cn=users) in the cpandl.com domain, you could restore the group by typing the command restore object cn=sales,cn=users,dc=cpandl,dc=com.
- When you type a restore command and press Enter, the Authoritative Restore Confirmation dialog box appears, which prompts you to tap or click Yes if you're sure you want to perform the restore action. Tap or click Yes to perform the restore operation.
- Type quit twice to exit Ntdsutil, and then restart the server.
Note
Every attribute on every object that is restored has its version number incremented by 100,000. (It is the attribute version number that changes, not the USN; USNs are local to each domain controller and are not what replication conflict resolution compares.) When you are restoring the entire database, you cannot override this behavior, which is necessary to ensure that the data is properly replicated. For subtree and object restores, you can override this behavior by setting a different version increment value using the verinc option. For example, if you want to restore the Sales group in the cpandl.com domain and increment the version number by 500 rather than 100,000, you could do this by typing the command restore object cn=sales,cn=users,dc=cpandl,dc=com verinc 500. Choose a smaller increment only when you know no more than that many changes have been made to the objects since the backup; otherwise the live copy wins and the restore is silently lost.
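The whole restore sequence from a PowerShell session, as an added example that is not part of the original text: getting into Directory Services Restore Mode without racing the F8 key, the nonauthoritative system state restore, marking a deleted subtree authoritative with Ntdsutil, and the post-restart verification and back-link import described earlier. The backup target E:, the version identifier 01/15/2013-23:00, the working directory C:\ARestore and the container ou=marketing,dc=cpandl,dc=com are all assumed.

```powershell
# Added example, not from the original text. E:, 01/15/2013-23:00, C:\ARestore and
# ou=marketing,dc=cpandl,dc=com are assumed values; substitute your own.

# --- 1. Boot into Directory Services Restore Mode deterministically -----------------
# Windows Server 2012 shows the boot menu only briefly. Either bring back the F8 menu
# or tell the default boot entry to start in DSRM on the next restart.
bcdedit /set '{default}' bootmenupolicy legacy   # optional: F8 works again
bcdedit /set '{default}' safeboot dsrepair        # next restart goes to DSRM
Restart-Computer -Force

# --- 2. In DSRM, logged on as .\Administrator with the DSRM password ----------------
wbadmin get versions -backupTarget:E:

# Nonauthoritative restore: the directory comes back as of the backup and will pick
# up later changes from its replication partners once it boots normally.
wbadmin start systemstaterecovery -version:01/15/2013-23:00 -backupTarget:E: -quiet

# Same restore, but also mark Sysvol authoritative so this DC's GPOs and scripts win.
# Use -authsysvol only when Sysvol content is what you are recovering.
# wbadmin start systemstaterecovery -version:01/15/2013-23:00 -backupTarget:E: -authsysvol -quiet

# --- 3. Mark the deleted subtree authoritative (still in DSRM, before any restart) --
# Ntdsutil raises the version number of every attribute on the restored objects by
# 100,000 so they win replication conflicts, and writes ar_<timestamp>_objects.txt and
# ar_<timestamp>_links_<domain>.ldf (the objects' back-links) to the current directory.
New-Item -ItemType Directory -Path C:\ARestore -Force | Out-Null
Set-Location C:\ARestore
ntdsutil "authoritative restore" "restore subtree ou=marketing,dc=cpandl,dc=com" quit quit

# Clear the DSRM boot setting and restart normally.
bcdedit /deletevalue '{default}' safeboot
Restart-Computer -Force

# --- 4. After the normal restart: verify, push, then repair group memberships --------
repadmin /showrepl                       # every inbound partner should show success
repadmin /syncall /AdeP                  # push the restored objects to all partners
Import-Module ActiveDirectory
(Get-ADObject -SearchBase 'ou=marketing,dc=cpandl,dc=com' -Filter * | Measure-Object).Count

# Once the restored objects exist on every DC, import the back-links (group
# memberships). -k makes ldifde continue past "attribute or value exists" errors.
Get-ChildItem C:\ARestore\ar_*_links_*.ldf | ForEach-Object {
    ldifde -i -k -f $_.FullName
}
```

The LDIF file Ntdsutil writes covers back-links held in the domain where you ran the restore; if the restored users were members of groups in other domains of the forest, the objects.txt list is the input for generating those domains' LDIF files with Ntdsutil on a domain controller there.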
The Sysvol folder is backed up as part of the system-state information and contains critical domain information, including GPOs, Group Policy templates, and scripts used for startup, shutdown, logging on, and logging off. If you restore a domain controller, the Sysvol data will be replicated from other domain controllers. Unlike Active Directory data, Sysvol is not replicated by the directory replication engine: domains that have migrated Sysvol replication use DFS Replication (DFSR), and domains that have not still use the older File Replication Service (FRS).
When you perform a nonauthoritative restore of a domain controller, the domain controller's Sysvol data is not set as the authoritative (primary) copy. This means that the restored Sysvol is not replicated outward and is instead overwritten by Sysvol data from other domain controllers.
Marking Active Directory objects as authoritative in Ntdsutil does not make Sysvol authoritative; that is a separate choice. When you perform an authoritative restore of Sysvol (with Windows Server Backup, by adding the -authsysvol option to the system state recovery), the domain controller's Sysvol data is set as the authoritative copy for the domain, and the restored Sysvol is replicated to all other domain controllers, replacing theirs. For example, if someone deleted several scripts used for startup or logon and there were no backups of these scripts, these could be restored by performing an authoritative restore of Sysvol and allowing the restored domain controller's Sysvol data to be replicated. Because an authoritative Sysvol replaces every GPO and script in the domain with the backup's versions, treat it as a last resort and review the restored content for anything unexpected.
You can prevent a restored, authoritative domain controller's Sysvol data from overwriting the Sysvol on other domain controllers. To do this, you should back up the Sysvol in the desired state on another domain controller prior to performing the authoritative restore. After you complete the authoritative restore, you can then restore the Sysvol in the desired state to the authoritative domain controller.
Restoring a failed domain controller by installing a new domain controller
Sometimes you won’t be able to or won’t want to repair a failed
domain controller and might instead elect to install a new domain
controller. You can install a new domain controller by promoting an
existing member server so that it is a domain controller, or by
installing a new computer and then promoting it. Either way, the domain
controller will get its directory information from another domain
controller.
Installing a new domain controller is the easy part. When you’ve finished that, you need to clean up references
to the old domain controller so that other computers in the domain
don’t try to connect to it anymore. You need to remove references
to the server in DNS, and you need to examine any roles that the failed
server played. If the failed server was a global catalog server, you
should designate another domain controller as a global catalog server.
If the failed server held an operations master role, you need to seize
the role and give it to another domain controller. Let’s start with DNS
and roles:
- To clean up DNS, you need to remove all records for the server in DNS. This includes the host (A) record, SRV records that designate the computer as a domain controller, and any additional records that designate the computer as a global catalog server or PDC emulator if applicable.
- If the failed server was a global catalog server, designate another domain controller as a global catalog server.
- If the failed server held operations master roles, seize them and assign them to another domain controller.
To clean up references to the failed domain controller in Active Directory, you are going to need to use Ntdsutil. You must use an account with Administrator privileges in the domain and should run Ntdsutil on a working domain controller or on a server with the AD DS management tools installed. The cleanup process is as follows:
- At an elevated command prompt, type ntdsutil. This starts the Directory Services Management Tool.
- At the Ntdsutil prompt, type metadata cleanup. You should now be at the Metadata Cleanup prompt.
- Access the Server Connections prompt so that you can connect to a domain controller. To do this, type connections and then type connect to server DCName, where DCName is the name of a working domain controller in the same domain as the failed domain controller.
- Exit the Server Connections prompt by typing quit. You should now be back at the Metadata Cleanup prompt.
- Access the Select Operation Target prompt so that you can work your way through Active Directory from a target domain to a target site to the actual domain controller you want to remove. Type select operation target.
- List all the sites in the forest by typing list sites and then type select site Number, where Number is the number of the site containing the failed domain controller.
- List all the domains in the site by typing list domains in site and then type select domain Number, where Number is the number of the domain containing the failed domain controller.
- List all the domain controllers in the selected domain and site by typing list servers in site and then type select server Number, where Number is the number of the server that failed.
- Exit the Select Operation Target prompt by typing quit. You should now be back at the Metadata Cleanup prompt.
- Remove the selected server from the directory by typing remove selected server. When prompted, confirm that you want to remove the selected server.
- Type quit twice to exit Ntdsutil. Next, remove the related computer object from the Domain Controllers OU in Active Directory Users And Computers. Finally, remove the computer object from the Servers container for the site in which the domain controller was located, using Active Directory Sites And Services.
On Windows Server 2008 and later, deleting the failed domain controller's computer object in Active Directory Users And Computers, or its NTDS Settings object in Active Directory Sites And Services, performs the same metadata cleanup automatically. Ntdsutil remains the tool to use when you need to script the removal or clean up after a demotion that failed partway.
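The cleanup described above done from PowerShell, as an added example that is not part of the original text: role seizure, global catalog designation, metadata cleanup through Ntdsutil, DNS record removal, and a final check. It assumes a failed domain controller DC2 in site Default-First-Site-Name of the cpandl.com domain and a surviving domain controller DC1; every name is an assumption.

```powershell
# Added example, not from the original text. DC2, DC1, cpandl.com and
# Default-First-Site-Name are assumed names. Run elevated as a member of Domain Admins
# (Enterprise Admins if forest-wide roles must be seized).
Import-Module ActiveDirectory
Import-Module DnsServer

$failed   = 'DC2'
$survivor = 'DC1'
$domain   = 'cpandl.com'
$site     = 'Default-First-Site-Name'
$domainDn = 'dc=cpandl,dc=com'

# 1. Seize the operations master roles the failed DC held. -Force seizes rather than
#    transfers, which is what you need when the old holder cannot be contacted.
$dom = Get-ADDomain -Identity $domain
$for = Get-ADForest
$roles = @{
    PDCEmulator          = $dom.PDCEmulator
    RIDMaster            = $dom.RIDMaster
    InfrastructureMaster = $dom.InfrastructureMaster
    SchemaMaster         = $for.SchemaMaster
    DomainNamingMaster   = $for.DomainNamingMaster
}
$toSeize = @($roles.Keys | Where-Object { $roles[$_] -like "$failed.*" })
if ($toSeize.Count -gt 0) {
    Move-ADDirectoryServerOperationMasterRole -Identity $survivor -OperationMasterRole $toSeize -Force -Confirm:$false
}

# 2. Make sure the surviving DC is a global catalog: bit 0x1 of the NTDS Settings
#    object's options attribute. OR the bit in rather than overwriting other bits.
$ntdsDn  = (Get-ADDomainController -Identity $survivor).NTDSSettingsObjectDN
$options = [int](Get-ADObject -Identity $ntdsDn -Properties options).options
if (-not ($options -band 1)) {
    Set-ADObject -Identity $ntdsDn -Replace @{ options = ($options -bor 1) }
}

# 3. Remove the failed DC's directory metadata. Passing the server object's DN lets
#    Ntdsutil skip the interactive list/select walk through sites, domains and servers.
$serverDn = "cn=$failed,cn=servers,cn=$site,cn=sites,cn=configuration,$domainDn"
ntdsutil "metadata cleanup" "remove selected server $serverDn on $survivor" quit quit

# 4. Remove DNS records that still advertise DC2: SRV records (_ldap, _kerberos, _gc
#    and so on), the zone NS records, the GUID CNAME in _msdcs, and the host A record.
$fqdn = "$failed.$domain."
foreach ($zone in $domain, "_msdcs.$domain") {
    Get-DnsServerResourceRecord -ComputerName $survivor -ZoneName $zone -ErrorAction SilentlyContinue |
        Where-Object {
            ($_.RecordType -eq 'SRV'   -and $_.RecordData.DomainName    -eq $fqdn) -or
            ($_.RecordType -eq 'NS'    -and $_.RecordData.NameServer    -eq $fqdn) -or
            ($_.RecordType -eq 'CNAME' -and $_.RecordData.HostNameAlias -eq $fqdn) -or
            ($_.RecordType -eq 'A'     -and $_.HostName -eq $failed)
        } |
        Remove-DnsServerResourceRecord -ComputerName $survivor -ZoneName $zone -Force
}

# 5. Verify nothing is left: no server object under Sites, no computer object in the
#    Domain Controllers OU, and no role still pointing at the failed DC.
Get-ADObject -SearchBase "cn=sites,cn=configuration,$domainDn" -Filter 'objectClass -eq "server"' |
    Where-Object Name -eq $failed
Get-ADComputer -SearchBase "ou=Domain Controllers,$domainDn" -Filter 'name -eq $failed'
Get-ADDomain -Identity $domain | Select-Object PDCEmulator, RIDMaster, InfrastructureMaster
```

Seize roles before the metadata cleanup: once the NTDS Settings object is gone, the role attributes still point at a DN that no longer exists and have to be fixed by hand.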
6. Troubleshooting startup and shutdown
When you have problems starting a system, think about what has changed recently. If you and other administrators keep a change
log, access the log to see what has changed on the system recently. A
new device driver might have been installed or an application might have
been installed that incorrectly modified the system configuration.
Often you can resolve startup issues using Safe Mode to recover or troubleshoot system problems. In
Safe Mode, Windows Server loads only basic files, services, and
drivers. Because Safe Mode loads a limited set of configuration
information, it can help you troubleshoot problems. You start a system
in Safe Mode by completing the following steps:
- If the system is currently running and you want to troubleshoot startup, shut down the server, and then start it again. If the system is already powered down or has previously failed to start, start the server again.
- If you see a Windows Boot Manager error screen stating that Windows failed to start, press Enter to continue.
- Press F8 during startup to access the Windows Advanced Options menu. You must press F8 before the Windows splash screen appears. On Windows Server 2012 the window is very short; if you miss it, re-enable the legacy boot menu with Bcdedit, or hold Shift while selecting Restart and use Troubleshoot, Advanced Options, Startup Settings.
- In the Windows Advanced Options menu, select a startup mode. The key options are as follows:
  - Safe Mode: Starts the computer, and loads only basic files, services, and drivers during the initialization sequence. The drivers loaded include the mouse, monitor, keyboard, mass storage, and base video. No networking services or drivers are started.
  - Safe Mode With Command Prompt: Starts the computer, and loads only basic files, services, and drivers, and then starts a command prompt instead of the graphical interface. No networking services or drivers are started.
  - Safe Mode With Networking: Starts the computer, and loads only basic files, services, drivers, and the services and drivers needed to start networking.
  - Enable Boot Logging: Starts the computer with boot logging enabled, which records every driver that is loaded, or fails to load, during startup in %SystemRoot%\ntbtlog.txt.
  - Enable Low Resolution Video: Starts the computer in low-resolution 640x480 display mode, which is useful if the system display is set to a mode that can't be used with the current monitor.
  - Last Known Good Configuration: Starts the computer normally using registry information that the operating system saved at the last working configuration.
  - Debugging Mode: Starts the system in debugging mode, which is useful only for troubleshooting operating system bugs.
  - Directory Services Repair Mode: Starts the system in Safe Mode without loading Active Directory, so that you can restore the directory service. This option is available only on domain controllers.
  - Disable Automatic Restart On System Failure: Prevents the operating system from automatically restarting after an operating system crash.
  - Disable Driver Signature Enforcement: Starts the computer normally but without enforcing the driver signing policy for that one boot. If a driver with an invalid or missing digital signature is causing a startup failure, this lets you start the computer so that you can obtain a properly signed driver. It is a diagnostic step, not a fix: with enforcement off, unsigned malicious drivers load just as readily.
  - Disable Early Launch Anti-Malware Driver: Starts the computer normally but without initializing the Early Launch Anti-Malware (ELAM) driver, which prevents it from blocking a boot-start driver that might be needed for startup. Use it only to confirm a false positive, because it also disables the check that keeps known-bad boot drivers from loading.
- If a problem doesn't reappear when you start in Safe Mode, you can eliminate the default settings and basic device drivers as possible causes. If a newly added device or updated driver is causing problems, you can use Safe Mode to remove the device or roll back the update.
- Make other changes as necessary to resolve startup problems. If you are still having a problem starting the system, you might need to uninstall recently installed applications or devices to try to correct the problem.
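Boot logging and driver-signature checking from a running session, as an added example that is not part of the original text. It turns on the same log the Enable Boot Logging menu item produces, reads it after the restart, and lists unsigned drivers; the paths are Windows defaults.

```powershell
# Added example, not from the original text. Paths are the Windows defaults.

# Enable boot logging for every boot until cleared (the F8 menu item does it once).
bcdedit /set '{default}' bootlog yes
Restart-Computer -Force

# --- after the restart -------------------------------------------------------------
# ntbtlog.txt is appended on every logged boot, so look at the most recent entries.
# "Did not load driver" is normal for devices that are absent; what matters is such a
# line for a driver you recently installed, or, on a hang, the last "Loaded driver"
# line, which names the component that was starting when the system stopped.
$log = Get-Content "$env:SystemRoot\ntbtlog.txt"
$log | Select-String 'Did not load driver' | Select-Object -Last 25 | ForEach-Object { $_.Line }
'Last driver loaded: ' + ($log | Select-String 'Loaded driver' | Select-Object -Last 1).Line

# Driver signing: the Disable Driver Signature Enforcement option only hides this for
# one boot. driverquery /si reports the signing status of each installed driver package.
driverquery /si /fo csv |
    ConvertFrom-Csv |
    Where-Object { $_.IsSigned -ne 'TRUE' } |
    Select-Object DeviceName, InfName, IsSigned |
    Format-Table -AutoSize

# Stop logging once the cause is understood.
bcdedit /deletevalue '{default}' bootlog
```

Compare the unsigned-driver list against the boot log: a driver that appears in both is the usual reason a system only starts with signature enforcement disabled.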
Repairing missing or corrupted system files
Windows Server 2012 enters Windows
Error Recovery mode automatically if Windows fails to start. In this
mode, you have options similar to those you have when working with the
Advanced Boot menu. For troubleshooting,
you can choose from the following options to boot the system: Safe
Mode, Safe Mode With Networking, or Safe Mode With Command Prompt. You
can also choose to use the Last Known Good Configuration or to start
Windows normally.
If you can't start or recover a system in Safe Mode, you can manually run Startup Repair to try to force Windows Server 2012 to resolve the problem. To do this, complete the following steps:
- Insert the Windows installation or Windows Recovery disc for the hardware architecture, and then boot from the installation disc by pressing a key when prompted. If the server does not allow you to boot from the installation disc, you might need to change firmware options to allow booting from a CD/DVD-ROM drive.
- With a Windows Recovery disc, select Windows Setup (EMS Enabled) on the Windows Boot Manager menu to start Windows Setup. With a Windows installation disc, Windows Setup should start automatically.
- On the Install Windows page, select the language, time, and keyboard layout options that you want to use. Tap or click Next.
- When prompted, do not tap or click Install Now. Instead, tap or click the Repair Your Computer link in the lower left corner of the Install Windows page.
- On the Recovery screen, tap or click Troubleshoot. Then, on the Advanced Options screen, tap or click Command Prompt to access the Windows Recovery Environment (the MINWINPC environment).
- At the command prompt, which opens in x:\sources, change to the x:\sources\recovery directory by typing cd recovery.
- Run the Startup Repair Wizard by typing startrep.
Resolving restart or shutdown issues
Normally, you can shut down or restart Windows Server 2012 by tapping
or clicking the Power Options button on the Charms bar and then
selecting Shut Down or Restart as appropriate. Sometimes, however,
Windows Server 2012 won’t shut down or restart normally and you are
forced to take additional actions, such as stopping programs that have
stopped responding when prompted. Telling Windows Server to stop
programs that aren’t responding to the shutdown event won’t always
resolve your problem, however. In these cases, follow these steps:
1. Press Ctrl+Alt+Delete. The Windows Security screen should be displayed. If the Windows Security screen doesn't appear, skip to step 4.
2. Tap or click Task Manager, and then look for an application that is not responding. If all programs appear to be running normally, skip to step 4.
3. Select the application that is not responding, and then tap or click End Task. If the application fails to respond to the request, you'll see a prompt you can use to end the application immediately or cancel the end task request. Tap or click End Now.
4. Try shutting down or restarting the computer. Press Ctrl+Alt+Delete, tap or click the Power Options button, and then tap or click Shut Down.
As a last resort, you might be forced to perform a hard shutdown by holding down the physical power button or unplugging the computer. If you do this, run Check
Disk the next time you start the computer to check for errors and
problems that might have been caused by the hard shutdown.