Active Directory 2008 : Proactive Directory Maintenance and Data Store Protection (part 4) - Performing Proactive Restores

9/15/2011 5:00:25 PM

5. Performing Proactive Restores

Backup data sets are only as good as the restores and recoveries they support. This is why it is essential for you to test the restoration procedure and to test as many scenarios as possible to ensure that when you do face a disaster, you can recover the data or systems you lost by relying on your backups.

When working with a DC, there are several restoration scenarios:

Restoring nonauthoritative data to the directory to reduce the replication required to update a DC that has been off for some time
Restoring authoritative data because the data in the directory has been destroyed
Restoring a complete DC from a backup

When you need to restore data to a system, you cannot do so when the DC is running, despite the fact that in Windows Server 2008 R2 you can control the AD DS service as you would other services. In fact, you must restart the server and run WinRE, or you must restart the server in Directory Services Restore Mode (DSRM). Each method supports different restoration procedures. DSRM supports data restores to the directory; WinRE supports recovery of the entire system.

5.1. Restarting in DSRM

There are two ways to launch a server into DSRM. The first relies on a server reboot and, during the reboot process, pressing F8 to view startup options. Note that if you are running the DC in a virtual machine on Hyper-V, you must press the F5 key while the machine is starting to access the Windows Boot Manager screen first, then press F8 to access Advanced Boot Options. This allows you to choose the Directory Services Restore Mode. Remember that you need to have access to the DSRM password to use this mode.

You can also force the reboot directly into DSRM by changing the boot order in the boot file of the OS. This is done with the Bcdedit.exe command. To use the command line to change the boot order, type the following command in an elevated command prompt:

bcdedit /set safeboot dsrepair

Then, when you need to restart the server normally, use the following command:

bcdedit /deletevalue safeboot

If you need to perform the operation only once, it might be best simply to rely on the F8 key at system startup.

Warning:

IMPORTANT RESETTING THE DSRM PASSWORD

To reset the DSRM password—an activity you should perform on a regular basis—you must first boot into DSRM and then use the standard password changing methods.

Note:

MORE INFO RUNNING DCS AS VMS

For more information on working with DCs as VMs, go to http://technet.microsoft.com/pt-pt/library/dd363545%28WS.10%29.aspx.

5.2. Identifying the Appropriate Backup Data Set

One of the challenges faced by organizations who used AD DS in previous versions of Windows was the ability to identify properly whether the data they required was located in a particular backup data set. In Windows Server 2008 R2, you can rely on the AD DS database mounting tool to view the contents of a data set before you perform a recovery operation. This prevents the previous hit-or-miss approach that system administrators needed to rely on.

The mounting tool works with database snapshots. Snapshots can easily be created with the Ntdsutil.exe tool. For example, to generate regular snapshots of a directory, you would use the following command:

ntdsutil "activate instance NTDS" snapshot create quit quit

This generates a snapshot on the same volume as the database. Be careful how you use this command, because it will quickly fill up the disk on which the Ntds.dit database file is located.

Perform the following steps to view backup data set or snapshot contents:

Launch an elevated command prompt by right-clicking Command Prompt in the Start menu and choosing Run As Administrator.
Begin by listing the available snapshots. Snapshots are created each time a backup is run or through the Ntdsutil.exe create subcommand, but you need to have the snapshot GUID to mount it. Use the following command to pipe all snapshot GUIDs into a text file.
Code View: Scroll / Show All
```
ntdsutil "activate instance NTDS" snapshot "list all" quit quit >snapshot.txt

					  
```
Now, look into the text file to locate and copy the GUID you need:
```
notepad snapshot.txt
```
Locate the GUID you need and copy it to the clipboard. The snapshot GUID is always preceded by the date and time you created the snapshot. Remember to include the brackets in the selection. Minimize Notepad in case you need a different GUID.
Mount the snapshot you need to use. Remember to right-click and then click Paste to paste the GUID at the mount command.
```
ntdsutil
activate instance NTDS
snapshot
mount guid
quit
quit
```
Note the path listed for the mounted database.
Use the AD DS database mounting tool to load the snapshot as an LDAP server.
```
dsamain -dbpath c:\$SNAP_datetime_VOLUMEC$\windows\ntds\ntds.dit
   -ldapport portnumber
```
Be sure to use ALL CAPS for the -dbpath value and use any number beyond 40,000 for the -ldapport value to ensure that you do not conflict with AD DS. Also note that you can use the minus (–) sign or the slash (/) for the options in the command. The database is mounted and will stay mounted until you have completed your operations. Do not close the command prompt. In fact, you might want to use two command prompts, one for mounting the snapshot in Ntdsutil.exe and one for the Dsamain.exe command. Then you can mount and unmount different snapshots until you locate the one that contains the information you need to recover.
Note that if the dsamain command gives you errors, you must restart the server to clear reserved TCP ports. After the server is restarted, the operation should work properly.
Now use Ldp.exe or Active Directory Users And Computers to access the instance. For example, launch Active Directory Users And Computers from the Administrative Tools program group.
Right-click Active Directory Users And Computers and click Change Domain Controller.
In the Change Directory Server dialog box, click <Type A Directory Server Name[:Port] Here>, type the servername:portnumber, such as Server10:40000, and press Enter. (Use the port number you specified in step 6.) The status column should indicate that the server is online. Click OK.
Search the loaded instance to locate the information you need and view its properties. If it is the instance you need, make note of its name. Close Active Directory Users And Computers.
Return to the dsamain command prompt and press Ctrl+C to stop Dsamain.exe.
Unmount the database snapshot. Use the following command. Remember to paste in the GUID from the clipboard.
```
ntdsutil
activate instance NTDS
snapshot
unmount guid
quit
quit
```
Close the command prompt.

If the selected database snapshot was not the one you were looking for, repeat the procedure. If it was, proceed to a restore.

Warning:

IMPORTANT USING ARROW KEYS IN COMMAND PROMPTS

You can use the up and down arrow keys when you are in a command prompt to return to previous commands. Also, note that there are different buffers in the command prompt. For example, there is a buffer in the command prompt itself and a different buffer in the Ntdsutil.exe command. You can use both to return to previous commands and save typing.

5.3. Performing Nonauthoritative or Authoritative Restores

As mentioned earlier, performing a restore requires that you restart the directory in DSRM. This means shutting down the DC. Remember that you can perform either nonauthoritative or authoritative restores on both the full installation and Server Core. A nonauthoritative restore addresses a DC rebuild when no data was lost because it is still found on other DCs. An authoritative restore restores data that was lost and updates the Update Sequence Number (USN) for the data to make it authoritative and ensure that it is replicated to all other servers. You can use the same procedure for both types of restores, but you can also perform authoritative restores without using DSRM. Make sure you have connected the removable media on which you stored the backup that you want to restore.

Repair the server, if required, and start it. During startup, press F8 to view the startup modes. Remember that if you are using a virtual machine, you must press F5 before you can press F8.
Select Directory Services Restore Mode and press Enter.
This will boot into Windows. Press Ctrl+Alt+Delete, and then log on with the DSRM account using the servername\accountname format and password. You will need to switch users to log on because the last logged on user account will be displayed by default. Use the DSRM password you set when you created the DC.
You can restore the data either through the command line or with Windows Server Backup. Note, however, that when you want to restore directory data, you must perform a System State restore and, to do so, you must use the command line.
Launch an elevated command prompt by right-clicking Command Prompt on the Start menu and choosing Run As Administrator.
Type the following command:
```
wbadmin get versions -backuptarget:drive -machine:servername
```
For example, to list the available backups located on D drive on SERVER10, type:
```
wbadmin get versions -backuptarget:d: -machine:server10
```
Note the version identifier information, because you need the exact name for the next command.
To recover system state information, type the following command:
```
wbadmin start systemstaterecovery -version:datetime -backuptarget:drive
   -machine:servername -quiet
```
For example, to recover the system state from a backup dated February 15, 2008, from D drive on SERVER10, type:
```
wbadmin start systemstaterecovery -version:02/15/2008-19:38
   -backuptarget:d: -machine:server10 -quiet
```
You use the -quiet option to avoid having to confirm the backup operation. Note that the restore takes time to complete.
When prompted, press Y to restart the DC in its normal operating mode. When you restart the server, AD DS knows that it has recovered from a restore and performs an integrity check of the database as it starts.

If you are performing a nonauthoritative restore, you are finished. AD DS replication will bring this server up to date when the restart is complete.

Note:

IMPORTANT USING DFS REPLICATION

If your forest is in Windows Server 2008 R2 functional level, you will be using DFS replication. In this case, the restore creates a nonauthoritative version of the SYSVOL share. If you want to avoid additional replication, add the authsysvol switch to the Wbadmin.exe command.

If you are performing an authoritative restore, you must mark the restored data as authoritative. The best approach is to perform this restore with an online DC. Use the following steps:

With the server restarted in normal mode, log on with domain administrator credentials. Launch Server Manager, expand the Configuration node, and click Services. Locate the Active Directory Domain Services service, select it, and then click Stop in the details pane. Click Yes when prompted to stop dependent services.
Launch Command Prompt as an administrator and type the following commands:
```
ntdsutil
activate instance NTDS
authoritative restore
restore object database
quit
quit
```
The restore object database subcommand marks all the data in the Ntds.dit database of this DC as authoritative. When you use this command, you are prompted to confirm the restore. Click Yes to do so.
If you want to restore only a portion of the directory, use the restore subtree subcommand in Ntdsutil.exe, as follows:
```
restore subtree ou=ouname,dc=dcname,dc=dcname
```
where you must supply the distinguished name of the OU or object that you want to restore.
Close the command prompt and restart the AD DS service.

After the service is restarted, the replication process starts and the restored information that has been marked as authoritative is replicated to all other DCs. AD DS replication brings the server up to date when the service is restarted by replicating data from this DC to others because the restore was authoritative.

Tip:

TIP

Performing an authoritative or nonauthoritative Active Directory restore, working with the restartable AD DS service, and working in Directory Services Recovery Mode are important parts of this topic on the exam.

5.4. Restoring from a Complete Backup

When the DC is completely down and needs to be rebuilt, but you have access to a full server backup, you can perform a complete system restore. You need access to the full server backup files. If they are on a removable drive, make sure this drive is connected to the server before you begin the restore; otherwise, you must restart the server. If the files are on a network drive, make note of the path. Also, obtain the Windows Installation Media DVD or, if your new DC is a virtual machine, link its DVD drive to an ISO file containing the Windows Installation Media.

Full server recoveries can be performed through the graphical interface or the command line.

5.4.1. Performing a Graphical Full Server Recovery

Performing a Graphical Full Server Recovery

To perform a full server recovery with the graphical interface, use the following procedure. This procedure applies to both the full installation and Server Core.

Insert or connect the Windows Server 2008 R2 installation DVD, restart the computer, and, when prompted, press a key to start from the DVD.
On the initial Windows screen, accept or select the language to install, the time and currency format, and a keyboard layout, and then click Next.
In the Install Now window, click the Repair Your Computer link.
In the System Recovery Options dialog box, click anywhere to clear any operating systems that are selected for repair and click Next.
Under Choose A Recovery Tool, click System Image Recovery.
If the backup is stored on a remote server, click Cancel on the warning message.
Choose Select A System Image and click Next.
In the Select The Location Of The Backup page, perform the following steps, depending on whether the backup is stored locally or on a network share:
1. If the backup is stored on the local computer, select the location of the backup and click Next. Proceed to step 9.
2. If the backup is stored on a network share, click Advanced, and then click Search For A System Image On The Network. Click Yes to confirm.
3. In the Network Folder, type the path for the network share and click OK.
4. Type the appropriate credentials and click OK.
5. In the Select The Location Of The Backup page, select the backup image and click Next.
Select the date and time of the image to restore and click Next.
If you want to replace all data on all volumes, on the Choose Additional Restore Options page, select Format And Repartition Disks.
To prevent volumes that are not included in the restore from being deleted and re-created, click Exclude Disks, select each disk you want to exclude, and then click OK.
Click Next, and then click Finish. Click Yes to confirm that all selected disks will be reformatted and replaced with the data in the image backup.
When the restore is complete, the server should restart as a new image of the server you restored in the backup set you used.

Performing a Command-Line Full Server Recovery

To perform a full server recovery with the command line, use the following procedure. This procedure applies to both the full installation and Server Core.

Insert or connect the Windows Server 2008 R2 installation DVD, restart the DC, and, when prompted, press a key to start from the DVD.
On the initial Windows screen, accept or select the language to install, the time and currency format, and a keyboard layout, and then click Next.
In the Install Now window, click the Repair Your Computer link.
In the System Recovery Options dialog box, click anywhere to clear any operating systems that are selected for repair and click Next.
Under Choose A Recovery Tool, select Command Prompt.
At the command prompt, type diskpart and press Enter.
At the diskpart prompt, type list vol and press Enter.
Identify from the list the drive letter for the volume that corresponds to the location of the full server backup you want to restore. The drive letters in WinRE do not necessarily match the volumes as they appeared in Windows Server 2008 R2.
Type exit and press Enter.
At the Sources prompt, type the following command and press Enter:
```
wbadmin get versions -backuptarget:drive -machine:servername
```
For example, to list the available backups located on the D drive on SERVER10, type:
```
wbadmin get versions -backuptarget:D: -machine:SERVER10
```
Note the version identifier information, because you need the exact name for the next command.
At the command prompt, type the following command and press Enter:
```
wbadmin start sysrecovery -version:datetime -backuptarget:drive
   -machine:servername -quiet
```
For example, to recover the system state from a backup dated February 15, 2009, from D drive on SERVER10, type:
```
wbadmin start sysrecovery -version:02/15/2009-19:38 -backuptarget:d:
   -machine:server10 -quiet
```
You use the -quiet option to avoid having to confirm the backup operation.
After the recovery operation has completed, minimize the command window and, in the System Recovery Options dialog box, click Restart.
The server should restart and operate normally.