Windows Server Restore Active Directory

Restore Active Directory - Spiceworks Community

Restore Active Directory


by aprmike
Solution

No administrator likes to think that one day they may have to restore Active Directory from a backup. However, it is important that
you plan for such an occasion. Setting up a test server to run through scenarios is a good idea, and it is important to make time for
this sort of disaster planning. I learnt this lesson the hard way.

Whilst this guide does not profess to be the oracle on AD recovery, it does document my experiences of dealing with a loss of
critical data. Maybe there is a better way to go about this, but my method worked, and will do just fine for me!

Scenario: One of your major AD groups has been deleted. No accounts are functioning other than those in the built-in group, so
just the odd admin has access. You have multiple domain controllers, but they have already replicated.

Action: First, log on to the server you wish to restore to. You may have to do this locally, depending on your account configuration;
the password for the local logon is the one you specified when promoting the server to a DC. I did not know the local admin password,
so I logged on with a built-in domain account that was still functioning. To change the DSRM password, follow these steps:

1. Click Start, click Run, and type:

   ntdsutil

2. At the Ntdsutil command prompt, type:

   set dsrm password

3. At the DSRM command prompt, type one of the following lines:

   To reset the password on the server on which you are working, type:

   reset password on server null

   The null variable assumes that the DSRM password is being reset on the local computer. Type the new password when you are
   prompted. Note that no characters appear while you type the password.

   To reset the password for another server, type:

   reset password on server <servername>

4. At the DSRM command prompt, type q.

5. At the Ntdsutil command prompt, type q to exit.

You will now be able to log on locally to recover the system.


Reboot the server and enter AD recovery mode. To do this, press F8 on bootup; this can be tricky, as most RAID controllers use F8
for their BIOS. From the start-up screen, select Directory Services Restore Mode (DSRM), assuming you are using Server 2003.
The server will start up in a state that looks just like safe mode.

I was using Veritas Backup Exec v10 and had problems with the job running correctly. This was due to the fact that the services
were trying to start as a network account that was no longer available. At this stage it is worth checking your system accounts.
Click Start > Run, type services.msc and press OK. Sort the Log On As column and change any services that use a deleted
account to the local system account (the one you just logged on as). It is good practice to leave them this way should the same
thing ever happen again.

The next step was to locate the most recent successful system state backup and ready the tape in the server. I could only restore
onto the server that the tape drive was in (fortunately a domain controller), as the remote agent would not start up for some
reason. By selecting the system state, all the server's settings, such as registry entries and our all-important Active Directory, will
be restored. Allow the restore to run and check for any errors on completion; be patient, as this may take some time.

DO NOT REBOOT WHEN YOU ARE TOLD TO!

Backup Exec will notify you that you must reboot after a system state restore. Do not do this yet: Active Directory is not
ready for use, so after a restart it will be just the same as before! We first need to recover the database so that it is ready for use
again:

1. Click Start, click Run, type ntdsutil in the Open box, and then press ENTER.

2. At the Ntdsutil command prompt, type files, and then press ENTER.

3. At the file maintenance command prompt, type recover, and then press ENTER.

4. Type quit, and then press ENTER.

http://community.spiceworks.com/how_to/show/27[23-03-2010 22:08:36]
5. Restart the computer.

NOTE: You can also use Esentutl.exe to perform database recovery when the procedure described earlier in this article fails (for
example, the procedure may fail when the database is inconsistent). To use Esentutl.exe to perform database recovery, follow
these steps:

1. Click Start, click Run, type cmd in the Open box, and then press ENTER.

2. Type esentutl /r path\ntds.dit, and then press ENTER. path refers to the current location of the Ntds.dit file.

3. Delete the database log files (.log) from the WINDOWS\Ntds folder.

4. Restart the computer.

For additional information about the esentutl.exe utility, at the command prompt, type esentutl /?, and then press ENTER.
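
A check worth running between steps 2 and 3 of the Esentutl procedure, given here as an added example that is not part of the original guide: esentutl /mh prints the database header, and its State line should read Clean Shutdown before any log files are deleted. The function name Get-EseShutdownState is hypothetical, the sample header lines are constructed, and PowerShell being installed on the server is an assumption.

```powershell
# Added example, not part of the original guide. Parses the header dump printed
# by "esentutl /mh <path>\ntds.dit" and reports the database shutdown state.
function Get-EseShutdownState {
    param([string[]]$HeaderLines)

    $state = $null
    $logRequired = $null
    foreach ($line in $HeaderLines) {
        if ($line -match '^\s*State:\s*(.+?)\s*$')        { $state = $Matches[1] }
        if ($line -match '^\s*Log Required:\s*(.+?)\s*$') { $logRequired = $Matches[1] }
    }
    if (-not $state) {
        throw 'No "State:" line found; input does not look like esentutl /mh output.'
    }

    New-Object PSObject -Property @{
        State        = $state
        LogRequired  = $logRequired
        # Only a cleanly shut down database no longer depends on its log files.
        IsConsistent = ($state -eq 'Clean Shutdown')
    }
}

# Constructed sample: a few header lines as they look before recovery has run.
$sample = @'
                  State: Dirty Shutdown
           Log Required: 12-14 (0xc-0xe)
'@ -split "`r?`n"

# On the server, replace $sample with the live output:
#   $result = Get-EseShutdownState (esentutl /mh "<path>\ntds.dit")
$result = Get-EseShutdownState $sample

if ($result.IsConsistent) {
    'State is Clean Shutdown: recovery completed, continue with step 3.'
} else {
    "State is '$($result.State)' (logs required: $($result.LogRequired)). " +
        'Keep the .log files and repeat step 2 before deleting anything.'
}
```
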

NOTE: This procedure involves transaction logs to recover data. Transaction logs are used to make sure that committed
transactions are not lost if your computer fails or if it experiences unexpected power loss. Transaction data is written first to a log
file, and then it is written to the data file. After you restart the computer after it fails, you can rerun the log to reproduce the
transactions that were committed but that were not recorded to the data file.
After rebooting, I found that Active Directory had been restored correctly, and I was then able to force replication to my other
servers. The only slight problem I had was that most users had lost their group memberships. However, this was easily remedied
manually, so I did not spend any time working out why this had happened, but it may be worth bearing in mind for your scenario.

Another point worth noting is that your DSRM password will also have been restored, so it will be worth changing that again to make
the job easier next time.
