Windows Server Restore Active Directory
Solution
No administrator likes to think that one day they may have to restore Active Directory from a backup. However, it is important that
you plan for such an occasion. Setting up a test server to run through scenarios is a good idea, and it is important to make time for
this sort of disaster planning. I learnt this lesson the hard way.
Whilst this guide does not profess to be the oracle on AD recovery, it does document my experiences of dealing with a loss of
critical data. Maybe there is a better way to go about this, but my method worked, and will do just fine for me!
Scenario: One of your major AD groups has been deleted; no accounts are functioning other than those in the built-in group, so
just the odd admin has access. You have multiple domain controllers, but they have already replicated.
Action: First, log on to the server you wish to restore to. You may have to do this locally, depending on your account configuration;
this will be the password you specified when promoting the server to a DC. I did not know the local admin password, so I logged on
with a built-in domain account that was still functioning. To change the DSRM password, follow these steps:
The null variable assumes that the DSRM password is being reset on the local computer. Type the new password when you are
prompted. Note that no characters appear while you type the password.
To reset the password for another server, type
1. Click Start, click Run, type ntdsutil in the Open box, and then press ENTER.
2. At the Ntdsutil command prompt, type files, and then press ENTER.
3. At the file maintenance command prompt, type recover, and then press ENTER.
http://community.spiceworks.com/how_to/show/27[23-03-2010 22:08:36]
Restore Active Directory - Spiceworks Community
5. Restart the computer.
NOTE: You can also use Esentutl.exe to perform database recovery when the procedure described earlier in this article fails (for
example, the procedure may fail when the database is inconsistent). To use Esentutl.exe to perform database recovery, follow
these steps:
1. Click Start, click Run, type cmd in the Open box, and then press ENTER.
2. Type esentutl /r path\ntds.dit, and then press ENTER. path refers to the current location of the Ntds.dit file.
3. Delete the database log files (.log) from the WINDOWS\Ntds folder.
For additional information about the esentutl.exe utility, at the command prompt, type esentutl /?, and then press ENTER.
NOTE: This procedure involves transaction logs to recover data. Transaction logs are used to make sure that committed
transactions are not lost if your computer fails or if it experiences unexpected power loss. Transaction data is written first to a log
file, and then it is written to the data file. After you restart the computer after it fails, you can rerun the log to reproduce the
transactions that were committed but that were not recorded to the data file.
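Step 3 of the Esentutl procedure removes the transaction logs, which is only safe once the database no longer needs them for replay. The following PowerShell is an added example, not part of the original guide: it reads the header dump from esentutl /mh and moves the logs aside, rather than deleting them, only when the database reports Clean Shutdown. The function names, the backup folder parameter and the sample header lines are assumptions constructed for illustration.

```powershell
# Added example, not from the original guide. Function names and paths are hypothetical.

function Get-EseShutdownState {
    # Extract the "State:" field from the text of an `esentutl /mh` header dump.
    param([Parameter(Mandatory=$true)][string[]]$HeaderText)
    foreach ($line in $HeaderText) {
        if ($line -match '^\s*State:\s*(.+?)\s*$') { return $Matches[1] }
    }
    throw 'No "State:" line found in the header dump.'
}

function Move-NtdsLogs {
    # Move (not delete) the .log files so the step can be undone if needed.
    param(
        [Parameter(Mandatory=$true)][string]$NtdsFolder,    # folder holding ntds.dit
        [Parameter(Mandatory=$true)][string]$BackupFolder   # hypothetical holding area
    )
    $database = Join-Path $NtdsFolder 'ntds.dit'
    $header = & esentutl.exe /mh $database
    if ($LASTEXITCODE -ne 0) {
        throw "esentutl /mh failed with exit code $LASTEXITCODE."
    }

    $state = Get-EseShutdownState -HeaderText $header
    if ($state -ne 'Clean Shutdown') {
        # A dirty database still needs its logs for replay; removing them now
        # would discard committed transactions not yet written to ntds.dit.
        throw "Database state is '$state'. Run recovery before touching the logs."
    }

    New-Item -ItemType Directory -Path $BackupFolder -Force | Out-Null
    Get-ChildItem -Path $NtdsFolder |
        Where-Object { -not $_.PSIsContainer -and $_.Extension -eq '.log' } |
        Move-Item -Destination $BackupFolder -PassThru
}

# Constructed sample of header-dump lines so the parser can be tried offline.
$sampleHeader = @(
    'DATABASE HEADER:',
    '            State: Dirty Shutdown',
    '     Log Required: 12-12 (0xc-0xc)'
)
Get-EseShutdownState -HeaderText $sampleHeader
```

Move-NtdsLogs is meant to be run in Directory Services Restore Mode, after esentutl /r has completed, with the folder that currently holds Ntds.dit.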
After rebooting, I found that Active Directory had been restored correctly, and I was then able to force replication to my other
servers. The only slight problem I had was that most users had lost their group memberships. However, this was easily remedied
manually, so I did not spend any time working out why this had happened, but it may be worth bearing in mind for your scenario.
Another point worth noting is that your DSRM password will also have been restored, so it will be worth changing that again to make
the job easier next time.