In a Windows Server environment, domain controllers play a critical role in managing network resources and user authentication. Therefore, ensuring the availability and integrity of domain controller data is essential for maintaining network stability and security.
However, despite best efforts, a domain controller may suffer a hardware failure, software corruption, or a malicious attack that leaves you no option but to restore the domain controller from backup.
In this blog post, we will provide a step-by-step guide on how to restore a domain controller from backup using the Windows Server Backup feature. Whether you are an IT professional or a system administrator, this guide will equip you with the knowledge and tools needed to restore your domain controller and minimize downtime.
Have you backed up your Active Directory yet? Visit our article “How to Backup Active Directory?”.
Domain Controller Recovery Considerations
Just because the title says how to restore a domain controller from backup, it doesn’t mean it is always the best path. So before going trigger-happy with DC recovery from backup, let’s talk about some considerations.
Is there one or more domain controllers still online?
If the domain controller becomes unavailable but other domain controllers remain online, consider a replication-based recovery first: you do not restore anything, you replace the failed DC and let Active Directory replication rebuild it. The high-level steps are:
- If the failed DC held any FSMO roles, seize them on a surviving DC. A transfer is only possible while the current role holder is online, so for a dead DC it has to be a seizure. Once a role has been seized, the old DC must never be brought back onto the network.
- Clean up the failed DC’s metadata (delete its NTDS Settings/server object with ntdsutil, or delete the computer object from the Domain Controllers OU in Active Directory Users and Computers, which performs the cleanup on Windows Server 2008 and later), and remove its stale DNS records.
- Install a new Windows Server instance, join it to the domain, and promote it to a domain controller.
- Wait for Active Directory replication to complete. The new DC receives the directory, and SYSVOL, from its replication partners.
Note, however, that if the nearest domain controller is on another site, the initial replication can cause high traffic utilization in your WAN. So be mindful of the timing and workload, or promote the new DC from an Install From Media (IFM) set created with ntdsutil on a surviving DC.
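The replication-based recovery above, as an added PowerShell example (not part of the original post). It assumes a surviving DC named W19DC1 in domain corp.example, a failed DC named W19DC2 in site Default-First-Site-Name, and the ActiveDirectory module on the surviving DC; those names are illustrative. Steps 1 to 3 run on the surviving DC; step 4 runs on the freshly installed server.

```powershell
# Added example: replace a failed DC through replication when another DC is still online.
# Assumed names (change them): surviving DC W19DC1, failed DC W19DC2, domain corp.example.
$FailedDc   = 'W19DC2'
$SurvivorDc = 'W19DC1'
$Domain     = 'corp.example'
$SiteName   = 'Default-First-Site-Name'

# --- Run on the surviving DC (elevated) -------------------------------------------------

# 1. Which roles did the failed DC hold? Get-ADForest/Get-ADDomain read the role owners from AD.
$forest = Get-ADForest
$domain = Get-ADDomain
[pscustomobject]@{
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
} | Format-List

# 2. Seize the roles. Without -Force the cmdlet attempts a graceful transfer, which fails
#    because the current holder is unreachable. After this, $FailedDc must never come back online.
Move-ADDirectoryServerOperationMasterRole -Identity $SurvivorDc `
    -OperationMasterRole SchemaMaster, DomainNamingMaster, PDCEmulator, RIDMaster, InfrastructureMaster `
    -Force -Confirm:$false

# 3. Metadata cleanup: delete the failed DC's server object in the Configuration partition.
#    ntdsutil removes the NTDS Settings object and the associated computer account.
$configNc = (Get-ADRootDSE).configurationNamingContext
$serverDn = "CN=$FailedDc,CN=Servers,CN=$SiteName,CN=Sites,$configNc"
ntdsutil "metadata cleanup" "remove selected server $serverDn" quit quit

# Stale A/SRV records for the failed DC should also be checked in DNS; for example:
Get-DnsServerResourceRecord -ZoneName $Domain -RRType A |
    Where-Object { $_.RecordData.IPv4Address -and $_.HostName -eq $FailedDc }

# --- Run on the new server (elevated), after it has been installed and joined ------------

# 4. Promote the replacement DC. -ReplicationSourceDC keeps the initial sync on the local site;
#    -InstallationMediaPath (an IFM folder from ntsdutil) would avoid WAN traffic entirely.
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools
Install-ADDSDomainController -DomainName $Domain `
    -Credential (Get-Credential "$Domain\Administrator") `
    -InstallDns -SiteName $SiteName -ReplicationSourceDC "$SurvivorDc.$Domain" `
    -SafeModeAdministratorPassword (Read-Host -AsSecureString 'DSRM password') `
    -Force

# 5. After the reboot: confirm inbound replication succeeded and the roles sit where expected.
repadmin /replsummary
dcdiag /test:replications /test:fsmocheck /q
```

The DSRM password prompted for in step 4 is what you will need to log in to that new DC in Directory Services Restore Mode later, so record it in your password vault as part of the promotion.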
Is this the only domain controller?
If the failed DC is the only one in the network, there is nothing to replicate from, so you must restore it from backup: either a system state restore onto a freshly installed server or a bare-metal recovery. We cover both in this tutorial.
Authoritative vs. Non-Authoritative
Another consideration is whether you will perform an authoritative or non-authoritative recovery of the domain controller. What’s the difference?
An authoritative restore marks selected restored objects as the current version: after the system state has been restored in DSRM, ntdsutil raises the version numbers of those objects (by default 100,000 per day elapsed since the backup) so they win conflict resolution and replicate out to all other domain controllers. This is what you use to bring back objects or OUs that were deleted and have since been replicated as deleted everywhere.
On the other hand, a non-authoritative restore returns the whole domain controller (directory database, SYSVOL, registry) to the state in the backup without marking anything as current. The other domain controllers then bring it up to date through normal replication, and any restored data that is older than theirs is overwritten. This is the normal way to recover a failed DC, and it is the scenario in the steps below. In either case the backup must be younger than the forest’s tombstone lifetime (the default is 180 days for forests created on Windows Server 2003 SP1 or later), or the restored DC will be refused as a replication partner.
Restore Domain Controller from Backup (System State)
So the domain controller goes kaput. Now you must recover it from the backup. Don’t worry; let’s walk through how it is done.
- Install Windows Server (same version and edition as the failed DC) on a new machine.
- Configure the server’s network settings (IP address, DNS server, subnet mask, gateway, etc.). Make sure they are the same as on the failed DC.
- Once the new server is up, make no other changes: do not rename the computer, install the AD Domain Services role, or join the domain. The system state restore brings all of that back.
- Install the Windows Server Backup feature by running the below command in an elevated PowerShell session:
Install-WindowsFeature -Name Windows-Server-Backup -IncludeAllSubfeature -IncludeManagementTools
- Ensure that the Windows System State Backup is accessible on the server. It may be on a network share or a storage device, whether internal or external. In this example, the Windows System State Backup is in Drive E.
- To restore from backup, we must restart the server in Directory Services Restore Mode (DSRM). Open System Configuration by running the msconfig command. Click Boot → check Safe boot → select Active Directory repair → OK.
- On the next prompt, click Restart.
- Once the server has restarted, log in using the local Administrator account of the fresh install (.\Administrator); the server is not a domain member yet.
- Launch the Windows Server Backup console by running wbadmin.msc.
- Once the Windows Backup console is up, click the Recover link.
- On the Getting Started page, select the “A backup stored on another location” option and click Next.
- Depending on where your backup is stored, select the appropriate location option and click Next. I’ll select “Local drive” in this example.
- Choose the backup location from the dropdown list and click Next.
- The Recovery Wizard will scan the drive and discover the backup image. In this example, the Wizard found the backup we made of the W19DC2 Active Directory server. Select the server name and click Next.
- If there are multiple backup instances, select the backup date and time. In this example, we only have one backup. Click Next.
- Select “System State” as the recovery type and click Next.
- On the Select Location for System State Recovery page, choose the “Original location” option and click Next. Leave “Perform an authoritative restore of Active Directory files” unchecked: that option marks SYSVOL as authoritative, and we are performing a non-authoritative recovery in this scenario, with other DCs to source SYSVOL from. (If this is the only DC in the domain, or the first one you restore, there is no partner to source SYSVOL from, so enable it in that case. Authoritative restore of directory objects is a separate step done with ntdsutil, not this checkbox.)
- You’ll see a warning that you’re restoring a backup from a different server. That is expected, because the fresh install has a different computer name than the backed-up DC. Click OK.
- On the Confirmation page, enable the “Automatically reboot…” box and click Recover.
- The Recovery Wizard reminds you that the recovery cannot be paused or canceled. When you’re sure to continue, click Yes.
- Now wait for the recovery process to finish.
- Once the recovery is complete, the server restarts automatically, but still in DSRM. Log in using the local Administrator account. Note that the restore replaced the local SAM, so the password is now the DSRM password that was set when the original DC was promoted, not the one from the fresh install.
- You’ll see the message below saying the recovery operation was successful. Press Enter to dismiss the CMD window.
- Now it’s time to restart the server in normal mode. Open the System Configuration utility by running the msconfig command. Click Boot, uncheck “Safe Boot”, and click OK.
- On the confirmation prompt, click Restart.
- Once restarted, log in using your domain account, and the domain controller has been restored from the system state backup.
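The same system state restore, scripted instead of clicked through the wizard, as an added example that is not part of the original post. It assumes the same layout as above: the backup of W19DC2 is on drive E: and the freshly installed server already has Windows Server Backup installed. The version identifier and the OU distinguished name in step 4 are hypothetical placeholders; take the real identifier from the output of step 2.

```powershell
# Added example: non-authoritative system state restore of a DC with bcdedit and wbadmin.
# Assumed: backup of computer W19DC2 stored on E:, fresh install with the same IP settings.

# 1. Enter DSRM without msconfig: safeboot dsrepair on the default boot entry, then reboot.
#    The braces are quoted because PowerShell would otherwise parse {default} as a script block.
bcdedit /set '{default}' safeboot dsrepair
Restart-Computer -Force

# --- After the reboot, logged in as .\Administrator in DSRM --------------------------------

# 2. List the backups of the original DC on the target. -machine is required because the
#    backup was taken on a different computer name than this server currently has.
wbadmin get versions -backupTarget:E: -machine:W19DC2

# 3. Restore the system state to its original location. -quiet suppresses the prompts.
#    Add -authsysvol when this is the only (or first restored) DC in the domain, so SYSVOL
#    is marked authoritative; leave it out when other DCs hold a good SYSVOL copy.
$Version = '03/01/2023-14:30'   # placeholder; copy the identifier printed by step 2
wbadmin start systemstaterecovery "-version:$Version" -backupTarget:E: -machine:W19DC2 -quiet

# 4. Only for an authoritative restore of specific objects: still in DSRM, before rebooting,
#    mark the subtree so it wins replication (version numbers raised by 100000 per day
#    since the backup). The DN is a placeholder. Skip this block for a plain restore.
ntdsutil "activate instance ntds" "authoritative restore" `
    "restore subtree OU=Sales,DC=corp,DC=example" quit quit

# 5. Leave DSRM and boot normally. The DC replicates with its partners after this reboot.
bcdedit /deletevalue '{default}' safeboot
Restart-Computer -Force
```

Running the restore from wbadmin rather than the console has one practical advantage: the exact command, version identifier and flags end up in your shell history and change log, which is what you want to be able to show after an incident.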
Restore Domain Controller from Backup (Bare Metal)
A bare metal recovery means restoring the backup onto a machine that has no operating system yet: the system drive starts out empty. You therefore boot from the OS installation media to reach the Windows Recovery Environment (WinRE) and restore the bare-metal backup image from there. Use only a backup taken with a VSS-aware tool such as Windows Server Backup. Never “restore” a DC by rolling back a VM snapshot or cloning an old disk; AD DS cannot detect that kind of rollback, and the result is USN rollback and a DC that silently stops replicating.
- Provision the new machine (virtual or physical).
- Insert or attach the installation media (ISO or physical media).
- Boot the computer into the OS installation media.
- Once booted, click Repair your computer.
- Click Troubleshoot.
- Click System Image Recovery.
- If you forgot to connect the storage containing the bare metal backup, you will get the following error message. Attach the storage device with the backup and click Retry.
- Once the recovery wizard scans the device, it will detect the available backup image. In this example, I’ll choose to recover the latest backup and click Next.
- If you wish to exclude specific drives from the recovery process, do so now. Otherwise, all disks that match the backup data will be formatted. Since I only included drive C in my previous backup, I have no other drives to exclude.
- Finally, click Finish to start the re-imaging process.
- As a good measure, you’ll be informed that all disks matching the backup structure will be formatted. Click Yes to confirm.
- Wait for the restoration to finish. The duration depends on the backup size being restored.
Once the restoration is finished, the server will restart after a 60-second countdown.
- Once restarted, log in using your domain account; the domain controller should be recovered. AD DS recognizes the restore on first boot and assigns the DC a new invocation ID, so its partners treat it as a legitimately restored replica rather than a rolled-back one.
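Both procedures above end with “log in and the DC should be recovered”, which is the point where a practitioner wants evidence. The following health check is an added example, not part of the original post; it runs in an elevated PowerShell session on the recovered DC after its normal boot. Service names, share names, the DFSR WMI class and the event IDs are the standard ones; the replication checks are meaningless on a single-DC domain and can be ignored there.

```powershell
# Added example: post-restore verification of a recovered domain controller.
# Run elevated on the restored DC after it has booted out of DSRM / WinRE.
$results = [ordered]@{}

# 1. Core AD DS services. Anything listed here is not running.
$svc = 'NTDS', 'Netlogon', 'Kdc', 'DNS', 'DFSR', 'W32Time'
$results['ServicesNotRunning'] = (Get-Service -Name $svc -ErrorAction SilentlyContinue |
    Where-Object Status -ne 'Running' | Select-Object -ExpandProperty Name) -join ','

# 2. SYSVOL and NETLOGON shares. Until DFSR declares SYSVOL ready they are absent and
#    clients cannot apply Group Policy or authenticate cleanly.
$shares = Get-SmbShare -Name SYSVOL, NETLOGON -ErrorAction SilentlyContinue
$results['SysvolAndNetlogonShared'] = (@($shares).Count -eq 2)

# 3. DFSR state of the SYSVOL replicated folder: 4 = Normal.
$dfsr = Get-CimInstance -Namespace root\MicrosoftDFS -ClassName DfsrReplicatedFolderInfo -ErrorAction SilentlyContinue |
    Where-Object ReplicatedFolderName -eq 'SYSVOL Share'
$results['SysvolDfsrState'] = $dfsr.State

# 4. Did AD DS recognize the restore? Event 1109 (Directory Service log) records the new
#    invocation ID. Event 2095 means USN rollback was detected: the DC was restored from a
#    snapshot or clone rather than a proper backup and must be demoted and rebuilt.
$ev = Get-WinEvent -FilterHashtable @{ LogName = 'Directory Service'; Id = 1109, 2095 } `
    -MaxEvents 20 -ErrorAction SilentlyContinue
$results['InvocationIdChanged'] = [bool]($ev | Where-Object Id -eq 1109)
$results['UsnRollbackDetected'] = [bool]($ev | Where-Object Id -eq 2095)

# 5. Backup age versus tombstone lifetime. A restored DC older than this is refused by partners.
$configNc = (Get-ADRootDSE).configurationNamingContext
$dsObj = Get-ADObject "CN=Directory Service,CN=Windows NT,CN=Services,$configNc" -Properties tombstoneLifetime
$results['TombstoneLifetimeDays'] = if ($dsObj.tombstoneLifetime) { $dsObj.tombstoneLifetime } else { 60 }

# 6. Replication, FSMO and time. dcdiag /q prints only failures; empty output is good.
$results['ReplSummary'] = (repadmin /replsummary) -join "`n"
$results['DcDiagErrors'] = (dcdiag /q) -join "`n"
$results['FsmoHolders']  = (netdom query fsmo) -join "`n"
$results['TimeSource']   = (w32tm /query /source) -join "`n"

[pscustomobject]$results | Format-List
```

Keep the output with your incident record: the invocation ID event and the replication summary are the two artefacts that show the restore was recognized by AD DS and that the DC converged with its partners afterwards.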
Conclusion
Restoring a domain controller from backup is a crucial process that must be carried out with care and attention to detail. Before you start, make sure the prerequisites are in place: the backup is intact and accessible, it is younger than the forest’s tombstone lifetime, and the server you restore to matches the original in OS version and network configuration.
The steps outlined in this guide provide an overview of the recovery process and can be followed to restore a domain controller from a backup successfully. Remember always to have a backup plan in place and to regularly test and verify the effectiveness of your backups to ensure that they can be relied upon in the event of a disaster.
3 comments
Excellent tutorial, thank you Cyril! Your articles are always very easy to follow. Thank you for including illustrations.
Excellent. Thanks a lot. How could I restore AD on a new, different server from an external backup of the system state? Can you give me the step-by-step for doing that? I tried but failed.
Which is the proper method for restoring a lone domain controller – it’s the only DC in the network (very small site), thus no replication…
Kind regards,