Day 1: Only one Domain Controller (DC1) is present. Windows Server Backup is configured on DC1 to save the system state. Delete an important user from AD.
Day 2: Promote additional Domain Controller (DC2).
Day 3: Boot DC1 into DSRM and revert to Day 1 via System State Recovery (non-authoritative). Mark the important user for restore via ntdsutil (authoritative). Reboot DC1.
DC1 does not sync with DC2 and DC2 does not show up in Active Directory Users and Computers on DC1. Active Directory Sites and Services shows the NTDS object of DC2 (synced back to DC1 from other domains in the forest I assume), but we cannot run a metadata cleanup since it cannot find the computer object. At this point because DC1 does not sync with other Domain Controllers, the whole AD was reverted back to Day 1 instead of just restoring the important user.
Can we recover from this situation? Is this expected behavior or was there a prerequisite missing in the environment?
Your mileage may vary, but in Active Directory in my opinion there is no sane way to do single-object restores. Things are way too interconnected and objects are changing all the time (that's probably the "active" in Active Directory).
I would suggest to enable the Active Directory Recycle Bin for cases like the one you ran into.
Doing a System State Recovery is almost always only feasible for disaster recovery (i.e. when you've lost all your DCs). However, in such a case you have probably lost a lot more than that, so starting fresh may be the better option in that case.
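The Recycle Bin approach suggested in this answer, as an added PowerShell example (not part of the original answer). The forest name corp.example.com and the deleted account jdoe are hypothetical; the cmdlets are from the RSAT ActiveDirectory module, and enabling the feature requires a forest functional level of Windows Server 2008 R2 or higher and cannot be undone.

```powershell
# Added example: enable the AD Recycle Bin once per forest, then restore a
# deleted user from it without any DSRM boot or System State restore.
# Forest name and account name below are hypothetical placeholders.
Import-Module ActiveDirectory

$forest  = 'corp.example.com'   # hypothetical forest
$account = 'jdoe'               # hypothetical deleted user

# 1. Enable the optional feature if it is not already enabled.
#    This is a one-way change for the whole forest.
$rb = Get-ADOptionalFeature -Filter 'Name -eq "Recycle Bin Feature"'
if (-not $rb.EnabledScopes) {
    Enable-ADOptionalFeature -Identity 'Recycle Bin Feature' `
        -Scope ForestOrConfigurationSet -Target $forest -Confirm:$false
}

# 2. Locate the deleted object. With the Recycle Bin enabled, deleted objects
#    keep their attributes (including sAMAccountName and the last known parent)
#    for the deleted-object lifetime and are only returned when
#    -IncludeDeletedObjects is given.
$deleted = Get-ADObject `
    -Filter { isDeleted -eq $true -and SamAccountName -eq $account } `
    -IncludeDeletedObjects -Properties SamAccountName, LastKnownParent

if (-not $deleted) {
    Write-Warning "No deleted object with sAMAccountName '$account' found."
    return
}

# 3. Restore it to its last known parent. If that OU was deleted as well,
#    restore the OU first or pass -TargetPath with an existing OU DN.
$deleted | Restore-ADObject
Get-ADUser -Identity $account | Select-Object Name, DistinguishedName, Enabled
```

Because the object is restored from the live directory rather than from a backup, replication with the other domain controllers is never interrupted, which is exactly the failure the question ran into.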
The problem you have is that in your backup (day1) there was no 2nd DC. The method you took would normally work and would allow you to restore just the one object IF DC2 was part of the domain when you did the backup on DC1.
You kind of have a chicken and egg scenario - When you restore DC1 (as you rightly pointed out), it isn't aware of DC2, so it won't trust it (for replication). And DC2 cannot make itself authoritative over DC1 for the same reason. So you end up with 2 separate versions of your AD because the DCs don't trust each other. You can't fix this, you were just unlucky in that you deleted an important object before you had your 2nd DC online.
It is supported to do an authoritative restore to any point in time, as long as that backup is not older than the tombstoneLifetime in the Active Directory Forest (180 days). You can also add additional domain controllers to the domain and still restore a backup that was taken when there was only one domain controller present.
The only thing you must pay attention to is that any newly promoted domain controllers are fully synchronized with Active Directory and they completed their initial SYSVOL sync. Make sure that the NETLOGON and SYSVOL shares are present on all domain controllers in the domain before doing object recovery via authoritative restore.
In my scenario with two domain controllers, DC2 was not fully replicated and was awaiting initial SYSVOL sync. DC1 was then restored and after the reboot also in the same state of initial SYSVOL sync. This caused both domain controllers to not replicate anymore and effectively both had their own copy of Active Directory from this point on.
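The prerequisite check described in this answer, as an added PowerShell example (not part of the original answer): before booting a DC into DSRM for an authoritative restore, confirm that every DC in the domain publishes the SYSVOL and NETLOGON shares, has no failed replication links and passes the dcdiag Advertising test. It assumes the RSAT ActiveDirectory module plus dcdiag.exe on the admin host; the object DN in the closing comment is a hypothetical placeholder.

```powershell
# Added example: pre-flight check that all DCs have completed initial
# replication and SYSVOL sync before an authoritative restore is attempted.
Import-Module ActiveDirectory

function Test-DcReadyForRestore {
    $dcs      = Get-ADDomainController -Filter *
    $problems = @()

    foreach ($dc in $dcs) {
        $name = $dc.HostName

        # A DC that has not finished its initial SYSVOL sync does not
        # publish these two shares at all.
        foreach ($share in 'SYSVOL', 'NETLOGON') {
            if (-not (Test-Path -LiteralPath "\\$name\$share")) {
                $problems += "$name is missing the $share share (initial SYSVOL sync not complete?)"
            }
        }

        # Any inbound replication partner with a non-zero last result means
        # this DC is not fully in sync with the rest of the domain.
        $partners = Get-ADReplicationPartnerMetadata -Target $name -ErrorAction SilentlyContinue
        foreach ($p in $partners) {
            if ($p.LastReplicationResult -ne 0) {
                $problems += "$name <- $($p.Partner): last replication result $($p.LastReplicationResult)"
            }
        }

        # dcdiag's Advertising test fails when the DC does not advertise
        # itself as a domain controller (typically because SYSVOL is not ready).
        $adv = dcdiag /test:Advertising /s:$name
        if ($adv -match 'failed test Advertising') {
            $problems += "$name failed the dcdiag Advertising test"
        }
    }

    return $problems
}

$problems = Test-DcReadyForRestore
if ($problems) {
    Write-Warning 'Do not start the authoritative restore yet:'
    $problems | ForEach-Object { Write-Warning "  $_" }
} else {
    Write-Host 'All DCs publish SYSVOL/NETLOGON and replicate cleanly; safe to proceed.'
    # Only now boot the DC into DSRM, run the non-authoritative System State
    # restore, and then mark the single object authoritative with ntdsutil, e.g.:
    #   ntdsutil
    #   activate instance ntds
    #   authoritative restore
    #   restore object "CN=Jane Doe,OU=Users,DC=corp,DC=example,DC=com"   (hypothetical DN)
    #   quit
    #   quit
}
```

Run the check from a management host rather than from the DC you are about to restore, so the UNC share tests and dcdiag exercise the network path the other DCs will actually use for replication.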