Restoring Virtualized Domain Controllers

Article:TECH155176  |  Created: 2011-03-09  |  Updated: 2014-02-06  |  Article URL http://www.symantec.com/docs/TECH155176
Article Type
Technical Solution


Issue



A secondary domain controller becomes unusable and must be restored from a virtual machine backup using either the Agent for Microsoft Hyper-V or the Agent for VMware Virtual Infrastructure (AVVI), with or without the application GRT component for Active Directory Recovery Option.


Environment



The machine to be restored is one of at least two domain controllers.

The original machine has been deleted or will be overwritten by the restore.

The other domain controller is still in production and is healthy.


Cause



A VM backup of a domain controller is a point-in-time image, and it becomes stale as soon as Active Directory replicates. If the recovered virtual machine is then started in normal mode, replication data in the forest might diverge.


Solution



Follow the steps outlined in Microsoft's TechNet article to boot the recovered VM in Directory Services Restore Mode (DSRM) and configure the registry to roll back the update sequence numbers (USN) and resynchronize the Active Directory databases.


1. Restore the .vmdk to the original location or to an alternate location

2. Do not allow the virtual machine to power on after the restore job completes

3. Monitor the boot up and force the machine into DSRM. Do not allow the domain controller to start in normal mode. If the Windows Boot Manager screen is missed and the domain controller begins to start in normal mode, turn off the virtual machine to prevent it from completing startup.

    a. Start the machine and press F5 to access the Windows Boot Manager screen.
    b. In the Windows Boot Manager screen, press F8 to access advanced boot options.
    c. In the Advanced Boot Options screen, select Directory Services Restore Mode, and then press ENTER.

4. Open Registry Editor and expand the following path: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters. Look for a value named DSA Previous Restore Count. If the value is there, make a note of the setting. If the value is not there, the setting is equal to the default, which is zero. Do not add a value if it is blank. 

5. Right-click the Parameters key, click New, and then click DWORD (32-bit) Value.

6. Type the new name Database restored from backup, and then press ENTER.

7. Double-click that value to open the Edit DWORD (32-bit) Value dialog box, and then type 1 in the Value data box.

8. Restart the domain controller in normal mode.

9. When the domain controller restarts, open Event Viewer.

10. Right-click the Directory Services log and search for Event ID 1109 stating that the InvocationID attribute was changed.

11. Use Registry Editor to verify that the value in DSA Previous Restore Count is equal to the previous value plus one.

If the checks in steps 10 and/or 11 do not give the expected result, verify that the recovered DC's service packs are current. This procedure cannot be tried again on this virtual machine. Start over by overwriting this virtual machine with a saved backup file that has not been booted into normal mode.
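
Steps 4 through 11 can also be scripted so that the before and after values are recorded rather than noted by hand. The following PowerShell script is an added example, not part of the original article or of any Symantec or Microsoft tool; the -Phase and -BaselineFile parameters and the baseline file path are assumptions made for illustration. Run it with -Phase Prepare in DSRM, restart in normal mode, then run it with -Phase Verify.

```powershell
# Added example. -Phase and -BaselineFile are assumptions, not part of the article.
param(
    [Parameter(Mandatory = $true)][ValidateSet('Prepare', 'Verify')][string]$Phase,
    [string]$BaselineFile = 'C:\dc-restore-baseline.txt'  # hypothetical path
)

$ntds = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'

function Get-RestoreCount {
    # Step 4: a missing value means the default of zero. It is read, never created.
    $p = Get-ItemProperty -Path $ntds -Name 'DSA Previous Restore Count' -ErrorAction SilentlyContinue
    if ($p) { [int]$p.'DSA Previous Restore Count' } else { 0 }
}

if ($Phase -eq 'Prepare') {
    # Steps 4-7, run in DSRM before the first normal-mode start.
    $before = Get-RestoreCount
    Set-Content -Path $BaselineFile -Value $before
    New-ItemProperty -Path $ntds -Name 'Database restored from backup' `
        -PropertyType DWord -Value 1 -Force | Out-Null
    Write-Output "Recorded restore count $before; flag set. Restart in normal mode."
} else {
    # Steps 9-11, run after the normal-mode restart.
    $before = [int](Get-Content -Path $BaselineFile)
    $since  = (Get-Item -Path $BaselineFile).LastWriteTime
    $after  = Get-RestoreCount

    # Only accept a 1109 event logged after the Prepare phase, not one from an older restore.
    $filter = @{ LogName = 'Directory Service'; Id = 1109; StartTime = $since }
    $evt = Get-WinEvent -FilterHashtable $filter -MaxEvents 1 -ErrorAction SilentlyContinue

    Write-Output "DSA Previous Restore Count: before=$before after=$after"
    if ($evt) {
        Write-Output "Event 1109 logged at $($evt.TimeCreated)"
    } else {
        Write-Output 'No Event 1109 found since the Prepare phase'
    }

    if (($after -ne $before + 1) -or (-not $evt)) {
        Write-Warning 'Verification failed. Do not retry on this VM; restore the backup again.'
        exit 1
    }
    Write-Output 'InvocationID change confirmed.'
}
```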

 




