DOCUMENTATION: Disaster Recovery of a remote Windows 2008 computer (includes both non-authoritative and authoritative restore of Active Directory for a domain controller)

Article:TECH87405  |  Created: 2009-01-03  |  Updated: 2010-01-23  |  Article URL http://www.symantec.com/docs/TECH87405
Article Type: Technical Solution


Solution



Overview:
A Non-Authoritative restore recovers Active Directory in its entirety, in the state it was in at the time of the backup.  This is the procedure commonly used to recover from a catastrophic failure such as faulty hardware.  After the restore, any changes that occurred on replication partners since the backup are replicated automatically to the newly restored domain controller.

An Authoritative restore is a process for restoring corrupt or deleted objects (for example, a user account that was deleted and now exists only in the backup).  This process is not used for complete recovery of the domain controller and its OS components.  It does include a full restore of Active Directory, but one or more objects from the restored backup (the objects that were corrupted or deleted) are then marked as authoritative and are therefore preserved and replicated to the other domain controllers.  Any objects that were created or changed since this domain controller was taken offline for the restore (and that were not marked as authoritative during this process) will be replicated back to this controller.

See pages 22-24 in the following document for further information on Authoritative vs. Non-Authoritative restores:
http://www.microsoft.com/downloads/details.aspx?FamilyID=84dfe61e-fb7b-4673-89b8-55bcc801b431&displaylang=en

Notes:
- Please refer to official Microsoft documentation for assistance with restoring Active Directory in complex environments with multiple Domain Controllers.
- To recover a computer that runs Windows Server 2008, it may be necessary to turn on the Windows BitLocker Drive Encryption option.  Always log on to Windows using the Administrator account or its equivalent during this procedure.
- The native Windows utility ADSI Edit (ADSIedit) can be used to obtain the fully distinguished names of objects in preparation for a disaster.


Steps for Non-Authoritative Restore of a Windows 2008 Active Directory Domain Controller after a catastrophic failure:
1. Install Windows 2008 Server on the target client machine.
- Computer name, Windows directory and the file system (NTFS) must be the same as the previous Windows installation. This basic installation will later be overwritten by data from the backup, which will restore the system configuration, application settings, and security settings.
- If the system is being recovered from hard disk failure, use Windows setup to partition and format the new disk during installation. Format the partitions with the same file system as before the failure.
- If the system was in a Domain / Workgroup pre-disaster, then do not join the Domain/Workgroup.

2. Install any OS Hotfixes or Service Packs

3. If the client was running NetBackup 6.5.2 or 6.5.3 at the time of backup, run dcpromo and let it complete.  Be sure to specify whether the machine is also a DNS server.  (NetBackup 6.5.4 clients and later do not need to perform this step.)

4. Install the NetBackup client. Ensure the client version is at the same level or higher than the time of backup, but not a higher version than the Master or Media Server.

5. Perform a full system restore.
Note: The client does not need to be booted into Directory Services Recovery Mode at this time.

6. Once the restore job has completed successfully, reboot the remote computer.

Steps for Non-Authoritative restore are now complete. The computer's operating system is now restored to its pre-disaster state. All data files have been restored, except those protected by NetBackup database agents.

The first boot after a full OS restore of Windows 2008 may take 5-10 minutes, and the screen may remain blank during this time.  The machine is not hung.  Do not reboot forcefully during this period, as doing so may corrupt the OS.  The delay is caused by a bulk rename of files that were restored under temporary file names.



Steps for Authoritative Restore of a Windows 2008 Active Directory Domain Controller:
1. Reboot the client. Press <F8> during startup on the reboot and select Directory Services Restore Mode.

2. Launch Backup Archive and Restore on the Master Server. Set the appropriate Source and Destination client names and locate/browse the backup images that need to be restored.

3. Select the entire C:\ drive (or the applicable OS drive letter) and the entirety of Shadow Copy Components.

4. After selecting Actions > Restore, be sure to select "Restore everything to its original location" and "Overwrite existing files" before clicking "Start Restore".

5. Once the Restore job has finished successfully, specific objects can be restored from Active Directory:
a. Open a CMD prompt and run: ntdsutil
b. Type: activate instance <instance> (usually NTDS)
c. Type: authoritative restore
d. Type either: restore subtree "ou=<OU Name>,dc=<domain name>,dc=<xxx>" (marks the OU and everything beneath it authoritative) or: restore object "<distinguished name of the object>" (marks a single object authoritative)

Note: In the above example <OU Name> is the name of the organizational unit, <domain name> is the name of the domain in which the OU resides, and <xxx> is the top-level domain of the domain controller, such as com, org, or edu. Step 5d can be repeated for as many objects as need to be restored.

6. Exit NTDSUTIL once the restore has finished.

7. Restart the computer.
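The ntdsutil sequence from steps 5a-5d, driven from PowerShell so that the distinguished name is built consistently and several subtrees can be marked authoritative in one pass. This is an added example, not part of the Symantec article; it assumes the NTDS instance name is "NTDS", that the machine is booted into Directory Services Restore Mode with the full restore already completed, and the OU and domain names used are constructed placeholders.

```powershell
# Added example (not from the article). Builds the DN from the article's template
# "ou=<OU Name>,dc=<domain name>,dc=<xxx>" and runs ntdsutil's authoritative-restore
# commands non-interactively (ntdsutil accepts its interactive commands as arguments
# and executes them in order).

function ConvertTo-OuDistinguishedName {
    param(
        [Parameter(Mandatory)] [string] $OuName,
        [Parameter(Mandatory)] [string] $DnsDomainName   # e.g. "corp.example.com"
    )
    # One dc= component per DNS label. A two-label domain gives exactly the article's
    # "dc=<domain name>,dc=<xxx>"; deeper domains (child domains) get one dc= per label.
    $dcParts = ($DnsDomainName.Split('.') |
        Where-Object { $_ } |
        ForEach-Object { "dc=$_" }) -join ','
    return "ou=$OuName,$dcParts"
}

function Invoke-NtdsutilAuthoritativeRestore {
    param(
        [Parameter(Mandatory)] [string[]] $SubtreeDn,   # one or more OU DNs (step 5d, repeated)
        [string] $Instance = 'NTDS',                    # step 5b; "usually NTDS" per the article
        [switch] $WhatIf                                # show the command line instead of running it
    )
    # Same order as the interactive session: 5b, 5c, then one 5d per subtree, then
    # leave the "authoritative restore" prompt and ntdsutil itself (two quits, step 6).
    $cmds = @("activate instance $Instance", "authoritative restore")
    foreach ($dn in $SubtreeDn) { $cmds += "restore subtree $dn" }
    $cmds += 'quit', 'quit'

    if ($WhatIf) {
        return 'ntdsutil ' + (($cmds | ForEach-Object { '"' + $_ + '"' }) -join ' ')
    }
    # Review ntdsutil's own output: it reports how many records were updated per subtree.
    & ntdsutil.exe @cmds
}

# Constructed placeholder values, e.g. the Sales OU in corp.example.com.
$salesDn = ConvertTo-OuDistinguishedName -OuName 'Sales' -DnsDomainName 'corp.example.com'
# $salesDn is "ou=Sales,dc=corp,dc=example,dc=com"

# Dry run first: print the exact ntdsutil command line that would be executed.
Invoke-NtdsutilAuthoritativeRestore -SubtreeDn $salesDn -WhatIf
# Then run it for real (only in Directory Services Restore Mode, after steps 1-4):
# Invoke-NtdsutilAuthoritativeRestore -SubtreeDn $salesDn
```

An OU name that contains spaces must be quoted inside the restore subtree command, as the article's step 5d shows; this example passes the DN unquoted and therefore expects names without spaces.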



Legacy ID: 320503