Tips for recovering an Active Directory Domain Controller with BMR
Over the past several weeks I have struggled with a POC of Active Directory Domain Controller recovery using BMR, and found various points to take care of.
I will share them here. I hope this helps.
Tip 1: Use NetBackup 22.214.171.124 (or later, if released)
NetBackup 126.96.36.199 has a fix for SYSVOL restore (ET2896008). Without this fix, the SYSVOL contents are not restored. If you have to recover with NetBackup 188.8.131.52 or earlier, follow this workaround:
- If all the DCs have been lost and you are recovering the first DC in your domain, restart the DC in Directory Services Restore Mode. Otherwise, restart normally.
Note: You should recover the FSMO role holder DC first, as it has a very important role in AD.
- Create the folders listed below if they do not exist:
- Create junction points for the domain name as shown below. If the same path already exists as a plain folder, stop the Netlogon service and remove the folder before running MKLINK.
MKLINK /J "C:\Windows\SYSVOL\staging areas\mydomain.local" "C:\Windows\SYSVOL\staging"
MKLINK /J "C:\Windows\SYSVOL\sysvol\mydomain.local" "C:\Windows\SYSVOL\domain"
- If recovering the first DC in the domain, run Backup, Archive, and Restore (BAR) and restore the System State with the overwrite option. Then perform the AD authoritative restore procedure using the ntdsutil command. Do not restart the system before the AD authoritative restore is complete.
Please check TECH87405 (http://www.symantec.com/docs/TECH87405) for more detail.
Note: If the DC is configured for AD Granular restore and there are no living DCs, you need to set the credentials of the NetBackup services back to the default (LocalSystem), because a domain user is not valid in this situation.
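The folder and junction-point steps of the workaround above, scripted so they can be re-run safely on the recovered DC. This is an added example, not code from the original post or from NetBackup; it assumes SYSVOL lives under %SystemRoot%\SYSVOL, that the domain name is passed as a parameter (mydomain.local in the post), and that it runs from an elevated PowerShell prompt. It only removes an in-the-way path when that path is a plain folder rather than an existing junction, and stops Netlogon before doing so, as the workaround requires.

```powershell
# Added example (not from the original post): recreate the SYSVOL junction points
# from the NetBackup SYSVOL workaround, handling the "path already exists as a folder" case.
# Assumptions: SYSVOL under %SystemRoot%\SYSVOL, domain name given as -DomainName,
# run from an elevated PowerShell prompt on the recovered DC.
param(
    [Parameter(Mandatory = $true)][string]$DomainName   # e.g. mydomain.local
)

$sysvolRoot = Join-Path $env:SystemRoot 'SYSVOL'

# Target folders that must exist before the junctions are created
$folders = @(
    (Join-Path $sysvolRoot 'staging'),
    (Join-Path $sysvolRoot 'domain'),
    (Join-Path $sysvolRoot 'staging areas'),
    (Join-Path $sysvolRoot 'sysvol')
)

# Junction -> target pairs, matching the two MKLINK commands in the workaround
$junctions = @{
    (Join-Path $sysvolRoot "staging areas\$DomainName") = (Join-Path $sysvolRoot 'staging')
    (Join-Path $sysvolRoot "sysvol\$DomainName")        = (Join-Path $sysvolRoot 'domain')
}

foreach ($f in $folders) {
    if (-not (Test-Path -LiteralPath $f)) {
        New-Item -ItemType Directory -Path $f | Out-Null
        Write-Host "Created folder: $f"
    }
}

$netlogonStopped = $false
foreach ($link in $junctions.Keys) {
    $target = $junctions[$link]
    if (Test-Path -LiteralPath $link) {
        $item = Get-Item -LiteralPath $link -Force
        $isReparse = ($item.Attributes -band [IO.FileAttributes]::ReparsePoint) -ne 0
        if ($isReparse) {
            # Already a junction (from a previous run or an intact DC): leave it alone
            Write-Host "Junction already present, leaving as-is: $link"
            continue
        }
        # A plain folder is in the way: stop Netlogon once, then remove the folder
        if (-not $netlogonStopped) {
            Stop-Service -Name Netlogon -Force
            $netlogonStopped = $true
        }
        Remove-Item -LiteralPath $link -Recurse -Force
        Write-Host "Removed plain folder: $link"
    }
    # mklink is a cmd.exe built-in, so it is invoked through cmd /c
    cmd /c mklink /J "$link" "$target"
    if ($LASTEXITCODE -ne 0) { throw "mklink failed for $link" }
}

if ($netlogonStopped) { Start-Service -Name Netlogon }

# Verify: each junction should now resolve to the expected target
foreach ($link in $junctions.Keys) {
    $item = Get-Item -LiteralPath $link -Force
    Write-Host ("{0} -> {1}" -f $link, ($item.Target -join ','))
}
```

Run it as `.\New-SysvolJunctions.ps1 -DomainName mydomain.local` before the System State restore in BAR; the final loop prints each junction with its target so the result can be checked against the two MKLINK lines above.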
Tip 2: Promote the first DC's SYSVOL as authoritative if all the DCs have been lost
After BMR recovery, Event ID 4614 is logged and SYSVOL on the DC enters the initial synchronization state. If all the DCs have been lost, every recovered SYSVOL enters this state and none of them can be used for service. In this situation you need to promote SYSVOL as authoritative on one of the recovered DCs. It is best to do this while recovering the first DC in the domain, since you then have only one DC to manage. The other DCs will synchronize from this DC after their recovery.
Follow the instructions titled "How to perform an authoritative synchronization of DFSR-replicated SYSVOL" in Microsoft KB 2218556 (http://support.microsoft.com/kb/2218556).
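A check for the state described above, so you can tell whether a recovered DC's SYSVOL is still waiting for initial replication before deciding to make it authoritative. This is an added example, not code from the original post; it assumes a DFSR-replicated SYSVOL and that it runs locally on the DC from an elevated prompt. Event ID 4614 is the one the post mentions; the assumption that DFSR logs Event ID 4604 once SYSVOL initialization completes, and that Netlogon sets SysvolReady to 1 when it shares SYSVOL, comes from general DFSR/Netlogon behaviour rather than from this post.

```powershell
# Added example (not from the original post): report whether this DC's DFSR SYSVOL is
# stuck in initial synchronization (Event ID 4614 without a later 4604) and whether
# Netlogon has shared it (SysvolReady = 1, SYSVOL share present).
# Assumptions: DFSR-replicated SYSVOL; run locally on the DC from an elevated prompt.

function Get-SysvolRecoveryState {
    $log = 'DFS Replication'

    # Newest "waiting for initial replication" (4614) and "SYSVOL initialized" (4604) events, if any
    $waiting = Get-WinEvent -FilterHashtable @{ LogName = $log; Id = 4614 } -MaxEvents 1 -ErrorAction SilentlyContinue
    $done    = Get-WinEvent -FilterHashtable @{ LogName = $log; Id = 4604 } -MaxEvents 1 -ErrorAction SilentlyContinue

    $waitingTime = if ($waiting) { $waiting.TimeCreated } else { $null }
    $doneTime    = if ($done)    { $done.TimeCreated }    else { $null }

    # Netlogon sets SysvolReady=1 once it is willing to share SYSVOL and NETLOGON
    $params = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
    $ready  = (Get-ItemProperty -Path $params -Name SysvolReady -ErrorAction SilentlyContinue).SysvolReady

    $shared = [bool](Get-SmbShare -Name SYSVOL -ErrorAction SilentlyContinue)

    # Stuck if 4614 was logged and no 4604 has been logged since then
    $stuck = ($null -ne $waitingTime) -and (($null -eq $doneTime) -or ($doneTime -lt $waitingTime))

    [pscustomobject]@{
        Computer            = $env:COMPUTERNAME
        LastWaiting4614     = $waitingTime
        LastInitialized4604 = $doneTime
        SysvolReady         = $ready
        SysvolShared        = $shared
        StuckInInitialSync  = $stuck
    }
}

$state = Get-SysvolRecoveryState
$state | Format-List

if ($state.StuckInInitialSync) {
    Write-Warning ("SYSVOL on {0} is waiting for initial replication. If no other DC can be its source, follow KB 2218556 to make this DC's SYSVOL authoritative." -f $state.Computer)
}
```

Run it on each recovered DC: the first DC you bring back should show StuckInInitialSync as True until you complete the KB 2218556 procedure, and the DCs recovered afterwards should flip to False once they have synchronized from it.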