Active Directory 2003 Backup & Restore

Active Directory 2003 Backup and Restore

TECHNOLOGY INFRASTRUCTURE SERVICES

Author Selvakumar Palanivel


Date of Creation 02 Dec 2005
Email id Selvakumar.palanivel@wipro.com

Wipro Technologies – TIS Page 1 of 13

Table of content

1. Introduction................................................................................................. 3
2. Overview of Active Directory 2003 ................................................................ 3
3. System Components of Active Directory ....................................................... 3
3.1 Domain Controllers (DCs) ................................................................ 4
3.2 Global Catalogs (GCs) ...................................................................... 4
3.3 Operations Masters (OMs)................................................................ 4
4. Active Directory Backup............................................................................... 5
4.1 Contents............................................................................................. 5
4.2 Age .................................................................................................... 6
4.3 Type of Backup ................................................................................. 6
4.4 To backup a domain controller using the W2K3 backup utility....... 7
5. Active Directory Restore .............................................................................. 7
5.1 Restore through re-installation Procedure ........................................ 7
5.2 Restore from Backup ........................................................................ 7
6. Steps to Recover Active Directory Forest ...................................................... 9
7. Post Recovery Steps – Active Directory Forest Restore ............................... 11
Appendix A … To clean up server metadata ............................................... 12
Appendix B … To disable a Global Catalog ................................................ 13
Appendix C … To seize an Operation Master role ...................................... 13
Appendix D … Useful Links ........................................................................ 13


1. Introduction
This document details best practices and procedures for recovering Active Directory
2003 after a forest-wide failure has left all the domain controllers in the forest unable
to function normally.

2. Overview of Active Directory 2003


The Active Directory service is the directory service for Windows Server 2003. It is a core
component of the operating system and provides essential data to both the enterprise
and other components within the OS.
Active Directory provides a central service for administrators to organize network
resources, manage users, computers, and applications.

3. System Components of Active Directory


Although many components make up the Active Directory, this section focuses on the
system components that are relevant when considering the AD restoration plan.


3.1 Domain Controllers (DCs)


Windows 2003 requires domain controllers (DCs) to host a domain database and perform
authentication services. However, under Windows 2003, object changes can be made on
any DC within the environment.
To ensure that all DCs in the environment host a current, synchronized and accurate
version of the directory, DCs are responsible for initiating and performing replication
operations. In addition to this domain information, all of the domain controllers in a
particular forest host a copy of the forest configuration and schema containers.

3.2 Global Catalogs (GCs)


The global catalog’s (GC’s) primary function is to provide fast and efficient searches that
extend across the entire Active Directory forest. A GC holds a full read/write replica of
all objects within the domain for which it is a member, and a partial read-only replica (all
objects but only a partial attribute set) of every other domain within the forest.

3.3 Operations Masters (OMs)


Because Active Directory supports multi-master updates (each DC hosts a writeable version
of its directory partition), it must allow for the possibility of conflicting changes, that
is, changes that are made simultaneously to the same object within the directory but from
different DCs. The conflicts are resolved eventually and all DCs update to the same
value.
However, in some cases it is better to prevent conflicts than to resolve them after the
event. Operations masters (OMs) in Active Directory prevent conflicts in cases where
conflict resolution is inappropriate.
Active Directory defines five Operations Master (OM) roles:
• Per-Forest Roles: Schema master & Domain naming master
• Per-Domain Roles: Relative IDentifier (RID) master, Primary Domain
Controller (PDC) emulator and Infrastructure master

3.3.1 Schema Master

The DC that holds the schema master role is the only DC that can perform write
operations to the directory schema. Those schema updates are replicated from the schema
master to all other domain controllers in the forest.
3.3.2 Domain Naming Master
The DC that houses the domain naming master role is the only DC that:
• Adds new domains to the forest
• Removes existing domains from the forest
• Adds or removes cross-reference objects in external directories

3.3.3 Relative IDentifier (RID) Master


This operations master manages the allocation of RID pools to other DCs. Only one
server performs this task. When a security principal (for example, a user, group, or
computer) is created, it requires that a RID be combined with a domain-wide identifier to
create a unique Security IDentifier (SID).
Every Windows 2003 DC receives a pool of RIDs it can use to create objects. The RID
master ensures unique IDs on every DC by assigning different pools. All object moves
between domains of the same forest are accomplished using the RID master to avoid SID
duplication.
3.3.4 Primary Domain Controller (PDC) Emulator
The PDC emulator provides the following major functions:
• Backward compatibility for clients and servers, allowing NT 4.0 BDCs to
participate in the new Windows 2003 environment.
• Password management. Native Windows 2003 environments replicate password
changes to the PDC emulator first. When a DC fails to authenticate a password
(perhaps as a result of a change that has not yet been replicated to the
authenticating DC), it contacts the PDC emulator to see whether the password can
be authenticated there.
• Time synchronization. The PDCs of the domains within the forest synchronize
with the PDC in the root domain of the forest to ensure accurate time
synchronization.

3.3.5 Infrastructure Master


The infrastructure master ensures the consistency of objects for all inter-domain
operations. When an object from another domain is referenced, the reference contains
the Globally Unique IDentifier (GUID), the Security IDentifier (SID) and the
Distinguished Name (DN) of that object. If the referenced object moves, the DC holding
the infrastructure master role in a domain is responsible for updating the SIDs and DNs in
cross-domain object references.

4. Active Directory Backup


To ensure a successful restore from backup, it is important to know what defines a good
backup. For Active Directory, two things must be considered:

• Contents
• Age

4.1 Contents

The first important aspect of a backup is its contents. A good backup will include at least
the System State, the contents of the system disk, and the SYSVOL folder (if not located
on the system disk).

System State Components

On a Windows 2003 system acting only as a DC (running no services other than those
required for DC operation), system state data encompasses the:
• System Start-up Files (boot files): These are the files required for Windows
Server 2003 to start.
• System registry
• Class registration database of Component Services: The Component Object
Model (COM) is a binary standard for writing component software in a
distributed systems environment.
• SYSVOL: The system volume provides a default Active Directory location for
files that must be shared for common access throughout a domain. The SYSVOL
folder on a domain controller contains:
o NETLOGON shared folders: These usually host user logon scripts and
Group Policy Objects (GPOs).
o User logon scripts: for Windows 2000/XP based clients and clients that
are running Windows 95, Windows 98, or Windows NT 4.0.
o File system junctions
o File Replication Service (FRS): staging directories and files that are
required to be available and synchronized between domain controllers.
• Active Directory: Active Directory includes:
o Ntds.dit: The Active Directory database.
o Edb.chk: The checkpoint file.
o Edb*.log: The transaction logs, each 10 megabytes (MB) in size.
o Res1.log and Res2.log: Reserved transaction logs.

Note: Since Active Directory-integrated DNS is used, the DNS zone data is backed up as
part of the Active Directory database. Also, if Windows Clustering or Certificate Services
are installed on the domain controller, they are also backed up as part of system state.

4.2 Age
If the backup is older than the tombstone age set in Active Directory, then it is not
considered to be a good backup. When an object is deleted in Windows Server 2003, the
DC from which the object was deleted informs the other DCs in the environment about
the deletion by replicating what is known as a tombstone.

A tombstone is a representation of an object that has been deleted but not fully removed
from the directory. The tombstone will eventually be removed based on the tombstone
lifetime setting, which by default is set to 60 days.
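As an added example (not part of the Wipro document), the two "good backup" tests from sections 4.1 and 4.2 as a Python check over a constructed backup catalogue; the forest tombstone lifetime is read from a constructed LDIF export of the Directory Service object, falling back to the 60-day default the document cites when the attribute is unset. The catalogue fields (name, date, contents, sysvol_on_system_disk) are assumptions made for this example.

```python
from datetime import date

# Constructed LDIF export of the forest's Directory Service object. The
# tombstoneLifetime attribute is absent when the forest runs on the default.
DS_OBJECT_LDIF = """\
dn: CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=example,DC=com
objectClass: nTDSService
tombstoneLifetime: 60
"""
DEFAULT_TOMBSTONE_LIFETIME = 60  # days, the default the document cites

# Constructed backup catalogue (assumed layout): 'date' is the backup date,
# 'contents' the items selected in the backup utility.
TODAY = date(2005, 12, 2)
SAMPLE_BACKUPS = [
    {"name": "dc01-oct", "date": date(2005, 10, 1), "sysvol_on_system_disk": True,
     "contents": {"System State", "system disk"}},
    {"name": "dc01-nov", "date": date(2005, 11, 20), "sysvol_on_system_disk": False,
     "contents": {"System State", "system disk", "SYSVOL"}},
    {"name": "dc02-nov", "date": date(2005, 11, 28), "sysvol_on_system_disk": True,
     "contents": {"system disk"}},  # System State was never selected
]


def tombstone_lifetime_days(ldif_text):
    """Return the forest tombstoneLifetime in days, or the default if unset."""
    for line in ldif_text.splitlines():
        key, _, value = line.partition(":")
        if key.strip().lower() == "tombstonelifetime" and value.strip():
            return int(value)
    return DEFAULT_TOMBSTONE_LIFETIME


def check_backup(backup, today, tombstone_lifetime):
    """Return the reasons the backup is not 'good'; an empty list means it passes."""
    problems = []
    required = {"system state", "system disk"}
    if not backup["sysvol_on_system_disk"]:
        required.add("sysvol")  # SYSVOL must then be selected separately
    missing = required - {c.lower() for c in backup["contents"]}
    if missing:
        problems.append("missing " + ", ".join(sorted(missing)))
    age = (today - backup["date"]).days
    # Reject at or beyond the lifetime: on the boundary day garbage
    # collection may already have removed tombstones the backup still holds.
    if age >= tombstone_lifetime:
        problems.append(f"age {age} days >= tombstone lifetime {tombstone_lifetime}")
    return problems


def newest_good_backup(backups, today, tombstone_lifetime):
    """Name the most recent backup that passes both tests, or None."""
    good = [b for b in backups if not check_backup(b, today, tombstone_lifetime)]
    return max(good, key=lambda b: b["date"])["name"] if good else None
```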

4.3 Type of Backup

The only type of backup supported by Active Directory is normal. A normal backup
creates a backup of the entire system while the domain controller is online. When
backing up Active Directory using a normal backup, the backup utility will automatically
back up all of the system components and all of the distributed services upon which
Active Directory is dependent. This dependent data, which includes Active Directory, is
known collectively as the system state.

4.4 To back up a domain controller using the W2K3 backup utility

1. Click Start, point to All Programs, point to Accessories, point to System Tools, and
then click Backup to start the Backup Utility Wizard.
2. Click Advanced Mode in the Backup Utility Wizard.
3. On the Backup tab, select the check box for any drive, folder, or file that you want to
back up.
4. Select the System State check box.

This will back up the System State data along with any other data you have selected
for the current backup operation.

5. Active Directory Restore


There are two primary methods for restoring a Windows Server 2003 DC:

• Restore through re-installation.


• Restore from backup.

5.1 Restore through re-installation Procedure

Re-installing a domain controller is equivalent to building a new domain controller. This
method is valid only if a healthy domain controller exists in the same domain.

1. Clean up server metadata to remove the NTDS Settings object of the failed
domain controller. The metadata cleanup procedure is explained in Appendix A.
2. Install the Windows 2003 operating system.
3. Promote the server to a domain controller in the domain it belongs to by using
DCPROMO.
4. Verify the Active Directory installation.

5.2 Restore from Backup

When you restore Active Directory from backup, you have three further options:

• Non-Authoritative Restore
• Authoritative Restore
• Primary Restore


Non-Authoritative Restore

What is it?
• Restore to known good point using Ntbackup
• Reboot into Active Directory mode to sync changes

When to use
• Recover from hardware failure
• Return to known good state on single domain controller

Options
• Rebuild server from scratch. Re-run Dcpromo.
• Restore machine to a known good point and sync deltas.

Authoritative Restore

What is it?
• Restore to known good point using Ntbackup
• Make objects on reference domain controller as “master copy” for Active
Directory
When to use
• Accidental deletion or modification of objects or containers in the Active
Directory
• Corruption of objects/attributes in the directory
Options
• Find a good domain controller that has the objects and make it
authoritative
• Restore from a backup that contains the objects and make it authoritative

Primary Restore

What is it?
• Restore to known good point using Ntbackup
• Make objects on reference domain controller as “master copy” for Active
Directory
When to use
• Restoring the first of several domain controllers
• The DC being restored is the only DC in the domain
Options
• Mark the restored data as the primary data for all replicas


6. Steps to Recover Active Directory Forest


It is assumed that all the domain controllers in the Active Directory forest are not
functional at this point.

1. Determine the roles of the domain controllers in the domain and select the single
domain controller that has the latest backup.
2. Switch off all other domain controllers, or disconnect their network connectivity,
to avoid replication.
3. Install the Windows 2003 operating system.
4. Reboot the server into Directory Services Restore Mode by pressing the F8 key during
system startup.
5. Log in as Administrator.
6. Run the Windows 2003 backup utility and select the Restore Wizard button.

7. Select the appropriate backup location and ensure that at least the system disk and
system state are checked.


8. Click the Advanced button, make sure you are restoring junctions, and mark the
restored data as the primary data for all replicas, because this is the first DC in the
domain.


9. Click Finish. Once the restore completes, click No when prompted to restart, and
close the backup application.
10. Open a command prompt and type ntdsutil, and press enter
11. At the next prompt, type authoritative restore and press enter
12. At the next prompt, type restore database
13. At the “Authoritative Restore Confirmation Dialog” box, click OK
14. Type “Quit” and restart the server.

7. Post Recovery Steps – Active Directory Forest Restore

1. If Active Directory uses integrated DNS, a local DNS service needs to be
installed and running on the restored DC. The server should be configured with its
own IP address as its preferred DNS server. This is the first DNS server in the forest.

2. If the restored DC is enabled as a global catalog, disable the global catalog
flag. The procedure is explained in Appendix B.

3. Seize the domain-level Operations Master (FSMO) roles to the restored DC.

4. Starting with the forest root DC, introduce the restored DCs to the network.
5. Install Active Directory on the remaining DCs in the forest using the Active
Directory Installation Wizard.


Appendix A … To clean up server metadata


Open a command prompt.

Type the following command, and then press ENTER: ntdsutil

At the ntdsutil: prompt, type: metadata cleanup

Perform metadata cleanup as follows (Server, SiteNumber, DomainNumber and ServerNumber
are the values for the failed DC, taken from the list commands):

1. At the metadata cleanup: prompt, type: connections

2. At the server connections: prompt, type: connect to server Server

3. At the server connections: prompt, type: quit

4. At the metadata cleanup: prompt, type: select operation target

5. At the select operation target: prompt, type: list sites

6. At the select operation target: prompt, type: select site SiteNumber

7. At the select operation target: prompt, type: list domains in site

8. At the select operation target: prompt, type: select domain DomainNumber

9. At the select operation target: prompt, type: list servers in site

10. At the select operation target: prompt, type: select server ServerNumber

11. At the select operation target: prompt, type: quit

12. At the metadata cleanup: prompt, type: remove selected server

At this point, Active Directory confirms that the domain controller was removed
successfully. If you receive an error message that indicates that the object cannot be
found, Active Directory might have already removed the domain controller.

13. At the metadata cleanup: and ntdsutil: prompts, type quit.


Appendix B … To disable a Global Catalog


1. Click Start, click Control Panel, double-click Administrative Tools, and then
double-click Active Directory Users and Computers.
2. In the console tree, double-click the DC where you want to enable or disable the
global catalog.
3. Right-click NTDS Settings and then click Properties.
4. Clear the Global Catalog check box.

Appendix C … To seize an Operation Master role


1. At a command prompt, type: ntdsutil
2. At the ntdsutil prompt, type: roles
3. At the FSMO maintenance prompt, type: connections
4. At the server connections prompt, type: connect to server ServerFQDN
5. At the server connections prompt, type: quit
6. At the FSMO maintenance prompt, type: seize OperationsMaster

Where OperationsMaster is the type of operations masters you want to seize, for
example: seize schema master

Appendix D … Useful Links


1. http://support.microsoft.com/default.aspx?scid=kb;en-us;839879

2. http://www.windowsnetworking.com/kbase/WindowsTips/Windows2000/AdminTips
/ActiveDirectory/ActiveDirectoryDisasterRecovery.html

3. http://support.microsoft.com/?id=263532
