Active Directory Disaster Recovery

1. Single object recovery – Active Directory Recycle Bin

Single object recovery is achieved through the Active Directory Recycle Bin, which is enabled throughout the domain. A deleted object can be restored from the Recycle Bin for 180 days after deletion. After that time the object can no longer be restored; it stays in Active Directory as a permanently deleted object for 180 days and is then purged.

To restore an object from the Recycle Bin you can use either the PowerShell command line or the Active Directory Administrative Centre (ADAC).

1.1 PowerShell

This command queries AD for all deleted objects and lists all of their attributes:

Get-ADObject -Filter 'isDeleted -eq $true -and name -ne "Deleted Objects"' -IncludeDeletedObjects -Properties *

This command lists all deleted objects with a subset of the more useful attributes:

Get-ADObject -Filter 'isDeleted -eq $true -and name -ne "Deleted Objects"' -IncludeDeletedObjects -Properties * | Format-List sAMAccountName, displayName, lastKnownParent

This command restores the object whose username matches SaraDavis back to its original container:

Get-ADObject -Filter 'sAMAccountName -eq "SaraDavis"' -IncludeDeletedObjects | Restore-ADObject
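The three commands above as one script, added here as an example and not part of the original post: it checks that the Recycle Bin feature is actually enabled, lists only the objects still inside the restore window (deleted but not yet recycled), and restores one object by sAMAccountName, refusing to proceed when the match is ambiguous or when the original parent container was deleted too. 'SaraDavis' is the page's sample account; the function names, the -TargetPath handling and the use of an LDAP filter are this example's own choices.

```powershell
# Added example (not from the original post): Recycle Bin check, listing and single-object
# restore. 'SaraDavis' is the page's sample account; everything else here is assumed.
Import-Module ActiveDirectory

function Test-ADRecycleBinEnabled {
    # Restore-ADObject only brings an object back with its attributes if the feature is enabled.
    $feature = Get-ADOptionalFeature -Filter 'name -eq "Recycle Bin Feature"'
    return ($feature -and $feature.EnabledScopes)
}

function Get-RestorableADObject {
    # isDeleted objects that are not yet isRecycled are still inside the 180-day window.
    Get-ADObject -LDAPFilter '(&(isDeleted=TRUE)(!(isRecycled=TRUE)))' -IncludeDeletedObjects `
        -Properties sAMAccountName, displayName, lastKnownParent, whenChanged |
        Where-Object { $_.Name -ne 'Deleted Objects' } |
        Sort-Object whenChanged -Descending
}

function Restore-DeletedADObject {
    param(
        [Parameter(Mandatory)] [string] $SamAccountName,
        [string] $TargetPath   # only needed when the original parent container is itself deleted
    )
    if (-not (Test-ADRecycleBinEnabled)) {
        throw 'The Active Directory Recycle Bin is not enabled in this forest.'
    }
    $candidates = @(Get-ADObject -LDAPFilter "(&(sAMAccountName=$SamAccountName)(isDeleted=TRUE)(!(isRecycled=TRUE)))" `
        -IncludeDeletedObjects -Properties lastKnownParent)
    if ($candidates.Count -ne 1) {
        throw "Expected exactly one restorable object for $SamAccountName, found $($candidates.Count)."
    }
    $obj = $candidates[0]
    # A parent deleted in the same incident carries '\0ADEL:' in its DN: restore it first,
    # or put the object somewhere else with -TargetPath.
    if ($obj.lastKnownParent -like '*0ADEL:*' -and -not $TargetPath) {
        throw "Original container $($obj.lastKnownParent) is deleted too; restore it first or pass -TargetPath."
    }
    if ($TargetPath) {
        Restore-ADObject -Identity $obj.ObjectGUID -TargetPath $TargetPath -PassThru
    } else {
        Restore-ADObject -Identity $obj.ObjectGUID -PassThru
    }
}

Get-RestorableADObject | Format-Table sAMAccountName, displayName, lastKnownParent, whenChanged -AutoSize
Restore-DeletedADObject -SamAccountName 'SaraDavis'
```

Filtering on isRecycled as well as isDeleted matters because a recycled object still answers to an isDeleted query but has been stripped of almost all attributes, so restoring it would produce an empty shell rather than the original user.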

1.2 Active Directory Administrative Centre

You can also use ADAC to restore deleted objects. Open ADAC from a Windows 8 client computer under a privileged user account. Locate the Deleted Objects container in the tree and search for the object you wish to restore. From the Tasks menu select Restore (to the original container) or Restore To and choose the container the object should be restored to.


2. Compare previous versions – Active Directory snapshots

Active Directory snapshots can be used to compare the current Active Directory database with a previous version of the database. This is useful for viewing attributes that were changed inadvertently, which can then be restored if required.

Two scheduled tasks are configured on DC1.DOMAIN.INT and DC2.DOMAIN.INT: one takes a weekly snapshot every Sunday and a second deletes the earliest snapshot so that the most recent four are kept. Two domain controllers in separate sites are used to cover the event of a DC failure. Snapshots are stored locally on the DC that took them and do not replicate.

Name: AD Snapshot
Schedule: At 22:15 every Sunday of every week, starting 08/09/2013
Action: Start a program

C:\Windows\System32\ntdsutil.exe "activate instance ntds" snapshot create quit quit

Account: Domain\svcAD.Backup

Name: Delete AD Snapshot
Schedule: At 22:45 every Sunday of every week, starting 06/10/2013
Action: Start a program

C:\Windows\System32\ntdsutil.exe "activate instance ntds" snapshot delete 1 quit quit

Account: domain\svcAD.Backup

To mount a snapshot, take the following steps on one of the domain controllers where snapshots are taken.

1. Log on to a domain controller as a member of the Enterprise Admins group or the Domain Admins group.

2. Click Start, right-click Command Prompt, and then click Run as administrator.

3. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.

4. At the elevated command prompt, type the following command, and then press ENTER.

ntdsutil.exe "activate instance ntds" snapshot "list all"

5. You should see all the snapshots on the domain controller and the date and time each was taken. To mount a snapshot, type the following command and then press ENTER.

mount x

Where x is the snapshot number you want to mount (from the list produced in step 4: the row prefixed with the date).

6. Quit out of ntdsutil by typing quit twice.

7. At the elevated command prompt, type the following command, and then press ENTER. Be sure to include a space between the name of the parameter and the value that you specify.

dsamain /dbpath <path_to_database_file> /ldapport <port_#>

If you plan to view the snapshot data on a domain controller, specify ports that are different from the ports that the domain controller will use. For example, type:

dsamain /dbpath C:\$SNAP_200704181137_VOLUMED$\WINDOWS\NTDS\ntds.dit /ldapport 51389

A message indicates that Active Directory Domain Services startup is complete.

8. Launch Active Directory Users and Computers

9. Right-click the domain and select Change Domain Controller

10. Enter localhost:51389 and click OK


Active Directory Users and Computers will now be focused on the snapshot of AD.
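The same comparison from the command line, added here as an example that is not part of the original post. The Active Directory PowerShell cmdlets talk to the AD Web Service, which a dsamain instance does not provide, so this uses System.DirectoryServices (plain LDAP) against both the live DC and the snapshot mounted on localhost:51389 (the port used in step 7) and reports only the attributes that differ. The property list, the function names and the sample account are this example's assumptions.

```powershell
# Added example (not from the original post): diff one user's attributes between the live
# directory and a dsamain-mounted snapshot. Property list and account name are assumed.

function Get-LdapUserProperties {
    param(
        [Parameter(Mandatory)] [string]   $Server,          # host, or host:port for the snapshot
        [Parameter(Mandatory)] [string]   $SamAccountName,
        [Parameter(Mandatory)] [string[]] $Properties
    )
    # RootDSE tells us the domain naming context of whichever instance we are bound to.
    $rootDse  = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$Server/RootDSE")
    $baseDn   = $rootDse.Properties['defaultNamingContext'].Value
    $base     = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$Server/$baseDn")
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($base)
    $searcher.Filter = "(&(objectCategory=person)(sAMAccountName=$SamAccountName))"
    [void]$searcher.PropertiesToLoad.AddRange($Properties)
    $result = $searcher.FindOne()
    if (-not $result) { throw "$SamAccountName not found on $Server" }

    $values = @{}
    foreach ($p in $Properties) {
        # Multi-valued attributes (memberOf, proxyAddresses) are flattened to a sorted list so
        # that ordering differences between the two instances do not show up as changes.
        $values[$p] = (@($result.Properties[$p.ToLower()]) | Sort-Object) -join ';'
    }
    return $values
}

function Compare-ADUserWithSnapshot {
    param(
        [Parameter(Mandatory)] [string] $SamAccountName,
        [string]   $LiveServer     = 'localhost',
        [string]   $SnapshotServer = 'localhost:51389',
        [string[]] $Properties     = @('distinguishedName', 'displayName', 'description', 'mail',
                                       'memberOf', 'userAccountControl', 'proxyAddresses')
    )
    $live = Get-LdapUserProperties -Server $LiveServer     -SamAccountName $SamAccountName -Properties $Properties
    $snap = Get-LdapUserProperties -Server $SnapshotServer -SamAccountName $SamAccountName -Properties $Properties
    foreach ($p in $Properties) {
        if ($live[$p] -ne $snap[$p]) {
            [pscustomobject]@{ Attribute = $p; Snapshot = $snap[$p]; Live = $live[$p] }
        }
    }
}

# Prints one row per attribute that changed since the snapshot was taken.
Compare-ADUserWithSnapshot -SamAccountName 'SaraDavis' | Format-Table -AutoSize
```

Run it from the elevated prompt on the DC while dsamain is still running; once you have identified the changed attribute, the Snapshot column is the value to put back with Set-ADUser or Set-ADObject against the live directory.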

2.1 Unmounting the snapshot

When you are ready to disconnect and unmount the snapshot, take the following steps:

1. From the dsamain command window press CTRL+C to close the connection; you should see confirmation that Active Directory Domain Services shut down successfully

2. Type the following command and press ENTER

ntdsutil.exe "activate instance ntds" snapshot "list all" "unmount 1" quit quit

3. GPO Restore and compare

All Group Policy Objects are backed up weekly by a PowerShell scheduled task that runs on DC1.DOMAIN.INT, detailed below. The backup can be used to view a GPO's previous settings and identify which changes have been made, or to recover an entire GPO to a previous version.

Name: GPO Backup
Schedule: At 15:29 every Sunday of every week, starting 27/03/2013
Action: Start a program

Account: domain\svcAD.Backup

The PowerShell script called from run.bat is gpobackup.ps1, in the same folder:

# Load the modules that provide the AD cmdlets and Backup-GPO.
Import-Module ActiveDirectory
Import-Module GroupPolicy

# One subfolder per run, named with the date (dd-MM-yy) the backup was taken.
$foldername = (Get-Date).ToString("dd-MM-yy")

New-Item -ItemType Directory -Path \\\services$\ad\gpobackup -Name $foldername

# Back up every GPO in the domain into the dated subfolder.
Backup-GPO -All -Path "\\\services$\ad\gpobackup\$foldername"

The script creates a copy of all the group policies and stores them under a subfolder of \\\services$\ad\gpobackup named with the date the backup was taken. Looking in that folder you will only see a GUID-named folder for each group policy backup.
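Because the dated folder only shows GUIDs, finding the right backup means reading the manifest that Backup-GPO writes into each GUID folder. The script below is an added example, not part of the original post or of gpobackup.ps1: it picks the newest dated folder under the page's share path, lists which GPO each GUID folder holds, and restores one GPO by name with Restore-GPO. The manifest element names read from bkupInfo.xml, the function names and the 'Default Domain Policy' GPO name are this example's assumptions.

```powershell
# Added example (not from the original post): inventory a dated GPO backup folder and
# restore one GPO from it. Manifest element names and the GPO name are assumptions.
Import-Module GroupPolicy

function Get-GpoBackupFolder {
    # Newest dated subfolder (dd-MM-yy, as written by gpobackup.ps1) unless a date is given.
    param([Parameter(Mandatory)] [string] $BackupRoot, [string] $Date)
    $culture = [System.Globalization.CultureInfo]::InvariantCulture
    $folders = Get-ChildItem -Path $BackupRoot -Directory |
        Where-Object { $_.Name -match '^\d{2}-\d{2}-\d{2}$' } |
        Sort-Object { [datetime]::ParseExact($_.Name, 'dd-MM-yy', $culture) } -Descending
    if ($Date) { $folders = $folders | Where-Object Name -eq $Date }
    if (-not $folders) { throw "No backup folder found under $BackupRoot" }
    return ($folders | Select-Object -First 1).FullName
}

function Get-GpoBackupManifest {
    # Each GUID-named subfolder is one GPO backup: bkupInfo.xml says which GPO it came from,
    # gpreport.xml holds the settings as they were at backup time (what GPMC's View Settings shows).
    param([Parameter(Mandatory)] [string] $BackupFolder)
    foreach ($dir in Get-ChildItem -Path $BackupFolder -Directory) {
        $manifest = Join-Path $dir.FullName 'bkupInfo.xml'
        if (-not (Test-Path $manifest)) { continue }
        $xml = [xml](Get-Content -Path $manifest -Raw)
        [pscustomobject]@{
            DisplayName = $xml.GetElementsByTagName('GPODisplayName').Item(0).InnerText
            GpoGuid     = $xml.GetElementsByTagName('GPOGuid').Item(0).InnerText
            BackupTime  = $xml.GetElementsByTagName('BackupTime').Item(0).InnerText
            BackupId    = $dir.Name
            Report      = Join-Path $dir.FullName 'gpreport.xml'
        }
    }
}

function Restore-GpoFromBackup {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $Name,
        [Parameter(Mandatory)] [string] $BackupFolder
    )
    $entry = Get-GpoBackupManifest -BackupFolder $BackupFolder | Where-Object DisplayName -eq $Name
    if (-not $entry) { throw "No backup of '$Name' in $BackupFolder" }
    if ($PSCmdlet.ShouldProcess($Name, "Restore from backup $($entry.BackupId) taken $($entry.BackupTime)")) {
        # Restore-GPO overwrites the live GPO (or recreates it if it was deleted) from the backup.
        Restore-GPO -Name $Name -Path $BackupFolder
    }
}

$folder = Get-GpoBackupFolder -BackupRoot '\\\services$\ad\gpobackup'
Get-GpoBackupManifest -BackupFolder $folder | Format-Table DisplayName, BackupTime, BackupId -AutoSize
Restore-GpoFromBackup -Name 'Default Domain Policy' -BackupFolder $folder -WhatIf
```

Drop -WhatIf to perform the restore. Opening the Report path from the manifest listing in a browser gives the settings as they were on that date, which is the quickest way to see what changed before deciding whether a full restore of the GPO is warranted.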

3.1 To restore a GPO

1. Launch Group Policy Management Console

2. In the tree, right-click Group Policy Objects and select Manage Backups

3. In the backup location, point the path at the backup folder that contains the GPO backup you want to restore

4. You can now restore, delete or view the settings of the backed up GPO


4. FSMO recovery

The five FSMO roles all run on a single domain controller. In the event of a catastrophic failure of this domain controller the roles will need to be seized manually by another domain controller. To do this, follow these steps from the domain controller that will take the roles.

1. Open an administrative command prompt on the domain controller you are seizing the roles to

2. Type the following commands, pressing ENTER after each command




Connect to server XXXX (where XXXX is the server you are seizing the roles to)


Seize schema master

Seize infrastructure master

Seize naming master

Seize PDC

Seize RID master



3. The FSMO roles will now have been transferred to the new domain controller
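The PowerShell equivalent of the ntdsutil seizure above, added here as an example that is not part of the original post. Move-ADDirectoryServerOperationMasterRole first attempts a clean transfer and, with -Force, seizes the role when the current holder cannot be contacted; the script records the holders before and after and warns if an old holder still answers on the network, since a reachable holder should be transferred from, not seized from. The target DC name is a placeholder; the function names are this example's own.

```powershell
# Added example (not from the original post): seize all five FSMO roles with the AD module.
# The DC name is a placeholder.
Import-Module ActiveDirectory

function Get-FsmoRoleHolders {
    $forest = Get-ADForest
    $domain = Get-ADDomain
    [pscustomobject]@{
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        PDCEmulator          = $domain.PDCEmulator
        RIDMaster            = $domain.RIDMaster
        InfrastructureMaster = $domain.InfrastructureMaster
    }
}

function Invoke-FsmoSeizure {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)] [string] $TargetDC)   # FQDN, as Get-ADDomain reports holders

    $holders = Get-FsmoRoleHolders
    $oldHolders = $holders.PSObject.Properties.Value | Sort-Object -Unique
    # A holder that still answers should have the roles transferred, not seized: a seized
    # holder must never be brought back online with its old database.
    foreach ($h in $oldHolders) {
        if ($h -ne $TargetDC -and (Test-Connection -ComputerName $h -Count 1 -Quiet)) {
            Write-Warning "$h still answers on the network; use a transfer (no -Force) unless it is known to be unrecoverable."
        }
    }
    $roles = 'SchemaMaster', 'DomainNamingMaster', 'PDCEmulator', 'RIDMaster', 'InfrastructureMaster'
    if ($PSCmdlet.ShouldProcess($TargetDC, "Seize roles: $($roles -join ', ')")) {
        # -Force = try to transfer first, seize if the current holder is unreachable.
        Move-ADDirectoryServerOperationMasterRole -Identity $TargetDC -OperationMasterRole $roles -Force -Confirm:$false
    }
    Get-FsmoRoleHolders   # holders after the operation, for the change record
}

Invoke-FsmoSeizure -TargetDC 'dc2.domain.int' -WhatIf
```

Run with -WhatIf first to see the before picture, then without it. Afterwards the failed DC must be removed with metadata cleanup (section 5.8) rather than repaired and reconnected, because two DCs claiming the same role is worse than a missing one.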

5. Active Directory Restore

5.1 Active Directory Restore Password

The Directory Services Restore Mode (DSRM) account is used whenever an AD restore needs to be performed. To keep all domain controllers in sync with the most up-to-date DSRM password, a scheduled task is assigned to each domain controller through a Group Policy linked to the Domain Controllers OU. The task runs the command line below to sync the DSRM password from a disabled Active Directory account. The account used is svcDSRM.Password and its password is stored in the password database. Task details are specified below:

Name: DSRM Password Sync
Schedule: Every day at 22:00
Action: Start a program



"set dsrm password" "sync from domain account svcDSRM.Password" q q

Account: domain\svcAD.Backup

5.2 Non-authoritative restore

A non-authoritative restore is normally done when a change was made inadvertently on a domain controller and you need to roll that domain controller back to the state before the change occurred. This only works if the change has not replicated to any other domain controller. For example, if an OU was accidentally deleted on DC1 and that change had not replicated to any other DC, you would perform a non-authoritative restore.

All domain controllers run a full system backup, including system state, using DPM on a daily basis. Follow these steps to perform a non-authoritative restore of Active Directory.

5.3 DPM Restore process

1. Log into the DPM Console from the DPM server with a privileged account

2. Select the restore tab and locate the server backup you want to restore by selecting the server and the date the backup was taken then click recover

3. Click Next on 'Review recovery selection' and then select Copy to a network folder

4. Click browse and select a network path to restore the backup to – this can be any server with a share that DPM can restore the flat files to

5. Select Apply the security settings of the recovery point version and click next

6. Confirm the settings and click recover

Boot to directory restore mode

1. Boot the server to be recovered in Directory Restore Mode by pressing F8 at start-up

2. Login with the DSRM password for that domain controller

7. Launch Windows Backup from the domain controller you booted into restore mode and select to recover from the actions pane

8. Select Backup stored on another location and then select remote shared folder and browse to the restored backup location you saved the restore to in step 4

9. Select the restore point from the backup you selected and then select to restore the system state

10. Select Original location and choose not to perform an authoritative restore

11. Click OK to both warnings that occur and wait for the restore process to complete

12. Once prompted restart the computer

13. Once the server has rebooted you should see a confirmation of the successful restore operation and the domain controller will start to synchronise data back from other domain controllers in the domain

5.4 Full and partial Authoritative restore

You may need to perform a partial authoritative restore of Active Directory to bring back objects that were accidentally deleted or corrupted, or to revert to a previous version of AD after a configuration change. You cannot revert to a previous version of the schema without a full Active Directory forest recovery. If the entire directory is corrupt you need a full authoritative restore.

There are two options for a partial authoritative restore.

a. Find a domain controller that still has the objects you want to restore (i.e. one that has not yet replicated with the domain controller where the objects were deleted or corrupted)

b. Restore from a backup

Both options require the domain controller to be started in Directory Restore Mode. If you are restoring from a backup, follow the steps in the non-authoritative restore section of this document but do not restart the server once the restore is complete.

Once the domain controller is in DSRM (and has been restored from backup if required), take the following steps.

Type the following at an administrative command prompt, pressing ENTER after each command:


Activate Instance ntds

Authoritative restore

Restore object OU=users,dc=domain,dc=int

To perform a full authoritative restore of the domain controller database, run the following commands, pressing ENTER after each (note this is not the preferred option; where possible the partial authoritative restore should be used):


Activate Instance ntds

Authoritative restore

Restore database

5.5 Full forest recovery

A full forest recovery needs to be performed when you have no working domain controller and the entire forest is corrupt. You must ensure that all other possible recovery avenues have been covered before commencing with a forest restore. You should also ensure you understand what the cause of the issue was prior to commencing the restore process.

This process only covers the restore of the key Active Directory services, AD and DNS; it does not cover restoring other services that run on DCs, such as DHCP, nor any specific steps for recovering from a compromised forest where password hashes may have been stolen.

Since Windows Server 2008 it is not supported to recover a system state backup onto a new installation of Windows, whether on the same or on different hardware.

You need to select a backup that is recent enough but does not contain the corruption that led to the restore.

It is recommended that the restore process is completed in an isolated environment from which network connectivity cannot reach the production networks. This is especially important if your AD is still working but you need to roll back a failed schema change.

You need to perform a full non-authoritative restore of Active Directory and then mark SYSVOL as authoritative. The domain controller being restored must be a fully writable DC and preferably not a FSMO role holder. If it is a global catalog, the GC role will need to be removed and reinstated after the restore.

5.6 Restore from DPM

1. Follow the recovery process specified in the DPM restore process above

2. Share the restored folder, making the parent folder of WindowsImageBackup the shared folder

3. Boot the server you will be restoring the backup to from the matching OS DVD and select Repair your computer. This needs to be an identical server in terms of hardware. If using Hyper-V, ensure the NIC used to boot the server is a legacy NIC; you can change this to a normal NIC once the restore process is complete

4. Select Restore your computer using a system image that you created earlier and click Next

5. Click Cancel at the 'Windows cannot find a system image on this computer' warning

6. Click Select system image, then click Advanced and choose Search for a system image on the network, clicking Yes to any warnings. Type in the UNC path of the shared location the backup was restored to and supply a username and password that can access the share.

7. You can now select the correct backup from those located and wait for the system to restore

8. You now need to perform a non-authoritative restore of the system state following the steps in sections 5.2 and 5.3

5.7 Reconfigure the restored domain controller

Once the restore process is complete you need to reconfigure the domain controller.

1. If the restored domain controller was also a FSMO role holder, add the following registry value to the server and restart it once added.

HKLM\System\CurrentControlSet\Services\NTDS\Parameters\Repl Perform Initial Synchronizations

REG_DWORD, value 0

You can change this back to 1 once the restore process is fully complete.

2. If you believe the restore was necessary because Active Directory was compromised by a malicious attack, all administrator credentials should be reset

3. You need to seize all the FSMO roles to the newly restored domain controller – follow the steps in section 4 to accomplish this

4. Clean up all the metadata relating to the other DCs in the environment, following the steps in the metadata cleanup section below

5. Delete the name server entries for the other domain controllers (following metadata cleanup) from the DNS _msdcs zone and ensure all SRV records for the other DCs have been removed

6. Raise the RID pool by 100,000 using the steps in the Increase RID Pool section

7. Reset the computer account password and the krbtgt password twice using the steps in the Resetting Key Passwords section

8. Remove the Global Catalog flag from the DC in Active Directory Sites and Services; you can re-enable it once the restore process is complete

9. Reboot the domain controller and verify Active Directory has restarted correctly and the server is advertising as a domain controller

10. (DO NOT DO THIS STEP IN A TEST SCENARIO) Reconnect the server to the production network and verify server and client communication with active directory

11. Promote new domain controllers to provide the correct site topology
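Steps 1, 8 and 9 of the list above as a script run on the restored DC, added here as an example and not part of the original runbook. The registry value name is the one the list gives; the global catalog flag is bit 1 of the options attribute on the DC's NTDS Settings object, which is what the Sites and Services checkbox toggles. The function names are this example's own, and it takes the computer name from the machine it runs on.

```powershell
# Added example (not from the original runbook): initial-sync registry value, GC flag and
# advertising check for the restored DC. Runs on the DC itself; function names are assumed.
Import-Module ActiveDirectory
$ntdsParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'

function Set-InitialSyncRequirement {
    param([Parameter(Mandatory)] [ValidateSet(0, 1)] [int] $Value)
    # 0 lets a restored FSMO holder start AD DS without first finding a replication partner
    # (there is none yet after a forest recovery); set it back to 1 when recovery is complete.
    Set-ItemProperty -Path $ntdsParams -Name 'Repl Perform Initial Synchronizations' -Value $Value -Type DWord
    return (Get-ItemProperty -Path $ntdsParams).'Repl Perform Initial Synchronizations'
}

function Set-GlobalCatalogFlag {
    param([Parameter(Mandatory)] [bool] $Enabled)
    $dc   = Get-ADDomainController -Identity $env:COMPUTERNAME
    $ntds = Get-ADObject -Identity $dc.NTDSSettingsObjectDN -Properties options
    # Bit 1 of the NTDS Settings 'options' attribute marks the DC as a global catalog.
    $current = [int]$ntds.options
    $new = if ($Enabled) { $current -bor 1 } else { $current -band (-bnot 1) }
    if ($new -ne $current) { Set-ADObject -Identity $ntds -Replace @{ options = $new } }
    return (($new -band 1) -eq 1)
}

function Test-DcAdvertising {
    # After the reboot the DC should advertise itself; dcdiag's advertising test reports this.
    $output = & dcdiag.exe /test:advertising /s:$env:COMPUTERNAME
    return [bool]($output -match 'passed test Advertising')
}

Set-InitialSyncRequirement -Value 0          # step 1 (revert to 1 when recovery is finished)
Set-GlobalCatalogFlag -Enabled $false        # step 8 (re-enable once recovery is finished)
# After the restart required by steps 1 and 9:
# Test-DcAdvertising
```

Keep the two calls that undo these changes (Set-InitialSyncRequirement -Value 1 and Set-GlobalCatalogFlag -Enabled $true) in the recovery checklist; a DC left with initial synchronisation disabled will happily start with a stale database on every future boot.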

5.8 Metadata cleanup

You can use Active Directory Users and Computers to delete the AD DC object from the Domain Controllers OU. This will clear up all the associated metadata for that domain controller.

5.9 Increase RID Pool

  1. Start LDP with administrative rights
  2. -> Connection -> Connect
  3. Enter the FQDN of the RID Master FSMO or leave it blank if LDP is run on the RID Master FSMO
  4. Port = 389, Connectionless = unchecked, SSL = unchecked
  5. Click OK
  6. -> Connection -> Bind
  7. Enter a user account with at least domain admin permission and its password and its domain OR leave all blank if the logged on credentials have domain admins permissions
  8. Click OK
  9. -> View -> Tree
  10. Enter the DN of the domain NC for which you want to increase the domain RID pool OR leave blank to use the DN of the domain you are logged on to
  11. Click OK
  12. Navigate to CN=RID Manager$,CN=System,DC=<DOMAIN>,DC=<TLD>
  13. Double-click CN=RID Manager$,CN=System,DC=<DOMAIN>,DC=<TLD>
  14. Right-click CN=RID Manager$,CN=System,DC=<DOMAIN>,DC=<TLD> and select Modify
  15. In the right screen copy the NAME of the attribute called rIDAvailablePool and insert that into field called “attribute:”
  16. In the right screen copy the VALUE of the attribute called rIDAvailablePool (e.g. 4611686014132422714) ADD the value YOU want to increase (e.g. 100000) and insert the total result (e.g. 4611686014132522714) into the field called “values:” (NB: if you are using windows calculator make sure it is in scientific mode)
  17. For the operation check REPLACE
  18. Click on ENTER
  19. On the "Entry List" you should see something like: "[Replace]rIDAvailablePool: 4611686014132522714" (without quotes)
  20. Check “Synchronous”
  21. Uncheck “Extended”
  22. Click on RUN
  23. Click on CLOSE
  24. Check the result on the right window. You should see something like:

***Call Modify...
ldap_modify_s(ld, 'CN=RID Manager$,CN=System,DC=<DOMAIN>,DC=<TLD>',[1] attrs);
Modified "CN=RID Manager$,CN=System,DC=<DOMAIN>,DC=<TLD>".

  25. Close LDP

The rIDAvailablePool is now increased.
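The same change with the AD module instead of LDP, added here as an example that is not part of the original runbook. rIDAvailablePool is a 64-bit value: the upper 32 bits hold the highest RID the domain may issue and the lower 32 bits hold the next RID to be handed out, so adding 100,000 to the whole value only moves the lower half. The page's own numbers decode to next RID 2106 before and 102106 after. The function names are this example's own; the DN is built from the domain the script runs in.

```powershell
# Added example (not from the original runbook): read, decode and raise rIDAvailablePool
# on the RID master. Function names are assumed; values follow the page's LDP walkthrough.
Import-Module ActiveDirectory

function Get-RidPool {
    param([string] $Server = (Get-ADDomain).RIDMaster)
    $dn   = 'CN=RID Manager$,CN=System,' + (Get-ADDomain -Server $Server).DistinguishedName
    $obj  = Get-ADObject -Identity $dn -Properties rIDAvailablePool -Server $Server
    $pool = [uint64]$obj.rIDAvailablePool
    [pscustomobject]@{
        Server  = $Server
        DN      = $dn
        Raw     = $pool
        MaxRid  = [uint32]($pool -shr 32)                    # upper half: ceiling of issuable RIDs
        NextRid = [uint32]($pool -band [uint64]4294967295)   # lower half: next RID to allocate
    }
}

function Invoke-RidPoolIncrease {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [uint64] $Increase = 100000,
        [string] $Server   = (Get-ADDomain).RIDMaster
    )
    $before = Get-RidPool -Server $Server
    $new = $before.Raw + $Increase
    if ($PSCmdlet.ShouldProcess($before.DN, "rIDAvailablePool $($before.Raw) -> $new (next RID $($before.NextRid) -> $($before.NextRid + $Increase))")) {
        # Same REPLACE operation LDP performs in step 17; the write must go to the RID master.
        Set-ADObject -Identity $before.DN -Replace @{ rIDAvailablePool = [int64]$new } -Server $Server
    }
    Get-RidPool -Server $Server
}

# With the page's value 4611686014132422714 this shows MaxRid 1073741823 and NextRid 2106;
# after the increase the raw value is 4611686014132522714 and NextRid is 102106.
Get-RidPool
Invoke-RidPoolIncrease -Increase 100000 -WhatIf
```

Decoding the halves before writing is the check worth keeping: if NextRid is already close to MaxRid the domain is near RID exhaustion and raising the pool will not help, which is a different problem from the one this section solves.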

5.10 Resetting Key Passwords

To reset the computer account password of the domain controller

netdom resetpwd /server:<domain controller name> /userd:administrator /passwordd:*

Where <domain controller name> is the local DC that you are recovering.

You should run this command twice.

To reset the krbtgt account password, locate the account in Active Directory Users and Computers under the Users container. Right-click it and reset the password. The password you set is irrelevant, as a strong password is generated automatically regardless of the value you enter. You should perform this operation twice.
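Both resets as a script, added here as an example and not part of the original runbook. The machine account reset wraps the netdom command above (netdom prompts for the password when * is given, so nothing is stored in the script); the krbtgt reset uses Set-ADAccountPassword with a random value, which is fine because, as the text says, the value typed is discarded, and it verifies that pwdLastSet actually advanced. The function names and the random-password helper are this example's own.

```powershell
# Added example (not from the original runbook): DC machine account and krbtgt password
# resets, each performed twice. Function names are assumed.
Import-Module ActiveDirectory

function New-RandomPassword {
    param([int] $Bytes = 24)
    $buffer = New-Object byte[] $Bytes
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $rng.GetBytes($buffer)
    # Base64 keeps it printable; the value is never recorded because nobody logs on as krbtgt.
    return [Convert]::ToBase64String($buffer)
}

function Reset-KrbtgtPassword {
    param([string] $Server = $env:COMPUTERNAME)
    $before = (Get-ADUser -Identity krbtgt -Properties pwdLastSet -Server $Server).pwdLastSet
    $secret = ConvertTo-SecureString -String (New-RandomPassword) -AsPlainText -Force
    # -Reset is an administrative reset: no old password, no minimum-age check.
    Set-ADAccountPassword -Identity krbtgt -Reset -NewPassword $secret -Server $Server
    $after = (Get-ADUser -Identity krbtgt -Properties pwdLastSet -Server $Server).pwdLastSet
    if ($after -le $before) { throw 'krbtgt pwdLastSet did not advance; the reset did not take.' }
    return [datetime]::FromFileTimeUtc($after)
}

function Reset-DcMachinePassword {
    param(
        [Parameter(Mandatory)] [string] $DomainController,
        [string] $UserD = 'administrator'
    )
    # Same command as the runbook; '*' makes netdom prompt for the password interactively.
    & netdom.exe resetpwd /server:$DomainController /userd:$UserD /passwordd:*
    if ($LASTEXITCODE -ne 0) { throw "netdom resetpwd failed with exit code $LASTEXITCODE" }
}

# Both resets are done twice, as the runbook requires.
1..2 | ForEach-Object { Reset-DcMachinePassword -DomainController $env:COMPUTERNAME }
1..2 | ForEach-Object { Reset-KrbtgtPassword }
```

Two immediate krbtgt resets are appropriate here because the recovered forest is a single isolated DC with nothing to replicate to. In a live, multi-DC domain the second reset should wait until the first has replicated everywhere and outstanding tickets have expired, otherwise the previous key that Kerberos keeps for exactly that grace period is overwritten and valid tickets start failing.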