1/19/13 Technet Bookmarks » Active Directory Backup and Restoration – Windows Server 2008

www.technetbookmarks.com/62-active-directory-backup-and-restoration-windows-server-2008.shtml 1/4

Active Directory Backup and Restoration – Windows Server 2008

Windows Server 2008 Backup tools

How do you back up AD?

Active Directory is backed up as part of system state, a collection of system components that depend on each other. You must back up and restore system state components together.

Components that comprise the system state on a domain controller include:

- System start-up files (boot files). These are the files required for Windows 2000 Server to start.
- System registry.
- Class registration database of Component Services. The Component Object Model (COM) is a binary standard for writing component software in a distributed systems environment.
- SYSVOL. The system volume provides a default Active Directory location for files that must be shared for common access throughout a domain. The SYSVOL folder on a domain controller contains:
  - NETLOGON shared folders. These usually host user logon scripts and Group Policy objects (GPOs) for non-Windows 2000-based network clients.
  - User logon scripts for Windows 2000 Professional-based clients and clients that are running Windows 95, Windows 98, or Windows NT 4.0.
  - Windows 2000 GPOs.
  - File system junctions.
  - File Replication service (FRS) staging directories and files that are required to be available and synchronized between domain controllers.
- Active Directory. Active Directory includes:
  - Ntds.dit: The Active Directory database.
  - Edb.chk: The checkpoint file.
  - Edb*.log: The transaction logs, each 10 megabytes (MB) in size.
  - Res1.log and Res2.log: Reserved transaction logs.

Note: If you use Active Directory-integrated DNS, then the zone data is backed up as part of the Active Directory database. If you do not use Active Directory-integrated DNS, you must explicitly back up the zone files. However, if you back up the system disk along with the system state, zone data is backed up as part of the system disk. If you installed Windows Clustering or Certificate Services on your domain controller, they are also backed up as part of system state.

Difference between Authoritative Vs non-authoritative restore.

The term “authoritative” is used to describe a restore in which the domain controller being restored has the master, or authoritative, copy of Active Directory. A non-authoritative restore is a domain controller being restored that does not have an authoritative copy of Active Directory. When a domain controller is started, replication occurs during the boot phase, and Active Directory is synchronized. Whether the restore is authoritative or non-authoritative then specifies the direction of replication. An authoritative restore pushes Active Directory out to other domain controllers, and a non-authoritative restore synchronizes changes to the domain controller being booted.

NOTE: Domain controllers use Universal Sequence Numbers (USNs) to keep track of Active Directory data and to determine if an update is available. Each domain controller keeps its own USN, and checks its USN with the USN of other domain controllers on a regular basis. If the USN of the other domain controller is higher, that indicates an update is available, and replication is started. If the USN of the other domain controller is the same or lower, replication is not started. Using USNs is a more accurate method than using time stamps.

To explain further, let’s suppose that a domain controller fails due to hardware failure. It takes several days to obtain a replacement part for the machine and to repair the domain controller. During this time, other domain controllers have continued to function normally, and various changes in the network and Active Directory have taken place. When the failed domain controller is started for the first time after completing the recovery process, replication occurs and the changes in Active Directory are replicated to the previously failed computer. The domain controller is brought up to date with the rest of the network. This is a non-authoritative restore.

Now let’s suppose that the failure you suffered was due to human error, and an administrator deletes significant portions of Active Directory. If you follow the normal procedure of restoring Active Directory from yesterday’s backup and rebooting the server, replication will occur, and all the changes and deletions made by the administrator will be replicated back to the domain controller. Performing a normal restore would not bring back the deleted objects. To recover your lost users and OUs, you must perform an authoritative restore and specify the objects that you want to replicate to the rest of the network.
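The two outcomes described above can be modelled in a few lines. This is an added PowerShell example, not part of the original article; it assumes a simplified model in which a single version number per object decides which copy wins, and the function names, the DN and the increment are constructed for illustration.

```powershell
# Added example. Simplified model (assumption): one version number per object
# stands in for AD's replication metadata; on conflict the higher version wins.
function Sync-Replica {
    param([hashtable]$From, [hashtable]$To)
    foreach ($dn in @($From.Keys)) {
        if (-not $To.ContainsKey($dn) -or $From[$dn].Version -gt $To[$dn].Version) {
            $To[$dn] = $From[$dn].Clone()   # copy the winning state
        }
    }
}

function Test-RestoreOutcome {
    param([switch]$Authoritative)
    $ou     = 'OU=Sales,DC=example,DC=test'                   # constructed DN
    $backup = @{ $ou = @{ Version = 1; Deleted = $false } }   # yesterday's backup
    $dc2    = @{ $ou = @{ Version = 2; Deleted = $true } }    # deletion already replicated
    $dc1    = @{ $ou = $backup[$ou].Clone() }                 # DC1 restored from backup

    if ($Authoritative) {
        $dc1[$ou].Version += 100000   # constructed increment marking the copy as newest
    }
    Sync-Replica -From $dc2 -To $dc1   # inbound replication at boot
    Sync-Replica -From $dc1 -To $dc2   # outbound replication

    [pscustomobject]@{
        Authoritative = [bool]$Authoritative
        DeletedOnDC1  = $dc1[$ou].Deleted
        DeletedOnDC2  = $dc2[$ou].Deleted
    }
}

Test-RestoreOutcome                  # normal restore
Test-RestoreOutcome -Authoritative   # authoritative restore
```

In the first call the deletion held by the other replica overwrites the restored OU; in the second the restored OU carries the higher version and is copied back to the other replica.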

How to run a non-authoritative restore:

Just go to Windows Server Backup and click Recover. Use the most recent backup file set that was created before the deletion. This restore is useful in a scenario where, say, a disk failed: once we restore the entire backup after replacing the disk, the entire AD database will be replicated with the other domain partners.

If a user or OU was accidentally deleted, go ahead with an authoritative restore. The reason is that if you do a normal restore, the USN of an object will increase by 10,000, and other domain controllers will treat this server as the updated server, and this information will be replicated to all domain controllers.

How to run authoritative restore:

Let’s assume an OU was deleted from the AD database. Perform the steps below to recover the OU. You must have a system state backup before performing these steps.

1. Restart the DC into directory services recovery mode (hit F8)

2. Log in with .\administrator and the domain recovery mode password you set up while running Dcpromo

3. Type wbadmin get versions from a command prompt

4. This lists all available backups; figure out which version you want to restore

5. Type wbadmin start systemstaterecovery -version:ID -backuptarget:backuplocation

In the above command, since the backup is stored locally on disk, we haven’t specified the network location, but if the backup is on a SAN or on another server, we need to specify the UNC path in the backuptarget switch.

6. After the restore, type ntdsutil activate instance NTDS

7. Type authoritative restore to get into the right NTDSUTIL context

8. Type restore object “distinguishedName” for a single account or restore subtree “distinguishedName” if you are restoring an entire OU.

9. Reboot normally
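Steps 3 to 8 hinge on choosing the right backup version. The following is an added PowerShell example, not part of the original article: it picks the newest version that contains system state and predates the deletion, then prints the restore commands. The sample output, the DN, the deletion time and the function name are constructed, and the version identifier is assumed to be in UTC.

```powershell
# Constructed sample of `wbadmin get versions` output (not from a real server).
# On a DC in recovery mode use: $out = wbadmin get versions | Out-String
$out = @'
Backup time: 1/17/2013 9:00 PM
Backup target: Fixed Disk labeled E:
Version identifier: 01/18/2013-02:00
Can recover: Volume(s), File(s), Application(s), Bare Metal Recovery, System State

Backup time: 1/18/2013 9:00 PM
Backup target: Fixed Disk labeled E:
Version identifier: 01/19/2013-02:00
Can recover: Volume(s), File(s), Application(s), Bare Metal Recovery, System State

Backup time: 1/19/2013 6:00 AM
Backup target: Fixed Disk labeled E:
Version identifier: 01/19/2013-11:00
Can recover: Volume(s), File(s)

Backup time: 1/19/2013 9:00 PM
Backup target: Fixed Disk labeled E:
Version identifier: 01/20/2013-02:00
Can recover: Volume(s), File(s), Application(s), Bare Metal Recovery, System State
'@

function Select-RestoreVersion {   # hypothetical helper name
    param([string]$WbadminOutput, [datetime]$DeletedAtUtc)
    $candidates = foreach ($block in ($WbadminOutput -split '(?:\r?\n){2,}')) {
        if ($block -match 'Version identifier:\s*(\S+)') {
            $id = $Matches[1]
            # Only backups that include system state can restore Active Directory.
            if ($block -match 'Can recover:.*System State') {
                $taken = [datetime]::ParseExact($id, 'MM/dd/yyyy-HH:mm',
                             [cultureinfo]::InvariantCulture)
                if ($taken -lt $DeletedAtUtc) {
                    [pscustomobject]@{ Id = $id; TakenUtc = $taken }
                }
            }
        }
    }
    $candidates | Sort-Object TakenUtc | Select-Object -Last 1
}

$pick = Select-RestoreVersion -WbadminOutput $out -DeletedAtUtc ([datetime]'2013-01-19T15:30:00')
$dn   = 'OU=Sales,DC=example,DC=test'   # constructed DN; quote it if it contains spaces
"wbadmin start systemstaterecovery -version:$($pick.Id)"
"ntdsutil `"activate instance ntds`" `"authoritative restore`" `"restore subtree $dn`" quit quit"
```

The script only prints the two command lines, so the chosen version can be reviewed before anything is restored.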

One Response to “ Active Directory Backup and Restoration – Windows Server 2008 ”

metal stamping jewelry says:

October 9, 2012 at 3:22 pm

This is great content. You’ve loaded this with useful, informative content that any reader can understand. I enjoy reading articles that are so very well-written.
