Test your Active Directory Backups on an isolated VM

Without any doubt, this is one of the most critical tasks that Active Directory administrators forget or ignore!

It is not enough to take backups of your Active Directory (which can be done simply by backing up the domain controller’s System State); you also need to verify that the backup can be restored.

Note: Backing up the domain controller’s system state backs up your whole Active Directory, SYSVOL (your Group Policies) and your DNS zones (only if they are Active Directory-integrated).

Scenario: What is the test scenario?

Suppose you have a couple of domain controllers in your enterprise. You are taking AD backups on a regular basis, which you should always do (by backing up a DC’s system state).

You are asked to verify that the Active Directory backup you are taking is healthy and can be restored. You may also have been asked to perform regular restores as part of certain regulations or procedures.

So you want to create a virtual machine, restore the Active Directory backup on it, and have a look at the Active Directory Users and Computers snap-in to verify that your AD objects are restored, and maybe verify that all your GPOs are restored too. Then you can destroy this VM and you are done.

Let us do it

1.  Create a virtual machine

  • Virtual Machine name: DOES NOT MATTER
  • Virtual Machine network connectivity: it should have a disabled network card at this stage. Never ever allow this machine to access or route to your live environment in any way.
  • Virtual machine domain membership: not joined to any domain (it should be in a workgroup)
  • It is recommended to have an additional disk on this VM to host the restored files

2.  Now go to one of your domain controllers and let us start creating a backup job:

  • We need to take a backup of the domain controller’s system state.
  • We will be using the built-in Windows Server Backup software, and we are assuming that the domain controller is running Windows Server 2008 or above.
  • To use it, go to Add Features and add the (Windows Server Backup) component manually.
  • Now open the Windows Server Backup console.

  • Click on (Backup Once) to start the backup job.
  • In the (Backup Options), click (Different Options)

  • In the (Select Backup Configuration), select (Custom)

  • In the (Select Items for Backup) page, click (Add Items) and select (System State)

  • In the (Specify Destination Type) page, click whatever fits you

  • That’s it. Just wait for the backup to finish, and you will see a folder named (WindowsImageBackup).
  • You can also go to the DC Event Log, under Microsoft > Backup > Operational, and find event ID 4, which indicates a successful backup operation.
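The same backup job and the same event-log check as an added example, done from an elevated PowerShell prompt on the DC instead of the Windows Server Backup wizard. This is not code from the original post. It assumes Windows Server 2012 or later (feature name Windows-Server-Backup) and a dedicated backup volume E:, which is a constructed value; never point the backup at the system drive.

```powershell
# Added example, not from the original post: step 2 (system state backup) from PowerShell.
# Assumptions: Windows Server 2012+ feature names; E: is a constructed backup volume.
$BackupTarget = 'E:'

# Equivalent of Add Features > Windows Server Backup.
if (-not (Get-WindowsFeature -Name Windows-Server-Backup).Installed) {
    Install-WindowsFeature -Name Windows-Server-Backup | Out-Null
}

# System state = registry, boot files, NTDS (Active Directory), SYSVOL and, on a DC that
# also runs DNS, the AD-integrated zones.
wbadmin start systemstatebackup "-backupTarget:$BackupTarget" -quiet

# Verification from the post: event ID 4 in Microsoft > Backup > Operational means success.
$lastOk = Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Backup'; Id = 4 } `
                       -MaxEvents 1 -ErrorAction SilentlyContinue
if ($lastOk -and $lastOk.TimeCreated -gt (Get-Date).AddHours(-1)) {
    "Backup succeeded at $($lastOk.TimeCreated)"
} else {
    Write-Warning 'No recent event ID 4; inspect the Microsoft-Windows-Backup log before trusting this backup.'
}

# The result is WindowsImageBackup\<DC name> on the target; this whole folder is what gets
# carried offline to the root of the isolated VM's data drive in step 3.
Get-ChildItem -Path (Join-Path $BackupTarget 'WindowsImageBackup')
```

The one-hour window on the event check is deliberate: an old event ID 4 from a previous job would otherwise make a failed backup look healthy.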

3.  Now, go to your VM (I assume it has C and D drives) and do the following:

  • In a secure and isolated way, move the WindowsImageBackup folder as is to the root of the VM’s D drive. This must happen without connecting the VM to the network at all.

Note: ALWAYS place the WindowsImageBackup folder at the root of the VM’s data drive. This allows the backup software to locate it easily.

4.  As the backup files are now located under the (BackupDC) folder on the VM’s D drive, and after ensuring that the VM is isolated, not connected to any network and unable to route traffic to your live environment, perform the following to start the restore:

  • Boot the VM into the (Advanced Boot Options) menu (in most cases by pressing F8 during boot) and select (Directory Services Restore Mode).

Notice that this VM doesn’t have any Active Directory on it, but you will still see this option available.

  • Now the VM will boot into (Directory Services Restore Mode)

  • Now, from this mode, open the Windows Server Backup console on the VM (install it from Add Features if it is not installed yet).
  • Click the (Recovery) option to start the recovery wizard.
  • On the (Getting Started) page, click (A backup stored on another location)
  • On the (Specify Location Type) page, click (Local drives).

  • In the (Select Backup Date) page, leave the defaults

  • On the (Select Recovery Type) click (System State)

  • On the (Select Location for System State Recovery) page, leave the defaults (which is Original Location)

  • You will get a confirmation box; click OK and continue

  • Acknowledge the Confirmation box

5.  Now, after the recovery process is completed, go to C:\Windows\NTDS on the VM and confirm that the AD database files are there, then go to the SYSVOL directory and confirm that your group policies are there.
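Steps 4 and 5 again as an added example, this time with wbadmin from an elevated PowerShell prompt inside Directory Services Restore Mode on the isolated VM, rather than the recovery wizard. This is not code from the original post. It assumes WindowsImageBackup sits at the root of D:, that the VM runs Windows Server 2012 or later (for Get-NetAdapter), and that the source DC was called DC01, a constructed placeholder; use the folder name you find under D:\WindowsImageBackup.

```powershell
# Added example, not from the original post: system state recovery from DSRM on the isolated VM.
# Assumptions: backup at the root of D:, Windows Server 2012+, source DC name DC01 (placeholder).
$BackupTarget = 'D:'
$SourceDC     = 'DC01'

# Isolation check before touching anything: every adapter must be disabled.
$live = Get-NetAdapter | Where-Object Status -eq 'Up'
if ($live) { throw "Adapter(s) still up: $($live.Name -join ', '). Disable them first." }

# Show the backup sets found on the drive (identifiers look like 05/21/2015-22:10).
# -machine is needed because this VM's own name differs from the DC that was backed up.
wbadmin get versions "-backupTarget:$BackupTarget" "-machine:$SourceDC"

# Take the newest version identifier and restore the system state to its original location,
# the same choice the wizard's (Select Location for System State Recovery) page defaults to.
$Version = @(wbadmin get versions "-backupTarget:$BackupTarget" "-machine:$SourceDC" |
             Select-String 'Version identifier: (\S+)' |
             ForEach-Object { $_.Matches[0].Groups[1].Value })[-1]
if (-not $Version) { throw "No backup versions found for $SourceDC on $BackupTarget" }

wbadmin start systemstaterecovery "-version:$Version" "-backupTarget:$BackupTarget" "-machine:$SourceDC" -quiet

# Step 5, after the reboot the recovery asks for: database and policies in their default paths.
Test-Path 'C:\Windows\NTDS\ntds.dit'                          # expect True
Get-ChildItem 'C:\Windows\SYSVOL\domain\Policies' -Directory  # one folder per GPO GUID
```

The adapter check at the top is the scripted version of the rule repeated throughout this post: the restored copy of your directory must never be reachable from, or able to reach, the live environment.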

6. This is the tricky part!! If you try to open Active Directory Users and Computers, or even the GPMC.msc console, on the VM, you will get an error that the domain does not exist. This is absolutely normal. The reason is that the restored DC in the VM needs to point to itself as its DNS server. So what you should do is enable the network card on the VM, give it a fake IP address and subnet mask, and configure the DNS on its network card to point to itself (its fake IP). MAKE SURE THAT THE VM STILL CANNOT ROUTE TRAFFIC TO YOUR LIVE ENVIRONMENT.

Now wait a little bit, or restart the VM, and then try to browse Active Directory Users and Computers; it will work. You can now see all your AD objects. If you open GPMC.msc, you can see all your group policies.
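Step 6 as an added example (not code from the original post), run on the restored VM after it boots normally: the NIC gets a fake address from the RFC 5737 TEST-NET range (a constructed value) with no default gateway, the DNS client is pointed at the VM itself, the script proves the VM has no route out, and then it reads the same data the ADUC and GPMC consoles would show. It assumes the adapter alias is 'Ethernet', that the virtual NIC is attached to no switch or to a private/internal one only, and that the RSAT Active Directory and Group Policy tools (with their PowerShell modules) are installed; the post’s note about adding the snap-in manually applies to the modules as well.

```powershell
# Added example, not from the original post: step 6 (fake IP, DNS to self, isolation check, verification).
# Assumptions: adapter alias 'Ethernet'; 192.0.2.10 is a constructed TEST-NET address; RSAT AD and
# Group Policy modules are installed on the VM.
$Nic    = 'Ethernet'
$FakeIP = '192.0.2.10'

Enable-NetAdapter -Name $Nic -Confirm:$false
New-NetIPAddress -InterfaceAlias $Nic -IPAddress $FakeIP -PrefixLength 24 | Out-Null   # no -DefaultGateway, on purpose
Set-DnsClientServerAddress -InterfaceAlias $Nic -ServerAddresses $FakeIP

# The VM must not be able to reach the live environment: no default route may exist.
if (Get-NetRoute -DestinationPrefix '0.0.0.0/0' -ErrorAction SilentlyContinue) {
    throw 'A default route exists; this VM could reach the live network. Stop and fix the isolation.'
}

# The consoles fail with "domain does not exist" until NTDS and DNS are running and the DC
# has registered its own records; make sure the services are up, then register.
Get-Service NTDS, DNS | Where-Object Status -ne 'Running' | Start-Service
Register-DnsClient
Import-Module ActiveDirectory, GroupPolicy

# What ADUC shows: the domain, the DCs it knows about and the object counts.
$domain = Get-ADDomain
"Domain: $($domain.DNSRoot)   DCs known to AD: $($domain.ReplicaDirectoryServers -join ', ')"
$users = @(Get-ADUser -Filter *).Count
$comps = @(Get-ADComputer -Filter *).Count
"Users: $users   Computers: $comps"

# What GPMC shows: every restored GPO with its status and last modification time.
Get-GPO -All | Sort-Object DisplayName | Select-Object DisplayName, GpoStatus, ModificationTime
```

Comparing the user, computer and GPO counts with the numbers from the live domain at backup time is the quickest objective check that the restore is complete, rather than merely browsing the consoles.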

Note: If you don’t find the Active Directory Users and Computers console on the VM after the restore, go to Run > mmc and add the Active Directory Users and Computers snap-in manually.

7. After you have confirmed that everything looks fine, destroy the VM and never connect it to your network. Have a nice restore day!!!

Notes:

  • First of all, you cannot take a backup from one version of Windows and restore it to another version. Windows Backup will give you a “catalog corrupted” error. For example, if you take a backup from a Windows 2012 DC, you cannot restore it using Windows Backup on a Windows 2008 R2 server.
  • After you finish the restore, you may notice that DNS does not show you any data, because it is waiting for Active Directory to do some initial synchronization. On the other hand, AD cannot start without DNS. To solve this issue, add this registry value on the VM:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters]

"Repl Perform Initial Synchronizations"=dword:00000000
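The registry value from the note above, set and verified from PowerShell on the isolated VM, followed by the DNS check to run after the reboot. This is an added example, not code from the original post; it assumes the DNS Server role and its PowerShell module are present on the restored VM.

```powershell
# Added example, not from the original post: the NTDS registry tweak from the Notes, plus a
# post-reboot check that DNS actually serves the restored AD-integrated zones.
# Assumption: the DnsServer PowerShell module is present on the VM.
$Key  = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$Name = 'Repl Perform Initial Synchronizations'

# 0 tells NTDS not to wait for an initial replication with partners this isolated copy can never
# reach, so the DC advertises and DNS can load the AD-integrated zones. Keep the default (1) on
# production DCs; this is a lab-only setting.
Set-ItemProperty -Path $Key -Name $Name -Value 0 -Type DWord
(Get-ItemProperty -Path $Key -Name $Name).$Name            # expect 0

# After Restart-Computer: both services running and the zones actually loaded from AD.
Get-Service NTDS, DNS | Select-Object Name, Status
Import-Module DnsServer
Get-DnsServerZone | Where-Object IsDsIntegrated |
    Select-Object ZoneName, ReplicationScope, DynamicUpdate
```

If the zone list is empty after the reboot, the restore did not bring back an AD-integrated DNS, which is worth knowing before you rely on that backup in a real recovery.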

12 comments on “Test your Active Directory Backups on an isolated VM”

  1. Hi,
    great work and great info. I have a question: what will be the name of the computer? The original DC name or some other name?
    Regards
    movi sajid

  2. Hi,
    thanks for the quick reply. I am testing the same by following your method, but I have a few questions.
    1. VM name does not matter?
    Will the name of the VM be changed to the original DC name after restoring the backup on the VM?
    2. Booting into Directory Services Restore Mode is not available on a fresh VM, so I modified MSConfig and started it in AD restore mode.
    3. After the backup restore I directly restarted the server and tried to log in as an admin, but
    I get an error (Service not available). Is it due to DNS?
    Regards
    movi

    • In case you still have questions: the VM name does not matter.
      For point 2, you can achieve AD restore mode in different ways depending on the version of Windows on the VM.
      For point 3, when you restore the DC, you have to log on using the cached credentials (the password of a domain admin at the time of taking the backup).

      Let me add to this. Microsoft clearly does not support restoring a system state backup to different hardware except if certain conditions apply. So what we are trying to do here is only for piloting or auditing AD backups.

      Second thing, you have to do this a couple of times until you get it working, and then you will understand all the tricks here. It is not that easy, believe me.

      Third, what you should always have is a Full Server backup for a DC, and pilot a bare metal recovery using the full server backup in an isolated environment. After years of AD recovery, I have found that Bare Metal Recovery (which is Full Server Backup using the built-in Microsoft Windows Backup software) is the best and most flexible way of doing restores and testing them.

  3. Hello Ammar,
    first, congratulations.
    Now, I have some questions:
    * You commented that you can log in with cached credentials. I was unable to log in with a cached user. So I had to restart the server in DSRM and enter the DSRM user. After this, I cannot open the services, because neither the server nor the ADSM DNS services start, as one depends on the other.
    What do I do?
    Thank you.

      • Now, when I try to start the users management console, I get the message that the specified domain does not exist or cannot be contacted. Note: the DNS settings are pointing to the server itself.

      • Hi… yes, I faced a lot of such things myself… I was almost about to give up. I read in the Microsoft documentation that you cannot restore the system state to a different server except under special conditions.

        Nevertheless, I tried hard to do it, and finally I got this problem that the domain does not exist and cannot be contacted. This is a DNS issue. DNS is waiting for AD to load, and the management tools for Active Directory need DNS to locate the AD instance installed locally. My blog post has a registry hack that will instruct DNS not to wait for AD to load, and after a couple of tweaks and restarts it worked for me. This is also different from one version of Windows to another.

        After long discussions with Microsoft and a couple of customers, I have concluded that FULL SERVER BACKUP (Bare Metal) recovery is the best way to back up and restore AD to a different server, and not to rely on system state only.

        In other words, you have to take system state + full server backups. In your regular testing, you can use the full server backup to do a bare metal recovery on a different server or on a pilot isolated VM.

        I hope this will help.

        Thanks a lot for sharing your thoughts.

    • Hello, the problem with the early services and the login is already resolved. I was always starting the server in DSRM. After starting in normal mode, I managed to log in and the services started. However, when I try to start the users management console, I get the message that the specified domain does not exist or cannot be contacted. Note: the DNS settings are pointing to the server itself.
