It is, without any doubt, one of the most critical tasks that Active Directory administrators forget or ignore!
It is not enough to take backups of your Active Directory (which can be done simply by backing up the domain controller's System State), as you also need to verify that the backup can be restored.
Note: Backing up the domain controller's system state will back up your whole Active Directory, SYSVOL (your Group Policies) and your DNS zones (only if they are integrated in Active Directory).
Scenario : What is the test scenario
Suppose you have a couple of domain controllers in your enterprise. You are taking AD backups on a regular basis, which you should always do (by backing up the DC's system state).
You are asked to verify that the Active Directory backup that you are taking is healthy and can be restored. You may also have been asked to perform regular restores as part of certain regulations or procedures.
So you want to create a virtual machine, restore the Active Directory backup on it, and have a look at your Active Directory Users and Computers snap-in to verify that your AD objects are restored, and maybe verify that all your GPOs are restored. Then you can destroy this VM and you are done.
Let us do it
1. Create a virtual machine
- Virtual Machine name : DOES NOT MATTER
- Virtual Machine network connectivity : it should have a disabled network card at this stage. Never Ever allow this machine to access or route to your live environment in any way.
- Virtual machine domain membership : Not joined to any domain (should be a workgroup)
- It is recommended to have an additional disk on this VM to host the restored files
2. Now go to one of your domain controllers and let us start creating a backup job:
- We need to back up the domain controller's system state.
- We will be using the built-in Windows Server Backup software, and we are assuming that the domain controller is running Windows 2008 and above
- To use it, you need to go to Add Features, and add (Windows Server Backup) component manually.
- Now open the Windows Server Backup console.
- Click on (Backup Once) to start the backup job.
- In the (Backup Options), click (Different Options)
- In the (Select Backup Configuration), select (Custom)
- In the (Select Items for Backup) click (Add Items) and click the (System State)
- In the (Specify Destination Type), click what fits you
- That’s it. Just wait for the backup to finish, and you will see a folder named (WindowsImageBackup).
- You can also go to the DC Event Log, under Microsoft>Backup>Operational and find the event ID = 4 that indicates successful backup operation.
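The same backup and success check can be scripted, which is useful when the test restore is a recurring task. This is an added example, not part of the original post; it assumes an elevated PowerShell session on the domain controller and that E: is a dedicated, non-system volume (a placeholder).

```powershell
# Assumption: E: is a dedicated backup volume on the DC (placeholder value).
$Target = 'E:'
$Start  = Get-Date

# Command-line equivalent of Backup Once > Custom > System State.
wbadmin start systemstatebackup "-backupTarget:$Target" -quiet
if ($LASTEXITCODE -ne 0) { throw "wbadmin exited with code $LASTEXITCODE" }

# The job must have produced the WindowsImageBackup folder on the target.
$folder = "$Target\WindowsImageBackup"
if (-not (Test-Path $folder)) { throw "$folder was not created" }

# Event ID 4 in the Backup operational log marks a successful backup.
# Only events logged after this run started are accepted.
$ok = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Backup'
    Id        = 4
    StartTime = $Start
} -ErrorAction SilentlyContinue

if (-not $ok) { throw "No event ID 4 since $Start; treat this backup as failed" }
$ok | Select-Object TimeCreated, Id, Message
```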
3. Now, go to your VM (I assume that it has C and D drives) and do the following:
- In a secure and isolated way, move the WindowsImageBackup folder as is to the root of the D drive of the VM. This should happen without connecting the VM to the network at all.
Note: ALWAYS place the WindowsImageBackup folder at the root of the data drive of the VM. This will allow the backup software to locate it easily.
4. As the restored files are now located under (BackupDC) folder on the VM D drive, and after ensuring that the VM is isolated and not connected to any network and cannot route traffic to your live environment, perform the following to start the restore:
- Boot the VM to the (Advanced Boot Options), in most cases by pressing F8 during boot, and select (Directory Services Restore Mode).
Notice that this VM doesn't have any Active Directory on it, but you will still find this option available.
- Now the VM will boot in the (Directory Services Mode)
- Now from this mode, open the Windows Server Backup console on the VM (install it from the Add Features if it is not installed yet).
- Click on the (recovery) option to start the recovery wizard.
- On the (Getting Started) page, click (A backup stored on another location)
- On the (Specify Location Type) click (Local drives).
- In the (Select Backup Date), leave defaults
- On the (Select Recovery Type) click (System State)
- On the (Select Location for System State Recovery) leave the defaults (which is Original Location)
- You will get a confirmation box, click OK and continue
- Acknowledge the Confirmation box
5. Now after the recovery process is completed, you can go to the VM > C:\Windows\NTDS and confirm that the AD databases are there, and you can go to the SYSVOL directory and confirm that your group policies are there
6. This is the tricky part!! If you try to open the Active Directory Users and Computers or even the GPMC.msc console from the VM, you will get an error that the domain does not exist. This is absolutely normal. The reason is that the restored DC in the VM needs to point to itself as a DNS server. So what you should do is enable the network card on the VM, give it a fake IP and subnet mask, and configure the DNS on its network card to point to itself (to its fake IP). MAKE SURE THAT THE VM STILL CANNOT ROUTE TRAFFIC TO YOUR LIVE ENVIRONMENT.
Now, wait a little bit or restart the VM and then try to browse the Active Directory Users and Computers, and it will work. You can now see all your AD objects. If you open GPMC.MSC, you can see all your group policies.
Note: If you didn't find the Active Directory Users and Computers console on the VM after the restore, go to run>mmc.msc and add the Active Directory Users and Computers snap-in manually
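The network settings from step 6 and the file checks from step 5 can be applied and verified from inside the VM as below. This is an added example, not part of the original post; the adapter alias and IP address are constructed placeholders, the NTDS and SYSVOL paths are the Windows defaults, and the cmdlets require Windows Server 2012 or later (on 2008 the same settings are made with netsh or the GUI).

```powershell
# Constructed lab values; adjust the alias to the VM's NIC name.
$Alias  = 'Ethernet'
$FakeIP = '192.0.2.10'   # documentation-only range (TEST-NET-1)

# Static address with NO default gateway, DNS pointing at the VM itself.
New-NetIPAddress -InterfaceAlias $Alias -IPAddress $FakeIP -PrefixLength 24 | Out-Null
Set-DnsClientServerAddress -InterfaceAlias $Alias -ServerAddresses $FakeIP

# Guest-side isolation check: no default route may exist on any interface.
$routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0','::/0' -ErrorAction SilentlyContinue
if ($routes) {
    throw "Default route found via $($routes.NextHop -join ', '); disable the NIC"
}

# Every configured IPv4 DNS server must be the VM itself.
$foreign = (Get-DnsClientServerAddress -AddressFamily IPv4).ServerAddresses |
    Where-Object { $_ -notin @($FakeIP, '127.0.0.1') }
if ($foreign) { throw "DNS points outside the VM: $($foreign -join ', ')" }

# Step 5 checks, using the default database and SYSVOL paths (assumption).
$ntds = 'C:\Windows\NTDS\ntds.dit'
if (-not (Test-Path $ntds)) { throw "$ntds is missing" }

# GPO folders are named after the policy GUID, in braces.
$gpos = Get-ChildItem 'C:\Windows\SYSVOL\sysvol\*\Policies' -Directory |
    Where-Object { $_.Name -match '^\{[0-9A-Fa-f-]{36}\}$' }

"ntds.dit: {0:N0} bytes; GPO folders in SYSVOL: {1}" -f (Get-Item $ntds).Length, @($gpos).Count
```

These checks only cover the guest's own configuration; whether the virtual network can reach the live environment is decided on the hypervisor and has to be confirmed there.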
7. After you have confirmed everything looks fine, destroy the VM and never connect it to your network. Have a nice restore day !!!
- First of all, you cannot take a backup from one version of Windows and restore it to another version. Windows Backup will give you a catalog corrupted error. For example, if you are taking a backup from a Windows 2012 DC, you cannot restore it using Windows Backup on a Windows 2008 R2 server
- After you finish the restore, you may notice that DNS does not show you any data, because it is waiting for Active Directory to do some initial synchronization. On the other hand, AD cannot start without DNS. To solve this issue, on the VM add this registry
"Repl Perform Initial Synchronizations"=dword:00000000