- Recover Active Directory domain controllers with nonauthoritative restore - Wed, Sep 7 2022
What's the difference between an authoritative and a nonauthoritative restore?
- Authoritative restore: After the system state has been restored in Directory Services Restore Mode, selected objects (or a whole subtree) are marked authoritative with ntdsutil. This raises their version numbers, so the restored DC's copy of those objects wins replication and overwrites the copies on every other domain controller.
- An authoritative restore is only used in specific scenarios. The classic case is an OU or a set of objects that was deleted and whose deletion has already replicated to all other DCs: a plain nonauthoritative restore would bring the objects back for a moment and then lose them again as soon as the DC replicated the deletion from its partners. It is also used when the directory data on the other DCs is known to be bad.
- Only the objects marked authoritative are treated as the master copy and replicated outward. Everything else on the restored DC is still updated from the replication partners, exactly as in a nonauthoritative restore.
- Nonauthoritative restore: This is the much more common scenario. It assumes that other domain controllers with a healthy Active Directory database exist. The recovered DC comes back with the directory as it was at backup time and then replicates every change it missed from the healthy domain controllers, so the restored data never overrides current data.
Back up an Active Directory domain controller
We can use Windows Server Backup to back up the Windows Server hosting the AD DS role. For a domain controller, select the System state backup. It contains:
- Boot files and all files protected by Windows File Protection (WFP)
- The registry
- Performance counter configuration
- COM+ class registration database
- The Active Directory database (NTDS.dit) and its transaction logs (domain controller only)
- SYSVOL (domain controller only)
- Certificate Services database (certification authority only)
- Cluster database (cluster node only)
Complete the backup of the domain controller with the System state option selected.
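The same system state backup can be scripted instead of clicked through the console, which is what you want for a scheduled job. The following is an added example written for this article, not code from the original post or from Microsoft; it assumes that E: is a dedicated, non-critical local volume reserved for backups (Windows Server Backup refuses to write a system state backup onto a critical volume such as the one holding NTDS.dit).

```powershell
# Added example (not from the original article): system state backup of a
# domain controller with the WindowsServerBackup PowerShell module.
# Assumption: E: is a dedicated local volume that holds no critical data.
$BackupVolume = 'E:'

# Windows Server Backup is a feature and is not installed by default.
if (-not (Get-WindowsFeature -Name Windows-Server-Backup).Installed) {
    Install-WindowsFeature -Name Windows-Server-Backup | Out-Null
}
Import-Module WindowsServerBackup

# One-off policy: system state only, written to the backup volume.
$Policy = New-WBPolicy
Add-WBSystemState -Policy $Policy
$Target = New-WBBackupTarget -VolumePath $BackupVolume
Add-WBBackupTarget -Policy $Policy -Target $Target

# Run the backup synchronously, then inspect the job record instead of trusting the console output.
Start-WBBackup -Policy $Policy
$Job = Get-WBJob -Previous 1
if ($Job.HResult -ne 0) {
    throw "System state backup failed: $($Job.ErrorDescription)"
}

# List what can now be restored. VersionId is the value that
# 'wbadmin start systemstaterecovery -version:<id>' expects later.
Get-WBBackupSet -BackupTarget $Target |
    Sort-Object BackupTime |
    Select-Object VersionId, BackupTime, BackupTarget
```

The command-line equivalent of the policy above is `wbadmin start systemstatebackup -backupTarget:E: -quiet`. Whichever you use, keep the backup age in mind: a system state backup older than the forest's tombstone lifetime (180 days by default in current forests) must not be restored, because the DC would reintroduce objects the rest of the forest has already purged.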
Nonauthoritative restore of DCs
To perform a nonauthoritative restore of a DC, first restart it in Directory Services Restore Mode (DSRM). You can do this with msconfig.exe (Boot tab, Safe boot, Active Directory repair) or with bcdedit. DSRM is a special boot mode in which the AD DS service is not started, so the database files can be replaced. You log on in DSRM as the local .\Administrator with the DSRM password that was set when the server was promoted; if nobody knows it, reset it beforehand with ntdsutil ("set dsrm password") while the DC is still running normally.
In DSRM, open Windows Server Backup, start the Recover wizard, and select where the backup is stored. Since we are on the domain controller itself and the backup is stored on a local volume, either choice (this server or a backup stored on another location) finds the backup.
During the following steps of the wizard, you have to make the following decisions:
- Select the location type, whether the backup is on a local drive or a remote file share.
- Choose the backup location once you have selected the location type.
- Select the server you want to recover. The information is pulled from the metadata contained in the system state backup.
- Pick the backup date from the calendar widget.
- On the Select Recovery Type screen, select System state.
Next, select the location for the recovery of the system state data. For a true production recovery, choose the Original location option. Note the Perform an authoritative restore of Active Directory files option: it marks the restored SYSVOL as authoritative (the equivalent of wbadmin's -authsysvol switch). It does not make Active Directory objects authoritative; that still requires ntdsutil in DSRM after the restore. For a nonauthoritative restore, leave the option cleared.
After selecting the location, you will see a notification explaining that, as part of the nonauthoritative restore, all replicated content on the local server will be resynchronized from its replication partners after recovery.
On the confirmation screen, you can choose to reboot the server after the recovery is completed automatically. Choose your reboot option, and then click Recover.
You will see the notification that the system state recovery cannot be paused or canceled once it has started.
After the system state recovery is complete, you will see the message displayed below if you did not select the option to reboot the server automatically. The dialog box notes the need to restart the server.
Before rebooting, clear the DSRM boot setting (uncheck Safe boot in msconfig.exe, or remove the safeboot value with bcdedit); otherwise the DC starts in DSRM again and never rejoins replication. After rebooting your domain controller in normal mode, you will see the following command prompt message upon logging back in:
The system state recovery operation has successfully completed
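The wizard steps above map onto a short command-line procedure, which is easier to document in a runbook and to repeat under pressure. The following is an added example written for this article, not code from the original post or from Microsoft. It runs in three stages because the server reboots between them, and it assumes the system state backup was written to the local volume E:.

```powershell
# Added example (not from the original article): nonauthoritative system state
# restore of a domain controller, followed by replication health checks.
# Assumption: the backup lives on the local volume E:.
$BackupVolume = 'E:'

# ---- Stage 1 (normal mode): boot into DSRM on the next restart.
# Same effect as Safe boot / Active Directory repair in msconfig.exe.
bcdedit /set '{default}' safeboot dsrepair
Restart-Computer -Force

# ---- Stage 2 (DSRM, logged on as .\Administrator with the DSRM password).
Import-Module WindowsServerBackup
$Target = New-WBBackupTarget -VolumePath $BackupVolume
$Newest = Get-WBBackupSet -BackupTarget $Target | Sort-Object BackupTime | Select-Object -Last 1
if (-not $Newest) { throw "No backup sets found on $BackupVolume" }
$VersionId = $Newest.VersionId
"Restoring system state version $VersionId taken $($Newest.BackupTime)"

# Nonauthoritative: no -authsysvol, and no ntdsutil 'authoritative restore' afterwards.
# -quiet suppresses the confirmation prompt; once started, the recovery cannot be cancelled.
wbadmin start systemstaterecovery -version:$VersionId -backupTarget:$BackupVolume -quiet
if ($LASTEXITCODE -ne 0) { throw "System state recovery failed, wbadmin exit code $LASTEXITCODE" }

# Clear the DSRM flag, or the DC boots into DSRM again and never rejoins replication.
bcdedit /deletevalue '{default}' safeboot
Restart-Computer -Force

# ---- Stage 3 (normal mode): prove the DC resynchronized instead of assuming it.
repadmin /syncall /Ade      # pull all partitions from all partners, including other sites
repadmin /replsummary       # this DC should show 0 failures
repadmin /showrepl          # every partition's last attempt should be a recent success
dcdiag /test:replications /test:advertising /test:sysvolcheck
```

If the DC should be restored authoritatively instead, the only differences are in Stage 2: add `-authsysvol` to the wbadmin command when SYSVOL must win, and run ntdsutil's authoritative restore against the affected subtree before clearing the safeboot flag and rebooting.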
Wrapping up
Domain controller backups are essential to an organization's disaster recovery plan. Understanding the difference between authoritative and nonauthoritative restores is crucial to correctly recovering on-premises Active Directory Domain Services environments.
As shown, you can use Windows Server Backup to back up and recover your domain controllers with a nonauthoritative restore, and then let replication bring the restored DC back in line with the rest of the domain.