Backing up domain controllers is a crucial part of any disaster recovery plan for organizations running Active Directory on-premises. There are two types of restores, authoritative and nonauthoritative, and each fits a different situation. Both can be performed with Windows Server Backup. This post walks through the process with a nonauthoritative restore.
By Brandon Lee

What's the difference between an authoritative and a nonauthoritative restore?

  • Authoritative restore: A domain controller is restored from backup, and the restored directory data (the whole database or, more commonly, a subtree such as an OU) is then marked authoritative. Marking raises the version numbers of the restored objects so that they win over the copies held by every other domain controller and replicate out to them.
    • An authoritative restore is only used in specific scenarios, typically when objects have been deleted and the deletion has already replicated to all DCs, so that a plain restore of one DC would simply be overwritten again by replication. In Windows Server Backup, the Perform an authoritative restore of Active Directory files option marks SYSVOL as authoritative; directory objects are marked authoritative separately with ntdsutil while the DC is still in DSRM.
    • The authoritatively restored objects are treated as the master copy and replicate to all other DCs in the environment.
  • Nonauthoritative restore: The nonauthoritative restore is the much more common scenario. It assumes that other domain controllers still hold a healthy Active Directory database. The restored DC comes back with the database as it was at backup time and then pulls every change made since from its healthy replication partners, so the restored copy never overwrites anything. A corrupted local NTDS database with healthy partners elsewhere is the textbook case.

Back Up an Active Directory domain controller

We can use Windows Server Backup to back up the Windows Server hosting the AD DS role. For a domain controller, select the System state backup. What does it contain?

  • Boot files (ntldr and ntdetect.com on older systems), system files protected by Windows File Protection, and the performance counter configuration
  • The Active Directory database (ntds.dit) and its log files (domain controller only)
  • SYSVOL (domain controller only)
  • Certificate Services database (CA only)
  • Cluster database (cluster node only)
  • Registry
  • COM+ class registration database
Selecting System state backup for the domain controller

Complete the backup of the domain controller with the System state option selected. Two points to keep in mind: the system state of a DC includes ntds.dit, which holds the password hashes of every account in the domain, so the backup target must be protected like the DC itself (restrict it to administrators and treat the media as Tier 0). And the backup must be newer than the forest's tombstone lifetime (180 days by default in forests created on Windows Server 2003 SP1 or later, 60 days in older ones) to be usable for a restore at all.
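The same system state backup from an elevated PowerShell session, using wbadmin, the command-line side of Windows Server Backup, instead of the wizard. This is an added example, not code from the original post. It assumes that E: is a separate, dedicated backup volume (wbadmin refuses to write a system state backup to a critical volume), that the script runs on the DC itself, and that the folder layout, the task name and the 02:00 schedule are placeholders you adjust to your environment.

```powershell
# Added example (not from the original post): system state backup of a DC with wbadmin.
# Assumptions: E: is a dedicated, non-critical backup volume; script runs elevated on the DC.

$BackupTarget = 'E:'   # placeholder: dedicated backup volume

# Install the Windows Server Backup feature if it is not present
if (-not (Get-WindowsFeature -Name Windows-Server-Backup).Installed) {
    Install-WindowsFeature -Name Windows-Server-Backup | Out-Null
}

# One-off system state backup. wbadmin returns a non-zero exit code on failure.
wbadmin start systemstatebackup -backupTarget:$BackupTarget -quiet
if ($LASTEXITCODE -ne 0) {
    throw "System state backup failed (wbadmin exit code $LASTEXITCODE)"
}

# Show what is now on the target. The version identifier (MM/DD/YYYY-HH:MM) printed
# here is what a later 'wbadmin start systemstaterecovery -version:' needs.
wbadmin get versions -backupTarget:$BackupTarget

# The backup contains ntds.dit, i.e. every domain password hash. Strip inherited
# permissions from the backup folder and leave only SYSTEM and Administrators.
# wbadmin writes under <target>\WindowsImageBackup.
$BackupFolder = Join-Path $BackupTarget 'WindowsImageBackup'
icacls $BackupFolder /inheritance:r /grant:r 'NT AUTHORITY\SYSTEM:(OI)(CI)F' 'BUILTIN\Administrators:(OI)(CI)F'

# Nightly run of the same backup as a scheduled task under SYSTEM (time is a placeholder)
$action  = New-ScheduledTaskAction -Execute 'wbadmin.exe' `
           -Argument "start systemstatebackup -backupTarget:$BackupTarget -quiet"
$trigger = New-ScheduledTaskTrigger -Daily -At '02:00'
Register-ScheduledTask -TaskName 'DC System State Backup' -Action $action -Trigger $trigger `
    -User 'NT AUTHORITY\SYSTEM' -RunLevel Highest -Force | Out-Null
```

The icacls step is the part the wizard does not do for you: without it, the backup folder inherits the permissions of the volume, and anyone who can read it can extract the domain's credential material offline.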

Nonauthoritative restore of DCs

To perform a nonauthoritative restore of a DC, restart the domain controller in Directory Services Restore Mode (DSRM), either with msconfig.exe (Boot tab, Safe boot, Active Directory repair) or with bcdedit /set safeboot dsrepair. DSRM is a special boot mode in which AD DS is not started, so the database files can be replaced. You log on with the local DSRM administrator password that was set when the server was promoted, so verify that you know it before you begin (it can be reset with ntdsutil from a working session). Never restore a DC by rolling back a VM snapshot or a whole disk image instead: that causes USN rollback, because the replication partners do not know the DC went back in time. A system state restore resets the DC's invocation ID so that its partners recognize the restore.

Restart your domain controller in Directory Services Restore Mode

Here, select where the backup is stored for the system state restore: This server if the backup is on a local volume, or A backup stored on another location for a remote volume or share. Since we are working on the domain controller itself and the backup is stored locally, either option finds the Windows Server backup.

Beginning the nonauthoritative restore of a domain controller

During the following steps of the wizard, you have to make the following decisions:

  • Select the location type, whether it is a local drive or a remote file share.
  • Choose the backup location once you have selected the location type.
  • Select the server you want to recover. The list is built from the metadata stored in the system state backup.
  • Pick the backup date from the calendar widget.
  • On the Select Recovery Type screen, select System state.
Select the recovery type

Next, select the location for the recovery of the system state data. For a real production recovery, choose Original location. Note the Perform an authoritative restore of Active Directory files option: it marks the restored SYSVOL as authoritative, so its contents replicate out to the other DCs instead of being overwritten by them. Leave it cleared for a nonauthoritative restore. It does not make directory objects authoritative; for that, run ntdsutil authoritative restore after the system state restore, while the DC is still in DSRM.

Select the location for system state recovery

After selecting the location, you will see the notification displayed below. It explains that the nonauthoritative restore will cause all replicated content on the local server (the directory database and SYSVOL) to resynchronize from its replication partners after recovery.

Informational message about the nonauthoritative restore

On the confirmation screen, you can choose to have the server restart automatically once the recovery completes. Choose your reboot option, and then click Recover.

Confirm the system state restore

You will see the notification that the system state recovery cannot be paused or canceled once it has started.

After the system state recovery is complete, you will see the message displayed below if you did not select the option to reboot the server automatically. The dialog box notes the need to restart the server.

The domain controller needs to be restarted to finish the system state recovery

After rebooting your domain controller and logging back in, a command prompt window displays the following message:

The system state recovery operation has successfully completed
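The whole restore walked through above, done from an elevated PowerShell session instead of the wizard, with the optional ntdsutil step that turns it into the authoritative restore described at the start of the post. This is an added example, not code from the original post. It assumes that the system state backup sits on E:, that $Version is a version identifier printed by wbadmin get versions, and that OU=Finance,DC=contoso,DC=com is a placeholder DN. The procedure spans two reboots, so it is split into phases that you run one at a time; the -authsysvol switch corresponds to the wizard's Perform an authoritative restore of Active Directory files check box.

```powershell
# Added example (not from the original post): nonauthoritative restore of a DC with wbadmin,
# with an optional ntdsutil authoritative restore of one OU.
# Assumptions: backup on E:, $Version from 'wbadmin get versions', placeholder OU DN.

$BackupTarget = 'E:'
$Version      = '03/15/2023-02:00'   # placeholder: take the real value from 'wbadmin get versions'

function Enter-DsrmBoot {
    # Phase 1 (normal mode): same effect as msconfig > Boot > Safe boot > Active Directory repair
    bcdedit /set safeboot dsrepair | Out-Null
    Restart-Computer -Force
}

function Restore-DcSystemState {
    # Phase 2: run while logged on in DSRM as .\Administrator with the DSRM password
    param(
        [string]$Target,
        [string]$VersionId,
        [switch]$AuthoritativeSysvol,   # wizard's "Perform an authoritative restore of Active Directory files"
        [string]$AuthoritativeSubtree   # DN to mark authoritative with ntdsutil; empty = plain nonauthoritative restore
    )
    $wbArgs = @('start', 'systemstaterecovery', "-version:$VersionId", "-backupTarget:$Target", '-quiet')
    if ($AuthoritativeSysvol) { $wbArgs += '-authsysvol' }
    & wbadmin.exe @wbArgs
    if ($LASTEXITCODE -ne 0) { throw "systemstaterecovery failed (wbadmin exit code $LASTEXITCODE)" }

    if ($AuthoritativeSubtree) {
        # Must run in DSRM, after the restore and before the normal reboot: raises the
        # version numbers of every object under the subtree so they win on replication.
        ntdsutil 'activate instance ntds' 'authoritative restore' "restore subtree $AuthoritativeSubtree" quit quit
    }

    # Clear the DSRM flag so the next boot is a normal one; AD DS then starts and the DC
    # pulls every change newer than the backup from its replication partners.
    bcdedit /deletevalue safeboot | Out-Null
    Restart-Computer -Force
}

function Test-DcReplication {
    # Phase 3 (normal mode, after the reboot): confirm the DC replicates with its partners
    repadmin /showrepl
    repadmin /replsummary
    dcdiag /test:replications /test:advertising
}

# Run one phase per session:
# Enter-DsrmBoot
# Restore-DcSystemState -Target $BackupTarget -VersionId $Version                      # nonauthoritative, as in the wizard
# Restore-DcSystemState -Target $BackupTarget -VersionId $Version -AuthoritativeSubtree 'OU=Finance,DC=contoso,DC=com'
# Test-DcReplication
```

Phase 3 is the check the wizard leaves to you: repadmin /showrepl should list successful inbound replication from every partner, and repadmin /replsummary should show zero failures. Until that is true, the restored DC is still serving the data it had at backup time.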

Wrapping up

Domain controller backups are essential to an organization's disaster recovery plan. Understanding the difference between authoritative and nonauthoritative restores is crucial to correctly recovering on-premises Active Directory Domain Services environments.


As shown, Windows Server Backup is enough to back up and recover your domain controllers, and a nonauthoritative restore lets replication bring the restored DC back in line with its partners.

© 4sysops 2006 - 2023
