How To Restore Active Directory From a Windows Server Backup.
In this article you'll find detailed instructions on how to restore the System State of an Active Directory Domain Controller using a backup image taken with Windows Server Backup.
Active Directory (AD) is the backbone of most Windows networks, managing users, computers and resources. For this reason, it is important to take frequent backups of your Domain Controller(s) system state so that you can easily restore Active Directory. In a previous article, I showed how to back up Active Directory with Windows Server Backup.
This comprehensive guide will walk you through the process of restoring Active Directory System State from a Windows Server Backup.*
* Note: This guide contains instructions on how to perform an in-place restore of Active Directory services in the same machine if Windows starts normally. If you want to fully restore an Active Directory server if Windows does not start (eg. due to BSOD or hardware failure), on the same or another machine, read the instructions in this tutorial: How to Recover Server 2016 from a System Image Backup if Windows Fails to Boot Normally.
Requirements:
- A Valid Windows Server Backup: Ensure that you have a valid backup that includes the "System State" of your Active Directory Domain Controller (preferably a "Bare Metal Recovery" backup).
- LOCAL Administrator's Password (aka "DSRM Password"): You will need the password of the administrator account that was used to promote the server to a domain controller. If you have forgotten this password, follow the instructions in step-1 below to reset it before entering Directory Services Restore Mode (DSRM) (step-2).
How to Restore Active Directory Domain Controller System State from a Windows Server Backup.
To be able to restore the System State of an Active Directory Domain Controller using the "Windows Server Backup" tool, you have to restart the domain controller into Directory Services Restore Mode (DSRM)* and login with the DSRM password.**
* Otherwise, you'll receive the error message "The backup contains Active Directory Domain Services which can be recovered only when the computer is started in Directory Services Restore Mode (DSRM). Retry the system state recovery operation from DSRM".
** The DSRM password is the password used to promote a Standard Windows Server to a Domain Controller (see step-1 below on how to reset it).
Step 1. Reset DSRM Password.
After booting into DSRM mode, there is only one user account that you can use to log on to Windows, and that is the Administrator account with the password that was originally used to promote the server to a domain controller.
Since the password for this account is usually forgotten, the first important step is to reset it using the "ntdsutil" utility. To do this:
1. Open Command Prompt on the DC that you want to restore and type the following command:
- ntdsutil
2. Then type this command:
- set dsrm password
3. Now give this command, replacing "SERVERNAME" with the name of your server:
- reset password on server SERVERNAME
4. Type a password and press Enter.
5. Retype the password to confirm it and press Enter.
6. After setting the password, press "q" and Enter, and then "q" and Enter again to close "ntdsutil".
Step 2. Boot in Directory Services Restore Mode (DSRM).
After resetting the DSRM password, you're ready to start the recovery process.
1a. Press Windows + R keys to load the Run dialog box.
1b. Type "msconfig" and press Enter.
2. Go to Boot tab, select Safe Boot & Active Directory repair and press OK.
3. Then, click Restart to boot the computer in DSRM mode.
4. At the login screen, type ".\Administrator"* and below it type the DSRM password (the password you specified in the previous step).
* Note: In DSRM mode, you cannot log in with your domain credentials.
Step 3. Restore Active Directory System State from backup.
Now, let's restore the System State of the domain controller.
1. After logging in to Windows, go to Start > Windows Accessories and open Windows Server Backup.
2. In Windows Server Backup utility, select Recover from the actions menu.
3. In the "Getting Started" window, specify where the backup is located, either locally on a disk attached to the server (e.g. on a USB drive) or in another location (e.g. on another server or NAS device on the network), and click the Next button.
4. In "Select Backup Date", choose the date of a backup to use for recovery and click Next.
5. For Recovery Type choose: System state and then click Next.
6. In "Select Location for System State Recovery" choose Original location and click Next.
7. Next, in the "Confirmation" screen, select to Automatically reboot the server to complete the recovery process and click Recover.
8. Finally, click Yes to start the system state recovery process.
9. The recovery process will begin. At this point, wait for it to complete (it will take some time).
10. At the end of the recovery process the server will reboot. When this is done, log in to Windows again using the local ".\Administrator" account and the DSRM password.
11. If everything went well, after logging in you should see a window informing you that the recovery operation was successful. At this point, press ENTER and continue to next step.
Step 4. Exit from Directory Services Restore Mode (DSRM).
1a. Press Windows + R keys to load the Run dialog box.
1b. Type "msconfig.exe" and press Enter.
2a. Go to Boot tab, uncheck "Safe boot" and then click on the 'General' tab.
2b. In the 'General' tab, select Normal Startup and click OK. Then click Restart to reboot the server.
3. After reboot, login to Windows using your domain credentials and proceed to next step.
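For servers without the GUI tools, Steps 2 to 4 can also be driven from an elevated PowerShell prompt with bcdedit and wbadmin. The script below is an added example, not part of the original article; the script name, the `-Phase` parameter, the `E:` backup target and the version identifier are assumptions to replace with your own values.

```powershell
# Added example: command-line equivalent of Steps 2-4 (hypothetical name: Restore-AdSystemState.ps1).
# Run elevated, once per phase:
#   .\Restore-AdSystemState.ps1 -Phase EnterDsrm
#   .\Restore-AdSystemState.ps1 -Phase Restore                      # lists available versions
#   .\Restore-AdSystemState.ps1 -Phase Restore -Version <identifier>
#   .\Restore-AdSystemState.ps1 -Phase ExitDsrm
param(
    [Parameter(Mandatory)]
    [ValidateSet('EnterDsrm', 'Restore', 'ExitDsrm')]
    [string] $Phase,
    [string] $BackupTarget = 'E:',   # assumption: volume or \\server\share holding the backup
    [string] $Version                # identifier exactly as printed by 'wbadmin get versions'
)

switch ($Phase) {
    'EnterDsrm' {
        # Same effect as msconfig > Boot > Safe boot > Active Directory repair.
        bcdedit /set safeboot dsrepair
        if ($LASTEXITCODE -ne 0) { throw 'bcdedit failed; is the prompt elevated?' }
        Restart-Computer -Force
    }
    'Restore' {
        # Windows sets SAFEBOOT_OPTION=DSREPAIR when booted into DSRM. Checking it
        # first avoids the "can be recovered only ... in DSRM" error quoted above.
        if ($env:SAFEBOOT_OPTION -ne 'DSREPAIR') {
            throw 'This server is not running in DSRM; run the EnterDsrm phase first.'
        }
        if (-not $Version) {
            # No version chosen yet: show what the backup location offers and stop.
            wbadmin get versions "-backupTarget:$BackupTarget"
            return
        }
        # Restores to the original location; wbadmin asks for confirmation
        # because -quiet is deliberately not passed.
        wbadmin start systemstaterecovery "-version:$Version" "-backupTarget:$BackupTarget" -autoReboot
        if ($LASTEXITCODE -ne 0) { throw "wbadmin exited with code $LASTEXITCODE" }
    }
    'ExitDsrm' {
        # Same effect as unchecking "Safe boot" in msconfig.
        bcdedit /deletevalue safeboot
        if ($LASTEXITCODE -ne 0) { throw 'bcdedit failed; is the prompt elevated?' }
        Restart-Computer -Force
    }
}
```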
Step 5. Re-Enable NETLOGON & SYSVOL Shares.
Because the NETLOGON and SYSVOL shares will be missing after the restore, proceed to re-enable them:
1a. Press Windows + R keys to load the Run dialog box.
1b. Type "regedit" and press Enter.
2. In Registry Editor go to:
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters
3a. In the right pane, open the SysvolReady REG_DWORD.
3b. Change the value data of "SysvolReady" from "0" to "1" and click OK. Then, close the Registry Editor.
4. Now open command prompt and give these commands to restart the "netlogon" service:
- net stop netlogon
- net start netlogon
5. Finally, give this command to verify that the NETLOGON & SYSVOL shares are now available:
- net share
Step 6. Run DCDIAG to verify the health of your Active Directory Domain Controller (DC).
The next step is to run the Domain Controller Diagnostic tool, to diagnose the health of the Domain Controller.
1. Open command prompt and give this command:
- dcdiag
2. View the results and verify that all* tests are passed.
* Note: Some tests like the "DFSREvent" "KccEvent" "SystemLog" may fail, but this is normal.
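Steps 5 and 6 can be combined into one repeatable post-restore check. The script below is an added example, not part of the original article; it assumes an elevated PowerShell prompt on the restored DC after a normal boot, the SMB cmdlets of Windows Server 2012 or later, and English-language dcdiag output.

```powershell
# Added example: scripted form of Steps 5 and 6.
$key = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'

# Step 5: set SysvolReady to 1 only if it is not already, then restart Netlogon.
$ready = (Get-ItemProperty -Path $key -Name SysvolReady -ErrorAction Stop).SysvolReady
if ($ready -ne 1) {
    Set-ItemProperty -Path $key -Name SysvolReady -Value 1 -Type DWord
    Restart-Service -Name Netlogon -Force
}

# Confirm both shares exist (the same thing 'net share' shows in Step 5).
$missing = 'NETLOGON', 'SYSVOL' | Where-Object {
    -not (Get-SmbShare -Name $_ -ErrorAction SilentlyContinue)
}
if ($missing) { throw "Shares still missing: $($missing -join ', ')" }

# Step 6: run dcdiag and collect the names of failed tests.
# Assumption: English output, where failures read "<server> failed test <name>".
$tolerated = 'DFSREvent', 'KccEvent', 'SystemLog'   # tests the article says may fail
$failed = @(dcdiag |
    Select-String -Pattern 'failed test (\S+)' |
    ForEach-Object { $_.Matches[0].Groups[1].Value } |
    Sort-Object -Unique)
$unexpected = @($failed | Where-Object { $_ -notin $tolerated })

"Failed dcdiag tests: $($failed -join ', ')"
if ($unexpected.Count -gt 0) {
    throw "Investigate before returning the DC to service: $($unexpected -join ', ')"
}
'Shares are present and dcdiag reported no unexpected failures.'
```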
Step 7. Check Domain Controller Services.
The final steps in this process are to verify that the important Active Directory services on the domain controller are working.
1. Open Server Manager and verify that all services are listed there and working without errors.
2. Then open Active Directory Users and Computers and verify that all computers and users are there.
3. Finally, make sure any other important services (such as "DNS") are working properly and you're good to go!
Frequently Asked Questions
What is the purpose of taking backups of the Domain Controller's system state?
The system state backup is crucial for restoring Active Directory, which acts as the backbone of most Windows networks, managing users, computers, and resources.
What do I need to perform a system state restore on an Active Directory Domain Controller?
You need a valid Windows Server Backup that includes the system state and the local administrator's password (DSRM password) for the domain controller.
How can I reset the DSRM password if it's forgotten?
To reset the DSRM password, use the 'ntdsutil' utility. Open Command Prompt, type 'ntdsutil', then 'set dsrm password', followed by 'reset password on server SERVERNAME', and provide a new password.
What should I do if Windows does not start and I need to restore Active Directory?
If Windows fails to start, refer to the guide 'How to Recover Server 2016 from a System Image Backup if Windows Fails to Boot Normally' for instructions on restoring the Active Directory server on the same or another machine.

