6
Copyright © Acronis, Inc., 2000-2009
1.
Restore the domain controller from the backup using bare-metal restore.
2.
Reboot the domain controller. Make sure the Active Directory service has started successfully.
No other steps are required. Replicating of AD records will be performed automatically.
So what if the only backup available is older than the tombstone lifetime? If it includes the operating
system, it still may be restored. The AD database from the backup, however, cannot be used. The
tombstone objects are used during the replication – namely, object deletion is replicated through
replication of tombstones. Thus, if the backup is older than the tombstone lifetime, proper replication
will be impossible. If you don’t have a newer backup, recreation of the DC becomes the only possible
way to recover.
4.2.
Domain Controller restore (no other DCs are
available)
If all domain controllers are lost (or there was only one DC in the domain, which has crashed), the AD
service is down. Unless the DC may be recovered by other means (without using backup), the most
up-to-date information available is the one stored in the backup.
Therefore, nonauthoritative restore de facto becomes authoritative: the objects restored from
backup (and their USNs) are the newest available. Other than that, the restore looks similar to the
previous scenario, with the exception that recreation of the AD is not an option anymore, since all the
information will be lost, and even a backup with an expired tombstone lifetime can be used –
although the information loss will be very significant in this case.
To summarize, the following steps should be completed when restoring the last/the only domain
controller:
1.
Make sure the newest available backup is used for restore. This is especially important, since all
the information created since the last backup will be lost. If your domain has only one domain
controller, it is a good idea to create a backup at least daily.
2.
Restore the domain controller from the backup using bare-metal restore.
3.
Reboot the computer. Make sure the Active Directory service has started successfully.
4.3.
Active Directory database restore
If the AD database gets corrupted (on the file level, rather than on the AD logic/schema level) and AD
service on a domain controller refuses to start or crashes, several things may be done that do not
involve restoring data from the backup.
If other domain controllers are available, this domain controller may be demoted and then promoted
again using the dcpromo.exe tool. During this procedure, the data will be replicated and the AD
database will be recovered. The complexity of the entire procedure depends on whether the domain
controller is still able to start in normal mode. If it is, you can simply use the dcpromo /forceremoval
command to remove AD service from the computer. If it is not, a more complex procedure is required
–
detailed instructions can be found in Microsoft KB articles
http://support.microsoft.com/kb/332199/ and http://support.microsoft.com/kb/258062.
If no other domain controllers are available, the data needs to be restored from a backup. One of the
ways to do this is to restore the domain controller completely – like in the scenario described in
