Active Directory objects go missing. Well-meaning administrators have accidents. Not-so-well-meaning administrators cause havoc. Occasionally, ailing hardware or a management tool run amok causes widespread corruption throughout the directory. The oldest technique for dealing with such problems is called an “Authoritative Restore”. In the past, this process involved restoring the System State of a domain controller. If your domain controllers are virtualized and you’re using a hypervisor-level backup tool like Altaro, restoring just the System State is not an option. Fortunately, that doesn’t stop you.
What is Active Directory Authoritative Restore
Active Directory is, at its core, a database. In Windows NT 4.0 and earlier, the domain had a single writeable copy of the database which lived on a designated Primary Domain Controller (PDC). All other domain controllers were set as Backup Domain Controllers (BDC). Changes could only be made directly to the PDC, which would then send copies out to all the BDCs. Damage in this environment almost always meant a restore of the PDC.
When Windows 2000 Server brought us Active Directory, the database became “multi-master”. Every domain controller was writable (until the introduction of the Read-Only Domain Controller in 2008, which is effectively a BDC). Now that any domain controller can process a directory update, multiple domain controllers can potentially make contradictory updates to the same object. To address this, Active Directory has a conflict resolution technique that involves local Update Sequence Numbers and activity timestamps. During replication, domain services use this information to determine which change was made most recently; except for object deletion, the newest change prevails. You can read more about the process in this TechNet article.
With this model in mind, the non-authoritative restore is easiest to understand. It brings back the database on a domain controller in the state that it was in at the time of the backup. If at least one replication cycle has passed since that backup occurred, the other domain controllers have already processed the USNs on the restored DC’s objects, so the restored data is simply superseded by their newer changes. The purpose of a non-authoritative restore is mainly to repair a domain controller that has become damaged in some way without rebuilding it entirely.
In comparison, an authoritative restore marks the entire Active Directory database or specific objects in a way that causes them to override any other replication changes in the directory. In case you’re curious, that method does not involve any high-tech solutions. The domain controller simply says, “I’m going to add a gigantic number to my local USN so that there’s just no way anyone else has a higher one!” Whatever we might think of that, it gets the job done. Domain services can use this technique to recover deleted items, repair a completely corrupted Active Directory topology, or return an incorrectly modified object to an earlier state.
Authoritative Restore in a Single Domain Controller Environment
When there is only one domain controller, any restore is authoritative. It has no replication partners, so no conflicting USNs exist. Restoring a domain controller virtual machine from backup (or just its system state) recovers the NTDS.DIT file that contains the database in its entirety. Without any incoming replication activity carrying newer information, all changes made after the backup was taken are simply lost.
The quick version: if your environment has only one domain controller, then your standard restore process will return you to the functional state as of the most recent backup. You do not need to perform any special steps to make the data “authoritative”.
The implication: if a multi-domain controller environment has suffered catastrophic loss, corruption, or failure – such as ransomware – then you might get the best results from a complete teardown.
1. Take down all running domain controllers.
2. Choose a backup for one domain controller that held a global catalog and restore it.
3. Seize FSMO roles as necessary.
4. Clean out all records of all other domain controllers from the restored domain.
5. Deploy new domain controllers into the restored domain.
6. Once you have sufficient operational domain controllers to ensure success in continued rollouts, delete/decommission all of the previous domain controllers.
The single restored DC will act as a seed for the replanting of your domain. You will not need to do anything “authoritative”.
Take note that step one says to “take down” those old domain controllers, not demolish them. If you encounter any problems during steps 2-4, you’ll want to have something available as a fallback.
Active Directory Recycle Bin
Your first, best option for recovering deleted Active Directory objects is the Active Directory Recycle Bin. This was introduced without much fanfare in Windows Server 2008 R2. Many administrators still haven’t heard of it today. Some only learn of it after they need it, which is not helpful because it is disabled by default. It doesn’t entirely save you from the need to perform an Active Directory restore, though, because it can only restore deleted items. If you just want to undo a change, it can’t help. If your directory has suffered corruption or other catastrophic failures, it likely can’t help with that, either.
If you are reading this for information purposes and haven’t yet enabled your AD recycle bin, you might want to think about doing that now.
Active Directory Recycle Bin in 2008/R2. Remember that these operating systems have passed end-of-life and using them to operate your organization’s directory constitutes an extreme security risk.
Active Directory Recycle Bin in 2012+. 2012 and later are functionally the same, but they provide a user interface to make it a bit smoother.
Of course, I wrote this article for those times that the AD Recycle Bin won’t help you. Let’s move along to that.
How to Perform an Authoritative Restore of Active Directory Using Altaro VM Backup
As I mentioned in the opening text, you can restore the entire directory or individual objects. There is only one point of deviation between the two tasks, so I will show you everything in a single list of steps. Take care to choose the correct option or you’ll have a fully restored database when you may not want one. Also, I’m showing how to do this with the Hyper-V version of Altaro VM Backup. It works just as well on VMware. The difference will be in the cleanup routine.
The nice thing about performing domain restore in a virtual environment is that you can do it a lot more safely and quickly than you can in a physical environment. I did some testing with the old system state restore steps, and that took over three hours with my hardware. On the same systems using Altaro VM Backup, I was able to perform the same process in less than an hour. Since I’m assuming you have much better hardware than my test lab, you can probably do all this in a half-hour or less.
Prerequisites
Before you can start, you need to know the Distinguished Name (DN) of the object that you want to restore. This is a fancy term that means “the entire LDAP form of the object”, sort of like a fully-qualified DNS name, only in LDAP. If you don’t know this but can guess at it, go ahead and try these steps. If you have never used the LDAP name structure before, then it’s time for a crash course; don’t worry, it’s fairly simple. There are several two-character type labels: CN for Canonical Name (in Active Directory Users and Computers, this is the Name field as it appears in the list), OU for Organizational Unit, and DC for each separate component of the domain name. The different components are separated by commas. They are ordered like DNS, which means that they appear in the exact opposite order of the way you drill down to them in ADUC. For example, my non-administrative user account in my lab in LDAP format is:
CN=Eric Siron,OU=Users: Standard,DC=sironic,DC=life
Now that you’ve seen the “hard way”, PowerShell provides a simpler way. A few examples:
Get-ADUser 'eric'
Get-ADOrganizationalUnit -Filter 'Name -like "*Human Resources*"'
Get-ADGroup 'Research'
If you use a valid identity, each of these returns an object whose properties are listed, the first of which is the DistinguishedName.
You can pipe to select if you want to narrow it down to that property right away.
Of course, this won’t show you the name of a deleted object (because it’s deleted), but you can run it on the most similar object that you know of to get the pattern. If you just don’t know the object, the instructions below show how to find it.
Aside from that and a good backup, you don’t need anything else. It’s very nice to have the Directory Services Repair/Restore Mode password for the domain controller that you’ll be working with, but the directions show how to get around not having it.
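As an added example that is not part of the original article, the following PowerShell ties together the two prerequisites above and the Recycle Bin section: it pulls the DistinguishedName of live objects (using the article’s sample identities), rebuilds the original DN of deleted objects from their tombstones, and reports whether the AD Recycle Bin is enabled (in which case Restore-ADObject is the faster path). It assumes the RSAT ActiveDirectory module; the “Eric*” and “Human Resources” patterns are constructed.

```powershell
# Added example, not the article's code. Assumes the ActiveDirectory RSAT module is installed.
Import-Module ActiveDirectory

# 1. DNs of live objects, narrowed straight to the DistinguishedName property.
Get-ADUser 'eric'   | Select-Object -ExpandProperty DistinguishedName
Get-ADGroup 'Research' | Select-Object -ExpandProperty DistinguishedName
Get-ADOrganizationalUnit -Filter 'Name -like "*Human Resources*"' |
    Select-Object Name, DistinguishedName

# 2. Deleted objects no longer appear in ADUC, but their tombstones are still queryable.
#    A tombstone keeps lastKnownParent, so the original DN can be rebuilt from it and
#    the object's name, which is exactly the string that "restore object" needs.
#    Assumes CN-named objects (users, groups, computers); an OU would use "OU=".
$deleted = Get-ADObject -Filter 'isDeleted -eq $true -and Name -like "Eric*"' `
    -IncludeDeletedObjects -Properties lastKnownParent, whenChanged, objectClass

foreach ($obj in $deleted) {
    # Tombstone names look like "Eric Siron<LF>DEL:<guid>"; keep the part before the line feed.
    $originalName = ($obj.Name -split "`n")[0]
    [pscustomobject]@{
        OriginalDN = "CN=$originalName,$($obj.lastKnownParent)"
        Class      = $obj.objectClass
        DeletedAt  = $obj.whenChanged   # the deletion is the last change stamped on a tombstone
    }
}

# 3. The Recycle Bin is off by default. If it is on, the tombstone is a fully recoverable
#    deleted object and Restore-ADObject avoids the whole authoritative-restore procedure.
$rb = Get-ADOptionalFeature -Filter 'Name -like "Recycle Bin Feature"'
if ($rb.EnabledScopes.Count -gt 0) {
    Write-Host 'AD Recycle Bin is enabled; try Restore-ADObject -Identity <ObjectGUID> first.'
} else {
    Write-Host 'AD Recycle Bin is disabled; proceed with the authoritative restore.'
}
```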
1. Open Altaro VM Backup and go to the Restore tab on the lower left. Expand that and click Restore VM as Clone.
2. In the center pane, check the box for the location that contains the restore data and click Next.
3. Choose the virtual domain controller that you want to restore. Click Next.
4. The software will scan the location for viable backups. Once that completes, select which version of the VM to restore. If you don’t have a copy that pre-dates the deletion, then there isn’t anything else you can do. If there is, choose it.
5. Here, we encounter the first point of deviation. If you want, you can stop and delete the original DC and then restore this with the same name. I chose to restore a clone instead. I strongly recommend that you do the same: use the power of virtualization any time you can. This allows the domain controller to stay online for the maximum possible amount of time which gives you plenty of breathing room if you need to guess. It ensures that you don’t have to rebuild backup jobs or anything else that refers to the VM by GUID. If you clone and can’t find the object or anything else goes wrong in the clone, then the worst-case scenario is that the object just isn’t recovered. Whatever you choose to do, you must check the box near the bottom to Disable network card or you’ll have all kinds of horrible problems that are much worse than a little IP conflict. I will list the rest of these directions as though you are working from a clone. After you accept the options on this screen, the restore proceeds.
6. You can follow the progress of the restore on the dashboard.
7. Once Altaro VM Backup creates your clone VM, your next step depends on whether you have access to the Directory Services Restore/Repair Mode password for this domain controller. If you have it and you have the DN of the object(s) to recover – good job! Jump to step 8 (booting the clone into Directory Services Repair Mode). Otherwise, be happy that you didn’t attach the restored VM to the network and follow these substeps:
- Connect to the VM’s console and boot it up normally. Log in as a domain administrator using an account/password combination that was valid when the backup was taken.
- Remember how I said I could help you find the DN of the deleted item(s)? Well, you’re working with a copy of the AD database as it was when this backup was taken and it’s not replicating since it can’t connect to any other DCs. Go ahead and poke around in Active Directory Users and Computers or PowerShell until you get the name(s) of the object(s) that you’re looking for. If you’re working in PowerShell, you can even copy/paste the DN to a text file that you save right on that system for easy copy/paste access later.
- Open an elevated command or PowerShell prompt.
- Type ntdsutil and press Enter.
- Type set dsrm password and press Enter.
- Type reset password on server null and press Enter. You actually type the word “null”. If you’d rather type the actual hostname instead, that works too.
- You’ll be prompted to enter the new password twice. Try to remember it this time. The domain admin password might be what’s wrecked next time.
- Type quit and press Enter twice.
- Shut down the VM and proceed to step 8.
8. Open the restored VM’s console directly and power it on. Start pressing F8 as soon as the Hyper-V splash appears. If done correctly, you’ll be greeted with a boot options menu where you’ll want to select Directory Services Repair Mode (Directory Services Restore Mode in earlier versions). If you’re not lucky and miss it, first be really happy that you didn’t allow it to connect to the network. Second, go to step 8.1.
- If you can’t get F8 to work, allow the domain controller to boot and log in with a domain administrator account.
- At an elevated prompt, type bcdedit /set safeboot dsrepair and press [Enter].
- Type shutdown /r /t 0 and press [Enter].
9. When the machine boots up in Directory Services Repair Mode, you cannot log in as a regular domain administrator. You need to change the user name that you log in with. On the 2012+ GUI, click the white back arrow with the white circle around it, then click Other User. I believe that, on 2008 R2 and earlier, the user name field was there for you to type into, but feel free to leave a comment to correct me. On Windows Server Core, press [ESC] twice to get to the user selection field and select Other user. In the username field, type “Administrator” (the local DSRM account, not a domain account). For the password, use your DSRM password.
10. When the system boots, you’ll know all is as it should be if it has the old all-black background with Safe Mode emblazoned on it.
11. Open an elevated command prompt (Core starts with one) and type the following:
- ntdsutil
- activate instance ntds
- authoritative restore
12. What you do next depends on what you want to restore.
- To restore the entire database, type: restore database. Confirm with OK. You can’t do anything else here, so proceed to step 13 (or shut the VM down and go back to step 1 if you didn’t mean to restore the whole database).
- To restore a single object (not an OU), use its Distinguished Name: restore object "CN=Eric Siron,OU=Standard,DC=sironic,DC=life" You can keep typing lines to restore multiple objects. You can also proceed to sub-step 3 if you need to restore OUs. Note that encapsulating the name in single quotes instead of double quotes will cause syntax errors.
- To restore an OU: restore subtree "OU=Users: Service Accounts,DC=siron,DC=int"
13. It will first ask if you’re sure, then you should see some cryptic output such as the following that includes the word “Successfully” at least once. If not, either you mistyped something or the object is not in this backup set.
14. Type quit until you get back to the command prompt. Shut down the VM with shutdown /s /t 0.
15. Pause here and take stock. If you followed me straight through, then you have an active, running copy of the domain controller without the deleted object. You have an offline clone of the same domain controller that contains an authoritative copy of the object(s) that you want. There is at least one other functioning domain controller. If you don’t have all these things, then STOP. Do not proceed until you have an offline domain controller with an authoritative copy of the items to restore and one other domain controller.
16. Perform a graceful shutdown of the original non-clone domain controller. It should replicate any pending information before shutting down, but feel free to use Active Directory Sites and Services to force it to replicate before shutting down if you like.
17. Replace the live VM’s virtual hard disks with those of the clone. For Hyper-V, it’s a quick process using Hyper-V Manager and Windows Explorer that you can probably figure out on your own (remove the old, add the new). I don’t work with VMware enough to be able to give you its process, but as I recall, it isn’t difficult either. Here are PowerShell versions for Hyper-V:
- First, run Get-VMHardDiskDrive -VMName svdc01 and keep the output on-screen (by not closing the window) or copy it to notepad (which works just fine even in Core/Hyper-V Server). You need to know the ControllerType, ControllerNumber, ControllerLocation, and Path. If the Path is truncated, run Get-VMHardDiskDrive -VMName svdc01 | select ControllerType, ControllerNumber, ControllerLocation, Path | fl.
- Detach the hard drives from the VM: Get-VMHardDiskDrive -VMName svdc01 | Remove-VMHardDiskDrive.
- Rename the file(s) that you detached (use the items from step 1), ex: ren 'C:\LocalVMs\Virtual Hard Disks\svdc01_os.vhdx' svdc01_os.vhdx.prerestore
- Copy in the same file(s) from the restored VM, ex: cp 'C:\AltaroRestored\svdc1 (30-08-2015 04h39m23 Clone)*.vhdx' 'C:\LocalVMs\Virtual Hard Disks'
- Using the information from step 1, attach the restored file(s) to the VM: Add-VMHardDiskDrive -VMName svdc01 -ControllerType SCSI -ControllerNumber 0 -ControllerLocation 0 -Path 'C:\LocalVMs\Virtual Hard Disks\svdc1_os.vhdx'
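The five sub-steps above, carried out as one script (an added example, not the article’s own commands): it records each disk’s controller slot, refuses to run against a powered-on VM, validates that a matching clone disk exists before changing anything, and reattaches each disk at exactly the slot it came from. It runs on the Hyper-V host; the VM name, clone folder and the assumption that the clone kept the original file names are constructed from the article’s lab and must be adjusted.

```powershell
# Added example, not the article's code. Run on the Hyper-V host after step 16.
$VMName   = 'svdc01'
$CloneDir = 'C:\AltaroRestored\svdc1 (30-08-2015 04h39m23 Clone)'  # where Altaro placed the clone's disks (constructed)
$Suffix   = '.prerestore'                                          # kept copy of the pre-restore disk

# Safety check: never swap the disks of a running VM.
$vm = Get-VM -Name $VMName
if ($vm.State -ne 'Off') { throw "$VMName is $($vm.State); shut it down gracefully before swapping disks." }

# Sub-step 1: record controller type/number/location and path for every attached disk.
$disks = Get-VMHardDiskDrive -VMName $VMName |
    Select-Object ControllerType, ControllerNumber, ControllerLocation, Path
$disks | Format-List | Out-String | Write-Host

# Validate first: a missing clone file must abort before any disk is detached or renamed.
foreach ($d in $disks) {
    $cloneVhd = Join-Path $CloneDir (Split-Path $d.Path -Leaf)   # assumes clone kept original names
    if (-not (Test-Path $cloneVhd)) { throw "No clone disk at $cloneVhd; nothing has been changed." }
}

foreach ($d in $disks) {
    $leaf     = Split-Path $d.Path -Leaf
    $cloneVhd = Join-Path $CloneDir $leaf

    # Sub-step 2: detach this disk from the live VM.
    Get-VMHardDiskDrive -VMName $VMName -ControllerType $d.ControllerType `
        -ControllerNumber $d.ControllerNumber -ControllerLocation $d.ControllerLocation |
        Remove-VMHardDiskDrive

    # Sub-step 3: keep the pre-restore disk under a new name as the fallback.
    Rename-Item -Path $d.Path -NewName ($leaf + $Suffix)

    # Sub-step 4: copy the clone's authoritative disk in under the original path.
    Copy-Item -Path $cloneVhd -Destination $d.Path

    # Sub-step 5: reattach at the recorded controller slot so the guest sees no change.
    Add-VMHardDiskDrive -VMName $VMName -ControllerType $d.ControllerType `
        -ControllerNumber $d.ControllerNumber -ControllerLocation $d.ControllerLocation -Path $d.Path
}
Write-Host "Disks swapped for $VMName; pre-restore disks kept with suffix $Suffix."
```

If you forced Directory Services Repair Mode on the clone with bcdedit in step 8.1, that setting lives on the disk you just swapped in, so the live VM will boot into DSRM again in step 18 until you clear it with bcdedit /deletevalue safeboot.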
18. Turn the original virtual machine on. Allow it to boot normally. Verify that the item(s) that you recovered look as you expect. You can force replication to get the changes out quickly if you’d like.
If everything is as you expect, get rid of the clone. The disks that it came with and the backup files that you created are mostly harmless, but they should still be removed as soon as you’re certain that everything is OK.
Check Your Work
After the restored domain controller has been replicated, check other domain controllers for the restored object(s). You can repeat this entire process if you need to retrieve other items.
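A scripted version of this check, added here as an example rather than taken from the article: it optionally pushes replication from the restored DC, then asks every domain controller in the domain for the recovered object and lists any that do not have it yet. It assumes the RSAT ActiveDirectory module and repadmin; the DN and DC name are the article’s lab values.

```powershell
# Added example, not the article's code. Assumes RSAT ActiveDirectory module and repadmin.exe.
Import-Module ActiveDirectory
$RestoredDN = 'CN=Eric Siron,OU=Users: Standard,DC=sironic,DC=life'   # object recovered in step 12
$RestoredDC = 'svdc01'                                                # DC now carrying the authoritative copy

# Optional: push the change out now instead of waiting for the replication schedule.
# /A all partitions, /d identify partners by DN in output, /e cross site boundaries, /P push from this DC.
repadmin /syncall $RestoredDC /AdeP | Out-Null

# Ask each DC directly (-Server) so that the answer is not served from a random partner.
$results = foreach ($dc in Get-ADDomainController -Filter *) {
    try {
        $obj = Get-ADObject -Identity $RestoredDN -Server $dc.HostName -Properties whenChanged
        # whenChanged is stamped locally when each DC applies the change, so small differences are normal.
        [pscustomobject]@{ DC = $dc.HostName; Present = $true;  WhenChanged = $obj.whenChanged }
    } catch [Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException] {
        [pscustomobject]@{ DC = $dc.HostName; Present = $false; WhenChanged = $null }
    }
}
$results | Format-Table -AutoSize

$missing = $results | Where-Object { -not $_.Present }
if ($missing) {
    Write-Warning "Object not yet present on: $($missing.DC -join ', '). Check repadmin /showrepl before repeating the procedure."
} else {
    Write-Host "Restored object present on all $($results.Count) domain controllers."
}
```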
These instructions take time to follow and any work on domain services can be harrowing. Go slowly and deliberately, always remembering that you gain more time with careful work done slowly than with hurried mistakes.
3 thoughts on "How To Use Altaro VM Backup for an Authoritative Restore"
Hi Eric,
Thank you very much for this detailed description. We just had to perform this for some accidentally deleted users on a 2012 R2 DC.
There is one tiny part missing in step 8. You need to add the command “activate instance ntds” before the authoritative restore…
Thanks again and best regards
Michael
Hi Michael, glad to hear it helped you out!
I didn’t have to enter that command that I recall, but I’ll add it to the notes. Thanks for the tip!