Restoring an Active Directory 2008 R2 Forest from Windows Bare-Metal Backups

Summary


This procedure describes the steps necessary to back up and recover an entire Windows 2008 R2 forest from bare-metal backup images. The source machines can be either physical or virtual; the restored machines will be virtual. The VM technology used is VMware ESX. This example uses a forest design of an empty root domain with three child domains. We use this procedure in a Disaster Recovery test scenario where we need to re-create Active Directory at the test site.
 
Backup steps:
Issue the ‘wbadmin start backup’ command on the source DCs
 
Recovery steps:
Create a VM with no OS
Boot the new VM off the Windows 2008 R2 DVD
Enter the ‘Repair your computer’ environment from the Windows 2008 R2 DVD
Start the networking service and connect to the network location containing the backup image
Execute the restore from the command line
Perform the post-recovery steps
 

Backup Procedure


Establish a share on the local LAN of the DC that will receive the bare-metal backup. The share used in the examples below is \\ADBKP.child1.root.com\ADBKP
 
Perform a backup on at least 1 DC from each domain in the forest, preferably 2, by issuing the following command on each DC:
 
wbadmin start backup -backupTarget:\\ADBKP.child1.root.com\ADBKP -allCritical -user:USERNAME -password:PASSWORD -quiet
 
-allCritical includes every volume that holds operating system state, which is what a bare-metal recovery of a DC needs. Note that the password is passed in clear text on the command line, so use an account reserved for backups whose rights are limited to the backup share.

Recovery Procedure


Prerequisites


Name of the machine you will be restoring
IP of the machine you will be restoring
Directory Services Restore Mode (DSRM) password of each DC
Windows 2008 R2 ISO, and an ISO containing the recovery script, available to VM guests on the ESX datastore of the destination ESX host
Necessary VLANs in place
Network route in place to the backup files
Local user account and password to access the network share containing the backup files

Create the Virtual Machine Targets


Allocate an appropriately sized vmdk hard drive
Allocate appropriate RAM
Place the VM on a network that can reach the backup images
Create a CD drive and attach the Windows 2008 R2 ISO on the datastore
Create a second CD drive and attach the recovery script ISO on the datastore

Boot in to Repair Environment


Boot the target from the Windows 2008 R2 ISO or DVD
Click Next at the language screen
Click ‘Repair your computer’
Select “Restore your computer using a system image…” and click Next
It will be unable to find an image. Click Cancel.
Cancel out of the Repair your computer screens to get back to the System Recovery Options screen
Open Command Prompt

Recover Machine


In the command prompt, enter the following:
start /w wpeinit
(This starts networking and takes a minute or two.)
 
After the network has started, give the interface a static address, subnet mask and default gateway:
netsh interface ip set address "Local Area Connection" static <IP> <SUBNETMASK> <GATEWAY>
 
Authenticate to the share:
net use Z: \\ADBKP.child1.root.com\ADBKP /user:<USERNAME>
 
If DNS is not available (which it probably isn’t), substitute the IP address for the DNS name ADBKP.child1.root.com.
 
Supply the password when prompted. This establishes an authenticated session to the restore source files.
 
Get the backup versions on the share:
wbadmin get versions -backupTarget:\\ADBKP.child1.root.com\ADBKP -machine:<MACHINENAME>
Again, if DNS is not available (which it probably isn’t), substitute the IP address for the DNS name ADBKP.child1.root.com.

You should see output similar to the following:
 
wbadmin 1.0 - Backup command-line tool
(C) Copyright 2004 Microsoft Corp.
 
The times of the backups displayed are based on the timezone of the current
operating system you have booted into.
The timezone used currently is (GMT -08:00) Pacific Standard Time
 
Backup time: 1/8/2009 11:20 AM
Backup target: Network Share labeled \\server\share
Version identifier: 01/08/2009-19:20
Can Recover: Volume(s), File(s), Application(s), Bare Metal Recovery
 
From this output we will use the Version identifier in the next step.
Note that -recreateDisks re-partitions the target disks and wipes whatever is on them, so double-check the machine name and version before you run the next command:
 
wbadmin start sysrecovery -version:<VERSIONID> -backupTarget:\\ADBKP.child1.root.com\Restore -machine:<MACHINENAME> -recreateDisks -restoreAllVolumes -quiet
 
The restore will run for a while and reports success when complete.
Don’t reboot yet. Read the Post-Recovery section first.
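The networking, share and wbadmin steps above, collected into one script of the kind the prerequisites say sits on the recovery ISO (added example, not the article's own script). The argument names, the `Z:` drive letter and the script name are this example's assumptions; the share path and wbadmin options are those used above.

```batch
@echo off
rem recover.cmd: added example, not the article's own recovery script.
rem Run from the WinRE command prompt opened in the previous section.
rem Arguments (names assumed for this example):
rem   %1 machine name as catalogued in the backup
rem   %2 static IP, %3 subnet mask, %4 gateway for this WinRE session
rem   %5 backup share UNC (use the IP form when DNS is down), %6 share user
rem   %7 version identifier from "wbadmin get versions" (omit to list only)
setlocal
if "%~6"=="" (
  echo usage: %~nx0 MACHINE IP MASK GATEWAY \\server\share USER [VERSION]
  exit /b 1
)
set "MACHINE=%~1"
set "TARGET=%~5"

rem 1. Start networking in WinRE; this takes a minute or two.
start /w wpeinit

rem 2. Static address. The name must match "netsh interface ipv4 show interfaces".
netsh interface ip set address "Local Area Connection" static %~2 %~3 %~4
if errorlevel 1 (echo could not set the address; check the interface name & exit /b 1)

rem 3. Authenticate to the share. net use prompts for the password, so it is
rem    never written into this script or left in the command history.
net use Z: "%TARGET%" /user:%~6
if errorlevel 1 (echo could not connect to %TARGET% & exit /b 1)

rem 4. List the versions held for this machine; stop here if none was chosen yet.
wbadmin get versions -backupTarget:%TARGET% -machine:%MACHINE%
if "%~7"=="" (
  echo Re-run with the Version identifier shown above as the last argument.
  exit /b 0
)

rem 5. Bare-metal recovery. -recreateDisks re-partitions the target disks, so
rem    everything on them is lost; -quiet suppresses the confirmation prompt.
wbadmin start sysrecovery -version:%~7 -backupTarget:%TARGET% -machine:%MACHINE% -recreateDisks -restoreAllVolumes -quiet
if errorlevel 1 (echo sysrecovery failed & exit /b 1)
echo Restore complete. Do not reboot until the post-recovery steps are done.
endlocal
```

Run it once without the version argument to read the catalogue, then again with the Version identifier it printed.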
 
Troubleshooting

 
If there are problems applying the IP address, run the following command and check that the interface name used above is correct:
netsh interface ipv4 show interfaces
 

Post-Recovery


Physical to Virtual restore (P2V)
If you’ve done a P2V restore, you will need to re-configure the storage controllers by editing the SYSTEM registry hive of the restored machine before it is rebooted. First locate the restored volume (it may not be C:).
 
Run regedt32
 
Highlight HKEY_LOCAL_MACHINE
File > Load Hive
[restored volume]:\Windows\System32\Config\SYSTEM
Key Name = XXX
Expand XXX\ControlSet001\services
Verify / change the following values:
Intelide > Start = 0
LSI_SAS > Start = 0
Msahci > Start = 3
Pciide > Start = 3
Highlight the XXX node, then File > Unload Hive
Reboot
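The same hive edit done with reg.exe from the WinRE command prompt, so it can be scripted rather than clicked through (added example, not from the article). The temporary key name XXX and the four Start values are the article's; the script name and its drive-letter argument are assumptions.

```batch
@echo off
rem p2v-storage.cmd: added example, not from the article.
rem Run from the WinRE command prompt after sysrecovery and before the first reboot.
rem %1 = drive letter of the restored Windows volume as seen in WinRE (may not be C:).
setlocal
if "%~1"=="" (echo usage: %~nx0 D: & exit /b 1)
set "HIVE=%~1\Windows\System32\Config\SYSTEM"
set "MNT=HKLM\XXX"
if not exist "%HIVE%" (echo %HIVE% not found & exit /b 1)

rem 1. Mount the restored machine's SYSTEM hive under a temporary key (the article's XXX).
reg load %MNT% "%HIVE%"
if errorlevel 1 exit /b 1

rem 2. Start values: 0 = boot start (driver loads before the system disk is needed),
rem    3 = load on demand. These are the values the article lists for an ESX guest.
set "SVC=%MNT%\ControlSet001\services"
reg add "%SVC%\intelide" /v Start /t REG_DWORD /d 0 /f
reg add "%SVC%\LSI_SAS"  /v Start /t REG_DWORD /d 0 /f
reg add "%SVC%\msahci"   /v Start /t REG_DWORD /d 3 /f
reg add "%SVC%\pciide"   /v Start /t REG_DWORD /d 3 /f

rem 3. Show the result, then unload so the hive is written back to disk before rebooting.
for %%S in (intelide LSI_SAS msahci pciide) do reg query "%SVC%\%%S" /v Start
reg unload %MNT%
endlocal
```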
 
The machine at this point should boot into Windows. You’ll need to log in with the built-in Administrator account. Active Directory is not yet fully functional.
 
If you’ve done a P2V restore, it’s likely you will need to re-configure the network.
If the physical machine had a network team, you’ll need to go into Device Manager and uninstall the virtual team adapter. This is normally done by uninstalling the NIC software in Add/Remove Programs. If prompted to reboot, don’t.
 
Install VMware Tools: VM > Guest > Install/Upgrade VMware Tools
 
Reboot
 
Go into the network adapter properties and re-add the IP info. The IP will be the machine’s original IP address. DNS servers will be 127.0.0.1 for primary, and the IP of the PDC emulator for that machine’s domain for secondary.
 
Virtual to Virtual Recovery (V2V)
V2V restores normally create a new network adapter and leave a remnant of the prior one as a hidden device. This hidden adapter should be removed:
From a command prompt:
set devmgr_show_nonpresent_devices=1
start devmgmt.msc
 
Device manager will open. From the View pull-down menu, choose ‘show hidden devices’
Expand the network adapters node, locate the grayed-out adapter (normally has a name like vmxnet3 Ethernet Adapter). You can select the checkbox to delete the driver software.
 
Go into network adapter properties and re-add the IP info. The IP will be the machine’s original IP address. DNS servers will be 127.0.0.1 for Primary, and the IP of the PDC emulator for that machine’s domain for secondary.
 
Check Date and Time
If you’re restoring from a backup more than a few days old, you’ll need to set the VM’s BIOS clock to the day of the backup. If not, your DC will blue-screen with the message ‘Can not start directory services’.
 
Restoring NTFRS File Replication among Domain Controllers


  1. The hardware DCs holding the PDC emulator role shall be designated as the master copy of the FRS data.

  2. Stop the File Replication Service on all domain controllers.

  3. On the hardware DCs holding the master replica (one machine from each of the 4 domains):

    1. Start Registry Editor (Regedt32.exe).

    2. Locate and then click the BurFlags value under the following key in the registry:
       HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NtFrs\Parameters\Backup/Restore\Process at Startup

    3. On the Edit menu, click DWORD, click Hex, type D4, and then click OK.

    4. Quit Registry Editor.

    5. Move the folders out of C:\Windows\SYSVOL\domain\NtFrs_PreExisting___See_EventLog into C:\Windows\SYSVOL\domain\

    6. Delete the empty NtFrs_PreExisting___See_EventLog folder.

    7. Start the File Replication Service. When the replica has initialised, the following event is logged:
       
      Log Name:      File Replication Service
      Event ID:      13516
      Description:
      The File Replication Service is no longer preventing the computer ROOT-DC1 from becoming a domain controller. The system volume has been successfully initialized and the Netlogon service has been notified that the system volume is now ready to be shared as SYSVOL.
       

  4. On the remaining DCs not designated as master replicas:

    1. Start Registry Editor (Regedt32.exe).

    2. Locate and then click the BurFlags value under the following key in the registry:
       HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NtFrs\Parameters\Backup/Restore\Process at Startup

    3. On the Edit menu, click DWORD, click Hex, type D2, and then click OK.

    4. Quit Registry Editor.

    5. Delete the NtFrs_PreExisting___See_EventLog folder.

    6. Start the File Replication Service.
       
      Type "net share" to check for the SYSVOL share.
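The two registry procedures above (master replica with D4, remaining DCs with D2) as one command-line script (added example, not the article's own). It assumes SYSVOL is under %SystemRoot%\SYSVOL\domain as in the article and that FRS has already been stopped on every DC (step 2); the script name and the `master`/`replica` arguments are this example's.

```batch
@echo off
rem frs-burflags.cmd: added example, not from the article. Run on each DC after
rem FRS has been stopped everywhere (step 2 above).
rem   frs-burflags.cmd master   -> BurFlags D4, authoritative, on each domain's PDC emulator
rem   frs-burflags.cmd replica  -> BurFlags D2, non-authoritative, on every other DC
rem Assumes SYSVOL is at %SystemRoot%\SYSVOL\domain as in the article.
setlocal
set "KEY=HKLM\SYSTEM\CurrentControlSet\Services\NtFrs\Parameters\Backup/Restore\Process at Startup"
set "SYSVOL=%SystemRoot%\SYSVOL\domain"
set "PRE=%SYSVOL%\NtFrs_PreExisting___See_EventLog"

if /i "%~1"=="master" (set "FLAG=D4") else if /i "%~1"=="replica" (set "FLAG=D2") else (
  echo usage: %~nx0 master ^| replica
  exit /b 1
)

rem 1. Make sure FRS is down on this DC before touching BurFlags.
net stop ntfrs >nul 2>&1

rem 2. D4: this copy of SYSVOL becomes the source. D2: re-seed from a partner.
reg add "%KEY%" /v BurFlags /t REG_DWORD /d 0x%FLAG% /f
if errorlevel 1 (echo could not set BurFlags & exit /b 1)

rem 3. The restore parks the old SYSVOL content in NtFrs_PreExisting___See_EventLog.
rem    On the master that content is the authoritative data, so move it back first;
rem    on a replica it is simply discarded.
if exist "%PRE%\" (
  if "%FLAG%"=="D4" (
    for /d %%D in ("%PRE%\*") do move /y "%%~D" "%SYSVOL%\" >nul
    for %%F in ("%PRE%\*") do move /y "%%~F" "%SYSVOL%\" >nul
  )
  rd /s /q "%PRE%"
)

rem 4. Restart FRS and confirm SYSVOL is shared; event 13516 in the
rem    File Replication Service log confirms the replica has initialised.
net start ntfrs
net share | findstr /i "SYSVOL"
endlocal
```

Run it with `master` on the designated DC in each domain first, and only then with `replica` on the others, so the D2 machines re-seed from an initialised D4 copy.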
Author: Adam Lewis
Expert Comment by Felicia King:

Per this TechNet article https://technet.microsoft.com/en-us/library/cc730683(v=WS.10).aspx FRS burflags is set by the restore operation. It's nice to know what the keys and values are. Thanks for sharing.
