Summary
This procedure describes the steps necessary to back up and recover an entire Windows 2008 R2 forest from bare-metal backup images. The source machines can be either physical or virtual; the restored machines will be virtual. The VM technology used is VMware ESX. This example uses a forest design of an empty root domain with three child domains. We use this procedure in a Disaster Recovery test scenario where we need to re-create Active Directory at the test site.
Backup steps:
Issue the ‘wbadmin start backup’ command on the source DCs
Recovery steps:
Create a VM with no OS
Boot the new VM off the Win 2008 R2 DVD
Enter the ‘Repair your computer’ environment booted off the Win 2008 DVD
Start networking service and connect to network location containing backup image
Execute the restore via command line
Perform post-recovery steps
Backup Procedure
Establish a share on the local LAN of the DC that will receive the bare-metal backup. The share example used below is \\ADBKP.child1.root.com\ADBKP
Perform a backup on at least 1 DC from each domain in the forest, preferably 2, by issuing the following command on each DC:
wbadmin start backup -backupTarget:\\ADBKP.child1.root.com\ADBKP -allCritical -user:USERNAME -password:PASSWORD -quiet
Recovery Procedure
Prerequisites
Name of machine you will be restoring
IP of machine you will be restoring
Active Directory Restore Mode password of each DC
Windows 2008R2 iso, and iso containing recovery script available to VM guests on ESX datastore on destination ESX host
Necessary VLANs in place
Network route in place to backup files
Local user account and password to access network share containing backup files
Create the Virtual Machine Targets
Allocate appropriate vmdk Hard Drive
Allocate appropriate RAM
Place on a network that can reach the backup images
Create a CD drive and attach Windows 2008R2 iso on datastore
Create a CD drive and attach Recovery script iso on datastore
Boot in to Repair Environment
Boot target from Win 2008R2 iso or DVD
Click next at language screen
Click ‘Repair your computer’
Select “restore your computer using a system image…..” & click Next
It will be unable to find an image. Click Cancel.
Cancel the ‘Repair your computer’ screens and get to the System Recovery Options screen
Open Command Prompt
Recover Machine
In the command prompt, enter the following:
Start /w wpeinit
(This starts networking, takes a minute or two)
After the network has started enter the following command:
netsh interface ip set address "Local Area Connection" static
Authenticate to share:
Net Use Z: \\ADBKP.child1.root.com\ADBKP /user:
If DNS is not available (which it probably isn’t), substitute the IP address in place of the DNS name ADBKP.child1.root.com.
Supply the password. This will establish an authenticated session to the restore source files.
Get backup versions on share:
wbadmin get versions -backuptarget:\\ADBKP.child1.root.com\ADBKP -machine:<MACHINENAME>
Again, if DNS is not available (which it probably isn’t), substitute the IP address in place of the DNS name ADBKP.child1.root.com.
You should see output similar to the following:
wbadmin 1.0 - Backup command-line tool
(C) Copyright 2004 Microsoft Corp.
The times of the backups displayed are based on the timezone of the current
operating system you have booted into.
The timezone used currently is (GMT -08:00) Pacific Standard Time
Backup time: 1/8/2009 11:20 AM
Backup target: Network Share labeled \\server\share
Version identifier: 01/08/2009-19:20
Can Recover: Volume(s), File(s), Application(s), Bare Metal Recovery
From this we will use the Version Identifier for the next step.
Note: the next command basically wipes the drive, so be careful when you use it.
wbadmin start sysrecovery -backuptarget:\\ADBKP.child1.root.com\Restore -machine: -version: -recreatedisks -restoreallvolumes -quiet
The restore will run for a while. It will give a successful message when complete.
Don’t reboot yet. Read Post-Recovery section.
Troubleshooting
If there are problems applying the IP address run the following command to ensure the network interface names look correct:
'NetSh Interface IPv4 Show Interfaces'
Post-Recovery
Physical to Virtual restore (P2V)
If you’ve done a P2V restore, you will need to re-configure the storage controllers. You will need to edit the SYSTEM registry hive of the restored machine. Do this by locating the restored volume (It may not be C: )
Run regedt32
Highlight HKEY_LOCAL_MACHINE
File > Load Hive
[restored volume]:\Windows\System32\Config\SYSTEM
Key Name = XXX
Expand XXX\ControlSet001\services
Verify / Change the following Values:
Intelide > Start = 0
LSI_SAS > Start = 0
Msahci > Start = 3
Pciide > Start = 3
Highlight the XXX node, then File > Unload Hive
Reboot
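The registry steps above can also be run from the recovery command prompt with reg.exe before the reboot. This is an added example, not part of the original procedure; the script name and the drive-letter argument are assumptions, and XXX is the same temporary key name used above.

```batch
@echo off
rem Added example, not part of the original procedure.
rem Usage from the recovery command prompt:  fixp2v.cmd D:
rem (D: stands for the restored Windows volume; the script name is hypothetical.)
setlocal
set "VOL=%~1"
if "%VOL%"=="" (echo Usage: %~nx0 D: & exit /b 1)
set "HIVE=%VOL%\Windows\System32\Config\SYSTEM"
if not exist "%HIVE%" (echo SYSTEM hive not found: %HIVE% & exit /b 1)

rem Keep a copy of the hive so the edit can be rolled back.
copy /y "%HIVE%" "%HIVE%.pre-p2v" >nul || exit /b 1

rem Load the offline hive under the temporary key name XXX.
reg load HKLM\XXX "%HIVE%" || exit /b 1

rem Start values from the steps above: 0 = boot start, 3 = demand start.
set RC=0
call :setstart intelide 0 || set RC=1
call :setstart LSI_SAS 0 || set RC=1
call :setstart msahci 3 || set RC=1
call :setstart pciide 3 || set RC=1

rem Unloading writes the changes back to the hive file.
reg unload HKLM\XXX || set RC=1
exit /b %RC%

:setstart
set "SVC=HKLM\XXX\ControlSet001\services\%~1"
rem Only change drivers that already exist; never create a new service key.
reg query "%SVC%" /v Start >nul 2>&1 || (echo %~1: no Start value, skipped & exit /b 1)
reg add "%SVC%" /v Start /t REG_DWORD /d %~2 /f >nul || exit /b 1
reg query "%SVC%" /v Start
exit /b 0
```

A non-zero exit code means at least one driver key was missing or the hive could not be unloaded; check the printed values before rebooting.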
The machine at this point should boot into Windows. You’ll need to log in with the Built in administrator account. Active Directory is not yet fully functional.
If you’ve done a P2V restore, it’s likely you will need to re-configure the network.
If the physical machine had a network team, you’ll need to go into device manager and uninstall the virtual adapter. This is normally done by uninstalling the NIC software in Add/ Remove programs. If prompted to reboot, don’t.
Install VMtools: VM > Guest > Install / Upgrade VMtools
Reboot
Go into network adapter properties and re-add the IP info. The IP will be the machine’s original IP address. DNS servers will be 127.0.0.1 for Primary, and the IP of the PDC emulator for that machine’s domain for secondary.
Virtual to Virtual Recovery (V2V)
V2V restores normally create a new network adapter and leave a remnant of the prior one as a hidden device. This hidden adapter should be removed:
From a command prompt:
set devmgr_show_nonpresent_devices=1
start devmgmt.msc
Device manager will open. From the View pull-down menu, choose ‘show hidden devices’
Expand the network adapters node, locate the grayed-out adapter (normally has a name like vmxnet3 Ethernet Adapter). You can select the checkbox to delete the driver software.
Go into network adapter properties and re-add the IP info. The IP will be the machine’s original IP address. DNS servers will be 127.0.0.1 for Primary, and the IP of the PDC emulator for that machine’s domain for secondary.
Check Date and Time
If you’re restoring from a backup more than a few days old, you’ll need to set the BIOS clock to the day of the backup. If not, your DC will blue-screen with the message ‘Can not start directory services’
Restoring NTFRS File replication among Domain controllers
The hardware DCs holding the PDC emulator role shall be designated as the master copy of the FRS data.
Stop the File Replication service on all domain controllers.
On the hardware DCs holding the master replica (one machine from each of the 4 domains):
Start Registry Editor (Regedt32.exe).
Locate and then click the BurFlags value under the following key in the registry:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NtFrs\Parameters\Backup/Restore\Process at Startup
On the Edit menu, click DWORD, click Hex, type D4, and then click OK.
Quit Registry Editor.
Move the folders out of C:\Windows\SYSVOL\domain\NtFrs_PreExisting___See_EventLog to C:\Windows\SYSVOL\domain\
Delete the empty NtFrs_PreExisting___See_EventLog folder.
Start the File Replication Service.
Log Name: File Replication Service
Event ID: 13516
Description:
The File Replication Service is no longer preventing the computer ROOT-DC1 from becoming a domain controller. The system volume has been successfully initialized and the Netlogon service has been notified that the system volume is now ready to be shared as SYSVOL.
On the remaining DCs not designated as master replicas:
Start Registry Editor (Regedt32.exe).
Locate and then click the BurFlags value under the following key in the registry:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NtFrs\Parameters\Backup/Restore\Process at Startup
On the Edit menu, click DWORD, click Hex, type D2, and then click OK.
Quit Registry Editor.
Delete the NtFrs_PreExisting___See_EventLog folder.
Start the File Replication Service.
Type "net share" to check for the SYSVOL share.
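The BurFlags steps above as a single script, run on the master replica of each domain first (D4, the authoritative restore) and then on the remaining DCs (D2, the non-authoritative restore). This is an added example, not part of the original procedure; the script name is an assumption, and robocopy and wevtutil stand in for the manual folder move and the Event Viewer check.

```batch
@echo off
rem Added example, not part of the original procedure.
rem Usage (elevated prompt on the DC; the script name is hypothetical):
rem   frs-burflags.cmd D4    on the master replica of each domain
rem   frs-burflags.cmd D2    on every other DC
setlocal
set "FLAG=%~1"
if /i not "%FLAG%"=="D4" if /i not "%FLAG%"=="D2" (echo Usage: %~nx0 D4 or D2 & exit /b 1)
set "KEY=HKLM\SYSTEM\CurrentControlSet\Services\NtFrs\Parameters\Backup/Restore\Process at Startup"
set "DOM=C:\Windows\SYSVOL\domain"
set "PRE=%DOM%\NtFrs_PreExisting___See_EventLog"

net stop ntfrs
reg add "%KEY%" /v BurFlags /t REG_DWORD /d 0x%FLAG% /f || exit /b 1

if exist "%PRE%" (
  if /i "%FLAG%"=="D4" (
    rem Master: move the content back into SYSVOL\domain with its ACLs;
    rem /MOVE also removes the emptied source folder.
    robocopy "%PRE%" "%DOM%" /E /MOVE /SEC
    if errorlevel 8 (echo robocopy reported failures & exit /b 1)
  ) else (
    rem Non-master: the content is re-replicated from the master.
    rd /s /q "%PRE%"
  )
)

net start ntfrs || exit /b 1

rem Newest event 13516, if any; it can take a few minutes to be logged.
wevtutil qe "File Replication Service" /q:"*[System[(EventID=13516)]]" /c:1 /rd:true /f:text

rem SYSVOL should be listed once the system volume is initialized.
net share | find /i "SYSVOL" || echo SYSVOL is not shared yet
```

If event 13516 or the SYSVOL share has not appeared yet, re-run the last two commands after a few minutes instead of re-running the whole script.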