AD 2003 system state restore


I'm running a daily system state backup using the built-in version of Backup Exec on a 2003 server. What I want to be able to do, in the event of a major disaster (i.e. my building burning down and total loss of all hardware), is recover my AD from tape.

Currently I run a daily backup of the system state to disk; this is then backed up to tape on a nightly basis by my backup job with the rest of my data.

My question is: if I then get a new server and load 2003 onto it, how do I restore AD from the system state backup? I've tried simply restoring the system state onto a new box, but the server crashes and then won't boot.


PlaceboC6 Commented:
I recommend you have a full backup of C: and the system state.

In the event your server was lost, reload the OS on the box. Then launch your backup utility and restore the full C: and check the system state button. This will automatically restore the AD database and the registry. Additionally, because you restored the C:\windows folder, all OS updates etc. will be included.

After the restore...reboot and the server should come up and function again.

An authoritative restore is only necessary when you want something in your restore to override changes on another DC. Say you have two DCs and you accidentally delete an OU. You can do the system state restore on a DC and mark it authoritative so that replication doesn't cause the OU to be deleted again.

If you have a single DC environment, there is no reason at all to do an authoritative restore.
In restoring a DC from backup media, it is important to note the following:

It is only necessary to restore a single DC in each domain (starting with the root domain if it's a multiple domain, parent-child structure). After the first DC is restored, bring additional DCs in using DCPromo.
In a true disaster recovery plan, you must allow for the fact that the restore will likely take place on different hardware than the original that the backup was made from. Refer to Microsoft KB article 263532, "How to perform a disaster recovery restoration of Active Directory on a computer with a different hardware configuration".
Backup tapes are only useful for 60 days or whatever the Tombstone lifetime value is set to (see Microsoft KB 216993, "Backup of the Active Directory Has 60-Day Useful Life"). Ensure that you have a process to create backup tapes regularly and validate and store them safely.
It is not necessary to restore a DC simply because it holds one or more FSMO roles. These roles can be seized to other DCs. If you do seize a role, then the original role holder should never come back on line (wipe and reload it).
Restoring a DC in an existing domain from a backup tape automatically makes that DC out of date by the number of days since the backup was performed. This will cause a synchronization to take place that will take longer than a normal replication update and have a bigger impact on the network since there will probably be more changes to replicate. This depends on the number of changes made since the backup tape was made.
I have worked with administrators who decided to restore a failed DC from backup tape, often with near disastrous results. In one case, two DCs failed and could only be restored using tapes from different days. It took two days to get the system working again, and we did it by doing what they should have done in the first place: manually demote the Domain Controller, clean up the AD, wait for replication, then repromote it with the same name.
It's important to note that one of the common reasons for demoting and repromoting a DC is because replication is broken. But if replication is broken, then demotion via DCPromo is not going to work either. In the next issue of the Active Directory Disaster Recovery series in March, we will learn how to manually demote a DC, clean up the AD and fix applications like Exchange that get broken by a manual demotion if they are installed on the DC.
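
The 60-day limit and the advice to validate backups regularly, from the post above, turned into a check (an added example, not part of the original thread). The backup folder path and the two-day alert threshold are assumptions, and the sample timestamps are constructed.

```powershell
# Added example, not from the thread: classify a system state backup by age.
# D:\Backups\SystemState is a hypothetical path; sample dates are constructed.

function Get-TombstoneLifetimeDays {
    # tombstoneLifetime lives on the Directory Service object in the
    # configuration partition; run this from a domain-joined machine.
    $configNc = [string]([ADSI]"LDAP://RootDSE").configurationNamingContext
    $dirSvc   = [ADSI]"LDAP://CN=Directory Service,CN=Windows NT,CN=Services,$configNc"
    $value    = $dirSvc.tombstoneLifetime.Value
    # Attribute not set: fall back to the 60-day figure quoted in the thread.
    if ($null -eq $value) { 60 } else { [int]$value }
}

function Get-BackupStatus {
    param(
        [Parameter(Mandatory)] [datetime]$BackupTime,
        [int]$TombstoneLifetimeDays = 60,
        [int]$MaxJobGapDays = 2,      # assumed threshold for a missed daily job
        [datetime]$Now = (Get-Date)
    )
    $ageDays = [int][math]::Floor(($Now - $BackupTime).TotalDays)
    if ($ageDays -ge $TombstoneLifetimeDays) {
        $status = 'EXPIRED'           # older than tombstone lifetime: do not restore a DC from it
    } elseif ($ageDays -ge $MaxJobGapDays) {
        $status = 'STALE'             # usable, but the daily job has been failing
    } else {
        $status = 'OK'
    }
    [pscustomobject]@{ BackupTime = $BackupTime; AgeDays = $ageDays; Status = $status }
}

# Constructed sample: three backup timestamps judged against a fixed "now".
$now = [datetime]'2008-03-01'
foreach ($t in '2008-02-29', '2008-02-20', '2007-12-15') {
    Get-BackupStatus -BackupTime ([datetime]$t) -Now $now
}

# On a real server, use the newest .bkf and the forest's own setting:
# $newest = Get-ChildItem 'D:\Backups\SystemState' -Filter *.bkf |
#           Sort-Object LastWriteTime | Select-Object -Last 1
# Get-BackupStatus -BackupTime $newest.LastWriteTime `
#                  -TombstoneLifetimeDays (Get-TombstoneLifetimeDays)
```

The file timestamp only shows when the backup was written; it does not prove the backup restores, so a periodic test restore is still needed.
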

m1ker71 (Author) Commented:

Thanks for responses.

KCTS - I don't think an Authoritative restore works in my scenario, i.e. I have a backup tape with a system state backup file on it. Apologies if I'm missing something?

rexerito - I agree with all of your guidelines, but how do I actually restore my AD from the system state backup file?

m1ker71 (Author) Commented:
Hi PlaceboC6,

This is the direction I was going in, but I just needed somebody to confirm I was going the right way! Thanks for your help. Will run a test this week.


No problem. I always view the C: Drive and System State as an unbreakable team. If you reload the OS and then only restore the system state... that usually doesn't turn out too well.

Have a good one.