AD 2003 system state restore


I'm running a daily system state backup using the built-in version of Backup Exec on a 2003 server. What I want to be able to do is, in the event of a major disaster, i.e. my building burning down and total loss of all hardware, recover my AD from tape.

Currently I run a daily backup of the system state to disk; this is then backed up to tape on a nightly basis by my backup job with the rest of my data.

My question is: if I then get a new server and load 2003 onto it, how do I then restore AD from the system state backup? I've tried simply restoring the system state onto a new box but the server crashes and won't then boot.




Brian Pierce (Photographer) commented:
In restoring a DC from backup media, it is important to note the following:

It is only necessary to restore a single DC in each domain (starting with the root domain if it's a multiple domain, parent-child structure). After the first DC is restored, bring additional DCs in using DCPromo.
In a true disaster recovery plan, you must allow for the fact that the restore will likely take place on different hardware than the original that the backup was made from. Refer to Microsoft KB article 263532 How to perform a disaster recovery restoration of Active Directory on a computer with a different hardware configuration.
Backup tapes are only useful for 60 days or whatever the Tombstone lifetime value is set to (see Microsoft KB 216993 Backup of the Active Directory Has 60-Day Useful Life). Ensure that you have a process to create backup tapes regularly, and validate and store them safely.
It is not necessary to restore a DC simply because it holds one or more FSMO roles. These roles can be seized to other DCs. If you do seize a role, then the original role holder should never come back on line (wipe and reload it).
Restoring a DC in an existing domain from a backup tape automatically makes that DC out of date by the number of days since the backup was performed. This will cause a synchronization to take place that will take longer than a normal replication update and have a bigger impact on the network since there will probably be more changes to replicate. This depends on the number of changes made since the backup tape was made.
I have worked with administrators who decided to restore a failed DC from backup tape, often with near disastrous results. In one case, two DCs failed and could only be restored using tapes from different days. It took two days to get the system working again, and we did it by doing what they should have done in the first place: manually demote the Domain Controller, clean up the AD, wait for replication, then repromote it with the same name.
It's important to note that one of the common reasons for demoting and repromoting a DC is because replication is broken. But if replication is broken then demotion via DCPromo is not going to work either. In the next issue of the Active Directory Disaster Recovery series in March, we will learn how to manually demote a DC, clean up the AD and fix applications like Exchange that get broken by a manual demotion if they are installed on the DC.
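
An added example, not part of the original answer: a small check for the point above that a system state backup is only useful while it is younger than the tombstone lifetime. The tape labels, dates and the 14-day warning margin are constructed for illustration; the 60-day default is the figure cited in the post, and a real check would read the domain's actual tombstone lifetime instead.

```python
from datetime import date

# Figure cited in the post; used when no explicit tombstone lifetime is given.
DEFAULT_TOMBSTONE_DAYS = 60

# Constructed catalog: (tape label, date the system state backup was taken).
SAMPLE_CATALOG = [
    ("TAPE-A", date(2008, 1, 2)),
    ("TAPE-B", date(2008, 2, 20)),
    ("TAPE-C", date(2008, 3, 10)),
]


def classify(backup_date, today, tombstone_days=None, warn_days=14):
    """Return 'usable', 'expiring' or 'expired' for one system state backup."""
    lifetime = tombstone_days or DEFAULT_TOMBSTONE_DAYS
    age = (today - backup_date).days
    if age < 0:
        raise ValueError("backup dated in the future; check the clock or catalog")
    # Conservative: a backup exactly as old as the lifetime is treated as expired.
    if age >= lifetime:
        return "expired"
    if age >= lifetime - warn_days:
        return "expiring"
    return "usable"


def review_catalog(catalog, today, tombstone_days=None):
    """Classify every backup and pick the newest one still safe to restore."""
    report = {label: classify(taken, today, tombstone_days)
              for label, taken in catalog}
    candidates = [(taken, label) for label, taken in catalog
                  if report[label] != "expired"]
    newest = max(candidates)[1] if candidates else None
    return report, newest


if __name__ == "__main__":
    report, newest = review_catalog(SAMPLE_CATALOG, date(2008, 4, 10))
    for label, state in report.items():
        print(label, state)
    print("restore from:", newest)
```

If `review_catalog` returns `None` as the newest backup, no tape in the rotation is inside the tombstone lifetime and the backup process itself needs attention.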
m1ker71 (Author) commented:

Thanks for responses.

KCTS - I don't think an Authoritative restore works in my scenario, i.e. I have a backup tape with a system state backup file on it. Apologies if I'm missing something?

rexerito - I agree with all of your guidelines, but how do I actually restore my AD from the system state backup file?


I recommend you have a full backup of C: and the system state.

In the event your server was lost, reload the OS on the box. Then launch your backup utility and restore the full C: and check the system state button. This will automatically restore the AD database and the registry. Additionally, because you restored the C:\windows folder, all OS updates etc. will be included.

After the restore...reboot and the server should come up and function again.

An authoritative restore is only necessary when you want something in your restore to override changes on another DC. Say you have two DCs and you accidentally delete an OU. You can do the system state restore on a DC and mark it authoritative so that replication doesn't cause the OU to be deleted again.

If you have a single DC environment, there is no reason at all to do an authoritative restore.

m1ker71 (Author) commented:
Hi PlaceboC6,

This is the direction I was going in but just needed somebody to confirm I was going the right way! Thanks for your help. Will run a test this week.


No problem.  I always view the C: Drive and System State as an unbreakable team.  If you reload the OS and then only restore the system state....that usually doesn't turn out too well.

Have a good one.