Do you wonder if your IT business is truly profitable or if you should raise your prices? Learn how to calculate your overhead burden using our free interactive tool and use it to determine the right price for your IT services. Start calculating Now!
How to prepare other DCs when doing an Active Directory Authoritative Restore
I have 2 Domain Controllers. I recently used Windows System Backup to restore the system state on the PDC, restoring the Active Directory. I checked the authoritative checkbox. Up came a messagebox that said:
The File Replication Service (FRS) engine was used when the backup was created. Stop the replication engine on other Active Directory domain controllers in the domain and configure them for non-authoritative recovery before proceeding. Do you want to continue?
I just clicked yes and continued. I have done it several times over the years with no apparent problems, but I'm getting nervous.
How do you:
1) Stop the replication engine on an Active Directory domain controller
2) Configure it for non-authoritative recovery
Thanks
The File Replication Service (FRS) engine was used when the backup was created. Stop the replication engine on other Active Directory domain controllers in the domain and configure them for non-authoritative recovery before proceeding. Do you want to continue?
I just clicked yes and continued. I have done it several times over the years with no apparent problems, but I'm getting nervous.
How do you:
1) Stop the replication engine on an Active Directory domain controller
2) Configure it for non-authoritative recovery
Thanks
Do more with
EXPERT OFFICE® is a registered trademark of EXPERTS EXCHANGE®
How to non authoritive restore according to TechNet
Stop the FRS service.
Restore the backed-up data to the SYSVOL folder.
Configure the BurFlags registry key by setting the value of the following registry key to the DWORD value D2.
HKEY_LOCAL_MACHINE\System\
Restart the FRS service.
When the FRS service is restarted, the following actions occur:
The value of the BurFlags registry key is reset to zero.
Files in the reinitialized FRS folders are moved to a pre-existing folder.
Event 13565 is logged in the FRS event log to signal that a nonauthoritative restore has started.
Stop the FRS service.
Restore the backed-up data to the SYSVOL folder.
Configure the BurFlags registry key by setting the value of the following registry key to the DWORD value D2.
HKEY_LOCAL_MACHINE\System\
Restart the FRS service.
When the FRS service is restarted, the following actions occur:
The value of the BurFlags registry key is reset to zero.
Files in the reinitialized FRS folders are moved to a pre-existing folder.
Event 13565 is logged in the FRS event log to signal that a nonauthoritative restore has started.
Be aware that selecting this checkbox does not perform an authoritative restore of Active Directory objects (i.e., the process you'd perform if you're trying to recover a deleted object). It performs an authoritative restore of SYSVOL. If that's what you want to do, then Patrick's answer is correct (you'd perform those steps on your other DCs).
More information about this option can be found here.
More information about this option can be found here.
It is worth requesting more info here as it may affect our advice, but the notes above are certainly valid.
1) Stop the replication engine on an Active Directory domain controller
Stop the FRS Service on all DCs
2) Configure it for non-authoritative recovery
Follow the steps noted above. Also noted in this good guide with screenshots.
http://kpytko.pl/active-directory-domain-services/authoritative-sysvol-restore-frs/
Please consider advising the following if you'd like more advice on the overall situation:
1) Stop the replication engine on an Active Directory domain controller
Stop the FRS Service on all DCs
2) Configure it for non-authoritative recovery
Follow the steps noted above. Also noted in this good guide with screenshots.
http://kpytko.pl/active-directory-domain-services/authoritative-sysvol-restore-frs/
Please consider advising the following if you'd like more advice on the overall situation:
Why you chose to restore from backup. what was wrong?
Why you didn't utilise the AD/SYSVOL on your working DC instead of restoring form backup? was that not working?
basically error is saying that before proceeding with recovery operation, you should stop file replication service on other DC
Then do authoritative restore on PDC the way you are doing by selecting checkbox
After that on other DC set Burgflag registry to D2 and start file replication service
By following above steps, you are telling other DCs that pickup sysvol data from restored Dc
If you don't follow steps mentioned above, other DC will be able to replicate its sysvol data to restored DC and basically the purpose of restoring sysvol authoritatively gets defeated
U have not faced issues as of now, because you have only two DCs and sysvol must be healthy on both servers
Finally as asked by steve already, rightly, why you are restoring AD from backup when you have two DCs
you should use ntdsutil authoritative restore after initial restoration of system state backup only if you have accidently deleted any AD objects and you wanted to recover those from backups
OR
may be your DC os got corrupted, then instead of formatting entire OS and building new DC (most of the times that is wise option), you could simply restore system state backup non authoritatively so tat latest AD updates will get fetched on restored DC from other healthy up to date DC
Otherwise there is no need to restore AD from backup when you have multiple DCs unless your AD got badly corrupted and nobody is able to logon to AD. This is very rare case and that process is called as forest recovery
Then do authoritative restore on PDC the way you are doing by selecting checkbox
After that on other DC set Burgflag registry to D2 and start file replication service
By following above steps, you are telling other DCs that pickup sysvol data from restored Dc
If you don't follow steps mentioned above, other DC will be able to replicate its sysvol data to restored DC and basically the purpose of restoring sysvol authoritatively gets defeated
U have not faced issues as of now, because you have only two DCs and sysvol must be healthy on both servers
Finally as asked by steve already, rightly, why you are restoring AD from backup when you have two DCs
you should use ntdsutil authoritative restore after initial restoration of system state backup only if you have accidently deleted any AD objects and you wanted to recover those from backups
OR
may be your DC os got corrupted, then instead of formatting entire OS and building new DC (most of the times that is wise option), you could simply restore system state backup non authoritatively so tat latest AD updates will get fetched on restored DC from other healthy up to date DC
Otherwise there is no need to restore AD from backup when you have multiple DCs unless your AD got badly corrupted and nobody is able to logon to AD. This is very rare case and that process is called as forest recovery
I should point out that the DCs are Windows 2012 R2, in case it makes a difference. I should also say that I don't work with AD/DC very often, though I have had 2 DCs since Windows 2000/2003 SBS.
Please verify that to stop the FRS service, on the other DC I run the command net stop ntfrs. Then I set the registry setting to D2 (Burflags, not authoritive). Then restore the system state as I have done. Then on the other DC run net start ntfrs. I will try it this weekend.
Thanks for the info DrDave, I will read over it this weekend.
I would like advice on the overall situation, please. The reason I restore the system state is that sometimes I have problems with AD/DC. Please not that the problems occurred some time ago and I don't totally remember what was wrong. I created a problem by restoring (VSphere Deploy OVA) the 2 test DCs in a test environment. Neither systems show SYSVOL or NETLOGON.
Please verify that to stop the FRS service, on the other DC I run the command net stop ntfrs. Then I set the registry setting to D2 (Burflags, not authoritive). Then restore the system state as I have done. Then on the other DC run net start ntfrs. I will try it this weekend.
Thanks for the info DrDave, I will read over it this weekend.
I would like advice on the overall situation, please. The reason I restore the system state is that sometimes I have problems with AD/DC. Please not that the problems occurred some time ago and I don't totally remember what was wrong. I created a problem by restoring (VSphere Deploy OVA) the 2 test DCs in a test environment. Neither systems show SYSVOL or NETLOGON.
Please verify that to stop the FRS service, on the other DC I run the command net stop ntfrs. Then I set the registry setting to D2 (Burflags, not authoritive). Then restore the system state as I have done. Then on the other DC run net start ntfrs. I will try it this weekend.That is the correct procedure. However...
Neither systems show SYSVOL or NETLOGON.This may indicate a problem that won't be resolved with this procedure. Check the SYSVOL directory on the DC that you're restoring system state on. Is there anything in there? If not, this procedure won't accomplish much in terms of getting SYSVOL working again.
I'm sorry, I should answer your questions:
• Why you chose to restore from backup. what was wrong?
I don't know what else to do. AD is not working. I'm getting messages saying, for instance, Global catalog cant connect to active directory. Administrative tools AD Sites and Services says cant contact AD.
• Why you didn't utilise the AD/SYSVOL on your working DC instead of restoring form backup? was that not working?
Because I don't know how.
• Why you chose to restore from backup. what was wrong?
I don't know what else to do. AD is not working. I'm getting messages saying, for instance, Global catalog cant connect to active directory. Administrative tools AD Sites and Services says cant contact AD.
• Why you didn't utilise the AD/SYSVOL on your working DC instead of restoring form backup? was that not working?
Because I don't know how.
I created a problem by restoring (VSphere Deploy OVA) the 2 test DCs in a test environment. Neither systems show SYSVOL or NETLOGON
have you restored snapshots or restored system state
Premium Content
You need an Expert Office subscription to comment.Start Free Trial