How to prepare other DCs when doing an Active Directory Authoritative Restore

I have 2 Domain Controllers. I recently used Windows System Backup to restore the system state on the PDC, restoring the Active Directory. I checked the authoritative checkbox. Up came a message box that said:

The File Replication Service (FRS) engine was used when the backup was created. Stop the replication engine on other Active Directory domain controllers in the domain and configure them for non-authoritative recovery before proceeding. Do you want to continue?

I just clicked yes and continued. I have done it several times over the years with no apparent problems, but I'm getting nervous.

How do you:

1) Stop the replication engine on an Active Directory domain controller

2) Configure it for non-authoritative recovery

Thanks
MikeBroderick asked:

Patrick Bogers, Datacenter platform engineer, Lindows, commented:
How to do a non-authoritative restore, according to TechNet:

1) Stop the FRS service.
2) Restore the backed-up data to the SYSVOL folder.
3) Configure the BurFlags registry key by setting the value of the following registry key to the DWORD value D2:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NtFrs\Parameters\Backup/Restore\Process at Startup\BurFlags
4) Restart the FRS service.

When the FRS service is restarted, the following actions occur:
• The value of the BurFlags registry key is reset to zero.
• Files in the reinitialized FRS folders are moved to a pre-existing folder.
• Event 13565 is logged in the FRS event log to signal that a non-authoritative restore has started.
0

DrDave242 commented:
Be aware that selecting this checkbox does not perform an authoritative restore of Active Directory objects (i.e., the process you'd perform if you're trying to recover a deleted object). It performs an authoritative restore of SYSVOL. If that's what you want to do, then Patrick's answer is correct (you'd perform those steps on your other DCs).

More information about this option can be found here.
0
Steve commented:
It is worth requesting more info here, as it may affect our advice, but the notes above are certainly valid.

1) Stop the replication engine on an Active Directory domain controller
Stop the FRS service on all DCs.
2) Configure it for non-authoritative recovery
Follow the steps noted above. Also noted in this good guide with screenshots:
http://kpytko.pl/active-directory-domain-services/authoritative-sysvol-restore-frs/

Please consider advising on the following if you'd like more advice on the overall situation:
• Why you chose to restore from backup. What was wrong?
• Why you didn't utilise the AD/SYSVOL on your working DC instead of restoring from backup? Was that not working?
0

Mahesh, Architect, commented:
Basically, the error is saying that before proceeding with the recovery operation, you should stop the File Replication Service on the other DC.

Then do the authoritative restore on the PDC the way you are doing, by selecting the checkbox.

After that, on the other DC set the BurFlags registry value to D2 and start the File Replication Service.

By following the above steps, you are telling the other DCs to pick up SYSVOL data from the restored DC.

If you don't follow the steps mentioned above, the other DC will be able to replicate its SYSVOL data to the restored DC, and basically the purpose of restoring SYSVOL authoritatively gets defeated.
You have not faced issues as of now because you have only two DCs, and SYSVOL must be healthy on both servers.

Finally, as Steve already rightly asked, why are you restoring AD from backup when you have two DCs?

You should use ntdsutil authoritative restore after the initial restoration of the system state backup only if you have accidentally deleted any AD objects and you want to recover those from backups
OR
maybe your DC OS got corrupted; then, instead of formatting the entire OS and building a new DC (most of the time that is the wise option), you could simply restore the system state backup non-authoritatively so that the latest AD updates will get fetched on the restored DC from the other healthy, up-to-date DC.

Otherwise there is no need to restore AD from backup when you have multiple DCs, unless your AD got badly corrupted and nobody is able to log on to AD. This is a very rare case, and that process is called forest recovery.
0
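Patrick's TechNet steps and Mahesh's restatement describe the same procedure on the partner DC(s): stop FRS, set BurFlags to D2, restore the PDC authoritatively, restart FRS. The following PowerShell is an added example, not code from the thread or from TechNet, that scripts that procedure on one partner DC with the checks a practitioner would want before trusting the result. It assumes an elevated session on a Windows Server 2012 R2 DC whose SYSVOL is still replicated by FRS (the message in the question says FRS was in use), that the FRS event log is named 'File Replication Service', and that the D2 value in the TechNet text is hexadecimal (0xD2). The .NET Registry class is used because the 'Backup/Restore' key name contains a forward slash that the PowerShell registry provider treats as a path separator; the dfsrmig check and the Read-Host pause are this example's own additions.

```powershell
# Added example (not from the thread or TechNet): non-authoritative FRS restore
# of SYSVOL on a PARTNER domain controller, i.e. every DC except the one whose
# system state is being restored with the authoritative checkbox.
# Assumptions: elevated PowerShell on a 2012 R2 DC that still replicates SYSVOL
# with FRS, and the FRS event log is named 'File Replication Service'.

# The 'Backup/Restore' subkey contains a forward slash, which the PowerShell
# registry provider treats as a path separator, so the .NET Registry class is used.
$burKey  = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NtFrs\Parameters\Backup/Restore\Process at Startup'
$burName = 'BurFlags'
$D2      = 0xD2   # non-authoritative: this DC discards its SYSVOL copy and pulls from a partner
$D4      = 0xD4   # authoritative: this DC becomes the source; never set on a partner in this procedure

# 0) Refuse to run if SYSVOL has already been migrated to DFSR: BurFlags is FRS-only.
$migState = (& dfsrmig.exe /getglobalstate 2>&1) -join ' '
if ($migState -match 'Eliminated') {
    throw 'SYSVOL replication is DFSR on this domain; the FRS BurFlags procedure does not apply.'
}

# 1) Stop the replication engine.
Stop-Service -Name NtFrs -Force -ErrorAction Stop
(Get-Service -Name NtFrs).WaitForStatus('Stopped', [TimeSpan]::FromSeconds(60))

# 2) Mark this DC for non-authoritative recovery.
$before = [Microsoft.Win32.Registry]::GetValue($burKey, $burName, $null)
[Microsoft.Win32.Registry]::SetValue($burKey, $burName, $D2, [Microsoft.Win32.RegistryValueKind]::DWord)
Write-Host ('BurFlags was {0}, now 0x{1:X}' -f $before, $D2)

# 3) Perform the authoritative system state restore on the PDC while FRS is stopped here.
Read-Host 'Restore the PDC now (authoritative SYSVOL), then press Enter to restart FRS on this DC'

# 4) Restart FRS and verify it consumed the flag.
$since = Get-Date
Start-Service -Name NtFrs -ErrorAction Stop

# FRS resets BurFlags to 0 once it has processed the restore request.
$deadline = (Get-Date).AddSeconds(90)
do {
    Start-Sleep -Seconds 5
    $after = [Microsoft.Win32.Registry]::GetValue($burKey, $burName, $null)
} while ($after -ne 0 -and (Get-Date) -lt $deadline)
if ($after -ne 0) { Write-Warning ('BurFlags still 0x{0:X}; FRS did not process the restore flag' -f $after) }

# Event 13565 = non-authoritative restore started; 13516 = SYSVOL shared again (healthy end state).
$evt = Get-WinEvent -FilterHashtable @{ LogName = 'File Replication Service'; Id = 13565, 13516; StartTime = $since } -ErrorAction SilentlyContinue
if ($evt) { $evt | Select-Object TimeCreated, Id, Message | Format-List }
else      { Write-Warning 'No 13565/13516 logged yet; re-check the FRS event log before trusting SYSVOL on this DC' }
```

Run it on each DC other than the one being restored; the restored DC is the only place D4 (or the backup tool's authoritative checkbox) belongs, and setting D2 on the source as well would leave no authoritative copy. The dfsrmig check matters on 2012 R2 because a domain that has completed SYSVOL migration to DFSR ignores BurFlags entirely.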
MikeBroderick (Author) commented:
I should point out that the DCs are Windows 2012 R2, in case it makes a difference. I should also say that I don't work with AD/DC very often, though I have had 2 DCs since Windows 2000/2003 SBS.

Please verify that to stop the FRS service, on the other DC I run the command net stop ntfrs. Then I set the registry setting to D2 (BurFlags, not authoritative). Then restore the system state as I have done. Then on the other DC run net start ntfrs. I will try it this weekend.

Thanks for the info DrDave, I will read over it this weekend.

I would like advice on the overall situation, please. The reason I restore the system state is that sometimes I have problems with AD/DC. Please note that the problems occurred some time ago and I don't totally remember what was wrong. I created a problem by restoring (vSphere Deploy OVA) the 2 test DCs in a test environment. Neither system shows SYSVOL or NETLOGON.
0
DrDave242 commented:
Please verify that to stop the FRS service, on the other DC I run the command net stop ntfrs. Then I set the registry setting to D2 (BurFlags, not authoritative). Then restore the system state as I have done. Then on the other DC run net start ntfrs. I will try it this weekend.
That is the correct procedure. However...

Neither systems show SYSVOL or NETLOGON.
This may indicate a problem that won't be resolved with this procedure. Check the SYSVOL directory on the DC that you're restoring system state on. Is there anything in there? If not, this procedure won't accomplish much in terms of getting SYSVOL working again.
0
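DrDave's caveat is the one that decides whether the BurFlags procedure is worth running at all: if the SYSVOL tree is empty on the DC you intend to restore from, a D2/D4 cycle replicates nothing useful, and Mike's report that neither DC shows SYSVOL or NETLOGON points the same way. The following PowerShell is an added example, not from the thread, that gathers the facts a practitioner would want from each DC before touching BurFlags: which replication engine is running, whether the SYSVOL and NETLOGON shares are published, whether the SYSVOL tree has any content, and what FRS has logged recently. It assumes an elevated session on a 2012 R2 DC with the SmbShare module, the default SYSVOL location under %SystemRoot%, and the FRS event log name 'File Replication Service'; the event IDs other than 13565 (13516, 13508, 13568) are well-known FRS IDs added here, not taken from the thread.

```powershell
# Added example (not from the thread): SYSVOL/NETLOGON health check for one DC,
# to run on each DC before deciding on a BurFlags restore.
# Assumptions: elevated PowerShell on a 2012 R2 DC (SmbShare module present),
# default SYSVOL location, FRS event log named 'File Replication Service'.

$domain    = (Get-CimInstance -ClassName Win32_ComputerSystem).Domain
$domainDir = Join-Path $env:SystemRoot ('SYSVOL\sysvol\' + $domain)

# 1) Which replication engine is present and running? Only one of NtFrs/DFSR should own SYSVOL.
Get-Service -Name NtFrs, DFSR -ErrorAction SilentlyContinue |
    Select-Object Name, Status, StartType | Format-Table -AutoSize

# 2) Are the shares published? Without SYSVOL/NETLOGON, clients cannot fetch GPOs or logon scripts.
$shareNames = (Get-SmbShare -ErrorAction SilentlyContinue).Name
foreach ($name in 'SYSVOL', 'NETLOGON') {
    if ($shareNames -contains $name) { "share $name : present" } else { "share $name : MISSING" }
}

# 3) Is there anything in the SYSVOL tree? An empty tree on the DC you intend to
#    restore from means a D2/D4 cycle will replicate nothing useful.
if (Test-Path -Path $domainDir) {
    $files    = @(Get-ChildItem -Path $domainDir -Recurse -File -ErrorAction SilentlyContinue)
    $policies = @(Get-ChildItem -Path (Join-Path $domainDir 'Policies') -Directory -ErrorAction SilentlyContinue)
    '{0}: {1} files, {2} Group Policy folders' -f $domainDir, $files.Count, $policies.Count
} else {
    "$domainDir does not exist on this DC"
}

# 4) Recent FRS verdicts. 13516 = SYSVOL shared (healthy); 13508 = cannot replicate with partner;
#    13568 = journal wrap (needs a BurFlags restore); 13565 = non-authoritative restore started.
Get-WinEvent -FilterHashtable @{ LogName = 'File Replication Service'; Id = 13516, 13508, 13568, 13565 } `
             -MaxEvents 10 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { ($_.Message -split "`n")[0] } } |
    Format-Table -AutoSize
```

Compare the output from both DCs. If one DC has a populated Policies folder and the other has nothing, that populated DC is the only sensible authoritative source regardless of which one holds the PDC role; if both are empty, a restore from backup into the SYSVOL folder has to come before any BurFlags change, as step 2 of the TechNet procedure says.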
MikeBroderick (Author) commented:
I'm sorry, I should answer your questions:

• Why you chose to restore from backup. what was wrong?
I don't know what else to do. AD is not working. I'm getting messages saying, for instance, "Global catalog can't connect to Active Directory." Administrative Tools > AD Sites and Services says it can't contact AD.

• Why you didn't utilise the AD/SYSVOL on your working DC instead of restoring form backup? was that not working?
Because I don't know how.
0
Mahesh, Architect, commented:
I created a problem by restoring (VSphere Deploy OVA) the 2 test DCs in a test environment. Neither systems show SYSVOL or NETLOGON

Have you restored snapshots or restored the system state?
0
MikeBroderick (Author) commented:
I have not restored the system state yet. I put it back into the problem state.
0
Mahesh, Architect, commented:
Sorry, I am unable to understand what you are trying to do.

What problem are you facing with AD? Do you have the problem in the production environment, or are you talking about the test environment, and what problem are you trying to reproduce?
0
MikeBroderick (Author) commented:
Thank you all for your help. Each response gave me new info to process. I will add that setting the BurFlags to B4 worked this time. In previous attempts it didn't. Again, thanks.
0