How to prepare other DCs when doing an Active Directory Authoritative Restore
I have 2 Domain Controllers. I recently used Windows System Backup to restore the system state on the PDC, restoring the Active Directory. I checked the authoritative checkbox. Up came a messagebox that said:
The File Replication Service (FRS) engine was used when the backup was created. Stop the replication engine on other Active Directory domain controllers in the domain and configure them for non-authoritative recovery before proceeding. Do you want to continue?
I just clicked yes and continued. I have done it several times over the years with no apparent problems, but I'm getting nervous.
How do you:
1) Stop the replication engine on an Active Directory domain controller
2) Configure it for non-authoritative recovery
Thanks
The File Replication Service (FRS) engine was used when the backup was created. Stop the replication engine on other Active Directory domain controllers in the domain and configure them for non-authoritative recovery before proceeding. Do you want to continue?
I just clicked yes and continued. I have done it several times over the years with no apparent problems, but I'm getting nervous.
How do you:
1) Stop the replication engine on an Active Directory domain controller
2) Configure it for non-authoritative recovery
Thanks
basically error is saying that before proceeding with recovery operation, you should stop file replication service on other DC
Then do authoritative restore on PDC the way you are doing by selecting checkbox
After that on other DC set Burgflag registry to D2 and start file replication service
By following above steps, you are telling other DCs that pickup sysvol data from restored Dc
If you don't follow steps mentioned above, other DC will be able to replicate its sysvol data to restored DC and basically the purpose of restoring sysvol authoritatively gets defeated
U have not faced issues as of now, because you have only two DCs and sysvol must be healthy on both servers
Finally as asked by steve already, rightly, why you are restoring AD from backup when you have two DCs
you should use ntdsutil authoritative restore after initial restoration of system state backup only if you have accidently deleted any AD objects and you wanted to recover those from backups
OR
may be your DC os got corrupted, then instead of formatting entire OS and building new DC (most of the times that is wise option), you could simply restore system state backup non authoritatively so tat latest AD updates will get fetched on restored DC from other healthy up to date DC
Otherwise there is no need to restore AD from backup when you have multiple DCs unless your AD got badly corrupted and nobody is able to logon to AD. This is very rare case and that process is called as forest recovery
Then do authoritative restore on PDC the way you are doing by selecting checkbox
After that on other DC set Burgflag registry to D2 and start file replication service
By following above steps, you are telling other DCs that pickup sysvol data from restored Dc
If you don't follow steps mentioned above, other DC will be able to replicate its sysvol data to restored DC and basically the purpose of restoring sysvol authoritatively gets defeated
U have not faced issues as of now, because you have only two DCs and sysvol must be healthy on both servers
Finally as asked by steve already, rightly, why you are restoring AD from backup when you have two DCs
you should use ntdsutil authoritative restore after initial restoration of system state backup only if you have accidently deleted any AD objects and you wanted to recover those from backups
OR
may be your DC os got corrupted, then instead of formatting entire OS and building new DC (most of the times that is wise option), you could simply restore system state backup non authoritatively so tat latest AD updates will get fetched on restored DC from other healthy up to date DC
Otherwise there is no need to restore AD from backup when you have multiple DCs unless your AD got badly corrupted and nobody is able to logon to AD. This is very rare case and that process is called as forest recovery
I should point out that the DCs are Windows 2012 R2, in case it makes a difference. I should also say that I don't work with AD/DC very often, though I have had 2 DCs since Windows 2000/2003 SBS.
Please verify that to stop the FRS service, on the other DC I run the command net stop ntfrs. Then I set the registry setting to D2 (Burflags, not authoritive). Then restore the system state as I have done. Then on the other DC run net start ntfrs. I will try it this weekend.
Thanks for the info DrDave, I will read over it this weekend.
I would like advice on the overall situation, please. The reason I restore the system state is that sometimes I have problems with AD/DC. Please not that the problems occurred some time ago and I don't totally remember what was wrong. I created a problem by restoring (VSphere Deploy OVA) the 2 test DCs in a test environment. Neither systems show SYSVOL or NETLOGON.
Please verify that to stop the FRS service, on the other DC I run the command net stop ntfrs. Then I set the registry setting to D2 (Burflags, not authoritive). Then restore the system state as I have done. Then on the other DC run net start ntfrs. I will try it this weekend.
Thanks for the info DrDave, I will read over it this weekend.
I would like advice on the overall situation, please. The reason I restore the system state is that sometimes I have problems with AD/DC. Please not that the problems occurred some time ago and I don't totally remember what was wrong. I created a problem by restoring (VSphere Deploy OVA) the 2 test DCs in a test environment. Neither systems show SYSVOL or NETLOGON.
Principal Support Engineer
CERTIFIED EXPERT
Please verify that to stop the FRS service, on the other DC I run the command net stop ntfrs. Then I set the registry setting to D2 (Burflags, not authoritive). Then restore the system state as I have done. Then on the other DC run net start ntfrs. I will try it this weekend.That is the correct procedure. However...
Neither systems show SYSVOL or NETLOGON.This may indicate a problem that won't be resolved with this procedure. Check the SYSVOL directory on the DC that you're restoring system state on. Is there anything in there? If not, this procedure won't accomplish much in terms of getting SYSVOL working again.
I'm sorry, I should answer your questions:
• Why you chose to restore from backup. what was wrong?
I don't know what else to do. AD is not working. I'm getting messages saying, for instance, Global catalog cant connect to active directory. Administrative tools AD Sites and Services says cant contact AD.
• Why you didn't utilise the AD/SYSVOL on your working DC instead of restoring form backup? was that not working?
Because I don't know how.
• Why you chose to restore from backup. what was wrong?
I don't know what else to do. AD is not working. I'm getting messages saying, for instance, Global catalog cant connect to active directory. Administrative tools AD Sites and Services says cant contact AD.
• Why you didn't utilise the AD/SYSVOL on your working DC instead of restoring form backup? was that not working?
Because I don't know how.
I created a problem by restoring (VSphere Deploy OVA) the 2 test DCs in a test environment. Neither systems show SYSVOL or NETLOGON
have you restored snapshots or restored system state
Gain unlimited access to on-demand training courses with an Experts Exchange subscription.
Get AccessWhy Experts Exchange?
Experts Exchange always has the answer, or at the least points me in the correct direction! It is like having another employee that is extremely experienced.
Jim Murphy
Programmer at Smart IT Solutions
When asked, what has been your best career decision?
Deciding to stick with EE.
Mohamed Asif
Technical Department Head
Being involved with EE helped me to grow personally and professionally.
Carl Webster
CTP, Sr Infrastructure Consultant
Did You Know?
We've partnered with two important charities to provide clean water and computer science education to those who need it most. READ MORE
Ask ANY Question
Connect with Certified Experts to gain insight and support on specific technology challenges including:
- Troubleshooting
- Research
- Professional Opinions