Challenge
Application-aware image processing must be enabled and working, as Microsoft requires, in order to functionally restore a DC from backup. Please refer to this Microsoft page for more information:
https://technet.microsoft.com/en-us/library/d2cae85b-41ac-497f-8cd1-5fbaa6740ffe(v=ws.10)#backup_and_restore_considerations_for_virtualized_domain_controllers
Since Active Directory implements multi-master replication, where multiple domain controllers sync changes with each other, one of the key challenges is the DC recovery process. This article outlines the different DC restore scenarios, explains when and why each type of restore is required, and gives instructions on the manual steps needed to properly recover a DC from a backup created with Veeam B&R.
Before going into details, it is worth stressing that by default Veeam B&R performs an automated non-authoritative restore of the domain controller, and in most cases where you need to recover a failed DC an authoritative restore is not required.
The following situations are possible:
- Restoring single lost DC in a multi-DC environment
- Restoring entire AD infrastructure (AKA “all DC’s are lost”)
- Restoring from Active Directory corruption
Depending on the scenario, different steps (or no steps at all) are required to perform DC restore. All of the scenarios assume application-aware image processing was enabled in the backup job that backed up the DC being restored.
Solution
Restoring entire AD infrastructure (AKA “all DC’s are lost”)
As mentioned above, the automatic recovery process performs a non-authoritative restore, where the DC reboots and starts looking for other DC’s to sync up with. However, in a scenario where all DC’s are gone, there are no other partners available and replication may take quite long (15-30 minutes) to start. To avoid wasting time attempting to contact replication partners, it is recommended to restore the primary domain controller, power it on, wait for it to reboot, and force it to become authoritative for SYSVOL so that it can start replicating. Restoring the other DC’s is then the same as in the previous scenario, i.e. 100% automatic.
Note: During the restore procedure, make sure the restored DC’s DNS records point to available DNS servers (i.e. to itself).
The procedure for designating a DC as authoritative for SYSVOL varies based on whether FRS or DFS-R is used for SYSVOL replication. To determine whether FRS or DFS-R is used for SYSVOL in the production environment, check the value of the HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DFSR\Parameters\SysVols\Migrating Sysvols\LocalState registry subkey. If this registry subkey exists and its value is set to 3 (ELIMINATED), DFS-R is being used. If the subkey does not exist, or if it has a different value, FRS is being used.
Once you have determined which method is being used for SYSVOL replication, perform the following to designate the restored DC as authoritative:
For DFS-R:
1. When booted the second time, navigate to the HKLM\System\CurrentControlSet\Services\DFSR registry key, create a subkey named Restore and, inside it, create a string value named SYSVOL with the data authoritative.
This value is read by the DFSR service. If it is not set, the SYSVOL restore is performed non-authoritatively by default.
2. Navigate to HKLM\System\CurrentControlSet\Control\BackupRestore, create a subkey named SystemStateRestore and, inside it, create a string value named LastRestoreId with any GUID as its data (example: 10000000-0000-0000-0000-000000000000).
3. Restart DFSR service.
For FRS:
1. When booted the second time, navigate to the HKLM\System\CurrentControlSet\Services\NtFrs\Parameters\Backup/Restore\Process at Startup registry key and set the BurFlags value to 000000D4 (hex) or 212 (dec).
This effectively forces the Domain Controllers still using the old FRS technology to start the replication in an authoritative mode. More details about FRS recovery.
2. Restart the NTFRS service.
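The LocalState check described above and both authoritative-marking procedures (DFS-R and FRS), combined into one added PowerShell example. This script is not part of the Veeam KB; it assumes it is run from an elevated PowerShell session on the restored DC after its second boot, and it writes a freshly generated GUID to LastRestoreId instead of the fixed example value shown in the steps. The function names are the example's own.

```powershell
# Added example, not part of the Veeam KB. Detects whether SYSVOL is replicated by FRS or
# DFS-R (via the LocalState value the KB names) and applies the matching registry changes
# to mark this restored DC authoritative for SYSVOL. Run elevated on the restored DC.

function Get-SysvolReplicationMethod {
    # LocalState = 3 (ELIMINATED) means the FRS-to-DFS-R migration completed, so DFS-R owns SYSVOL.
    # A missing key or any other value means FRS is still in use.
    $path  = 'HKLM:\SYSTEM\CurrentControlSet\Services\DFSR\Parameters\SysVols\Migrating Sysvols'
    $state = (Get-ItemProperty -Path $path -Name LocalState -ErrorAction SilentlyContinue).LocalState
    if ($state -eq 3) { 'DFSR' } else { 'FRS' }
}

function Set-DfsrSysvolAuthoritative {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    $restoreKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\DFSR\Restore'
    $ssrKey     = 'HKLM:\SYSTEM\CurrentControlSet\Control\BackupRestore\SystemStateRestore'
    if ($PSCmdlet.ShouldProcess('DFSR service', 'mark SYSVOL authoritative and restart')) {
        New-Item -Path $restoreKey -Force | Out-Null
        New-ItemProperty -Path $restoreKey -Name SYSVOL -PropertyType String -Value 'authoritative' -Force | Out-Null
        New-Item -Path $ssrKey -Force | Out-Null
        # Any GUID string is accepted; a fresh one cannot collide with a marker left by an earlier restore.
        New-ItemProperty -Path $ssrKey -Name LastRestoreId -PropertyType String `
            -Value ([guid]::NewGuid().ToString()) -Force | Out-Null
        Restart-Service -Name DFSR -Force
    }
}

function Set-FrsSysvolAuthoritative {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    # The key name contains a forward slash ("Backup/Restore"), which the PowerShell registry
    # provider treats as a path separator, so the .NET registry API is used for this key.
    $subKey = 'SYSTEM\CurrentControlSet\Services\NtFrs\Parameters\Backup/Restore\Process at Startup'
    if ($PSCmdlet.ShouldProcess('NtFrs service', 'set BurFlags = 0xD4 (authoritative) and restart')) {
        $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($subKey, $true)
        if ($null -eq $key) { throw "Registry key HKLM\$subKey not found; is the NtFrs service installed?" }
        try {
            # 0xD4 = 212 decimal, the value the KB gives for an authoritative FRS restore
            $key.SetValue('BurFlags', 0xD4, [Microsoft.Win32.RegistryValueKind]::DWord)
        } finally {
            $key.Close()
        }
        Restart-Service -Name NtFrs -Force
    }
}

function Invoke-SysvolAuthoritativeRestore {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    $method = Get-SysvolReplicationMethod
    Write-Verbose "SYSVOL replication method detected: $method"
    switch ($method) {
        'DFSR' { Set-DfsrSysvolAuthoritative }
        'FRS'  { Set-FrsSysvolAuthoritative }
    }
}

# Dot-source this file, then preview the change with:  Invoke-SysvolAuthoritativeRestore -WhatIf
# and apply it with:                                   Invoke-SysvolAuthoritativeRestore -Verbose
```

Because every function supports ShouldProcess, -WhatIf from the entry point propagates into the nested calls, so the detected method and the intended registry change can be reviewed before anything is written. After the service restart, confirm the result on the DC before restoring the remaining DC's: for DFS-R check that the Restore\SYSVOL value is present, and in both cases check the SYSVOL share is published again.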
Notes:
• If you’re restoring a DC without certain FSMO roles, you might want to transfer them to it manually after the restore, using the ntdsutil seize command.
• This type of restore is similar to what Veeam B&R performs automatically when restoring DC within SureBackup isolated virtual lab.
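An added example for the FSMO note above, not part of the Veeam KB: instead of the ntdsutil seize sequence it uses the ActiveDirectory module's Move-ADDirectoryServerOperationMasterRole cmdlet with -Force, which seizes rather than transfers. It assumes the RSAT ActiveDirectory module is available and the session runs with the rights needed for the roles in question (Domain Admin for domain roles, Enterprise Admin and Schema Admin for the forest roles); the function names and the DC01 sample name are the example's own.

```powershell
# Added example, not part of the Veeam KB. Lists the FSMO roles the restored DC does not
# currently hold and seizes them onto it. Equivalent to the ntdsutil seize steps, but scriptable.
Import-Module ActiveDirectory

function Get-MissingFsmoRoles {
    param([Parameter(Mandatory)][string]$DcName)   # short host name, e.g. DC01 (assumed sample)
    $domain = Get-ADDomain
    $forest = Get-ADForest
    # Current role holders, keyed by the role names Move-ADDirectoryServerOperationMasterRole expects
    $holders = [ordered]@{
        PDCEmulator          = $domain.PDCEmulator
        RIDMaster            = $domain.RIDMaster
        InfrastructureMaster = $domain.InfrastructureMaster
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
    }
    # Holder attributes are FQDNs; compare on the host label only
    foreach ($role in $holders.Keys) {
        $holderHost = ($holders[$role] -split '\.')[0]
        if ($holderHost -ne $DcName) { $role }
    }
}

function Invoke-FsmoSeize {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([Parameter(Mandatory)][string]$DcName)
    $roles = @(Get-MissingFsmoRoles -DcName $DcName)
    if ($roles.Count -eq 0) {
        Write-Verbose "$DcName already holds all five operations master roles"
        return
    }
    if ($PSCmdlet.ShouldProcess($DcName, "seize roles: $($roles -join ', ')")) {
        # -Force turns the transfer into a seize: the previous holder is not contacted.
        Move-ADDirectoryServerOperationMasterRole -Identity $DcName -OperationMasterRole $roles -Force -Confirm:$false
    }
}

# Preview:  Invoke-FsmoSeize -DcName DC01 -WhatIf
# Apply:    Invoke-FsmoSeize -DcName DC01 -Verbose
```

Seize only roles whose previous holder is permanently gone; a DC that was seized from must never be brought back online into the same domain, since two DCs would then claim the same role. Get-MissingFsmoRoles can also be run on its own after any DC restore as a quick check of where the roles currently sit.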
The Following should be removed from KB 2119:
For VM’s that use DFS-R (Server 2008 domain functional level and higher), follow this Microsoft article:
http://technet.microsoft.com/en-us/library/cc816897(WS.10).aspx
For VM’s that use the File Replication Service (Server 2003 domain functional level), this is done by setting BurFlags in the registry:
http://support.microsoft.com/kb/290762
More Information
How to recover a Domain Controller: Best practices for AD protection (Part 2)
Veeam recovery of a domain controller
Active Directory backup and recovery with Veeam
Recovering Your Active Directory Forest
Windows Server - How to Perform an Authoritative Restore of Active Directory Object
Restoring The SYSVOL (Non-)Authoritatively When Either Using NTFRS Or DFS-R (Part 1)
Restoring The SYSVOL (Non-)Authoritatively When Either Using NTFRS Or DFS-R (Part 2)
Restoring The SYSVOL (Non-)Authoritatively When Either Using NTFRS Or DFS-R (Part 3)