System Admin Guide to Active Directory Backup and Recovery
1. System Admin Labs Sample
1 | Page By: MUHAMMAD IQBAL
Types of Backup
1- System Backup Or Active Directory Backup
2- Additional Domain Controller (ADC)
3- Active Directory Recycle bin
1- Active Directory Backup & Recovery
Requirements for Backup
Active Directory must already exist
The "Windows Server Backup" feature must be installed
Taking a backup of AD takes approximately 30-40 min
A dedicated hard disk or other media is needed for the backup
Why do we need an AD / system backup?
Let's suppose we have a lot of objects in AD, for example 100 OUs, where each OU has 1000 users and
2000 policies. What happens if a disaster strikes? To recover from it we need a backup, either of the
whole directory or a partial backup, from which we can restore after the disaster.
Note: it is recommended to take the backup on a different hard disk or another system, not on the same drive.
Advantages of AD backup
Recover deleted objects
Recover crashed system
How to take an AD backup
There are two (2) ways to create a system backup: GUI and CMD.
Whether we use the GUI or cmd, the following window will open
This means we need to install one feature before we start the backup. The feature is called "Windows
Server Backup".
How to install that feature via GUI and CMD
Once you have installed this feature, you can see the types of backup under "Windows Server Backup" in the
action bar at the top right.
Types of Backup in the GUI
We first learn how to create a backup in the GUI, then we will do the same process via CMD
Backup once option
The next window will be
Next, select the location where you want to save this backup
On the next screen you can select the location
Once you press "Next", an error message appears
This means the backup drive is in the same system, which is not recommended, and that is why this
message appears. You can still back up onto the same drive.
When you press YES, the next window is the last option before the backup starts
After this the backup will start
But as I mentioned earlier, we only wanted to discuss and learn how to take the backup in the GUI.
That is very simple, so we now try to learn how to back up via CMD.
Backup schedule option
Here we set the time frame according to the requirements
Because we don't have a dedicated hard drive, we select the 2nd option
When we add the destination
This is how we create the different types of backup using the GUI.
Create system state or AD backup using CMD
Similarly, to create a backup from cmd we have to install the "Windows Server Backup" feature, which is
already installed here.
On the server command line we type this command
This command lists some more commands which can be used here.
For the backup we need the "start systemstatebackup" command
When we type this command, it shows an error and asks for the target location where you want this
backup to go.
It even shows the exact syntax for this command (read the example on the last line)
When we press "yes", the backup starts. It takes approximately 30-40 min.
The backup has finished
While the backup is running
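The feature install and the one-time system state backup described above, as an added PowerShell example (not code from the lab guide). It assumes Windows Server 2008 R2, an elevated PowerShell session on the DC, a second disk mounted as D: as the backup target, and the 2008 R2 Server Manager feature name Backup-Features for "Windows Server Backup" (an assumption; check Get-WindowsFeature on your build).

```powershell
# Added example, not from the lab guide: install Windows Server Backup and take a
# one-time system state backup with wbadmin, the same operation the guide runs
# interactively with "wbadmin start systemstatebackup".
Import-Module ServerManager

# Backup-Features is the 2008 R2 name for "Windows Server Backup Features"
# (assumed here; verify with Get-WindowsFeature on the server).
$feature = Get-WindowsFeature Backup-Features
if (-not $feature.Installed) {
    Add-WindowsFeature Backup-Features -IncludeAllSubFeature | Out-Null
}

# The guide shows the GUI warning when the target is the same system drive;
# this script turns that warning into a hard stop.
$target = 'D:'
if ($target -eq $env:SystemDrive) {
    throw "Backup target $target is the system drive; use a dedicated disk or share."
}
if (-not (Test-Path $target)) {
    throw "Backup target $target is not reachable."
}

# -quiet suppresses the Y/N confirmation the guide answers by hand.
& wbadmin start systemstatebackup -backupTarget:$target -quiet
if ($LASTEXITCODE -ne 0) {
    throw "wbadmin returned exit code $LASTEXITCODE; check the Backup event log."
}

# Confirm a backup version now exists on the target.
& wbadmin get versions -backupTarget:$target
```

Running the same script from a scheduled task gives the "backup schedule" option of the GUI without the wizard; the exit-code check is what tells the task whether the backup actually completed.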
Real life Scenarios for Backup and Recovery
Scenario #1 (to see the solution go to page #20)
Let's suppose that while the backup is in progress, we add something in AD
Add one OU (mkt)
And some users in that OU
The scenario is: when we restore, we will check whether these new objects are included in this backup
Let's suppose our system has crashed, we have this backup, and we created some OUs and users
during the backup
Now we learn how to restore this backup using the GUI or CMD
Restore the system from Backup
Very important: to restore the backup we need to boot into Active Directory safe mode (DSRM)
During installation of Active Directory Domain Services (AD DS), you set the Administrator password
for logging on to the server in DSRM. When you start Windows Server 2008 R2 in DSRM, you must
log on by using this DSRM password for the local Administrator account
The following slide shows, if we recall the installation of Active Directory, that
this password is required before you can enter DSRM (Directory Services Restore Mode)
Let's suppose we have forgotten that password. Is this password recoverable or not?
Yes, it is recoverable: this password is kept by "NTDS", so we have to run "ntdsutil" at the
command prompt.
Recover DSRM Password - On DC normal mode
Now we will reset the password for DSRM.
We can get some help by typing "?"
Here we use this option (command) to reset the DSRM password
How to get help on using this option
Now we use the proper command "reset password on server %s"; as we can see, it says "Use NULL
for local machine"
Note: the DSRM password goes in the "null" folder/database, while users' passwords go to the "SAM" database.
So we type null after the command
It prompts for the new password
We can see that the password has been reset.
The next prompt is again "reset DSRM admin password"; we have to exit from this prompt.
You can restart a domain controller in DSRM manually by pressing the F8 key during domain
controller startup
Here we can see that we can't access Active Directory; we have to use the reset password to
access DSRM. Select DSRM (Directory Services Restore Mode)
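The ntdsutil reset and the reboot into DSRM, as an added PowerShell example (not code from the lab guide). It assumes Windows Server 2008 R2, an elevated session on the DC itself, and that the operator types the new password at ntdsutil's interactive prompts; the bcdedit safeboot flag is an alternative to pressing F8 and must be cleared again after the restore.

```powershell
# Added example, not from the lab guide: reset the DSRM administrator password with
# ntdsutil on a running DC, then make the DC boot into DSRM on its next restart.

# ntdsutil accepts its menu commands as arguments. "null" selects the local machine,
# matching the "Use NULL for local machine" help text the guide quotes. The new
# password is typed at the interactive prompt, so it never lands in the command
# line or the PowerShell history.
& ntdsutil "set dsrm password" "reset password on server null" "quit" "quit"

# Boot into DSRM without F8: dsrepair is the safe-boot value for Directory Services
# Restore Mode. Clearing the value later is mandatory, otherwise the DC keeps
# booting into DSRM and AD DS never starts.
function Enable-DsrmBoot {
    & bcdedit /set safeboot dsrepair | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "bcdedit could not set safeboot dsrepair" }
}

function Disable-DsrmBoot {
    & bcdedit /deletevalue safeboot | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "bcdedit could not clear safeboot" }
}

Enable-DsrmBoot
Restart-Computer -Confirm
# Inside DSRM, log on as .\Administrator with the password set above. When the
# restore work is done run:  Disable-DsrmBoot; Restart-Computer
```

The local account is specified as .\Administrator at the DSRM logon screen; the domain Administrator password does not work there because AD DS is not running, which is exactly the situation the next slides show.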
We have to log in without the DC administrator account, using the reset DSRM password instead.
We are now in DSRM (Directory Services Restore Mode) and can recover
Restore the Backup
Before we start recovery of the backed-up AD, make sure this backup is available on the D: drive
This verifies that we are in safe mode, where we can't access any service(s).
In the GUI we can see that
Here we can see that the backup is available; now we can recover by using this utility.
It shows the available backups and the time when each was taken
We have to select the one we want (in case multiple backups are available)
Here we can select what we want: either the whole drive or individual folders
Once we press Recover, the restoration will start.
Restore Backup using Command Prompt
Use the appropriate command
This means we first have to check the available versions of the backup.
Here we used the command "wbadmin get versions" to list the available versions; as we can see, the
backup time and date are shown.
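The command-line restore, as an added PowerShell example (not code from the lab guide). It assumes Windows Server 2008 R2 booted into DSRM, the backup on D:, and that "wbadmin get versions" prints one "Version identifier: MM/DD/YYYY-HH:MM" line per backup, which the script parses to pick the newest version.

```powershell
# Added example, not from the lab guide: choose the newest system state backup on D:
# and restore it with wbadmin, the command-line counterpart of the GUI recovery.
$target = 'D:'

# Parse the "Version identifier:" lines of "wbadmin get versions" into DateTime values.
function Get-BackupVersions {
    param([string]$BackupTarget)
    $out = & wbadmin get versions -backupTarget:$BackupTarget
    $versions = @()
    foreach ($line in $out) {
        if ($line -match 'Version identifier:\s*(\S+)') {
            $id = $Matches[1]
            $versions += New-Object PSObject -Property @{
                Id   = $id
                Time = [datetime]::ParseExact($id, 'MM/dd/yyyy-HH:mm', $null)
            }
        }
    }
    return $versions
}

$versions = Get-BackupVersions -BackupTarget $target
if ($versions.Count -eq 0) { throw "No backups found on $target" }

# Sort by real time rather than by the text of the identifier.
$latest = ($versions | Sort-Object Time)[-1]
Write-Host "Restoring system state version $($latest.Id) taken $($latest.Time)"

# Non-authoritative restore: after the reboot the DC accepts any newer changes from
# its replication partners, so objects created after the backup are not rolled back
# on the other DCs. -quiet skips the confirmation prompt.
& wbadmin start systemstaterecovery -version:$($latest.Id) -backupTarget:$target -quiet
if ($LASTEXITCODE -ne 0) { throw "wbadmin recovery failed with exit code $LASTEXITCODE" }

# Clear the DSRM boot flag if it was set with bcdedit, then reboot into normal mode.
& bcdedit /deletevalue safeboot | Out-Null
Restart-Computer -Confirm
```

Check the restore result after the reboot with "wbadmin get status" and the Backup channel of the event log before trusting the directory again.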
Create Additional Domain Controller
Requirements to create an ADC
i. Install another Server 2008 R2
ii. Create Active Directory, i.e. run dcpromo, using the existing forest
iii. Assign the ADC an IP address and the DNS IP of the main server (DC), so it can join the DC
iv. Transfer all the DC's FSMO roles to the ADC, one by one
Let's suppose we have installed Server 2008 R2 on another system and have installed Active Directory.
After that
iii. Assign an IP and the DC's IP as DNS on the ADC
iv. Run dcpromo on the ADC
Here, try to understand the statement "add a domain controller to an existing domain": here
add = additional. This means the system already has one domain controller, and now we need another
one, which will be the additional domain controller.
Remember: we already have a DC that also holds the forest, which is why the DC has all 5 roles; the ADC
will join the existing forest
Here it clearly asks for the name of the forest where the installation will occur. When you press
"Set" it will ask for the administrator password
It will show the main server (DC) name
There should be only one DNS server (which is server1), but we can create a separate DNS server for load
balancing. Also, there should be only one global catalog in a network
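Steps iii and iv of the ADC procedure (network settings, then dcpromo into the existing domain), as an added PowerShell example that is not code from the lab guide. It assumes Windows Server 2008 R2 on the new server, an elevated session, the domain name corvit.com from the guide, and constructed addresses: the existing DC/DNS at 192.168.1.10, the ADC at 192.168.1.11/24 with gateway 192.168.1.1 on an adapter named "Local Area Connection". The [DCInstall] keys are the documented dcpromo unattend keys for a replica DC.

```powershell
# Added example, not from the lab guide: configure the new server's IP/DNS to point
# at the existing DC, confirm it can find the domain, and run dcpromo unattended
# as an additional domain controller ("add a domain controller to an existing domain").
$Domain  = 'corvit.com'
$DcDnsIp = '192.168.1.10'          # constructed: existing DC and DNS server
$AdcIp   = '192.168.1.11'          # constructed: address for the ADC
$Gateway = '192.168.1.1'           # constructed
$Nic     = 'Local Area Connection' # constructed adapter name

# Step iii: static IP for the ADC and the DC as its DNS server.
& netsh interface ip set address name="$Nic" source=static addr=$AdcIp mask=255.255.255.0 gateway=$Gateway
& netsh interface ip set dns name="$Nic" source=static addr=$DcDnsIp

# Check that DNS can locate a DC for the domain before touching dcpromo; a wrong DNS
# server is the most common reason the wizard cannot contact the domain.
$srv = & nslookup -type=SRV "_ldap._tcp.dc._msdcs.$Domain" 2>$null
if (-not ($srv -match 'svr hostname')) {
    throw "No DC SRV record for $Domain via $DcDnsIp; fix DNS before running dcpromo."
}

# Step iv: unattended dcpromo. ReplicaOrNewDomain=Replica is the "existing domain"
# choice; Password=* makes dcpromo prompt for the domain admin credentials.
$dsrmPassword = Read-Host 'DSRM (safe mode) administrator password'
$answer = Join-Path $env:TEMP 'adc-unattend.txt'
@"
[DCInstall]
ReplicaOrNewDomain=Replica
ReplicaDomainDNSName=$Domain
SiteName=Default-First-Site-Name
InstallDNS=Yes
ConfirmGc=Yes
CreateDNSDelegation=No
UserDomain=$Domain
UserName=Administrator
Password=*
SafeModeAdminPassword=$dsrmPassword
RebootOnCompletion=No
"@ | Set-Content -Path $answer -Encoding ASCII

try {
    & dcpromo /unattend:"$answer"
    if ($LASTEXITCODE -ne 0) { throw "dcpromo returned exit code $LASTEXITCODE" }
} finally {
    # The answer file holds the DSRM password in clear text; remove it regardless of outcome.
    Remove-Item $answer -Force -ErrorAction SilentlyContinue
}
Restart-Computer -Confirm
```

The script writes the DSRM password into the answer file only for the duration of the dcpromo run and deletes the file afterwards; keep the password itself somewhere recoverable, since the next section of the guide shows what resetting it involves.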
Once this is done we can see on server1
You will notice on startup
It shows that server2 is part of corvit.com
Furthermore, we can notice that whatever we add on server1 is now added on server2 as well, and vice
versa
We can also verify by pinging either server
Server1: pinging successfully
Server2: pinging successfully
The Additional Domain Controller is ready
Now we will transfer the FSMO roles, which are on the main server (DC), to the ADC. First we verify who
holds these FSMO roles
First we check on the DC (main server)
Here we can see that the main server (DC) holds the FSMO roles
Now we check the ADC
Here we notice that the FSMO roles are on the DC, which proves that these 5 roles are assigned to only one
holder in a forest
How to check the same things in GUI mode
On the DC
We can see both servers have GC, which means both servers hold the global catalog.
Time to transfer these FSMO roles from server (DC) to server2 (ADC)
Remember: we will do this step by step
1. Transfer the three (3) domain roles (RID, PDC and Infrastructure) first
2. Transfer the two (2) forest roles (Domain naming master and Schema master)
First we transfer the domain roles one by one, as shown in the picture
We've transferred the RID role; as you can read there, only one server in the domain performs this role
Verify
The RID role has changed from server.corvit.com to server2.corvit.com
Here we can see that the PDC role is still on server.corvit.com
After changing
Now the last one, Infrastructure
Before changing
After changing
Up to here all domain roles have been transferred from server (DC) to ADC (server2)
For verification we check the FSMO roles
On the ADC
On the DC
The Schema master and Domain naming master roles are still on server (DC)
Now we transfer the other two (2) forest roles
Again we will use the ADC computer
Note: as we noticed, when we were changing the domain roles we changed them under the "corvit.com" domain.
To change the forest roles we use "Active Directory Domains and Trusts"
On the ADC (server2)
When we pressed the "Change" button, this message appeared
Read this: it says this role is unique. Only one Active Directory domain controller can perform this role.
The additional domain controller's name appears automatically. Press Change
After changing
At last, we transfer the final role, "Schema master"
To transfer the schema role we need to run the command "regsvr32 schmmgmt.dll"
On the ADC
As we can see there is no item in this console
By default the "Schema Master" console is not available; we have to activate it using the above-mentioned
command. This command registers the schema snap-in, which we can then see in the MMC console
Go to MMC
Without the regsvr32 command it won't appear here; you have to run this command first
Add this snap-in
Now we can transfer this role from server (dc) to server2 (ADC)
An error was shown, so first we fix this error
This error occurs because DNS and the firewall are not configured
After fixing both errors
The error means the alternate DNS server has the loopback IP, which has to be removed first
Now we verify that all the roles have been transferred to server2 (ADC)
On the ADC
Here we can see that all the roles have been transferred
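The whole FSMO procedure from the "First we verify who holds these FSMO roles" check through the domain-roles-first, forest-roles-second transfer and the final verification, as an added PowerShell example (not code from the lab guide). It assumes Windows Server 2008 R2 with the Active Directory PowerShell module, a session run as a member of Domain Admins, Enterprise Admins and Schema Admins (the Schema master transfer fails without the last one), and the names from the guide: domain corvit.com, new holder server2.corvit.com.

```powershell
# Added example, not from the lab guide: list FSMO holders, transfer the three domain
# roles, then the two forest roles, and verify that every role now names the ADC.
Import-Module ActiveDirectory

$NewHolder = 'server2.corvit.com'

# The same five roles the guide checks with "netdom query fsmo", read from the
# domain and forest objects.
function Get-FsmoHolders {
    $d = Get-ADDomain
    $f = Get-ADForest
    @{
        RIDMaster            = $d.RIDMaster
        PDCEmulator          = $d.PDCEmulator
        InfrastructureMaster = $d.InfrastructureMaster
        DomainNamingMaster   = $f.DomainNamingMaster
        SchemaMaster         = $f.SchemaMaster
    }
}

Write-Host 'FSMO holders before the transfer:'
Get-FsmoHolders | Format-Table -AutoSize

# Step 1: domain roles (RID, PDC, Infrastructure), the guide's order.
Move-ADDirectoryServerOperationMasterRole -Identity $NewHolder `
    -OperationMasterRole RIDMaster, PDCEmulator, InfrastructureMaster -Confirm:$false

# Step 2: forest roles (Domain naming master, Schema master). Transferring the
# Schema master this way does not need "regsvr32 schmmgmt.dll"; that command only
# registers the MMC snap-in used for the GUI transfer.
Move-ADDirectoryServerOperationMasterRole -Identity $NewHolder `
    -OperationMasterRole DomainNamingMaster, SchemaMaster -Confirm:$false

# Verify: every role must now report the new holder. A transfer (as opposed to a
# seizure) only succeeds while the old holder is online, so a role left behind
# usually means a connectivity or DNS problem like the one the guide hit.
$after = Get-FsmoHolders
$left  = $after.GetEnumerator() | Where-Object { $_.Value -ne $NewHolder }
if ($left) {
    $left | ForEach-Object { Write-Warning "$($_.Key) is still on $($_.Value)" }
    throw 'FSMO transfer incomplete'
}
Write-Host "All five FSMO roles are now on $NewHolder"
```

The cmdlet transfers roles cooperatively, exactly like the Change button in the GUI; it never seizes a role, so it is safe to run while the original DC is still healthy, and "netdom query fsmo" on either server gives an independent second check of the result.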