PKI Disaster Recovery: Backing Up and Restoring AD Objects
In my last blog posting I covered viewing PKI related Active Directory Objects. In this blog post, I am going to cover the steps necessary to backup and recover AD Objects. The group responsible for Active Directory in your organization should have the capabilities to both back up and restored Active Directory objects. However, I wanted to cover the steps involved for those who may not be familiar with the process. This description of backing up and restoring Active Directory objects covers the steps to perform a backup and restore using the built in back up tools in Windows Server 2012. If your domain controllers are hosted on an older OS the steps will be slightly different.
The process for Restore is called an Authoritative Restore. When you restore a domain controller from a backup and do not perform an authoritative restore it will simply replicate the current state of Active Directory from other Domain Controllers. To ensure the object you want to restore is not overwritten, and is instead replicated out to other domain controllers, an Authoritative Restore needs to be performed. An Authoritative Restore effectively increases the USN number of the object forcing it to be replicated out to other domain controllers instead of being overwritten.
Installing Windows Server Backup
Before backing up Active Directory you first need to install the Windows Server Backup feature. To start the installation of Windows Server Backup go to the Manage menu in Server Manager and select Add Roles and Features.
When the Add Roles and Feature Wizard opens, click Next.
On the Installation Type page, click Next.
On the Server Selection page, ensure the proper server is selected and click Next.
On the Server Roles page of the wizard, click Next.
On the Features page, select Windows Server Backup and click the Next button.
On the Confirmation page, click Install.
On the Results page, click Close.
Now that you have Windows Server Backup installed, you can open it by selecting the Tools menu in Server Manager, and selecting Windows Server Backup.
Backing Up Active Directory
Once the Windows Server Backup management console opens select Local Backup and then select Backup Schedule…
On the Getting Started page of Backup Schedule Wizard, click the Next button.
On the Select Backup Configuration page, select Custom.
On Select Items for Backup page, click Add Items.
Select System State and click OK.
Then click Next.
On Specify Backup Type, select the appropriate backup schedule, and click Next.
On the Specify Destination Type, select the appropriate Destination and click Next.
In my case I have selected a local disk, so I am going to select the appropriate disk, and clicked Next.
Since I selected a local disk, it is letting me know that it will reformat the drive.
On the Confirmation page select Finish.
Then on the Summary page of the wizard click Close.
Oops, I “accidentally” deleted my FourthCoffee Computer certificate template. So, now let me Authoritatively Restore the template to recover it .
Restoring AD Objects
So the first step is to boot one of the domain controllers that have been backed up in Directory Services Repair Mode. In order to do this I reboot the Server. As the Server is booting up I press F8 to bring up the Advanced Boot Options menu. On the Advanced Boot Options menu I select Directory Services Repair Mode.
I then have to log onto the Domain Controller with the DSRM password.
Once logged into the Domain Controller, you will need to start Windows Server Backup. From the Actions pane, I select Recover…
Since, in my scenario I backed up to a local drive, I select This server on the Getting Started page of the Recovery Wizard, then I click Next.
I select the appropriate backup on the Select Backup Date, and click Next.
On the Select Recovery Type page, I select System state, and click Next.
On the Select Location for System State Recovery page, I click Next.
I acknowledge the warning by click OK.
On the Confirmation page, I click Recover.
I acknowledge the warning by clicking Yes.
After restoring the backup I boot in DSRM mode.
I login to the Domain Controller with the DSRM password.
After I login I am prompted that the system state restore finished successfully.
I know need to authoritatively restore the FourthCoffee Computer template.
- So, I open a command prompt and type ntdsutil, and press Enter.
- Then I type activate instance ntds.
- Then in order to enter Authoritative Restore mode, I type authoritative restore and press Enter.
- Then to restore the object, I type restore object and then the DN of the object. Specifically, I type restore object CN=FourthCoffeeComputer,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=FourthCoffee,DC=com.
When prompted I click Yes to continue the Authoritative Restore.
The restore completes successfully.
After the restore, I rebooted the Domain Controller and my FourthCoffee Computer template was now available.
In this blog posting I covered the steps necessary to backup up a Domain Controller. I also covered the steps necessary to restore an AD Object that is deleted. In this scenario I restored a Certificate Template that was accidentally deleted.