Determine how to recover the forest

Applies To: Windows Server 2016, Windows Server 2012 and 2012 R2, Windows Server 2008 and 2008 R2

Recovering an entire Active Directory forest involves either restoring it from backup or reinstalling Active Directory Domain Services (AD DS) on every domain controller (DC) in the forest. Recovering the forest restores each domain in the forest to its state at the time of the last trusted backup. Consequently, the restore operation will result in the loss of at least the following Active Directory data:

  • All objects (such as users and computers) that were added after the last trusted backup
  • All updates that were made to existing objects since the last trusted backup
  • All changes that were made to either the configuration partition or the schema partition in AD DS (such as schema changes) since the last trusted backup

For each domain in the forest, the password of a Domain Admin account must be known. Preferably, this is the password of the built-in Administrator account. You must also know the DSRM password to perform a system state restore of a DC. In general, it is a good practice to archive the Administrator account and DSRM password history in a safe place for as long as the backups are valid, that is, within the tombstone lifetime period, or within the deleted object lifetime period if Active Directory Recycle Bin is enabled. You can also synchronize the DSRM password with a domain user account in order to make it easier to remember. For more information, see KB article 961320. Synchronizing the DSRM account must be done in advance of the forest recovery, as part of preparation.


The Administrator account is a member of the built-in Administrators group by default, as are the Domain Admins and Enterprise Admins groups. This group has full control of all DCs in the domain.

Determining which backups to use

Back up at least two writeable DCs for each domain regularly so that you have several backups to choose from. Note that you cannot use the backup of a read-only domain controller (RODC) to restore a writeable DC. We recommend that you restore the DCs by using backups that were taken a few days before the occurrence of the failure. In general, you must determine a tradeoff between how recent the restored data is and how safe it is. Choosing a more recent backup recovers more useful data, but it might increase the risk of reintroducing dangerous data into the restored forest.

Restoring system state backups depends on the original operating system and server of the backup. For example, you should not restore a system state backup to a different server. In this case, you may see the following warning:

"The specified backup is of a different server than the current one. We do not recommend performing a system state recovery with the backup to an alternate server because the server might become unusable. Are you sure you want to use this backup for recovering the current server?"

If you need to restore Active Directory to different hardware, create full server backups and plan to perform a full server recovery.


Beginning with Windows Server 2008, it is not supported to restore a system state backup to a new installation of Windows Server on new hardware or on the same hardware. If Windows Server is reinstalled on the same hardware, as recommended later in this guide, then you can restore the domain controller in this order:

  1. Perform a full server restore in order to restore the operating system and all files and applications.
  2. Perform a system state restore using wbadmin.exe in order to mark SYSVOL as authoritative.

For more information, see Microsoft KB article 249694.

If the time of the occurrence of the failure is unknown, investigate further to identify backups that hold the last safe state of the forest. This approach is less desirable. Therefore, we strongly recommend that you keep detailed logs about the health state of AD DS on a daily basis so that, if there is a forest-wide failure, the approximate time of failure can be identified. You should also keep a local copy of backups to enable faster recovery.

If Active Directory Recycle Bin is enabled, the backup lifetime is equal to the deletedObjectLifetime value or the tombstoneLifetime value, whichever is less. For more information, see Active Directory Recycle Bin Step-by-Step Guide (https://go.microsoft.com/fwlink/?LinkId=178657).

As an alternative, you can also use the Active Directory database mounting tool (Dsamain.exe) and a Lightweight Directory Access Protocol (LDAP) tool, such as Ldp.exe or Active Directory Users and Computers, to identify which backup has the last safe state of the forest. The Active Directory database mounting tool, which is included in Windows Server 2008 and later Windows Server operating systems, exposes Active Directory data that is stored in backups or snapshots as an LDAP server. Then, you can use an LDAP tool to browse the data. This approach has the advantage of not requiring you to restart any DC in Directory Services Restore Mode (DSRM) to examine the contents of the backup of AD DS.

For more information about using the Active Directory database mounting tool, see the Active Directory Database Mounting Tool Step-by-Step Guide.

You can also use the ntdsutil snapshot command to create snapshots of the Active Directory database. By scheduling a task to periodically create snapshots, you can obtain additional copies of the Active Directory database over time. You can use these copies to better identify when the forest-wide failure occurred and then choose the best backup to restore. To create snapshots, use the version of ntdsutil that ships with Windows Server 2008 or the Remote Server Administration Tools (RSAT) for Windows Vista or later. The target DC can run any version of Windows Server. For more information about using the ntdsutil snapshot command, see Snapshot.
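The snapshot-and-mount workflow described in the two paragraphs above (scheduled ntdsutil snapshots, then Dsamain.exe exposing a snapshot as an LDAP server), as an added PowerShell example that is not part of the original page: it registers a daily snapshot task, mounts a chosen snapshot, starts Dsamain.exe on an alternate LDAP port, and compares one object between the live directory and the snapshot. Assumed: run elevated on a writeable DC with the ActiveDirectory module available; the function names, the task name, port 51389, the default ntds.dit path and the mount-point parsing pattern are my choices.

```powershell
# Added example (not from the Microsoft page). Requires an elevated session on a
# writeable DC with the ActiveDirectory module; function and task names are assumed.
Import-Module ActiveDirectory

# 1. Daily snapshot task. ntdsutil needs SYSTEM to open the live database.
function Register-AdSnapshotTask {
    param([string]$At = '02:00')
    $action    = New-ScheduledTaskAction -Execute 'ntdsutil.exe' `
                   -Argument '"activate instance ntds" snapshot create quit quit'
    $trigger   = New-ScheduledTaskTrigger -Daily -At $At
    $principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest
    Register-ScheduledTask -TaskName 'AD-DailySnapshot' -Action $action `
        -Trigger $trigger -Principal $principal -Force
}

# 2. Mount snapshot number $Index as shown by 'ntdsutil snapshot "list all"' and
#    return the mount point parsed from the "... mounted as <path>" output line.
function Mount-AdSnapshot {
    param([int]$Index = 1)
    $out = & ntdsutil.exe snapshot 'list all' "mount $Index" quit quit 2>&1
    $m = $out | Select-String -Pattern 'mounted as (.+)$' | Select-Object -First 1
    if (-not $m) { throw "Snapshot $Index could not be mounted:`n$($out -join "`n")" }
    return $m.Matches[0].Groups[1].Value.Trim()
}

# 3. Expose the mounted ntds.dit as a read-only LDAP server on an alternate port,
#    so the snapshot can be browsed without rebooting any DC into DSRM.
function Start-AdSnapshotLdap {
    param([Parameter(Mandatory)][string]$MountPoint, [int]$Port = 51389)
    $dit = Join-Path $MountPoint 'Windows\NTDS\ntds.dit'   # default path; adjust if relocated
    if (-not (Test-Path $dit)) { throw "No ntds.dit under $MountPoint" }
    Start-Process -FilePath 'dsamain.exe' -ArgumentList "-dbpath `"$dit`" -ldapport $Port" -PassThru
}

# 4. Compare one object (by DN) between the live directory and the snapshot: a
#    whenChanged that differs, or an object present only in the snapshot, helps
#    narrow down when the damaging change happened.
function Compare-AdObjectWithSnapshot {
    param([Parameter(Mandatory)][string]$DistinguishedName, [int]$Port = 51389)
    $live = Get-ADObject -Identity $DistinguishedName -Properties whenChanged -ErrorAction SilentlyContinue
    $snap = Get-ADObject -Identity $DistinguishedName -Properties whenChanged `
                -Server "localhost:$Port" -ErrorAction SilentlyContinue
    [pscustomobject]@{
        DistinguishedName   = $DistinguishedName
        ExistsLive          = [bool]$live
        ExistsInSnapshot    = [bool]$snap
        LiveWhenChanged     = $live.whenChanged
        SnapshotWhenChanged = $snap.whenChanged
        Changed             = ([bool]$live -ne [bool]$snap) -or ($live.whenChanged -ne $snap.whenChanged)
    }
}

# Typical use (uncomment on a DC): mount snapshot 1, serve it, then compare an object.
# $mp = Mount-AdSnapshot -Index 1; Start-AdSnapshotLdap -MountPoint $mp
# Compare-AdObjectWithSnapshot -DistinguishedName 'CN=Administrator,CN=Users,DC=contoso,DC=com'
```

Stop dsamain.exe and unmount the snapshot (ntdsutil snapshot "unmount <n>") when you are done, since a mounted snapshot is a full copy of the directory and should be handled with the same care as a backup file.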

Determining which domain controllers to restore

Ease of the restore process is an important factor when deciding which domain controller to restore. It is recommended to have a dedicated DC for each domain that is the preferred DC for a restore. A dedicated restore DC makes it easier to reliably plan and execute the forest recovery because you use the same source configuration that was used to perform restore tests. You can script the recovery, and not contend with different configurations, such as whether the DC holds operations master roles or not, or whether it is a GC or DNS server or not.


While it is not recommended to restore an operations master role holder in the interest of simplicity, some organizations may choose to restore one for other advantages. For example, restoring the RID master may help prevent problems with managing RIDs during the recovery.

Choose a DC that best meets the following criteria:

  • A DC that is writeable. This is mandatory.

  • A DC running Windows Server 2012 as a virtual machine on a hypervisor that supports VM-GenerationID. This DC can be used as a source for cloning.

  • A DC that is accessible, either physically or on a virtual network, and preferably located in a datacenter. This way, you can easily isolate it from the network during forest recovery.

  • A DC that has a good full server backup. A good backup is a backup that can be restored successfully, was taken a few days before the failure, and contains as much useful data as possible.

  • A DC that was a Domain Name System (DNS) server before the failure. This saves the time required to reinstall DNS.

  • If you also use Windows Deployment Services, choose a DC that is not configured to use BitLocker Network Unlock. In this case, BitLocker Network Unlock is not supported for the first DC that you restore from backup during a forest recovery.

    BitLocker Network Unlock as the only key protector cannot be used on DCs where you have deployed Windows Deployment Services (WDS) because doing so results in a scenario where the first DC requires Active Directory and WDS to be working in order to unlock. But before you restore the first DC, Active Directory is not yet available for WDS, so it cannot unlock.

    To determine if a DC is configured to use BitLocker Network Unlock, check that a Network Unlock certificate is identified in the following registry key:


Maintain security procedures when handling or restoring backup files that include Active Directory. The urgency that accompanies forest recovery can unintentionally lead to overlooking security best practices. For more information, see the section titled "Establishing Domain Controller Backup and Restore Strategies" in Best Practice Guide for Securing Active Directory Installations and Day-to-Day Operations: Part II.

Identify the current forest structure and DC functions

Determine the current forest structure by identifying all the domains in the forest. Make a list of all of the DCs in each domain, particularly the DCs that have backups and the virtualized DCs that can be a source for cloning. The list of DCs for the forest root domain is the most important because you will recover this domain first. After you restore the forest root domain, you can obtain a list of the other domains, DCs, and sites in the forest by using the Active Directory snap-ins.

Prepare a table that shows the functions of each DC in the domain, as shown in the following example. This will help you revert to the pre-failure configuration of the forest after recovery.

DC name | Operating system       | FSMO                                | GC  | RODC | Backup | DNS | Server Core | VM  | VM-GenID
--------|------------------------|-------------------------------------|-----|------|--------|-----|-------------|-----|---------
DC_1    | Windows Server 2012    | Schema master, Domain naming master | Yes | No   | Yes    | No  | No          | Yes | Yes
DC_2    | Windows Server 2012    | None                                | Yes | No   | Yes    | Yes | No          | Yes | Yes
DC_3    | Windows Server 2012    | Infrastructure master               | No  | No   | No     | Yes | Yes         | Yes | Yes
DC_4    | Windows Server 2012    | PDC emulator, RID master            | Yes | No   | No     | No  | No          | Yes | No
DC_5    | Windows Server 2012    | None                                | No  | No   | Yes    | Yes | No          | Yes | Yes
RODC_1  | Windows Server 2008 R2 | None                                | Yes | Yes  | Yes    | Yes | Yes         | Yes | No
RODC_2  | Windows Server 2008    | None                                | Yes | Yes  | No     | Yes | Yes         | Yes | No
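One way to produce the DC function table above from a live domain, as an added PowerShell example that is not part of the original page: it queries each DC's FSMO roles, GC and RODC status from AD, and reads install type, hardware model, DNS service and backup presence from the DC itself. Assumed: Windows PowerShell 5.1 on a domain-joined admin workstation with RSAT, WinRM reachable on every DC, and Domain Admin rights; the function name is mine, the VM check by hardware model string and the wbadmin-based backup check are heuristics, and msDS-GenerationId is read from each DC directly because that attribute is not replicated.

```powershell
# Added example (not from the Microsoft page). Assumes Windows PowerShell 5.1 with
# RSAT, WinRM access to every DC, and Domain Admin rights; the function name is mine.
Import-Module ActiveDirectory

function Get-DcRecoveryInventory {
    param([string]$Domain = (Get-ADDomain).DNSRoot)

    foreach ($dc in Get-ADDomainController -Filter * -Server $Domain) {
        $h = $dc.HostName
        # Facts only the DC itself knows: install type, hardware model, DNS role and
        # whether wbadmin has any backup version. A DC that is down yields $null.
        $remote = try {
            Invoke-Command -ComputerName $h -ErrorAction Stop -ScriptBlock {
                [pscustomobject]@{
                    InstallType = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').InstallationType
                    Model       = (Get-CimInstance Win32_ComputerSystem).Model
                    HasDns      = [bool](Get-Service -Name DNS -ErrorAction SilentlyContinue)
                    HasBackup   = [bool]((wbadmin get versions 2>$null) -match 'Version identifier')
                }
            }
        } catch { $null }

        # msDS-GenerationId is non-replicated, so query this DC's own copy of the
        # directory. Its presence means the DC has run on a hypervisor that supports
        # VM-GenerationID and can therefore serve as a cloning source.
        $genId = try {
            (Get-ADComputer -Identity $dc.Name -Server $h -Properties 'msDS-GenerationId' `
                -ErrorAction Stop).'msDS-GenerationId'
        } catch { $null }

        [pscustomobject]@{
            'DC name'          = $dc.Name
            'Operating system' = $dc.OperatingSystem
            FSMO               = if ($dc.OperationMasterRoles) { $dc.OperationMasterRoles -join ', ' } else { 'None' }
            GC                 = $dc.IsGlobalCatalog
            RODC               = $dc.IsReadOnly
            Backup             = if ($remote) { $remote.HasBackup } else { 'Unknown' }
            DNS                = if ($remote) { $remote.HasDns } else { 'Unknown' }
            'Server Core'      = if ($remote) { $remote.InstallType -eq 'Server Core' } else { 'Unknown' }
            VM                 = if ($remote) { $remote.Model -match 'Virtual' } else { 'Unknown' }   # heuristic
            'VM-GenID'         = [bool]$genId
        }
    }
}

# Inventory the forest root domain first, since that is the domain you recover first.
Get-DcRecoveryInventory -Domain (Get-ADForest).RootDomain | Format-Table -AutoSize
```

Keep the resulting table with the offline recovery documentation, since it is needed at a time when the directory itself may not be available to query.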

For each domain in the forest, identify a single writeable DC that has a trusted backup of the Active Directory database for that domain. Use caution when you choose a backup to restore a DC. If the day and cause of the failure are approximately known, the general recommendation is to use a backup that was made a few days before that date.

In this example, there are four backup candidates: DC_1, DC_2, DC_4, and DC_5. Of these backup candidates, you restore only one. The recommended DC is DC_5 for the following reasons:

  • It satisfies the requirements for use as a source for virtualized DC cloning, that is, it runs Windows Server 2012 as a virtual DC on a hypervisor that supports VM-GenerationID, and it runs software that is allowed to be cloned (or that can be removed if it cannot be cloned). After the restore, the PDC emulator role will be seized to that server and it can be added to the Cloneable Domain Controllers group for the domain.
  • It runs a full installation of Windows Server 2012. A DC that runs a Server Core installation can be less convenient as a target for recovery.
  • It is a DNS server. Therefore, DNS does not have to be reinstalled.


Because DC_5 is not a global catalog server, it also has the advantage that the global catalog does not need to be removed after the restore. But whether or not the DC is also a global catalog server is not a decisive factor, because beginning with Windows Server 2012 all DCs are global catalog servers by default, and removing and re-adding the global catalog after the restore is recommended as part of the forest recovery process in any case.

Recover the forest in isolation

The preferred scenario is to shut down all writeable DCs before the first restored DC is brought back into production. This ensures that any dangerous data does not replicate back into the recovered forest. It is particularly important to shut down all operations master role holders.


There may be cases where you move the first DC that you plan to recover for each domain to an isolated network while allowing other DCs to remain online, in order to minimize system downtime. For example, if you are recovering from a failed schema upgrade, you may choose to keep domain controllers running on the production network while you perform the recovery steps in isolation.

If you are running virtualized DCs, you can move them to a virtual network that is isolated from the production network, and perform the recovery there. Moving virtualized DCs to a separate network provides two benefits:

  • Because they are isolated, the recovered DCs are protected from a recurrence of the problem that caused the forest recovery.
  • Virtualized DC cloning can be performed on the separate network, so that a critical number of DCs can be running and tested before they are brought back to the production network.

If you are running DCs on physical hardware, disconnect the network cable of the first DC that you plan to restore in the forest root domain. If possible, also disconnect the network cables of all other DCs. This prevents DCs from replicating if they are accidentally started during the forest recovery process.

In a large forest that is spread across multiple locations, it can be difficult to guarantee that all writeable DCs are shut down. For this reason, the recovery steps (such as resetting the computer account and the krbtgt account, in addition to metadata cleanup) are designed to ensure that the recovered writeable DCs do not replicate with dangerous writeable DCs, in case some are still online in the forest.

However, only by taking writeable DCs offline can you guarantee that replication does not occur. Therefore, whenever possible, you should deploy remote management technology that can help you to shut down and physically isolate the writeable DCs during forest recovery.

RODCs can continue to operate while writeable DCs are offline. No other DC will directly replicate any changes from any RODC (in particular, no Schema or Configuration container changes), so RODCs do not pose the same risk as writeable DCs during recovery. After all the writeable DCs are recovered and online, you should rebuild all the RODCs.

RODCs will continue to allow access to local resources that are cached in their respective sites while the recovery operations are going on in parallel. Authentication requests for local resources that are not cached on the RODC will be forwarded to a writeable DC. These requests will fail because the writeable DCs are offline. Some operations, such as password changes, will also not work until you recover the writeable DCs.

If you are using a hub-and-spoke network architecture, you can concentrate first on recovering the writeable DCs in the hub sites. Later, you can rebuild the RODCs in the remote sites.

