Determine how to recover the forest

Applies To: Windows Server 2016, Windows Server 2012 and 2012 R2, Windows Server 2008 and 2008 R2

Recovering an entire Active Directory forest involves either restoring it from backup or reinstalling Active Directory Domain Services (AD DS) on every domain controller (DC) in the forest. Recovering the forest restores each domain in the forest to its state at the time of the last trusted backup. Consequently, the restore operation results in the loss of at least the following Active Directory data:

  • All objects (such as users and computers) that were added after the last trusted backup

  • All updates that were made to existing objects since the last trusted backup

  • All changes that were made to either the configuration partition or the schema partition in AD DS (such as schema changes) since the last trusted backup

    For each domain in the forest, the password of a Domain Admin account must be known. Preferably, this is the password of the built-in Administrator account, which must not be disabled. You must also know the DSRM password in order to perform a system state restore of a DC. In general, it is good practice to archive the Administrator account and DSRM password history in a safe place for as long as the backups are valid, that is, within the tombstone lifetime period, or within the deleted object lifetime period if Active Directory Recycle Bin is enabled. You can also synchronize the DSRM password with a domain user account to make it easier to remember. For more information, see KB article 961320. Synchronizing the DSRM account must be done in advance of the forest recovery, as part of preparation.
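The DSRM synchronization described above, scripted across every writeable DC of a domain, as an added example that is not part of the original article. It assumes the ActiveDirectory module, Domain Admin rights, PowerShell remoting to each DC, and a pre-created domain account named DsrmSync (a hypothetical name); the ntdsutil success message it matches on is an assumption based on observed output, not something the article states.

```powershell
# Added example (not from the original article): synchronize the DSRM password
# of every writeable DC in the domain with a dedicated domain account, as part of
# forest recovery preparation. Assumptions: ActiveDirectory module installed,
# caller is a Domain Admin, PowerShell remoting is enabled on the DCs, and a
# domain account named "DsrmSync" (hypothetical) already exists.
Import-Module ActiveDirectory

$domain      = (Get-ADDomain).DNSRoot
$syncAccount = 'DsrmSync'   # hypothetical account whose password becomes the DSRM password

# RODCs are rebuilt rather than restored, so only writeable DCs matter here.
$dcs = Get-ADDomainController -Filter { IsReadOnly -eq $false } -Server $domain

$results = foreach ($dc in $dcs) {
    $output = Invoke-Command -ComputerName $dc.HostName -ArgumentList $syncAccount -ScriptBlock {
        param($account)
        # ntdsutil: enter "set dsrm password", then sync from the domain account.
        & ntdsutil.exe 'set dsrm password' "sync from domain account $account" 'q' 'q' 2>&1
    }
    $text = $output -join ' '

    [pscustomobject]@{
        DomainController = $dc.HostName
        # Success message format is assumed from observed ntdsutil output.
        Synced           = $text -match 'synchronized successfully'
        Output           = $text
    }
}

# Keep the outcome with the password history you archive for recovery.
$results | Format-Table -AutoSize
$results | Export-Csv -Path ".\dsrm-sync-$domain-$(Get-Date -Format yyyyMMdd).csv" -NoTypeInformation
```

Run it whenever the DsrmSync account's password is rotated; the DSRM password is a copy taken at sync time, not a live link, so a later rotation of the domain account does not propagate on its own.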


The Administrator account is a member of the built-in Administrators group by default, as are the Domain Admins and Enterprise Admins groups. This group has full control of all DCs in the domain.

Determining which backups to use

Back up at least two writeable DCs for each domain regularly so that you have several backups to choose from. Note that you cannot use the backup of a read-only domain controller (RODC) to restore a writeable DC. We recommend that you restore the DCs by using backups that were taken a few days before the failure occurred. In general, you must decide on a tradeoff between the recency and the safety of the restored data. Choosing a more recent backup recovers more useful data, but it might increase the risk of reintroducing dangerous data into the restored forest.

Restoring a system state backup depends on the original operating system and server of the backup. For example, you should not restore a system state backup to a different server. If you do, you may see the following warning:

“The specified backup is of a different server than the current one. We do not recommend performing a system state recovery with the backup to an alternate server because the server might become unusable. Are you sure you want to use this backup for recovering the current server?”

If you need to restore Active Directory to different hardware, create full server backups and plan to perform a full server recovery.


Beginning with Windows Server 2008, restoring a system state backup to a new installation of Windows Server, whether on new hardware or on the same hardware, is not supported. If Windows Server is reinstalled on the same hardware, as recommended later in this guide, you can restore the domain controller in this order:

  1. Perform a full server restore in order to restore the operating system and all files and applications.

  2. Perform a system state restore by using wbadmin.exe in order to mark SYSVOL as authoritative.

    For more information, see Microsoft KB article 249694.
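Step 2 above, with the backup version chosen according to the "a few days before the failure" guidance, as an added example that is not part of the original article. It assumes Windows Server Backup is installed, the DC has been booted into DSRM after the full server restore, the backups are on E: (a placeholder), and the `Version identifier: MM/dd/yyyy-HH:mm` line format of `wbadmin get versions` output.

```powershell
# Added example (not from the original article): in DSRM, select the newest
# system state backup taken before a cutoff time and restore it with SYSVOL
# marked authoritative. Assumptions: Windows Server Backup installed, backups
# stored on E: (placeholder), $Cutoff is the operator's estimate of when the
# forest-wide failure began minus a safety margin of a few days.
param(
    [string]   $BackupTarget = 'E:',
    [datetime] $Cutoff       = (Get-Date).AddDays(-3)
)

# wbadmin lists each backup with a line "Version identifier: MM/dd/yyyy-HH:mm"
# (format assumed from observed output).
$versions = & wbadmin.exe get versions "-backupTarget:$BackupTarget" 2>&1 | ForEach-Object {
    if ($_ -match 'Version identifier:\s*(\S+)') {
        $id = $Matches[1]
        [pscustomobject]@{
            Id   = $id
            Time = [datetime]::ParseExact($id, 'MM/dd/yyyy-HH:mm', [Globalization.CultureInfo]::InvariantCulture)
        }
    }
}
if (-not $versions) { throw "No backup versions found on $BackupTarget." }

# Newest backup that is still older than the cutoff: the recency-versus-safety
# tradeoff the article describes, resolved in favour of safety.
$candidate = $versions | Where-Object { $_.Time -lt $Cutoff } |
             Sort-Object Time -Descending | Select-Object -First 1
if (-not $candidate) { throw "No backup older than $Cutoff on $BackupTarget; check the other backed-up DCs." }

"Candidates (newest first):"
$versions | Sort-Object Time -Descending | Format-Table Id, Time -AutoSize
"Restoring system state from $($candidate.Id) (taken $($candidate.Time))"

# -authsysvol marks SYSVOL as authoritative; -quiet suppresses the confirmation prompt.
& wbadmin.exe start systemstaterecovery "-version:$($candidate.Id)" "-backupTarget:$BackupTarget" -authsysvol -quiet
```

Step 1 (the full server restore) is performed from the Windows Recovery Environment before this script runs; the script only covers the system state restore that follows it. Review the printed candidate list before letting the restore proceed, since the cutoff is an estimate and the wrong choice reintroduces the data you are trying to discard.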

If the time at which the failure occurred is unknown, investigate further to identify the backups that hold the last safe state of the forest. This approach is less desirable. Therefore, we strongly recommend that you keep detailed daily logs of the health state of AD DS so that, if a forest-wide failure occurs, the approximate time of the failure can be identified. You should also keep a local copy of backups to enable faster recovery.

If Active Directory Recycle Bin is enabled, the backup lifetime is equal to the deletedObjectLifetime value or the tombstoneLifetime value, whichever is less. For more information, see the Active Directory Recycle Bin Step-by-Step Guide (https://go.microsoft.com/fwlink/?LinkId=178657).

As an alternative, you can use the Active Directory database mounting tool (Dsamain.exe) together with a Lightweight Directory Access Protocol (LDAP) tool, such as Ldp.exe or Active Directory Users and Computers, to identify which backup holds the last safe state of the forest. The Active Directory database mounting tool, which is included in Windows Server 2008 and later Windows Server operating systems, exposes the Active Directory data that is stored in backups or snapshots as an LDAP server. You can then use an LDAP tool to browse the data. This approach has the advantage of not requiring you to restart any DC in Directory Services Restore Mode (DSRM) to examine the contents of an AD DS backup.

For more information about using the Active Directory database mounting tool, see the Active Directory Database Mounting Tool Step-by-Step Guide.

You can also use the ntdsutil snapshot command to create snapshots of the Active Directory database. By scheduling a task that periodically creates snapshots, you obtain additional copies of the Active Directory database over time. You can use these copies to pinpoint when the forest-wide failure occurred and then choose the best backup to restore. To create snapshots, use the version of ntdsutil that ships with Windows Server 2008 or with the Remote Server Administration Tools (RSAT) for Windows Vista or later. The target DC can run any version of Windows Server. For more information about using the ntdsutil snapshot command, see Snapshot.
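The snapshot-and-mount workflow described in the two paragraphs above (ntdsutil snapshot, then Dsamain.exe and an LDAP client), as an added example that is not part of the original article. It goes one step further than the text by diffing the mounted snapshot against the live directory so that deletions and modifications since the snapshot are listed directly. It assumes it runs as Domain Admin on a Windows Server 2008 or later DC, that the snapshot exposes the database at Windows\NTDS\ntds.dit under the mount path, that LDAP port 50000 is free (a placeholder), and that the ntdsutil message formats quoted in the comments match what the tool prints; those formats are assumptions, not taken from the article.

```powershell
# Added example (not from the original article): take an AD database snapshot
# with ntdsutil, expose it through dsamain.exe on a spare LDAP port, and list
# the objects that were deleted or modified since the snapshot was taken.
# Assumptions: run as Domain Admin on a Windows Server 2008+ DC; the snapshot
# contains Windows\NTDS\ntds.dit; port 50000 is free (placeholder); ntdsutil
# message formats below are as observed, not documented in the article.
$LdapPort = 50000

function Get-ObjectMap([string]$LdapPath) {
    # Map objectGUID -> DN and whenChanged for every object under $LdapPath.
    # System.DirectoryServices is used because dsamain serves plain LDAP, not the
    # Active Directory Web Services that the Get-AD* cmdlets require.
    $root = New-Object System.DirectoryServices.DirectoryEntry($LdapPath)
    $searcher = New-Object System.DirectoryServices.DirectorySearcher(
        $root, '(objectClass=*)', [string[]]@('objectGUID', 'distinguishedName', 'whenChanged'))
    $searcher.PageSize = 1000
    $map = @{}
    foreach ($r in $searcher.FindAll()) {
        $guid = [guid][byte[]]$r.Properties['objectguid'][0]
        $map[$guid] = [pscustomobject]@{
            DN      = [string]$r.Properties['distinguishedname'][0]
            Changed = [datetime]$r.Properties['whenchanged'][0]
        }
    }
    return $map
}

# 1. Create a snapshot set and mount it. "create" reports the set GUID;
#    "mount" accepts an index or GUID and reports
#    "Snapshot {GUID} mounted as C:\$SNAP_<timestamp>_VOLUMEC$\" (assumed format).
$created   = & ntdsutil.exe 'activate instance ntds' 'snapshot' 'create' 'q' 'q' 2>&1
$setGuid   = [regex]::Match(($created -join ' '), '\{[0-9a-fA-F-]+\}').Value
$mounted   = & ntdsutil.exe 'activate instance ntds' 'snapshot' "mount $setGuid" 'q' 'q' 2>&1
$mountPath = [regex]::Match(($mounted -join ' '), 'mounted as (\S+)').Groups[1].Value
if (-not $mountPath) { throw "Could not mount snapshot set $setGuid`: $($mounted -join ' ')" }

# 2. Serve the snapshot's ntds.dit read-only over LDAP.
$dit     = Join-Path $mountPath 'Windows\NTDS\ntds.dit'
$dsamain = Start-Process -FilePath dsamain.exe -ArgumentList "-dbpath `"$dit`" -ldapport $LdapPort" -PassThru
Start-Sleep -Seconds 15    # give the LDAP listener time to come up

try {
    # 3. Compare the snapshot with the live domain partition.
    $domainDN = [string]([adsi]'LDAP://RootDSE').defaultNamingContext
    $snap = Get-ObjectMap "LDAP://localhost:$LdapPort/$domainDN"
    $live = Get-ObjectMap "LDAP://$domainDN"

    $deleted  = $snap.Keys | Where-Object { -not $live.ContainsKey($_) } |
                ForEach-Object { $snap[$_].DN }
    $modified = $snap.Keys | Where-Object { $live.ContainsKey($_) -and $live[$_].Changed -gt $snap[$_].Changed } |
                ForEach-Object { $live[$_].DN }

    "Snapshot set $setGuid mounted at $mountPath"
    "Objects in the snapshot that no longer exist live: $(@($deleted).Count)"
    $deleted  | Sort-Object
    "Objects modified since the snapshot: $(@($modified).Count)"
    $modified | Sort-Object
}
finally {
    # 4. Tear down: stop dsamain, then unmount the snapshot set.
    Stop-Process -Id $dsamain.Id -ErrorAction SilentlyContinue
    & ntdsutil.exe 'activate instance ntds' 'snapshot' "unmount $setGuid" 'q' 'q' | Out-Null
}
```

When the snapshots are taken on a schedule, run only steps 2 to 4 against each older snapshot set in turn (list them with `ntdsutil snapshot "list all"`) and stop at the newest set whose diff shows none of the damage you are trying to undo; that set dates the failure and names the backup to restore. Comparing two snapshots instead of snapshot and live is the same code with the second `Get-ObjectMap` pointed at a second dsamain instance on another port.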

Determining which domain controllers to restore

Ease of the restore process is an important factor when you decide which domain controller to restore. It is recommended that each domain have a dedicated DC that is the preferred DC for a restore. A dedicated restore DC makes it easier to plan and execute the forest recovery reliably, because you use the same source configuration that was used to perform restore tests. You can script the recovery and avoid contending with different configurations, such as whether the DC holds operations master roles, or whether it is a GC or DNS server.

Although restoring an operations master role holder is not recommended, in the interest of simplicity, some organizations may choose to restore one for other advantages. For example, restoring the RID master may help prevent problems with managing RIDs during the recovery.

Choose a DC that best meets the following criteria:

  • A DC that is writeable. This is mandatory.

  • A DC running Windows Server 2012 as a virtual machine on a hypervisor that supports VM-GenerationID. This DC can be used as a source for cloning.

  • A DC that is accessible, either physically or on a virtual network, and preferably located in a datacenter. This way, you can easily isolate it from the network during forest recovery.

  • A DC that has a good full server backup. A good backup is one that can be restored successfully, was taken a few days before the failure, and contains as much useful data as possible.

  • A DC that was a Domain Name System (DNS) server before the failure. This saves the time required to reinstall DNS.

  • If you also use Windows Deployment Services, choose a DC that is not configured to use BitLocker Network Unlock. BitLocker Network Unlock is not supported for the first DC that you restore from backup during a forest recovery.

    BitLocker Network Unlock as the only key protector cannot be used on DCs where you have deployed Windows Deployment Services (WDS), because doing so results in a scenario in which the first DC requires Active Directory and WDS to be working in order to unlock. But before you restore the first DC, Active Directory is not yet available to WDS, so the DC cannot unlock.

    To determine whether a DC is configured to use BitLocker Network Unlock, check whether a Network Unlock certificate is identified in the following registry key:


    Maintain security procedures when handling or restoring backup files that include Active Directory. The urgency that accompanies forest recovery can unintentionally lead to overlooking security best practices. For more information, see the section titled “Establishing Domain Controller Backup and Restore Strategies” in Best Practice Guide for Securing Active Directory Installations and Day-to-Day Operations: Part II.

Identify the current forest structure and DC functions

Determine the current forest structure by identifying all the domains in the forest. Make a list of all the DCs in each domain, particularly the DCs that have backups and the virtualized DCs that can be a source for cloning. The list of DCs for the forest root domain is the most important, because you recover this domain first. After you restore the forest root domain, you can obtain a list of the other domains, DCs, and sites in the forest by using the Active Directory snap-ins.

Prepare a table that shows the functions of each DC in the domain, as shown in the following example. This will help you revert to the pre-failure configuration of the forest after recovery.

| DC name | Operating system | FSMO | GC | RODC | Backup | DNS | Server Core | VM | VM-GenID |
|---|---|---|---|---|---|---|---|---|---|
| DC_1 | Windows Server 2012 | Schema master, Domain naming master | Yes | No | Yes | No | No | Yes | Yes |
| DC_2 | Windows Server 2012 | None | Yes | No | Yes | Yes | No | Yes | Yes |
| DC_3 | Windows Server 2012 | Infrastructure master | No | No | No | Yes | Yes | Yes | Yes |
| DC_4 | Windows Server 2012 | PDC emulator, RID master | Yes | No | No | No | No | Yes | No |
| DC_5 | Windows Server 2012 | None | No | No | Yes | Yes | No | Yes | Yes |
| RODC_1 | Windows Server 2008 R2 | None | Yes | Yes | Yes | Yes | Yes | Yes | No |
| RODC_2 | Windows Server 2008 | None | Yes | Yes | No | Yes | Yes | Yes | No |
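A script that collects the columns of the table above for every DC in the forest, as an added example that is not part of the original article. It assumes the ActiveDirectory module, Enterprise Admin credentials, and WinRM and CIM access to each DC; the registry location used to detect Server Core, the Windows Server Backup cmdlet used for the Backup column, and the use of the msDS-GenerationId attribute as the VM-GenID indicator are assumptions stated in the comments.

```powershell
# Added example (not from the original article): build the DC function table
# for the whole forest. Assumptions: ActiveDirectory module, Enterprise Admin
# rights, WinRM and CIM reachable on every DC. Detection methods for the
# Backup, Server Core, VM and VM-GenID columns are assumptions noted inline.
Import-Module ActiveDirectory

$rows = foreach ($domainName in (Get-ADForest).Domains) {
    foreach ($dc in Get-ADDomainController -Filter * -Server $domainName) {

        # Backup: last successful Windows Server Backup, if the feature is installed.
        $lastBackup = try {
            Invoke-Command -ComputerName $dc.HostName -ErrorAction Stop -ScriptBlock {
                (Get-WBSummary -ErrorAction Stop).LastSuccessfulBackupTime
            }
        } catch { $null }

        # DNS: the DNS Server service is present on the DC.
        $dns = [bool](Get-Service -ComputerName $dc.HostName -Name DNS -ErrorAction SilentlyContinue)

        # Server Core: no "Server-Gui-Shell" level under ServerLevels (assumed layout).
        $core = try {
            Invoke-Command -ComputerName $dc.HostName -ErrorAction Stop -ScriptBlock {
                $levels = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Server\ServerLevels'
                -not ($levels.PSObject.Properties.Name -contains 'Server-Gui-Shell')
            }
        } catch { $null }

        # VM: hypervisor model/manufacturer strings (heuristic, assumption).
        $cs   = Get-CimInstance -ClassName Win32_ComputerSystem -ComputerName $dc.HostName -ErrorAction SilentlyContinue
        $isVm = [bool]($cs -and ($cs.Model -match 'Virtual' -or $cs.Manufacturer -match 'VMware|Xen|QEMU|innotek'))

        # VM-GenID: msDS-GenerationId on the DC's computer object is populated only
        # when the hypervisor exposes VM-GenerationID (assumption).
        $genId = (Get-ADComputer -Identity $dc.Name -Server $domainName -Properties 'msDS-GenerationId').'msDS-GenerationId'

        [pscustomobject]@{
            DCName     = $dc.Name
            Domain     = $domainName
            OS         = $dc.OperatingSystem
            FSMO       = if ($dc.OperationMasterRoles) { $dc.OperationMasterRoles -join ', ' } else { 'None' }
            GC         = $dc.IsGlobalCatalog
            RODC       = $dc.IsReadOnly
            Backup     = [bool]$lastBackup
            LastBackup = $lastBackup
            DNS        = $dns
            ServerCore = $core
            VM         = $isVm
            VMGenID    = [bool]$genId
        }
    }
}

$rows | Sort-Object Domain, DCName | Format-Table -AutoSize
$rows | Export-Csv -Path '.\dc-inventory.csv' -NoTypeInformation
```

Run this before a failure, not during one: the whole point of the table is to have the pre-failure configuration on hand when the directory that would answer these queries is the thing being recovered. Store the CSV with the archived backups, and regenerate it whenever DCs are added, promoted, or given roles.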

For each domain in the forest, identify a single writeable DC that has a trusted backup of the Active Directory database for that domain. Use caution when you choose the backup from which to restore a DC. If the day and cause of the failure are approximately known, the general recommendation is to use a backup that was made a few days before that date.

In this example, there are four backup candidates: DC_1, DC_2, DC_4, and DC_5. Of these backup candidates, you restore only one. The recommended DC is DC_5, for the following reasons:

  • It satisfies the requirements for use as a source for virtualized DC cloning; that is, it runs Windows Server 2012 as a virtual DC on a hypervisor that supports VM-GenerationID, and it runs software that is allowed to be cloned (or that can be removed if it cannot be cloned). After the restore, the PDC emulator role will be seized to that server, and the server can be added to the Cloneable Domain Controllers group for the domain.

  • It runs a full installation of Windows Server 2012. A DC that runs a Server Core installation can be less convenient as a target for recovery.

  • It is a DNS server. Therefore, DNS does not have to be reinstalled.


Because DC_5 is not a global catalog server, it also has the advantage that the global catalog does not need to be removed after the restore. However, whether the DC is also a global catalog server is not a decisive factor, because beginning with Windows Server 2012 all DCs are global catalog servers by default, and removing and re-adding the global catalog after the restore is recommended as part of the forest recovery process in any case.

Recover the forest in isolation

The preferred scenario is to shut down all writeable DCs before the first restored DC is brought back into production. This ensures that no dangerous data replicates back into the recovered forest. It is particularly important to shut down all operations master role holders.


There may be cases in which you move the first DC that you plan to recover for each domain to an isolated network while allowing the other DCs to remain online, in order to minimize downtime. For example, if you are recovering from a failed schema upgrade, you may choose to keep domain controllers running on the production network while you perform the recovery steps in isolation.

If you are running virtualized DCs, you can move them to a virtual network that is isolated from the production network and perform the recovery there. Moving virtualized DCs to a separate network provides two benefits:

  • Because they are isolated, the recovered DCs are protected from a recurrence of the problem that caused the forest recovery.

  • Virtualized DC cloning can be performed on the separate network, so that a critical number of DCs can be running and tested before they are brought back to the production network.
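The isolation step for virtualized DCs on a Hyper-V host, as an added example that is not part of the original article: the dedicated restore DC is moved to a private virtual switch, and every other writeable DC hosted on the same Hyper-V server is shut down. It assumes the Hyper-V and ActiveDirectory modules, that VM names match DC host names, and the placeholder names DC_5 and AD-Recovery-Isolated.

```powershell
# Added example (not from the original article): on a Hyper-V host, connect the
# first DC to recover to a private virtual switch and shut down the other
# writeable DCs on this host so nothing can replicate into the recovery network.
# Assumptions: Hyper-V and ActiveDirectory modules, VM names equal DC names,
# placeholder names below.
Import-Module Hyper-V
Import-Module ActiveDirectory

$recoveryDc   = 'DC_5'                  # placeholder: the dedicated restore DC
$isolatedName = 'AD-Recovery-Isolated'  # placeholder: private switch name

# A private switch has no uplink and no host adapter: only VMs attached to it
# can talk to each other, so it is the virtual equivalent of pulling the cable.
if (-not (Get-VMSwitch -Name $isolatedName -ErrorAction SilentlyContinue)) {
    New-VMSwitch -Name $isolatedName -SwitchType Private | Out-Null
}

# Record the current switch of every adapter so the DC can be reconnected later.
Get-VMNetworkAdapter -VMName $recoveryDc |
    Select-Object VMName, Name, SwitchName |
    Export-Csv -Path '.\dc-network-before.csv' -NoTypeInformation

Get-VMNetworkAdapter -VMName $recoveryDc | Connect-VMNetworkAdapter -SwitchName $isolatedName

# Writeable DCs (RODCs may stay up, as the article notes) that run as VMs on
# this host: shut them down. The list is taken from AD before anything goes offline.
$writeable = Get-ADDomainController -Filter { IsReadOnly -eq $false } |
             Select-Object -ExpandProperty Name

$targets = Get-VM | Where-Object {
    $writeable -contains $_.Name -and $_.Name -ne $recoveryDc -and $_.State -eq 'Running'
}
foreach ($vm in $targets) {
    "Shutting down $($vm.Name)"
    Stop-VM -Name $vm.Name -Force
}

# Verify: the recovery DC is on the isolated switch; all other writeable DCs are off.
Get-VM | Where-Object { $writeable -contains $_.Name } |
    Select-Object Name, State,
        @{ Name = 'Switch'; Expression = { (Get-VMNetworkAdapter -VMName $_.Name).SwitchName -join ',' } } |
    Format-Table -AutoSize
```

Writeable DCs on other hosts, on physical hardware, or in other sites are not covered by this script and still need to be shut down or unplugged, operations master role holders first; the verification table at the end only proves the state of this one host.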

    If you are running DCs on physical hardware, disconnect the network cable of the first DC that you plan to restore in the forest root domain. If possible, also disconnect the network cables of all other DCs. This prevents the DCs from replicating if they are accidentally started during the forest recovery process.

    In a large forest that is spread across multiple locations, it can be difficult to guarantee that all writeable DCs are shut down. For this reason, the recovery steps (such as resetting the computer account and krbtgt account, in addition to metadata cleanup) are designed to ensure that the recovered writeable DCs do not replicate with dangerous writeable DCs, in case some are still online in the forest.

    However, only by taking the writeable DCs offline can you guarantee that replication does not occur. Therefore, whenever possible, you should deploy remote management technology that can help you shut down and physically isolate the writeable DCs during forest recovery.

    RODCs can continue to operate while writeable DCs are offline. No other DC directly replicates any changes from an RODC (in particular, no Schema or Configuration container changes), so RODCs do not pose the same risk as writeable DCs during recovery. After all the writeable DCs are recovered and online, you should rebuild all the RODCs.

    RODCs continue to allow access to local resources that are cached in their respective sites while the recovery operations proceed in parallel. For local resources that are not cached on the RODC, authentication requests are forwarded to a writeable DC. These requests fail because the writeable DCs are offline. Some operations, such as password changes, also do not work until you recover the writeable DCs.

    If you are using a hub-and-spoke network architecture, you can concentrate first on recovering the writeable DCs in the hub sites. Later, you can rebuild the RODCs in the remote sites.

Next Steps