zoltank
Expert
Posts: 229
Liked: 41 times
Joined: Feb 18, 2011 5:01 pm

Microsoft's recommendations for DC recovery

Post by zoltank »

I'm doing some testing and research regarding disaster recovery where I have to restore our network from scratch (i.e. the building burns down). In the tests I've done so far I have Veeam restore my DCs into the test environment, I bring up the first server and set SYSVOL to authoritative, bring up the other servers, wait about 15 minutes, and everything is up and running happily.

However, after reading through the Microsoft document on forest recovery, I'm wondering if I'm doing this wrong. Per the document you should only restore one DC, clean up the metadata of all the other DCs, and then dcpromo servers to replace the other DCs. In addition, Microsoft wants you to invalidate the RID pool, change the DC computer password, and change the krbtgt password. Doing it Microsoft's way is obviously slower and with more steps to go wrong.

The computer and krbtgt password reset seem only to ensure no pre-restore DCs can accidentally replicate corrupt data to the restored DC. In my scenario corrupt data isn't an issue, so I should be able to skip these steps. Since we're a single domain/single site network, it doesn't look like the RID invalidation is required either. However, the recommendation to only restore a single DC I'm still not sure if it applies to my situation or not. If you know the data on the DCs can be trusted, why not restore all of them? Or would you have to do an authoritative database restore on the first DC if you plan to restore the other DCs instead of just promoting them?

So, what are people's real world experiences? Do I need to change my recovery procedure to incorporate Microsoft's recommendations?

http://technet.microsoft.com/en-us/libr ... s.10).aspx under the section "Restore the first writeable domain controller in each domain".
hans_lenze
Service Provider
Posts: 17
Liked: 4 times
Joined: Sep 07, 2012 7:07 am

Re: Microsoft's recommendations for DC recovery

Post by hans_lenze »

If you are absolutely sure that all your domain controllers in your backup are the same 'age' (snapshotted at the exact same second when making the backup) you should have no problems when you restore them all. If the backups are some time apart (say, 15 minutes) there's a chance that some data will be marked as 'already replicated' while not present in the first DC backup. Because this data is marked as 'successfully replicated' on the second DC, you'll have missing records, leading to users that can log on if you authenticate to one DC but not when using the other. In other words, if you don't take the backup of all your DCs at the same exact second, you cannot trust the data in your backup.

To be sure that there's only a single authoritative source you can restore a single DC and build a second one from scratch (promote a fresh server). That way you'll have one database that you use to build your new environment.

Re: Microsoft's recommendations for DC recovery

Post by zoltank »

Veeam uses VSS-compliant backups and when restoring a DC it will automatically perform a non-authoritative restore. It's my understanding that, because of this, you don't need to worry about having the domain controller snapshots happen all at the exact same moment.