-
- Novice
- Posts: 3
- Liked: never
- Joined: Jun 05, 2021 2:00 am
- Full Name: Burton Hooker
- Contact:
Issues restoring a DC VM
I was running a test restore of one of my domain controllers and wondered if anyone else had the same issues I did and what you did to resolve it. We are still using ESXi 5.5 but plan on upgrading soon. I removed the DC's VM from inventory, created a new folder for it, and moved the files to the new folder. That way, if anything went wrong, I could bring the original VM back up easily. I then deleted the empty folder and proceeded to do a restore of the VM to the same location using a restore point 26 days earlier. Everything seemed to go fine. I was able to add the restored VM to inventory and boot up the VM. I could even log into the VM with my domain credentials. However, the DNS server function needed to be rebuilt and it appears the CA is not working either. I ended up removing the restored VM from inventory, moving it to a new folder, and bringing the original VM back up in its original folder. Any idea why these didn't work and what I can do to get them working? Thank you.
-
- Expert
- Posts: 193
- Liked: 27 times
- Joined: Apr 24, 2013 8:53 pm
- Full Name: Chuck Stevens
- Location: Seattle, WA
- Contact:
Re: Issues restoring a DC VM
I don't think you can just restore a domain controller like that. Have you followed this document?
https://www.veeam.com/blog/backing-up-d ... ction.html
Veeaming since 2013
-
- Veeam Software
- Posts: 21181
- Liked: 2163 times
- Joined: Jul 11, 2011 10:22 am
- Full Name: Alexander Fogelson
- Contact:
Re: Issues restoring a DC VM
There's also a detailed KB article describing different domain recovery scenarios, worth a look.
-
- Novice
- Posts: 3
- Liked: never
- Joined: Jun 05, 2021 2:00 am
- Full Name: Burton Hooker
- Contact:
Re: Issues restoring a DC VM
Thank you, I will check those out.
-
- Novice
- Posts: 3
- Liked: never
- Joined: Jun 05, 2021 2:00 am
- Full Name: Burton Hooker
- Contact:
Re: Issues restoring a DC VM
OK, after reading through those it seems like I did everything correctly. I am using application-aware processing in my backups, though I don't remember seeing the DC boot in DSRM. It did log into the domain just fine, so that much worked. I didn't think to try opening any of the AD tools. I know DNS was missing the database and suspect the CA wasn't working, as it caused our Cisco Jabber clients to lose their connection. I'll give it another try in 2 weeks in my next maintenance window.
-
- VP, Product Management
- Posts: 7321
- Liked: 1567 times
- Joined: May 04, 2011 8:36 am
- Full Name: Andreas Neufert
- Location: Germany
- Contact:
Re: Issues restoring a DC VM
Hi Burton,
I have some tips and comments.
If you back up a DC in Veeam Guest Processing mode, then we leave some restore awareness flags on the VM. If the DC is then restored, we will automatically bring this VM into non-authoritative restore mode. https://www.veeam.com/kb2119 https://docs.microsoft.com/en-us/window ... ve-restore
This happens only if the following conditions are true:
- Backup with Veeam Guest Processing successful.
- Restore done with networking enabled (the network itself does not matter; what matters is that the VM network adapters are connected).
- The VM will boot multiple times automatically to set the VM up in non-authoritative restore mode. If you access the console during that time or log on, this process is interrupted.
- Overall, correct AD processing is only supported by Microsoft when you have only one network card present. If you have multiple, then some of the services will only bind to one of the network cards, which can switch if you restore VMs. Avoid this, as it is not supported by AD anyway.
Non-authoritative restore mode is used when you add the domain controller back to an existing domain. Some of the services only go online after they have had a chance to get the latest updates from the other domain controllers, to avoid issues. I guess this is what you are seeing here.
If it is your only AD server and you want to recover your domain completely, you need to set authoritative restore mode manually. https://www.veeam.com/kb2119
I hope the above helps.
Restoring very old domain controller restore points can have some side effects because of Kerberos certificate updates and related trusts (check the event logs of the restored server). I would look more into our granular AD restore methods if you want to revert some changes that happened there. Check our "compare" feature in the Active Directory Explorer.
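The conditions listed in the post above can be checked on the restored DC once its automatic reboots have finished. This PowerShell script is an added example, not part of the thread and not Veeam's or Microsoft's tooling. It assumes an elevated session on Windows Server 2012 or later, and that the DC also hosts the DNS and CA roles as in the original question.

```powershell
# Added example: post-restore checks on a domain controller restored non-authoritatively.
# Assumptions: elevated session, Windows Server 2012+, DNS and CA roles on this DC.
$results = [ordered]@{}

# 1. The boot entry must no longer force Directory Services Restore Mode.
$bcd = bcdedit /enum '{current}' | Out-String
$results['Not flagged to boot into DSRM'] = ($bcd -notmatch 'safeboot\s+DsRepair')

# 2. Single connected network adapter (the one-NIC condition from the post).
$upNics = @(Get-NetAdapter | Where-Object Status -eq 'Up')
$results['Exactly one connected NIC'] = ($upNics.Count -eq 1)

# 3. Services that only come online after the DC has caught up with its partners.
foreach ($name in 'NTDS', 'Kdc', 'Netlogon', 'DNS', 'CertSvc') {
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    $results["Service $name running"] = ($null -ne $svc -and $svc.Status -eq 'Running')
}

# 4. SYSVOL and NETLOGON are shared only once the DC advertises itself again.
foreach ($share in 'SYSVOL', 'NETLOGON') {
    $found = Get-SmbShare -Name $share -ErrorAction SilentlyContinue
    $results["Share $share present"] = [bool]$found
}

# Summary table: anything marked CHECK needs a closer look before the DC is trusted.
$results.GetEnumerator() | ForEach-Object {
    '{0,-32} {1}' -f $_.Key, $(if ($_.Value) { 'OK' } else { 'CHECK' })
}

# 5. Replication state with partner DCs, and diagnostics that print failures only.
repadmin /replsummary
dcdiag /q

# 6. Errors and warnings in the Directory Service log from the last 24 hours,
#    where problems with an old restore point tend to surface.
Get-WinEvent -FilterHashtable @{
    LogName   = 'Directory Service'
    Level     = 2, 3
    StartTime = (Get-Date).AddHours(-24)
} -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, LevelDisplayName, Message |
    Format-List
```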