-
- Enthusiast
- Posts: 29
- Liked: never
- Joined: May 12, 2009 1:47 am
- Contact:
Active directory authoritative restore
Hi,
I am using VEEAM 3.0 and i have 3 Domain Controller in VM that i replicate to a backup server
If i need to run on my backup server, do i need to tell one of the DC that it need to do an autoritative restore ???
or all DC will recover since it is integrated with VSS and all DC will say (after the automatic safe mode boot) that they have successfully restored ?
Should i make a backup of active directory (System State) in a file on the VM and restore from that in AD restore mode ? or all DC will recover since it is integrated
Or is there another way ?
should i keep 1 DC in physical machine just in case ?
I am using VEEAM 3.0 and i have 3 Domain Controller in VM that i replicate to a backup server
If i need to run on my backup server, do i need to tell one of the DC that it need to do an autoritative restore ???
or all DC will recover since it is integrated with VSS and all DC will say (after the automatic safe mode boot) that they have successfully restored ?
Should i make a backup of active directory (System State) in a file on the VM and restore from that in AD restore mode ? or all DC will recover since it is integrated
Or is there another way ?
should i keep 1 DC in physical machine just in case ?
-
- Chief Product Officer
- Posts: 31804
- Liked: 7298 times
- Joined: Jan 01, 2006 1:01 am
- Location: Baar, Switzerland
- Contact:
Re: Active directory authoritative restore
Hello, Veeam Backup will always perform non-authoritative restore of the DC in multi-DC environment. At this time, we do not provide capabilities of performing authoritative restore. Thank you.
-
- Novice
- Posts: 3
- Liked: never
- Joined: Apr 05, 2010 10:49 am
- Full Name: Hakan D
- Contact:
Re: Active directory authoritative restore
This topic is a bit old but the same question has been asked a few times. I have read up on all the topics.
With veeam VSS enabled, the restore of an AD server occurs perfectly due to it restoring it in a Non Authoritative mode. However, this is only good when you still have another live AD to replicate from. I have yet to test this in a Single AD environment because we have multiple DCs installed allmost everywhere for the obvious reason.
Could it be added as a feature request to perform an authoritative restore?
Right now there are a few alternatives:
- Not using VSS (but still quiescing)
- Perhaps manually interupting the restore process and performing an authoritative restore. Veeam boots the VM automatically and reboots it aswell so there is no time to perform this. Are there manual steps we could take to do this, that are verified by Veeam? I would be ok with this.
With veeam VSS enabled, the restore of an AD server occurs perfectly due to it restoring it in a Non Authoritative mode. However, this is only good when you still have another live AD to replicate from. I have yet to test this in a Single AD environment because we have multiple DCs installed allmost everywhere for the obvious reason.
Could it be added as a feature request to perform an authoritative restore?
Right now there are a few alternatives:
- Not using VSS (but still quiescing)
- Perhaps manually interupting the restore process and performing an authoritative restore. Veeam boots the VM automatically and reboots it aswell so there is no time to perform this. Are there manual steps we could take to do this, that are verified by Veeam? I would be ok with this.
-
- VP, Product Management
- Posts: 6035
- Liked: 2860 times
- Joined: Jun 05, 2009 12:57 pm
- Full Name: Tom Sightler
- Contact:
Re: Active directory authoritative restore
There's not really any reason you can't do an authoritative restore with Veeam, you just have to perform the "ntdsutil" steps manually, it's only a couple of commands.
-
- Chief Product Officer
- Posts: 31804
- Liked: 7298 times
- Joined: Jan 01, 2006 1:01 am
- Location: Baar, Switzerland
- Contact:
Re: Active directory authoritative restore
Tom is correct, you just hit F8 during when the restored DC first boots, get into the Directory Services restore mode on the OS boot menu, and do it according to Microsoft Active Directory authoritative restore guides. If your other DC are all dead, don't forget that you will need to transfer FSMO roles to your restored DC using the ntdsutil seize command.
-
- Novice
- Posts: 3
- Liked: never
- Joined: Apr 05, 2010 10:49 am
- Full Name: Hakan D
- Contact:
Re: Active directory authoritative restore
Ok, then I was correct that I simply need to abrupt the automatic boot, and do a restore db. I will try this out.
In case of a DR one will need to restore all servers. Seizing roles from a server is something else. Will an authoritative restore handle this aswell?, since I remember to only seize roles when the holder is completely dead.
In case of a DR one will need to restore all servers. Seizing roles from a server is something else. Will an authoritative restore handle this aswell?, since I remember to only seize roles when the holder is completely dead.
-
- Chief Product Officer
- Posts: 31804
- Liked: 7298 times
- Joined: Jan 01, 2006 1:01 am
- Location: Baar, Switzerland
- Contact:
Re: Active directory authoritative restore
Yes, you can do that if needed - I have posted the actual command for that in my post above.hakand wrote:Seizing roles from a server is something else. Will an authoritative restore handle this aswell?
-
- Novice
- Posts: 3
- Liked: never
- Joined: Apr 05, 2010 10:49 am
- Full Name: Hakan D
- Contact:
Re: Active directory authoritative restore
Gostev,
I meant if Server1 seizes roles from Server2, and I later restore Server2 (non auth), will that end up ok, or do I still need to remove it from Active Directory? I'm pretty familiar with AD and will test as many scenarios as I can. Up till now I'm very pleased with the product.
I meant if Server1 seizes roles from Server2, and I later restore Server2 (non auth), will that end up ok, or do I still need to remove it from Active Directory? I'm pretty familiar with AD and will test as many scenarios as I can. Up till now I'm very pleased with the product.
-
- Chief Product Officer
- Posts: 31804
- Liked: 7298 times
- Joined: Jan 01, 2006 1:01 am
- Location: Baar, Switzerland
- Contact:
Re: Active directory authoritative restore
Hakan, your question relates more to the actual process of the authoritative restore of Active Directory, this has nothing to deal with our product. So, it is best to consultant with Microsoft on that. Based on my AD knowledge I believe that in scenario you have outlined everything will be OK. You can also skip role seizing part if you plan to restore all DCs from backup (again, my understanding).
Our product provides automated non-authoritative restore (which is what you will want to do in most cases to recover failed DC). Authoritative restore is complex manual process that should be done according to Microsoft guideliness. It is very rarely needed (basically, only when Active Directory is completely trashed). Depending on the scenario you choose for complete restore of your AD, you may or may not have to seize roles or remove Domain Controllers from AD.
Our product provides automated non-authoritative restore (which is what you will want to do in most cases to recover failed DC). Authoritative restore is complex manual process that should be done according to Microsoft guideliness. It is very rarely needed (basically, only when Active Directory is completely trashed). Depending on the scenario you choose for complete restore of your AD, you may or may not have to seize roles or remove Domain Controllers from AD.
-
- Expert
- Posts: 116
- Liked: never
- Joined: Jan 01, 2006 1:01 am
- Contact:
Re: Active directory authoritative restore
I'm performing a full production DR test for the first time (previously I've used test environments and partial production only, not everything from scratch) and can't seem to get our first DC to come up properly. When I initially boot the first restored DC, click F8, and choose DSRM, it boots into safe mode, shows the login screen, but then before I can login it initiates shutdown and reboots. Seems to me the Veeam automatic non-authoritative restore procedure is kicking in even if I interrupt boot and go into DRM manually. How do I bypass this to be able to perform a proper authoritative restore? Thanks
-
- Chief Product Officer
- Posts: 31804
- Liked: 7298 times
- Joined: Jan 01, 2006 1:01 am
- Location: Baar, Switzerland
- Contact:
Re: Active directory authoritative restore
Click F8 after the first reboot happens (during the second boot), and then you should be able to perform authoritative restore. DC won't sync with other DCs until it boots up the second time.
-
- Expert
- Posts: 116
- Liked: never
- Joined: Jan 01, 2006 1:01 am
- Contact:
Re: Active directory authoritative restore
Hm, tried that, but when it comes up on the third reboot (after authoritative restore on 2nd boot), AD doesn't seem to come up. Group policy, DNS, & DHCP server all don't see AD. I'll give it another try tomorrow, maybe a stupid mistake on my end. Thanks Anton!
-
- VP, Product Management
- Posts: 6035
- Liked: 2860 times
- Joined: Jun 05, 2009 12:57 pm
- Full Name: Tom Sightler
- Contact:
Re: Active directory authoritative restore
Your post prompted me to give this a try. We're still on Windows 2003R2, and I preformed the following steps:
1. Restored our "master" AD controller to a sandbox
2. Booted AD controller and let Veeam complete the "non-authoritative" restore
3. On second boot hit "F8" and selected "DSRM"
4. Logged in with DSRM account and password
5. Ran "ntdsutil"
6. At the "ntdsutil:" prompt type "authoritative restore"
7. At the "ntdsutil authoritative restore:" prompt typed "restore database"
8. After a bunch of stuff scrolled by regarding opening DIT, finding latest change, etc, it reported everything complete.
9. Type "quit" to exit the ntdsutil utility
10. Rebooted server.
11. Server took quite a while to boot, but let me login with my domain account
Everything looked pretty good, but starting domain admin tools like "Active Directory Users and Computers" would report "no domain controller found" unless I pointed it specifically at the specific name of the restored domain controller, then the tools would work fine. This is because, in our environment, our DNS servers are separate from the domain controllers (we don't run Microsoft DNS) and the restored environment had no DNS server. I restored our DNS server into the sandbox environment as well and everything was good to go.
1. Restored our "master" AD controller to a sandbox
2. Booted AD controller and let Veeam complete the "non-authoritative" restore
3. On second boot hit "F8" and selected "DSRM"
4. Logged in with DSRM account and password
5. Ran "ntdsutil"
6. At the "ntdsutil:" prompt type "authoritative restore"
7. At the "ntdsutil authoritative restore:" prompt typed "restore database"
8. After a bunch of stuff scrolled by regarding opening DIT, finding latest change, etc, it reported everything complete.
9. Type "quit" to exit the ntdsutil utility
10. Rebooted server.
11. Server took quite a while to boot, but let me login with my domain account
Everything looked pretty good, but starting domain admin tools like "Active Directory Users and Computers" would report "no domain controller found" unless I pointed it specifically at the specific name of the restored domain controller, then the tools would work fine. This is because, in our environment, our DNS servers are separate from the domain controllers (we don't run Microsoft DNS) and the restored environment had no DNS server. I restored our DNS server into the sandbox environment as well and everything was good to go.
-
- VP, Product Management
- Posts: 6035
- Liked: 2860 times
- Joined: Jun 05, 2009 12:57 pm
- Full Name: Tom Sightler
- Contact:
Re: Active directory authoritative restore
Oh, I forgot something, since you're doing an authoritative restore, assuming a complete destruction of your AD, you'll probably also need to preform an authoritative restore of the SYSVOL before your SYSVOL and NETLOGON shares become available. This is pretty easy by simply setting a registry value. Here are some Microsoft KB articles on the process:
This one is for Windows 2000 domain controller restores, but still applies to at least 2003 and probably 2008 as well:
http://support.microsoft.com/kb/316790
This one is more generic to FRS in general, but mentions both 2000 and 2003:
http://support.microsoft.com/kb/290762
This one covers from Win2000 to 2008 and has some general notes:
http://msdn.microsoft.com/en-us/library ... S.85).aspx
Note that you might want to make a backup of the existing contents of SYSVOL or be prepared to restore them using the file level restore options from Veeam.
This one is for Windows 2000 domain controller restores, but still applies to at least 2003 and probably 2008 as well:
http://support.microsoft.com/kb/316790
This one is more generic to FRS in general, but mentions both 2000 and 2003:
http://support.microsoft.com/kb/290762
This one covers from Win2000 to 2008 and has some general notes:
http://msdn.microsoft.com/en-us/library ... S.85).aspx
Note that you might want to make a backup of the existing contents of SYSVOL or be prepared to restore them using the file level restore options from Veeam.
-
- Expert
- Posts: 116
- Liked: never
- Joined: Jan 01, 2006 1:01 am
- Contact:
Re: Active directory authoritative restore
Thanks Tom! Sorry for the late response. I was able to successfully restore AD authoritatively on the second boot as Anton suggested, but also had to use the Burflags registry keys in your second link (first DC authoritative and then second DC non-authoritative) to get FRS working again (I'd tried the old trick of dfsutil /purgemupcache to no avail). All other services then seemed to be in order. To be sure, I restored Exchange 2003 and it was perfectly happy (and when Exchange is happy, I'm happy). Appreciate the help! d
-
- Expert
- Posts: 127
- Liked: never
- Joined: Mar 18, 2009 2:15 pm
- Full Name: Sam
- Contact:
Re: Active directory authoritative restore
Sorry if this has been asked before..
Veeam Backup restore does the restore by default in Authoritive mode, how do i do a non authoritive mode restore of the second DC?
Windows 2008 - 2 DC's both are GC's. I will be restoring both DC's to a test environment.
Veeam Backup restore does the restore by default in Authoritive mode, how do i do a non authoritive mode restore of the second DC?
Windows 2008 - 2 DC's both are GC's. I will be restoring both DC's to a test environment.
-
- Expert
- Posts: 116
- Liked: never
- Joined: Jan 01, 2006 1:01 am
- Contact:
Re: Active directory authoritative restore
Default is NON-authoritative restore, authoritative is the one that requires the extra steps described previously. At least for 4.1, I haven't tested in 5.0 lab yet.
-
- Expert
- Posts: 127
- Liked: never
- Joined: Mar 18, 2009 2:15 pm
- Full Name: Sam
- Contact:
Re: Active directory authoritative restore
I have to test this tonight..and reading all the above is confusing me!
We have two Windows 2008 DC's, both are Global catalog Servers.
A VSS backup was taken using Veeam backup 4.11/
I want to restore these two servers into a test environment. not sure about authoritive \ non authoritive?
What are the steps? the additional steps here are for 2003? do the same apply to Windows 2008?
We have two Windows 2008 DC's, both are Global catalog Servers.
A VSS backup was taken using Veeam backup 4.11/
I want to restore these two servers into a test environment. not sure about authoritive \ non authoritive?
What are the steps? the additional steps here are for 2003? do the same apply to Windows 2008?
-
- Expert
- Posts: 127
- Liked: never
- Joined: Mar 18, 2009 2:15 pm
- Full Name: Sam
- Contact:
Re: Active directory authoritative restore
Okay just spoke to Microsoft!
I want to restore both my VSS enabled backups of the two DC's to a test environment.
They said to do an NON-Authoritive restore of both DC's and they will work once powered on. (this as above Veeam does by default)
They advised Authroritive restores are used when restoring into an exiting environment for obejct restores.
I want to restore both my VSS enabled backups of the two DC's to a test environment.
They said to do an NON-Authoritive restore of both DC's and they will work once powered on. (this as above Veeam does by default)
They advised Authroritive restores are used when restoring into an exiting environment for obejct restores.
-
- Expert
- Posts: 116
- Liked: never
- Joined: Jan 01, 2006 1:01 am
- Contact:
Re: Active directory authoritative restore
If there is no existing DC (i.e. testing full DR restore), your first restored DC has to be authoritative. Really, though, the whole point of a lab is to break things and then learn how to fix them; I'd suggest restoring in different scenarios, blowing them away, and restoring again until you've had some good practice.
-
- Expert
- Posts: 127
- Liked: never
- Joined: Mar 18, 2009 2:15 pm
- Full Name: Sam
- Contact:
Re: Active directory authoritative restore
hmm..
so Veeam does non authoritive restore by default?
Do i need to follow this for doing an authoritive restore for the 1st DC? and does it apply to Windows 2008?
so Veeam does non authoritive restore by default?
Do i need to follow this for doing an authoritive restore for the 1st DC? and does it apply to Windows 2008?
-
- Chief Product Officer
- Posts: 31804
- Liked: 7298 times
- Joined: Jan 01, 2006 1:01 am
- Location: Baar, Switzerland
- Contact:
Re: Active directory authoritative restore
This topic covers authoritative restore on Windows 2008:
Active Directory and DR Site
Active Directory and DR Site
-
- Expert
- Posts: 127
- Liked: never
- Joined: Mar 18, 2009 2:15 pm
- Full Name: Sam
- Contact:
Re: Active directory authoritative restore
Thanks again Gostev..
doing a restore from Veeam of both DC's worked fine for me. Its working at present will come back to it tommorow to re-check.
doing a restore from Veeam of both DC's worked fine for me. Its working at present will come back to it tommorow to re-check.
-
- Expert
- Posts: 116
- Liked: never
- Joined: Jan 01, 2006 1:01 am
- Contact:
Re: Active directory authoritative restore
Anton, thanks for the link to the newer thread. Looks like while some of the info in our thread here was correct & helpful (worked for me), the original premise was incorrect and everyone just followed suit. The other thread is correct that there's no need for an authoritative restore, only for SYSVOL to be authoritative (achieved differently depending if FRS or DFRS). So reading back my earlier posts in this thread, the BurFlags key is what actually made it work, the rest was really unnecessary. Thanks to Tom once again for his good insight and for correcting his post here. samuk, I apologize for any confusion.
-
- Veteran
- Posts: 392
- Liked: 33 times
- Joined: Jul 18, 2011 9:30 am
- Full Name: Hussain Al Sayed
- Location: Bahrain
- Contact:
Re: Active directory authoritative restore
Hello,
Is the Authoritative Restore is mandatory for a DC or just I can restore the DC VM and Boot it should work fine?
I have just tested backing up a test DC, I deleted the VM and I restored it again, it restores fine without any issue. I looked at the event viewer all the VSS and NTDS shows only information, no errors no warning.
Please clarify.
Thanks,
Is the Authoritative Restore is mandatory for a DC or just I can restore the DC VM and Boot it should work fine?
I have just tested backing up a test DC, I deleted the VM and I restored it again, it restores fine without any issue. I looked at the event viewer all the VSS and NTDS shows only information, no errors no warning.
Please clarify.
Thanks,
-
- VP, Product Management
- Posts: 27371
- Liked: 2799 times
- Joined: Mar 30, 2009 9:13 am
- Full Name: Vitaliy Safarov
- Contact:
Re: Active directory authoritative restore
Hello Hussain,
Authoritative restore is not mandatory, and in most of the time you will need to do only non-authoritative restore in order to bring your DC back to the production site. Thanks.
Authoritative restore is not mandatory, and in most of the time you will need to do only non-authoritative restore in order to bring your DC back to the production site. Thanks.
-
- Veteran
- Posts: 392
- Liked: 33 times
- Joined: Jul 18, 2011 9:30 am
- Full Name: Hussain Al Sayed
- Location: Bahrain
- Contact:
Re: Active directory authoritative restore
Hi,
Thanks for your quick reply.
That's what I did actually. I just deleted the VM and I restored it from last Incremental Backup. It restores successfully, and DC came up normal.
Thanks for your quick reply.
That's what I did actually. I just deleted the VM and I restored it from last Incremental Backup. It restores successfully, and DC came up normal.
Code: Select all
Log Name: Directory Service
Source: Microsoft-Windows-ActiveDirectory_DomainService
Date: 8/1/2011 1:01:36 PM
Event ID: 1109
Task Category: Replication
Level: Information
Keywords: Classic
User: ANONYMOUS LOGON
Computer: vESXDC01.ESX.Local
Description:
Active Directory Domain Services has been restored from backup media, or has been configured to host an application partition. The invocationID attribute for this directory server has been changed. The highest update sequence number at the time the backup was created is as follows.
InvocationID attribute (old value):
e550509e-f1fd-43f9-86a9-9c51c3dd589b
InvocationID attribute (new value):
19cd74da-7dea-4316-9487-9daf2ce7d2ee
Update sequence number:
20493
The invocationID is changed when a directory server is restored from backup media or is configured to host a writeable application directory partition.
Log Name: Directory Service
Source: Microsoft-Windows-ActiveDirectory_DomainService
Date: 8/1/2011 1:03:22 PM
Event ID: 1000
Task Category: Service Control
Level: Information
Keywords: Classic
User: ANONYMOUS LOGON
Computer: vESXDC01.ESX.Local
Description:
Microsoft Active Directory Domain Services startup complete, version 6.1.7600.16612
Log Name: Directory Service
Source: Microsoft-Windows-ActiveDirectory_DomainService
Date: 8/1/2011 1:02:16 PM
Event ID: 1394
Task Category: Service Control
Level: Information
Keywords: Classic
User: ANONYMOUS LOGON
Computer: vESXDC01.ESX.Local
Description:
All problems preventing updates to the Active Directory Domain Services database have been cleared. New updates to the Active Directory Domain Services database are succeeding. The Net Logon service has restarted.
Log Name: DNS Server
Source: Microsoft-Windows-DNS-Server-Service
Date: 8/1/2011 1:03:53 PM
Event ID: 4
Task Category: None
Level: Information
Keywords: Classic
User: N/A
Computer: vESXDC01.ESX.Local
Description:
The DNS server has finished the background loading of zones. All zones are now available for DNS updates and zone transfers, as allowed by their individual zone configuration.
Log Name: DFS Replication
Source: DFSR
Date: 8/1/2011 1:03:58 PM
Event ID: 1210
Task Category: None
Level: Information
Keywords: Classic
User: N/A
Computer: vESXDC01.ESX.Local
Description:
The DFS Replication service successfully set up an RPC listener for incoming replication requests.
Additional Information:
Port: 5722
Log Name: DFS Replication
Source: DFSR
Date: 8/1/2011 1:03:58 PM
Event ID: 1206
Task Category: None
Level: Information
Keywords: Classic
User: N/A
Computer: vESXDC01.ESX.Local
Description:
The DFS Replication service successfully contacted domain controller vESXDC01.ESX.Local to access configuration information.
Who is online
Users browsing this forum: Bing [Bot], shangwsh, woifgaung and 141 guests