Fox54
Enthusiast
Posts: 29
Liked: never
Joined: May 12, 2009 1:47 am
Contact:

Active directory authoritative restore

Post by Fox54 »

Hi,

I am using Veeam 3.0 and I have 3 Domain Controllers in VMs that I replicate to a backup server.

If I need to run on my backup server, do I need to tell one of the DCs that it needs to do an authoritative restore?
Or will all DCs recover since it is integrated with VSS, and will all DCs say (after the automatic safe mode boot) that they have successfully restored?

Should I make a backup of Active Directory (System State) to a file on the VM and restore from that in AD restore mode? Or will all DCs recover since it is integrated?

Or is there another way?

Should I keep 1 DC on a physical machine just in case?
Gostev
Chief Product Officer
Posts: 31792
Liked: 7295 times
Joined: Jan 01, 2006 1:01 am
Location: Baar, Switzerland
Contact:

Re: Active directory authoritative restore

Post by Gostev »

Hello, Veeam Backup will always perform a non-authoritative restore of the DC in a multi-DC environment. At this time, we do not provide capabilities for performing an authoritative restore. Thank you.
hakand
Novice
Posts: 3
Liked: never
Joined: Apr 05, 2010 10:49 am
Full Name: Hakan D
Contact:

Re: Active directory authoritative restore

Post by hakand »

This topic is a bit old, but the same question has been asked a few times. I have read up on all the topics.
With Veeam VSS enabled, the restore of an AD server occurs perfectly due to it restoring it in a non-authoritative mode. However, this is only good when you still have another live AD to replicate from. I have yet to test this in a single-AD environment because we have multiple DCs installed almost everywhere for the obvious reason.
Could it be added as a feature request to perform an authoritative restore?
Right now there are a few alternatives:
- Not using VSS (but still quiescing)
- Perhaps manually interrupting the restore process and performing an authoritative restore. Veeam boots the VM automatically and reboots it as well, so there is no time to perform this. Are there manual steps we could take to do this that are verified by Veeam? I would be OK with this.
tsightler
VP, Product Management
Posts: 6035
Liked: 2860 times
Joined: Jun 05, 2009 12:57 pm
Full Name: Tom Sightler
Contact:

Re: Active directory authoritative restore

Post by tsightler »

There's not really any reason you can't do an authoritative restore with Veeam; you just have to perform the "ntdsutil" steps manually. It's only a couple of commands.
Gostev
Chief Product Officer
Posts: 31792
Liked: 7295 times
Joined: Jan 01, 2006 1:01 am
Location: Baar, Switzerland
Contact:

Re: Active directory authoritative restore

Post by Gostev »

Tom is correct: you just hit F8 when the restored DC first boots, get into Directory Services Restore Mode on the OS boot menu, and do it according to the Microsoft Active Directory authoritative restore guides. If your other DCs are all dead, don't forget that you will need to transfer the FSMO roles to your restored DC using the ntdsutil seize command.
hakand
Novice
Posts: 3
Liked: never
Joined: Apr 05, 2010 10:49 am
Full Name: Hakan D
Contact:

Re: Active directory authoritative restore

Post by hakand »

OK, then I was correct that I simply need to interrupt the automatic boot and do a restore db. I will try this out.
In case of a DR, one will need to restore all servers. Seizing roles from a server is something else. Will an authoritative restore handle this as well, since I remember to only seize roles when the holder is completely dead?
Gostev
Chief Product Officer
Posts: 31792
Liked: 7295 times
Joined: Jan 01, 2006 1:01 am
Location: Baar, Switzerland
Contact:

Re: Active directory authoritative restore

Post by Gostev »

hakand wrote: Seizing roles from a server is something else. Will an authoritative restore handle this as well?
Yes, you can do that if needed. I have posted the actual command for that in my post above.
hakand
Novice
Posts: 3
Liked: never
Joined: Apr 05, 2010 10:49 am
Full Name: Hakan D
Contact:

Re: Active directory authoritative restore

Post by hakand »

Gostev,

I meant: if Server1 seizes roles from Server2, and I later restore Server2 (non-authoritative), will that end up OK, or do I still need to remove it from Active Directory? I'm pretty familiar with AD and will test as many scenarios as I can. Up till now I'm very pleased with the product.
Gostev
Chief Product Officer
Posts: 31792
Liked: 7295 times
Joined: Jan 01, 2006 1:01 am
Location: Baar, Switzerland
Contact:

Re: Active directory authoritative restore

Post by Gostev »

Hakan, your question relates more to the actual process of the authoritative restore of Active Directory; this has nothing to do with our product. So, it is best to consult with Microsoft on that. Based on my AD knowledge, I believe that in the scenario you have outlined everything will be OK. You can also skip the role seizing part if you plan to restore all DCs from backup (again, my understanding).

Our product provides automated non-authoritative restore (which is what you will want to do in most cases to recover a failed DC). Authoritative restore is a complex manual process that should be done according to Microsoft guidelines. It is very rarely needed (basically, only when Active Directory is completely trashed). Depending on the scenario you choose for a complete restore of your AD, you may or may not have to seize roles or remove Domain Controllers from AD.
donikatz
Expert
Posts: 116
Liked: never
Joined: Jan 01, 2006 1:01 am
Contact:

Re: Active directory authoritative restore

Post by donikatz »

I'm performing a full production DR test for the first time (previously I've used test environments and partial production only, not everything from scratch) and can't seem to get our first DC to come up properly. When I initially boot the first restored DC, press F8, and choose DSRM, it boots into safe mode and shows the login screen, but then, before I can log in, it initiates shutdown and reboots. Seems to me the Veeam automatic non-authoritative restore procedure is kicking in even if I interrupt boot and go into DSRM manually. How do I bypass this to be able to perform a proper authoritative restore? Thanks
Gostev
Chief Product Officer
Posts: 31792
Liked: 7295 times
Joined: Jan 01, 2006 1:01 am
Location: Baar, Switzerland
Contact:

Re: Active directory authoritative restore

Post by Gostev »

Press F8 after the first reboot happens (during the second boot), and then you should be able to perform the authoritative restore. The DC won't sync with other DCs until it boots up the second time.
donikatz
Expert
Posts: 116
Liked: never
Joined: Jan 01, 2006 1:01 am
Contact:

Re: Active directory authoritative restore

Post by donikatz »

Hm, tried that, but when it comes up on the third reboot (after the authoritative restore on the 2nd boot), AD doesn't seem to come up. Group Policy, DNS, and DHCP server all don't see AD. I'll give it another try tomorrow; maybe a stupid mistake on my end. Thanks Anton!
tsightler
VP, Product Management
Posts: 6035
Liked: 2860 times
Joined: Jun 05, 2009 12:57 pm
Full Name: Tom Sightler
Contact:

Re: Active directory authoritative restore

Post by tsightler »

Your post prompted me to give this a try. We're still on Windows 2003 R2, and I performed the following steps:

1. Restored our "master" AD controller to a sandbox
2. Booted the AD controller and let Veeam complete the "non-authoritative" restore
3. On the second boot hit "F8" and selected "DSRM"
4. Logged in with the DSRM account and password
5. Ran "ntdsutil"
6. At the "ntdsutil:" prompt typed "authoritative restore"
7. At the "ntdsutil authoritative restore:" prompt typed "restore database"
8. After a bunch of stuff scrolled by regarding opening the DIT, finding the latest change, etc., it reported everything complete.
9. Typed "quit" to exit the ntdsutil utility
10. Rebooted the server.
11. The server took quite a while to boot, but let me log in with my domain account

Everything looked pretty good, but starting domain admin tools like "Active Directory Users and Computers" would report "no domain controller found" unless I pointed it at the specific name of the restored domain controller; then the tools would work fine. This is because, in our environment, our DNS servers are separate from the domain controllers (we don't run Microsoft DNS) and the restored environment had no DNS server. I restored our DNS server into the sandbox environment as well and everything was good to go.
tsightler
VP, Product Management
Posts: 6035
Liked: 2860 times
Joined: Jun 05, 2009 12:57 pm
Full Name: Tom Sightler
Contact:

Re: Active directory authoritative restore

Post by tsightler »

Oh, I forgot something: since you're doing an authoritative restore, assuming a complete destruction of your AD, you'll probably also need to perform an authoritative restore of SYSVOL before your SYSVOL and NETLOGON shares become available. This is pretty easy, by simply setting a registry value. Here are some Microsoft KB articles on the process:

This one is for Windows 2000 domain controller restores, but still applies to at least 2003 and probably 2008 as well:
http://support.microsoft.com/kb/316790

This one is more generic to FRS in general, but mentions both 2000 and 2003:
http://support.microsoft.com/kb/290762

This one covers from Win2000 to 2008 and has some general notes:
http://msdn.microsoft.com/en-us/library ... S.85).aspx

Note that you might want to make a backup of the existing contents of SYSVOL or be prepared to restore them using the file level restore options from Veeam.
donikatz
Expert
Posts: 116
Liked: never
Joined: Jan 01, 2006 1:01 am
Contact:

Re: Active directory authoritative restore

Post by donikatz »

Thanks Tom! Sorry for the late response. I was able to successfully restore AD authoritatively on the second boot as Anton suggested, but also had to use the BurFlags registry keys in your second link (first DC authoritative and then second DC non-authoritative) to get FRS working again (I'd tried the old trick of dfsutil /purgemupcache to no avail). All other services then seemed to be in order. To be sure, I restored Exchange 2003 and it was perfectly happy (and when Exchange is happy, I'm happy). Appreciate the help! d
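The BurFlags step from KB290762 that Tom points to and donikatz confirms (D4 on the first restored DC, then D2 on the others), as an added PowerShell example that is not code from this thread or from Veeam. It assumes an FRS-replicated SYSVOL (2000/2003-era DCs as in the thread), PowerShell 2.0 or later with Get-EventLog available, and a local administrator session on the DC; the function names are this example's own.

```powershell
# FRS reads this key when the service starts and then clears it (KB290762).
$BurFlagsSubKey = 'SYSTEM\CurrentControlSet\Services\NtFrs\Parameters\Backup/Restore\Process at Startup'

function Wait-SysvolReady {
    param([datetime]$Since, [int]$TimeoutSeconds = 600)
    # NtFrs logs 13516 ("system volume has been successfully initialized") once SYSVOL and
    # NETLOGON can be shared again; until then the DC does not advertise itself.
    $deadline = $Since.AddSeconds($TimeoutSeconds)
    while ((Get-Date) -lt $deadline) {
        $ready = Get-EventLog -LogName 'File Replication Service' -After $Since |
                 Where-Object { $_.EventID -eq 13516 } | Select-Object -First 1
        if ($ready) { return $true }
        Start-Sleep -Seconds 15
    }
    return $false
}

function Set-SysvolBurFlags {
    param(
        [Parameter(Mandatory = $true)]
        [ValidateSet('Authoritative', 'NonAuthoritative')]
        [string]$Mode
    )
    # D4 = authoritative: this DC's SYSVOL becomes the source. Use it on ONE DC only.
    # D2 = non-authoritative: this DC discards its SYSVOL copy and re-syncs from a partner.
    $value = if ($Mode -eq 'Authoritative') { 0xD4 } else { 0xD2 }

    # The key name contains a forward slash, which the HKLM: provider treats as a path
    # separator, so go through the .NET registry API rather than Set-ItemProperty.
    $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($BurFlagsSubKey, $true)
    if ($key -eq $null) { throw 'FRS BurFlags key not found; is SYSVOL replicated by FRS rather than DFSR?' }
    try {
        Stop-Service -Name NtFrs -ErrorAction Stop        # change the flag while FRS is stopped
        $key.SetValue('BurFlags', $value, [Microsoft.Win32.RegistryValueKind]::DWord)
    } finally {
        $key.Close()
    }
    $since = Get-Date
    Start-Service -Name NtFrs -ErrorAction Stop           # FRS now processes and clears BurFlags
    return Wait-SysvolReady -Since $since
}

# Usage: on the first restored DC run
#   Set-SysvolBurFlags -Mode Authoritative
# then on each remaining DC run
#   Set-SysvolBurFlags -Mode NonAuthoritative
# and confirm with "net share" that SYSVOL and NETLOGON are listed.
```

Back up the existing SYSVOL contents before the D4 step, as Tom notes, because the D2 DCs will replace their copy with whatever the authoritative DC holds.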
samuk
Expert
Posts: 127
Liked: never
Joined: Mar 18, 2009 2:15 pm
Full Name: Sam
Contact:

Re: Active directory authoritative restore

Post by samuk »

Sorry if this has been asked before..

Veeam Backup restore does the restore by default in authoritative mode; how do I do a non-authoritative mode restore of the second DC?

Windows 2008, 2 DCs, both are GCs. I will be restoring both DCs to a test environment.
donikatz
Expert
Posts: 116
Liked: never
Joined: Jan 01, 2006 1:01 am
Contact:

Re: Active directory authoritative restore

Post by donikatz »

The default is a NON-authoritative restore; authoritative is the one that requires the extra steps described previously. At least for 4.1; I haven't tested in the 5.0 lab yet.
samuk
Expert
Posts: 127
Liked: never
Joined: Mar 18, 2009 2:15 pm
Full Name: Sam
Contact:

Re: Active directory authoritative restore

Post by samuk »

I have to test this tonight, and reading all the above is confusing me!

We have two Windows 2008 DCs, both are Global Catalog servers.

A VSS backup was taken using Veeam Backup 4.11.

I want to restore these two servers into a test environment. Not sure about authoritative / non-authoritative?

What are the steps? The additional steps here are for 2003; do the same apply to Windows 2008?
samuk
Expert
Posts: 127
Liked: never
Joined: Mar 18, 2009 2:15 pm
Full Name: Sam
Contact:

Re: Active directory authoritative restore

Post by samuk »

Okay, just spoke to Microsoft!

I want to restore both my VSS-enabled backups of the two DCs to a test environment.

They said to do a NON-authoritative restore of both DCs and they will work once powered on. (This, as above, Veeam does by default.)

They advised that authoritative restores are used when restoring into an existing environment for object restores.
donikatz
Expert
Posts: 116
Liked: never
Joined: Jan 01, 2006 1:01 am
Contact:

Re: Active directory authoritative restore

Post by donikatz »

If there is no existing DC (i.e. testing full DR restore), your first restored DC has to be authoritative. Really, though, the whole point of a lab is to break things and then learn how to fix them; I'd suggest restoring in different scenarios, blowing them away, and restoring again until you've had some good practice.
samuk
Expert
Posts: 127
Liked: never
Joined: Mar 18, 2009 2:15 pm
Full Name: Sam
Contact:

Re: Active directory authoritative restore

Post by samuk »

Hmm..

So Veeam does a non-authoritative restore by default?

Do I need to follow this for doing an authoritative restore for the 1st DC? And does it apply to Windows 2008?
Gostev
Chief Product Officer
Posts: 31792
Liked: 7295 times
Joined: Jan 01, 2006 1:01 am
Location: Baar, Switzerland
Contact:

Re: Active directory authoritative restore

Post by Gostev »

This topic covers authoritative restore on Windows 2008:
Active Directory and DR Site
samuk
Expert
Posts: 127
Liked: never
Joined: Mar 18, 2009 2:15 pm
Full Name: Sam
Contact:

Re: Active directory authoritative restore

Post by samuk »

Thanks again Gostev..

Doing a restore from Veeam of both DCs worked fine for me. It's working at present; I will come back to it tomorrow to re-check.
donikatz
Expert
Posts: 116
Liked: never
Joined: Jan 01, 2006 1:01 am
Contact:

Re: Active directory authoritative restore

Post by donikatz »

Anton, thanks for the link to the newer thread. Looks like while some of the info in our thread here was correct and helpful (worked for me), the original premise was incorrect and everyone just followed suit. The other thread is correct that there's no need for an authoritative restore, only for SYSVOL to be authoritative (achieved differently depending on whether it is FRS or DFSR). So reading back my earlier posts in this thread, the BurFlags key is what actually made it work; the rest was really unnecessary. Thanks to Tom once again for his good insight and for correcting his post here. samuk, I apologize for any confusion.
habibalby
Veteran
Posts: 392
Liked: 33 times
Joined: Jul 18, 2011 9:30 am
Full Name: Hussain Al Sayed
Location: Bahrain
Contact:

Re: Active directory authoritative restore

Post by habibalby »

Hello,
Is the authoritative restore mandatory for a DC, or can I just restore the DC VM and boot it, and it should work fine?

I have just tested backing up a test DC; I deleted the VM and restored it again, and it restores fine without any issue. I looked at the event viewer: all the VSS and NTDS events show only information, no errors, no warnings.

Please clarify.

Thanks,
Vitaliy S.
VP, Product Management
Posts: 27368
Liked: 2798 times
Joined: Mar 30, 2009 9:13 am
Full Name: Vitaliy Safarov
Contact:

Re: Active directory authoritative restore

Post by Vitaliy S. »

Hello Hussain,

Authoritative restore is not mandatory, and most of the time you will only need to do a non-authoritative restore in order to bring your DC back to the production site. Thanks.
habibalby
Veteran
Posts: 392
Liked: 33 times
Joined: Jul 18, 2011 9:30 am
Full Name: Hussain Al Sayed
Location: Bahrain
Contact:

Re: Active directory authoritative restore

Post by habibalby »

Hi,
Thanks for your quick reply.

That's what I did actually. I just deleted the VM and restored it from the last incremental backup. It restores successfully, and the DC came up normally.


Log Name:      Directory Service
Source:        Microsoft-Windows-ActiveDirectory_DomainService
Date:          8/1/2011 1:01:36 PM
Event ID:      1109
Task Category: Replication
Level:         Information
Keywords:      Classic
User:          ANONYMOUS LOGON
Computer:      vESXDC01.ESX.Local
Description:
Active Directory Domain Services has been restored from backup media, or has been configured to host an application partition. The invocationID attribute for this directory server has been changed. The highest update sequence number at the time the backup was created is as follows. 
 
InvocationID attribute (old value):
e550509e-f1fd-43f9-86a9-9c51c3dd589b 
InvocationID attribute (new value):
19cd74da-7dea-4316-9487-9daf2ce7d2ee 
Update sequence number:
20493 
 
The invocationID is changed when a directory server is restored from backup media or is configured to host a writeable application directory partition.




Log Name:      Directory Service
Source:        Microsoft-Windows-ActiveDirectory_DomainService
Date:          8/1/2011 1:03:22 PM
Event ID:      1000
Task Category: Service Control
Level:         Information
Keywords:      Classic
User:          ANONYMOUS LOGON
Computer:      vESXDC01.ESX.Local
Description:
Microsoft Active Directory Domain Services startup complete, version 6.1.7600.16612 


Log Name:      Directory Service
Source:        Microsoft-Windows-ActiveDirectory_DomainService
Date:          8/1/2011 1:02:16 PM
Event ID:      1394
Task Category: Service Control
Level:         Information
Keywords:      Classic
User:          ANONYMOUS LOGON
Computer:      vESXDC01.ESX.Local
Description:
All problems preventing updates to the Active Directory Domain Services database have been cleared. New updates to the Active Directory Domain Services database are succeeding. The Net Logon service has restarted.

Log Name:      DNS Server
Source:        Microsoft-Windows-DNS-Server-Service
Date:          8/1/2011 1:03:53 PM
Event ID:      4
Task Category: None
Level:         Information
Keywords:      Classic
User:          N/A
Computer:      vESXDC01.ESX.Local
Description:
The DNS server has finished the background loading of zones. All zones are now available for DNS updates and zone transfers, as allowed by their individual zone configuration.


Log Name:      DFS Replication
Source:        DFSR
Date:          8/1/2011 1:03:58 PM
Event ID:      1210
Task Category: None
Level:         Information
Keywords:      Classic
User:          N/A
Computer:      vESXDC01.ESX.Local
Description:
The DFS Replication service successfully set up an RPC listener for incoming replication requests. 
 
Additional Information: 
Port: 5722


Log Name:      DFS Replication
Source:        DFSR
Date:          8/1/2011 1:03:58 PM
Event ID:      1206
Task Category: None
Level:         Information
Keywords:      Classic
User:          N/A
Computer:      vESXDC01.ESX.Local
Description:
The DFS Replication service successfully contacted domain controller vESXDC01.ESX.Local to access configuration information.
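A check for the events Hussain posted, as an added PowerShell example that is not code from this thread or from Veeam: Directory Service 1109 (invocationID changed, so the restored DC's old USNs are not replayed as new changes by its partners), 1394 (database writable again) and 1000 (AD DS startup complete), with DFSR 1206 reported separately since it appears only when SYSVOL is on DFSR. The sample text is a constructed, cut-down copy of the posted dumps; the function names are this example's own.

```powershell
function ConvertFrom-EventText {
    param([string]$Text)
    # Parse the "Log Name: ... Event ID: ... Description: ..." blocks that Event Viewer copies out.
    $events = @()
    foreach ($block in ($Text -split '(?m)^Log Name:' | Where-Object { $_.Trim() })) {
        if ($block -match '(?s)^\s*(?<log>[^\r\n]+).*?Event ID:\s*(?<id>\d+).*?Description:\s*(?<msg>.*)$') {
            $events += New-Object PSObject -Property @{
                LogName = $matches['log'].Trim(); EventId = [int]$matches['id']; Message = $matches['msg'].Trim() }
        }
    }
    return $events
}

function Test-DcRestoreEvents {
    param([object[]]$Events)
    $ds = @($Events | Where-Object { $_.LogName -eq 'Directory Service' })
    $result = @{ InvocationIdChanged = $false; DatabaseWritable = $false; StartupComplete = $false; DfsrContactedDc = $false }
    $restored = $ds | Where-Object { $_.EventId -eq 1109 } | Select-Object -First 1
    if ($restored -and $restored.Message -match '(?s)old value\):\s*(?<old>[0-9a-f-]{36}).*?new value\):\s*(?<new>[0-9a-f-]{36})') {
        # A 1109 whose old and new IDs match would mean the restore was not recognised as such.
        $result.InvocationIdChanged = ($matches['old'] -ne $matches['new'])
    }
    $result.DatabaseWritable = [bool]($ds | Where-Object { $_.EventId -eq 1394 })
    $result.StartupComplete  = [bool]($ds | Where-Object { $_.EventId -eq 1000 })
    # Informational only: a DC whose SYSVOL is still on FRS never logs DFSR 1206.
    $result.DfsrContactedDc  = [bool]($Events | Where-Object { $_.LogName -eq 'DFS Replication' -and $_.EventId -eq 1206 })
    $result.Healthy = $result.InvocationIdChanged -and $result.DatabaseWritable -and $result.StartupComplete
    return $result
}

# Constructed sample, cut down from the dumps above, so the check runs offline.
$sample = @"
Log Name:      Directory Service
Event ID:      1109
Description:
Active Directory Domain Services has been restored from backup media.
InvocationID attribute (old value):
e550509e-f1fd-43f9-86a9-9c51c3dd589b
InvocationID attribute (new value):
19cd74da-7dea-4316-9487-9daf2ce7d2ee
Log Name:      Directory Service
Event ID:      1394
Description:
All problems preventing updates to the Active Directory Domain Services database have been cleared.
Log Name:      Directory Service
Event ID:      1000
Description:
Microsoft Active Directory Domain Services startup complete, version 6.1.7600.16612
"@
Test-DcRestoreEvents -Events (ConvertFrom-EventText -Text $sample)
# On a live 2008 R2 DC, build the same objects from Get-WinEvent -LogName 'Directory Service' and
# 'DFS Replication' (fields Id and Message) and pass them to Test-DcRestoreEvents.
```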