-
- Novice
- Posts: 3
- Liked: never
- Joined: Apr 19, 2024 1:54 am
- Full Name: Craig Brown
- Contact:
Restore of NTDS.dit
Hi There,
I'm new to VEEAM. I'm looking to restore just the NTDS.dit database for Active Directory so I can mount it and query a previous version using PowerShell. I've done this successfully in the past with other backup and restore software, but it involved carrying out a system state restore, an option that doesn't seem to exist with VEEAM.
The process on the old software would be:
1. System state restore to another location, ensuring the new VM is not connected to the network and not turned on.
2. Remove VMDK from the restored DC VM and mount it into another VM.
3. From this "other VM" copy the NTDS.dit off to a running DC where I can mount it using the DSAMAIN tool.
If I do a VEEAM full system restore of a DC (it's an application aware backup BTW) it completes fine, boots into DSRM and then boots again into "normal mode". Again, the NIC on the VM is not connected so the DC is isolated from the network. So far so good. However, at this point I can't open AD Users and Computers or the DNS GUI on the restored VM as it complains that AD isn't running. And if I try to mount the disk containing the DB to another VM and then mount the AD DB with DSAMAIN, that also fails, and I'm pretty sure that's because the logs of the database haven't been committed in an application aware state, as the temp.db file still exists in the same folder as the NTDS.dit. I think to get the DB into a working state I would need to also restore the disk containing the logs and "replay" them.
Is there something I'm doing wrong?
-
- Veeam Software
- Posts: 1985
- Liked: 489 times
- Joined: Jun 28, 2016 12:12 pm
- Contact:
Re: Restore of NTDS.dit
Hi Craig,
Just to confirm, do you have the logs on a different disk for this machine and during restore, you're only restoring the system disk? Also, did you enable Application Aware Processing for the backup and it was successful?
Basically, try doing an instant recovery of the domain controller to an isolated network or just disable the network connection during the restore process (you can configure an On-Demand Sandbox for future testing like this) and see if your testing works then and if all the services come up. I suspect you're correct if you are only restoring some of the disks of the DC, and since Instant Recovery won't take space for testing, it should be a pretty simple test.
David Domask | Product Management: Principal Analyst
-
- Novice
- Posts: 3
- Liked: never
- Joined: Apr 19, 2024 1:54 am
- Full Name: Craig Brown
- Contact:
Re: Restore of NTDS.dit
So yes, the logs and the DB are on different disks, but like I said I'm doing a full system restore of the VM with all disks included. And yes, I'm doing an application aware backup and that is successful. The restore completes and the AD services themselves start up, but then I can't use any tools such as Users and Computers or DNS mgmt as they give errors to say AD isn't running. The NIC is disconnected from the VM during all of this.
The part about mounting the disk in order to get access to the NTDS.dit is only done AFTER I have completed the full system restore with all the disks.
I'm just following the process I did with the old backup software but not sure if that's how to achieve the same result using VEEAM.
-
- Veeam Software
- Posts: 1985
- Liked: 489 times
- Joined: Jun 28, 2016 12:12 pm
- Contact:
Re: Restore of NTDS.dit
Got it, there should be no extra steps really needed if you're backing up all disks and also Application Aware Processing is successful.
https://www.veeam.com/blog/how-to-recov ... ction.html
This blog post is a bit older but it shows all the common DC-related items you might encounter during restores. However, as you say you're doing this testing to run a query, maybe I'm misunderstanding why it needs to be mounted to another disk -- Instant Recovery was suggested because you can attach it to a Virtual Lab in an On-Demand Sandbox and then access the instant recovered machine there and perform the queries, but maybe I'm missing the reason why it needs to be attached to another machine.
When you say "The restore completes and the AD services themselves start up but the I can't use any tools such as Users and Computer or DNS mgmt as they give errors to say AD isn't running", you mean on the restored machine, right? What kind of errors are these? Veeam doesn't do anything special during the restore for DCs, so assuming Application Aware Processing went well, it's likely some nuance of DCs, but start with the blog post and if you're still having issues, maybe elaborate on what kind of errors the DC is throwing specifically.
David Domask | Product Management: Principal Analyst
-
- Novice
- Posts: 3
- Liked: never
- Joined: Apr 19, 2024 1:54 am
- Full Name: Craig Brown
- Contact:
Re: Restore of NTDS.dit
Thanks, but I've already read that blog and followed it.
The reason the database must be mounted on another disk is so I can query the old version and the current version concurrently on the same domain controller. I don't want to bring the restored DC into production (I only want its database) so I have to keep it isolated from the network, therefore the only way to get the NTDS.dit over to another DC is to mount the disk containing the restored DB.
And yes, the errors I get are on the fully restored DC, which is isolated from the network. The error I get when opening up "Users and computers" is "Naming information cannot be located for the following reason: The server is not operational".
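The workflow described in this thread (confirm the copied NTDS.dit is in a consistent state, mount it with DSAMAIN beside the live directory, then query both), sketched as an added example that is not part of any post here and not Veeam tooling. The database path, LDAP port and the choice to compare user objects are assumptions; it expects an elevated session on a DC with the ActiveDirectory module.

```powershell
# Added example: placeholder values below are assumptions, not from the thread.
$DbPath   = 'D:\Restore\NTDS\ntds.dit'   # placeholder: copy taken from the restored disk
$LdapPort = 51389                        # arbitrary free port for the mounted copy

function Get-EseDbState {
    # Pulls the "State:" field out of an `esentutl /mh` header dump.
    param([string[]]$HeaderDump)
    foreach ($line in $HeaderDump) {
        if ($line -match '^\s*State:\s*(.+?)\s*$') { return $Matches[1] }
    }
    throw 'No State line found in the header dump.'
}

# 1. Read the ESE header. A copy taken without committed logs reports
#    "Dirty Shutdown" and has to have its restored logs replayed first.
$state = Get-EseDbState (& esentutl.exe /mh $DbPath)
if ($state -ne 'Clean Shutdown') {
    throw "Database state is '$state'. Replay the restored transaction logs before mounting."
}

# 2. Mount the copy as a separate LDAP instance. dsamain stays in its own
#    console window; stop it there with Ctrl+C when finished.
Start-Process dsamain.exe -ArgumentList "/dbpath `"$DbPath`" /ldapport $LdapPort"
Start-Sleep -Seconds 10   # give the instance time to start listening

# 3. Query the old copy and the live directory from the same DC.
Import-Module ActiveDirectory
$old = Get-ADUser -Filter * -Server "localhost:$LdapPort" -Properties whenChanged
$now = Get-ADUser -Filter * -Properties whenChanged

# 4. Users present in the backup but missing from the live directory.
Compare-Object $old $now -Property ObjectGUID -PassThru |
    Where-Object SideIndicator -eq '<=' |
    Select-Object SamAccountName, DistinguishedName, whenChanged

# The copied ntds.dit holds credential material for every account:
# keep it on the DC only as long as needed and delete it afterwards.
```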