Standalone backup agent for Microsoft Windows servers and workstations (formerly Veeam Endpoint Backup FREE)
Nk123

Restore only a single DC with Veeam

Post by Nk123 »

Hi,
I have read most of the articles from Veeam that exist about restoring a Domain Controller.
The restore is made by Veeam as a Non-Authoritative Restore (default).
This means that the restored DC (it was the only DC before, no other DC existed before) waits for others to synchronize with it.
In KB2119 https://www.veeam.com/kb2119 it is explained that if I want to switch to Authoritative mode for my 2022 Server
I have to do these steps on my system to force Authoritative mode:
use Powershell:
--------------------------------------------------------------------------------------------------------------------------------------
1.
REG ADD "HKLM\System\CurrentControlSet\Services\DFSR\Restore" /v SYSVOL /t REG_SZ /d authoritative /f
REG ADD "HKLM\System\CurrentControlSet\Control\BackupRestore\SystemStateRestore" /v LastRestoreId /t REG_SZ /d 10000000-0000-0000-0000-000000000000 /f
NET STOP DFSR
NET START DFSR

If the first DC that was restored is already hosting operations master roles, set the following registry value in order to bypass initial synchronization requirements and not to wait for another partner to replicate the directory partitions:

2.
Key Location: HKLM\System\CurrentControlSet\Services\NTDS\Parameters
Value Name: Repl Perform Initial Synchronizations
Value Type: DWORD (32-Bit) Value
Value Data: 0

After setting the value above, restart the domain controller.

Note: Don’t forget to reset this value back to 1 after domain recovery is completed, so that the domain controller requires successful replication with its partners before starting to service client requests.
--------------------------------------------------------------------------------------------------------------------------------------------------------------
My question: in my system I do not find that key Repl Perform Initial Synchronizations.
I suppose that I have to create it?!
Microsoft support warns about this key and says to use it only on test and not production systems.

So my question: I executed point 1, but I am not sure whether to do step 2.
What happens if I run neither of the two commands and just wait a long time, 1 hour? Would the restored DC, which will not find any other DCs in the network, work fine as a DC with all the roles it had before?
I use VeeamAgentWindows for backup of the DC.
If you cannot answer the question, please send it to your Veeam Support, because this information is important for all customers.
Thank you
david.domask
Veeam Software

Re: Restore only a single DC with Veeam

Post by david.domask » 1 person likes this post

Hi Nk123,

Regarding your concerns on Repl Perform Initial Synchronizations, I'm guessing you're referring to this Microsoft article as the source for your concern?

https://learn.microsoft.com/en-us/troub ... resolution

> The use of Repl Perform Initial Synchronizations should be used only in critical situations to resolve temporary and specific problems. The default setting should be restored after such problems are resolved.

As I see it, the instructions from the Veeam article are compliant with the guidance, as indeed in such a situation you're temporarily using the value to resolve a very specific problem, and then removing the value. I imagine the caution from the article is about _leaving the registry value enabled_ long term. But just creating it and going through the rest of the KB article and removing the registry value should be all you need.

By default, Veeam will restore the DC as non-authoritative as you noted; while I'm not an AD expert, my understanding was that in non-Authoritative mode it will wait for partners to replicate to it before any other automatic actions, so I believe either replication or manual intervention is required, but I will defer to others with more expertise on that matter.
David Domask | Product Management: Principal Analyst
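
An added example, not part of either post or of the Veeam KB: a PowerShell check, run locally on the restored DC, that reports whether the temporary `Repl Perform Initial Synchronizations` bypass is still in place, with an optional switch to set it back to 1 as the quoted KB note asks. The function name `Test-InitialSyncBypass` is hypothetical, and treating an absent value as the default behaviour is an assumption based on the value not existing on the poster's system.

```powershell
# Added example (not from the thread): audit the temporary NTDS override
# quoted from the KB. Run in an elevated PowerShell session on the DC.
$NtdsKey   = 'HKLM:\System\CurrentControlSet\Services\NTDS\Parameters'
$ValueName = 'Repl Perform Initial Synchronizations'

function Test-InitialSyncBypass {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # When set, write the value back to 1 as the KB note instructs.
        [switch]$Restore
    )

    $item = Get-ItemProperty -Path $NtdsKey -Name $ValueName -ErrorAction SilentlyContinue

    # Assumption: an absent value means default behaviour (initial sync required).
    $current  = if ($null -ne $item) { $item.$ValueName } else { $null }
    $bypassed = ($null -ne $current) -and ($current -eq 0)

    if ($bypassed -and $Restore) {
        if ($PSCmdlet.ShouldProcess("$NtdsKey\$ValueName", 'Set to 1')) {
            Set-ItemProperty -Path $NtdsKey -Name $ValueName -Value 1 -Type DWord
            $current  = 1
            $bypassed = $false
        }
    }

    [pscustomobject]@{
        Computer        = $env:COMPUTERNAME
        ValuePresent    = ($null -ne $item)
        CurrentValue    = $current
        BypassActive    = $bypassed
        CheckedAt       = Get-Date
    }
}

# Report only:
Test-InitialSyncBypass

# Report and revert after domain recovery is complete (add -WhatIf to preview):
# Test-InitialSyncBypass -Restore
```

A `BypassActive` result of `True` after recovery is finished is the long-term condition the Microsoft text quoted above cautions against.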
Nk123

Re: Restore only a single DC with Veeam

Post by Nk123 »

Hi,
thanks David for answering!
If Veeam offers a free tool, it should also explain the restore of the only existing Domain Controller in the network.

Here is the explanation from Veeam:

This scenario assumes:

The Domain Controller is being restored to an environment where other Domain Controllers are present from which the restored Domain Controller can replicate information.
or
!!!! This is my scenario --> The Domain Controller being restored is the only Domain Controller that exists in the environment.

In this scenario, a simple non-authoritative restore is sufficient to recover.
Restore the Domain Controller. The steps taken by Application-Aware Processing during the backup process will cause the Domain Controller to be restored in a non-authoritative state. The restored Domain Controller will first boot into Directory Services Restore Mode (DSRM) mode, then automatically reboot into a normal state. The Domain Controller will know that it has been recovered from backup and will allow the other DC's in the environment to update it.

!!! What does that mean? If I have only one DC in the network, then I have to do nothing? Just after reboot it will work like before I restored it? Did you also understand it like I do? So no need for the commands above?!

When restoring a Domain Controller as the single Domain Controller in an environment, the same boot cycle will occur after restore (DSRM boot, automatic-reboot, normal boot). After the automatic reboot, the restored DC will enter an operational state.

Thank you for answers!