Active Directory Forest Recovery

Here is an article with an Active Directory recovery scenario. You can play through this scenario in a lab to become familiar with the AD recovery procedure (before you have a real crash). The original article was written in French and I translated it into English.

Existing infrastructure

Active Directory

This procedure depends heavily on the Active Directory infrastructure in place. For the demo, the Windows Server 2008 R2 AD architecture in place is composed of the following elements:

  • 1 domain, 1 forest: intra.domain.local
  • 2 domain controllers (DC1, DC2)
  • 2 DNS servers (DC1, DC2)
  • 2 Global Catalogs (DC1, DC2)
  • Distribution of the FSMO roles:
    • Schema master (DC1)
    • Domain naming master (DC1)
    • RID master (DC1)
    • PDC emulator (DC1)
    • Infrastructure master (DC1)

Result of dcdiag /test:knowsofroleholders:

Some objects are created in the AD for the test:



To carry out this recovery procedure, you need a System State backup of a DC in the domain. In a multi-domain infrastructure, you need one DC backup per domain. The best backup is the one taken from the DC holding the greatest number of FSMO roles. In our case, it is better to use a backup of DC1: this spares us the steps of seizing the missing FSMO roles.

Info: In Windows Server 2008 environments, the integrated backup tool is called "Windows Server Backup" and is installed via the Features console.

To restore AD DS, you need the Directory Services Restore Mode password. This password was set during the initial installation and may not have been kept. If that is the case, follow the procedure detailed in KB322672.


This procedure must be carried out in the following cases:

  • All DCs have suffered a software or physical corruption that makes them unusable
  • The Active Directory environment has been sabotaged
  • A risky action triggered a corruption of data across the forest
  • None of the domain controllers can replicate with its partners
  • No change can be made to AD DS from any DC
  • No new DC can be added to the existing domains


Recovering an Active Directory forest means either recreating AD DS "from scratch" on all DCs or restoring the forest from a backup. As a result, the AD recovery operation causes the loss of any changes made since the last backup run.

Macro Steps

The recovery steps are the following:

  1. Back up AD DS
  2. Shut down all DCs
  3. Restore the System State of DC1
  4. Seize the FSMO roles (if required)
  5. Clean up the replication partners in AD (metadata cleanup)
  6. Install new domain controllers

Each step is detailed in the following sections.



Before starting the recovery procedure, it is important to know the backup strategy in place in order to identify the right backups.

A domain controller is backed up with Windows Server Backup (Wbadmin.exe). Ideally, the backup files are then stored off-site.

To back up the System State of a domain controller, this is the command to use:

WBADMIN start systemstatebackup -backuptarget:\\FILESERVER\BACKUP

Once the backup is completed, the command ends with the message:

By default, the generated backup files can be identified as follows in the target directory:

Recovering AD DS

At this point, we simulate an AD crash. From this moment, the decision is made to restore the directory by following the procedure detailed below.

Shutting down all domain controllers

To avoid replicating corrupted or obsolete data into the directory we are about to restore, it is essential to take all domain controllers in the forest offline, in particular the FSMO role holders.

Restoring the first DC

In our case, the DC to restore is unquestionably the DC1.intra.domain.local server. It holds the DNS role and all forest and domain FSMO roles.

In a multi-domain forest, a domain controller from the forest root domain should be chosen, because it contains both the forest structure (trusts) and the AD-integrated root DNS zone with its resource records.


On a new machine, DC-RESTO, installed in a workgroup, we will restore the System State backup of the DC1 server. This new server is set to boot in Directory Services Restore Mode:

bcdedit /set safeboot dsrepair

On reboot, the server goes directly into Directory Services Restore Mode (instead of having to press F8 at the console).

The backup target may contain several backup versions. You must restore the most suitable one (careful, this is not necessarily the most recent!).

To find the "Version Identifier" of the backup we want to use, run:

WBADMIN get versions -backuptarget:\\FILESERVER\Backup

The version identifier of my preferred backup is "12/07/2009-09:21".

The restore of the SYSVOL directory must be authoritative, since this DC will be the first one in the directory. Here is the command run on the new server:

wbadmin start systemstaterecovery -backuptarget:\\FILESERVER\backup -authsysvol -version:12/07/2009-09:21

Answer YES to the 5 warnings, for example:

  • Do you want to start the system state recovery operation?
  • Do you want to continue?

The command ends with the message:

On restart, log on as the local administrator of the machine. Note that the password of this account is the DSRM recovery password.

When the machine restarts, the following message appears:

Disable booting into Directory Services Restore Mode:

bcdedit /deletevalue safeboot

Configure the server to use itself as preferred DNS server, by changing its IP configuration. The restored server is then the first DNS server of the "new forest".

Restart the server and log on as the domain administrator (the password is still the same as before the crash).

Validation / Test

Once restored, the first DC "carries" the new forest. It is therefore essential to run some tests to validate the restore:

  • The machine name is consistent (DC1.intra.domain.local)
  • The IP configuration is valid
  • The SYSVOL and NETLOGON directories are present and shared
  • The ADUC console contains the objects that existed in the directory before the backup
  • The replication partners are still visible in the "Sites and Services" console
  • The service (SRV) records are present in the DNS zone
  • ADSI Edit shows all the AD DS partitions
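The checklist above can be run as a script on the restored DC. This is an added example, not part of the original article; it assumes the ActiveDirectory PowerShell module is available and uses the demo names DC1.intra.domain.local and intra.domain.local.

```powershell
# Added example: post-restore checks for the first recovered DC (run on that DC).
# Assumptions: ActiveDirectory module installed, demo names from the article.
Import-Module ActiveDirectory

$ExpectedFqdn = 'DC1.intra.domain.local'   # assumption: name of the restored DC
$DomainDns    = 'intra.domain.local'       # assumption: forest/domain DNS name

function Test-RestoredDc {
    $r = @{}

    # 1. Machine name is the DC we restored
    $fqdn = "$env:COMPUTERNAME.$((Get-WmiObject Win32_ComputerSystem).Domain)"
    $r['NameMatches'] = ($fqdn -ieq $ExpectedFqdn)

    # 2. SYSVOL and NETLOGON are shared (only appear once SYSVOL is ready)
    $shares = Get-WmiObject Win32_Share | Select-Object -ExpandProperty Name
    $r['SysvolNetlogonShared'] = ($shares -contains 'SYSVOL') -and ($shares -contains 'NETLOGON')

    # 3. The DC locator SRV record exists in the AD-integrated DNS zone
    $srv = nslookup -type=SRV "_ldap._tcp.dc._msdcs.$DomainDns" 2>$null
    $r['DcSrvRecord'] = [bool]($srv | Select-String -SimpleMatch 'svr hostname')

    # 4. All five FSMO roles are held by this DC (expected after restoring DC1)
    $forest = Get-ADForest
    $domain = Get-ADDomain
    $holders = @($forest.SchemaMaster, $forest.DomainNamingMaster,
                 $domain.PDCEmulator, $domain.RIDMaster, $domain.InfrastructureMaster)
    $r['AllFsmoHere'] = (@($holders | Where-Object { $_ -ine $ExpectedFqdn }).Count -eq 0)

    # 5. Replication partners still listed: nTDSConnection objects under the Sites container
    $cfgNc = (Get-ADRootDSE).configurationNamingContext
    $conns = Get-ADObject -LDAPFilter '(objectClass=nTDSConnection)' -SearchBase "CN=Sites,$cfgNc"
    $r['ReplicationConnections'] = @($conns).Count

    # 6. Every naming context is readable (the partitions ADSI Edit would show)
    $r['Partitions'] = (Get-ADRootDSE).namingContexts -join '; '

    New-Object PSObject -Property $r
}

Test-RestoredDc | Format-List
```

A false value for any of the first four properties means the corresponding item of the checklist has failed and the restore should be investigated before continuing.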


Initial configuration

Some actions are required to initialise the AD, get rid of the old corrupted DCs and prepare for the integration of new servers.

Global Catalog (optional)

When restoring a multi-domain forest, several GCs are potentially recovered. It is therefore necessary to make sure first that no GC replicates objects that no longer exist. Uncheck the "Global Catalog" box in the NTDS Settings of the DC1 server, in the "Sites and Services" console. The GC roles will be re-enabled once the complete recovery operation is finished.

RID pool

Between the time of the backup and the recovery, security principals may have been created in AD. These objects received a SID at creation. They no longer exist, because a backup taken before their creation has been restored. To prevent newly created users from receiving the same SIDs, it is essential to raise the start of the RID pool range.

  1. Start ldp.exe.
  2. Click Connection, then Connect.
  3. Enter the FQDN of the local server.
  4. Click Connection, then Bind, then OK.
  5. Click View / Tree and enter the DN of the RID Manager: CN=RID Manager$,CN=System,DC=intra,DC=domain,DC=local
  6. Note the value of the rIDAvailablePool attribute and copy it.
  7. Click Browse, then Modify.
  8. In the DN field, type: cn=RID Manager$,cn=System,dc=intra,dc=domain,dc=local
  9. In the Attribute field, type rIDAvailablePool.
  10. Paste the value identified above and add 100000 to it (looking at the last figures, 422 708 becomes 522 708). Select the Replace operation, click Enter, then Run.
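The same change can be made from PowerShell, which also makes the layout of rIDAvailablePool visible. This is an added example, not part of the original article; it assumes the ActiveDirectory module and derives the RID Manager DN from the current domain.

```powershell
# Added example: inspect and raise the RID pool (the ldp.exe procedure above).
# Assumption: ActiveDirectory module available; domain DN taken from Get-ADDomain.
Import-Module ActiveDirectory

# rIDAvailablePool is a single 64-bit integer: the high 32 bits hold the maximum RID
# the domain can ever issue, the low 32 bits hold the next RID that will be handed out.
function Get-RidPoolState {
    param([string]$DomainDn = (Get-ADDomain).DistinguishedName)
    $dn    = "CN=RID Manager`$,CN=System,$DomainDn"
    $obj   = Get-ADObject -Identity $dn -Properties rIDAvailablePool
    $value = [int64]$obj.rIDAvailablePool
    $low   = [int64]0
    $high  = [math]::DivRem($value, [int64]4294967296, [ref]$low)   # split high/low halves
    New-Object PSObject -Property @{
        DistinguishedName = $dn
        Raw     = $value
        MaxRid  = $high
        NextRid = $low
    }
}

# Skip ahead by $Increment RIDs (the article uses 100000) so that principals created after
# the backup, which no longer exist, can never share a SID with newly created principals.
function Set-RidPoolNextRid {
    param([int64]$Increment = 100000, [switch]$Commit)
    $state = Get-RidPoolState
    if ($state.NextRid + $Increment -gt $state.MaxRid) {
        throw "Increment would exceed the domain's maximum RID ($($state.MaxRid))"
    }
    # Adding to the whole integer only touches the low half as long as the check above holds
    $newValue = $state.Raw + $Increment
    Write-Host ("rIDAvailablePool {0} -> {1} (next RID {2} -> {3})" -f
        $state.Raw, $newValue, $state.NextRid, ($state.NextRid + $Increment))
    if ($Commit) {
        # Equivalent of the "Replace" operation in ldp.exe
        Set-ADObject -Identity $state.DistinguishedName -Replace @{ rIDAvailablePool = $newValue }
    }
    $newValue
}

Set-RidPoolNextRid              # preview only
# Set-RidPoolNextRid -Commit    # write the new value
```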

(Optional) FSMO roles

If the restored DC did not hold all the FSMO roles, the missing roles must be seized so that all of them are present in the new forest.

  1. In a command prompt, run ntdsutil.exe.
  2. Type roles.
  3. At the "fsmo maintenance" prompt, type connections.
  4. At the "server connections" prompt, type connect to server dc1.intra.domain.local.
  5. Type quit.
  6. Then type the following commands to seize each of the forest and domain FSMO roles:
    • seize schema master
    • seize naming master
    • seize infrastructure master
    • seize pdc
    • seize rid master


We now have a new forest consisting of a single DC, with DNS, which holds all the FSMO roles.

Cleaning of the AD (Metadata CleanUp)

In AD DS 2008 or 2008 R2, the Active Directory metadata cleanup is done automatically when an object of type Domain Controller is deleted.

  1. In the ADUC console, open the Domain Controllers OU.
  2. Delete all DC objects except DC1.
  3. Check the confirmation box and click Delete.

Machine account and krbtgt passwords

In case some DCs might still be online despite the previous steps of the procedure, we need to reset the machine account password of the restored DC and the password of the krbtgt account, so that the restored DC no longer trusts the "old" DCs.

In a command prompt, type:

netdom resetpwd /Server:DC1.intra.domain.local /UserD:administrator /PasswordD:*

The command must be run twice.

To reset the password of the krbtgt account, open the ADUC console, right-click the account and choose Reset Password.

This action must be carried out twice.
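Both double resets can be scripted. This is an added example, not part of the original article; it assumes the ActiveDirectory module, runs on the restored DC, and uses the demo name DC1.intra.domain.local. The krbtgt password is random and never displayed, since nobody needs to know it.

```powershell
# Added example: reset the DC machine account and krbtgt passwords twice each.
# Assumptions: run on the restored DC, ActiveDirectory module installed, demo DC name.
Import-Module ActiveDirectory

# 32 random bytes from the OS CSPRNG, base64-encoded: a password nobody knows or needs.
function New-RandomSecurePassword {
    $bytes = New-Object byte[] 32
    $rng   = New-Object System.Security.Cryptography.RNGCryptoServiceProvider
    $rng.GetBytes($bytes)
    ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force
}

function Reset-RecoveredDcSecrets {
    param([string]$Dc = 'DC1.intra.domain.local')   # assumption: restored DC

    # Machine account: twice, so that both the current and the previous password
    # (which Windows keeps for a while) are unknown to any "old" DC still online.
    foreach ($pass in 1, 2) {
        netdom resetpwd /Server:$Dc /UserD:administrator /PasswordD:*
        if ($LASTEXITCODE -ne 0) { throw "netdom resetpwd failed on pass $pass" }
    }

    # krbtgt: twice as well, because the KDC also accepts tickets encrypted with the
    # previous krbtgt key; two resets leave nothing an old DC could still use.
    foreach ($pass in 1, 2) {
        Set-ADAccountPassword -Identity krbtgt -Reset -NewPassword (New-RandomSecurePassword) -Server $Dc
        Start-Sleep -Seconds 10   # let the first reset settle before the second
    }

    # Return the evidence that the reset happened (timestamp, not the password)
    Get-ADUser krbtgt -Properties PasswordLastSet -Server $Dc |
        Select-Object Name, PasswordLastSet
}

Reset-RecoveredDcSecrets
```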

The Active Directory environment is now ready to receive new DCs.

The DC1 server can be re-enabled as a Global Catalog.

Reintegrating the former DCs into the new forest

In our case, DC2 will be reinstalled and joined to the forest via DCPROMO:

Remaining tasks

Once the AD environment is stable, depending on your organisation and on the cause of the outage, some actions and improvements can be carried out if necessary:

  • Add domain controllers
  • Reconfigure DNS
  • Redistribute the FSMO roles (currently all on DC1)
  • Recreate the objects that were lost between the backup and the restore
  • Add Global Catalogs
  • Change the passwords of the highly privileged accounts (Enterprise Admins, Schema Admins), especially in the case of sabotage
  • On client machines, rejoin them to the domain or re-establish the secure channel
  • Rebuild the trust relationships with external forests
