Active Directory Recovery Windows Server 2012 R2 – Step by Step

Test Setup

In this Active Directory Recovery test scenario we have 3 Domain Controllers:
  1. BA-testDC1 - Physical Domain Controller, Global Catalog
  2. BA-testDC2 - Virtual Domain Controller, Global Catalog
  3. BA-testDC3 - Virtual Domain Controller, holds all FSMO roles
We are using Hyper-V for this experiment, but other hypervisors should also work. We use the Hyper-V 'Internal' vSwitch type to keep the test network isolated from production. Altaro VM Backup was used to back up and restore the VMs; any recent backup product that supports Hyper-V should do. I will not go into the details of how the Altaro backups and restores were performed and will concentrate instead on how Active Directory (AD) was recovered. Therefore the first step starts from powering on a VM that has just been restored from Altaro.

Test Objective

We assume there has been a disaster in which we lost the physical DC and the Hyper-V host that carried the virtual DCs. We aim to recover only the two virtual DCs onto a new Hyper-V host from offsite backup files. Active Directory must be recovered and made fully functional. The physical server will be deleted from AD and metadata cleanup carried out. At the end of the experiment we should have two recovered virtual DCs and a functioning AD.

Test Assumptions

  • AD is using FRS for SYSVOL replication (I will try to update this guide with the steps for a DFSR-replicated environment soon)
  • Physical DC will be demoted/removed
  • PowerShell version is 4.0 or newer (to check, run $PSVersionTable)

Initial recovered and powered off VMs

Step 1. Power on BA-testDC3 in DSRM mode.

It is important that the VMs start with their virtual network adapters (vNICs) disconnected, so that a restored DC cannot replicate or advertise before its SYSVOL has been dealt with. Boot BA-testDC3 into DSRM (press F8 during startup and choose Directory Services Restore Mode). If you can't get to the F8 boot menu, boot from the Windows Server 2012 R2 installation disk, open a Command Prompt and run the two commands below to enable the boot menu:
bcdedit /set {bootmgr} displaybootmenu yes
bcdedit /set {bootmgr} timeout 10
Afterwards remove the installation media and press F8 while booting BA-testDC3 from the Hyper-V console.

First time boot of BA-testDC3 in DSRM mode

Step 2. Disable NTFRS and NETLOGON services

We do this so that on the next boot FRS does not start replicating SYSVOL, and Netlogon does not share it, before the restore flags have been set.
Set-Service -Name NtFrs -StartupType Disabled

Set-Service -Name Netlogon -StartupType Disabled

Powershell commands to disable NTFRS and NETLOGON services

Step 3. Reboot into normal mode and set SYSVOL authoritative restore

Log in as Administrator and run the following PowerShell cmdlet to mark this DC's SYSVOL replica as authoritative (BurFlags D4 hex = 212 decimal). Do this on one DC only.
Set-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Services\NtFrs\Parameters\Backup/Restore\Process at Startup' -Name BurFlags -Value 212 -Type DWord

Registry view of Powershell cmdlet to set BurFlags

Step 4. Set correct IP/DNS settings on the main interface

The following assumes the VM has only a single vNIC. Run the following PowerShell cmdlets to reset the IP/DNS settings, substituting your own IP address, prefix length, gateway and DNS server values. Wait for each cmdlet to complete before running the next one.
Get-netadapter | Remove-Netroute -Confirm:$false
Get-netadapter | Remove-NetIPAddress -Confirm:$false
Get-netadapter | new-NetIPAddress -IPAddress 192.168.0.60 -AddressFamily IPv4 -PrefixLength 20 -DefaultGateway 192.168.0.40
Get-netadapter | Set-DnsClientServerAddress -ServerAddresses ("192.168.0.60")

Reset IP/DNS settings using Powershell

Step 5. Set NTFRS and NETLOGON services to automatic and start them. Restart DNS.

Run the following cmdlets, one at a time.
Get-Service ntfrs,netlogon | Set-Service -StartupType Automatic
Start-Service ntfrs,netlogon
Restart-Service dns

Start NTFRS, NETLOGON and DNS services
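The per-DC sequence of Steps 3 to 5 (and its non-authoritative variant, used later on the second DC) as one reusable PowerShell script. This is an added example, not code from the original post: the function names are mine, it writes BurFlags through the .NET registry API rather than the HKLM: provider path, it assumes an FRS-replicated SYSVOL and a single vNIC, and the IP values are the ones from the post. Run it elevated on the recovered DC after it has been rebooted from DSRM into normal mode.

```powershell
# Added example, not from the original post. Assumes: FRS-replicated SYSVOL,
# one vNIC, Windows Server 2012 R2 with PowerShell 4.0+, run elevated after
# the DC has been rebooted from DSRM into normal mode.

$FrsRestoreKey = 'SYSTEM\CurrentControlSet\Services\NtFrs\Parameters\Backup/Restore\Process at Startup'

function Set-FrsBurFlags {
    # D4 (212) = authoritative: set on exactly ONE DC (BA-testDC3 here).
    # D2 (210) = non-authoritative: set on every other recovered DC.
    param([Parameter(Mandatory)][ValidateSet('Authoritative', 'NonAuthoritative')][string]$Mode)
    $value = if ($Mode -eq 'Authoritative') { 0xD4 } else { 0xD2 }
    # The key name contains a '/'; the .NET API takes the subkey path literally.
    $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($FrsRestoreKey, $true)
    if (-not $key) { throw "FRS key not found: HKLM\$FrsRestoreKey (is NtFrs installed on this DC?)" }
    try {
        $key.SetValue('BurFlags', $value, [Microsoft.Win32.RegistryValueKind]::DWord)
        $readBack = [int]$key.GetValue('BurFlags')
    } finally { $key.Close() }
    if ($readBack -ne $value) { throw ('BurFlags read back as 0x{0:X}, expected 0x{1:X}' -f $readBack, $value) }
    'BurFlags = 0x{0:X} ({0} decimal): SYSVOL restore mode {1}' -f $value, $Mode
}

function Reset-DcNetwork {
    # Steps 4 / 8: wipe the addresses and routes the backup brought along, then re-add ours.
    param(
        [Parameter(Mandatory)][string]$IPAddress,
        [Parameter(Mandatory)][int]$PrefixLength,
        [Parameter(Mandatory)][string]$DefaultGateway,
        [Parameter(Mandatory)][string[]]$DnsServers
    )
    $adapters = @(Get-NetAdapter)
    if ($adapters.Count -ne 1) {
        throw "Expected exactly one vNIC, found $($adapters.Count): $($adapters.Name -join ', ')"
    }
    $nic = $adapters[0]
    $nic | Remove-NetRoute -Confirm:$false -ErrorAction SilentlyContinue
    $nic | Remove-NetIPAddress -Confirm:$false -ErrorAction SilentlyContinue
    $nic | New-NetIPAddress -AddressFamily IPv4 -IPAddress $IPAddress -PrefixLength $PrefixLength -DefaultGateway $DefaultGateway | Out-Null
    $nic | Set-DnsClientServerAddress -ServerAddresses $DnsServers
    Get-NetIPAddress -InterfaceIndex $nic.ifIndex -AddressFamily IPv4 | Select-Object IPAddress, PrefixLength
}

function Start-DcServicesAndVerify {
    # Step 5: re-enable NtFrs/Netlogon, restart DNS, then wait for FRS to share SYSVOL.
    Get-Service NtFrs, Netlogon | Set-Service -StartupType Automatic
    Start-Service NtFrs, Netlogon
    Restart-Service Dns
    # FRS logs event 13516 when SYSVOL is shared and the DC may advertise again.
    $deadline = (Get-Date).AddMinutes(10)
    do {
        $share = Get-SmbShare -Name SYSVOL -ErrorAction SilentlyContinue
        $ev = Get-WinEvent -FilterHashtable @{ LogName = 'File Replication Service'; Id = 13516; StartTime = (Get-Date).AddHours(-1) } -MaxEvents 1 -ErrorAction SilentlyContinue
        if ($share -and $ev) { return "SYSVOL shared (FRS event 13516 at $($ev.TimeCreated))" }
        Start-Sleep -Seconds 15
    } while ((Get-Date) -lt $deadline)
    Write-Warning 'SYSVOL still not shared; check the File Replication Service event log before continuing.'
}

# BA-testDC3 (Steps 3 to 5), values from the post:
Set-FrsBurFlags -Mode Authoritative
Reset-DcNetwork -IPAddress 192.168.0.60 -PrefixLength 20 -DefaultGateway 192.168.0.40 -DnsServers 192.168.0.60
Start-DcServicesAndVerify

# BA-testDC2 (Steps 8 and 9), once BA-testDC3 is up and reachable:
# Reset-DcNetwork -IPAddress 192.168.0.66 -PrefixLength 20 -DefaultGateway 192.168.0.40 -DnsServers 192.168.0.66
# Set-FrsBurFlags -Mode NonAuthoritative
# Restart-Service NtFrs
```

The read-back after SetValue and the wait for FRS event 13516 are the two checks worth keeping even if you type the cmdlets by hand: a BurFlags value that did not land, or a SYSVOL that never gets shared, is what turns a recovery into a second outage.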

Step 6. Connect VM to the internal vSwitch

Until the vNIC is connected the DNS service will keep failing. Once the interface is up you can observe that it shows the domain profile (BA-Test.local).

Bring up the virtual network adapter

Step 7. Delete BA-testDC1 from AD and do metadata clean up

Open Active Directory Users and Computers and delete BA-testDC1 from the Domain Controllers OU; on Windows Server 2008 and later this also performs the metadata cleanup for that DC. Then delete its server object from Active Directory Sites and Services. Had the lost DC held any FSMO role you would have to seize that role onto a surviving DC first (here BA-testDC3 holds all five, so there is nothing to seize). You can skip this step if you are recovering all the DCs.

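The same cleanup done from PowerShell on BA-testDC3, as an added example that is not part of the original post (the function name is mine). It first checks whether the lost DC still holds any operations master role (in this lab BA-testDC3 holds them all, so nothing is seized), then deletes the NTDS Settings and server objects and the computer account that the two GUI steps delete, and finally lists anything still carrying the old name. The site name Default-First-Site-Name is an assumption; the post never names the site. Without `-Remove` it only reports.

```powershell
# Added example, not from the original post. Run elevated on a surviving DC
# (BA-testDC3) with the ActiveDirectory module. The site name is an
# assumption; the post never names the site the DCs live in.
Import-Module ActiveDirectory

function Remove-LostDcMetadata {
    param(
        [Parameter(Mandatory)][string]$DcName,              # lost DC, e.g. BA-testDC1
        [Parameter(Mandatory)][string]$SeizeTo,             # surviving DC, e.g. BA-testDC3
        [string]$SiteName = 'Default-First-Site-Name',      # assumption
        [switch]$Remove                                     # without it: report only
    )
    $domain   = Get-ADDomain
    $forest   = Get-ADForest
    $configDn = (Get-ADRootDSE).configurationNamingContext

    # 1. Seize any operations master role still pointing at the lost DC.
    #    This must happen before its NTDS Settings object disappears.
    $roles = @{
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        PDCEmulator          = $domain.PDCEmulator
        RIDMaster            = $domain.RIDMaster
        InfrastructureMaster = $domain.InfrastructureMaster
    }
    $toSeize = @($roles.GetEnumerator() | Where-Object { $_.Value -like "$DcName.*" } | ForEach-Object Key)
    if ($toSeize.Count -gt 0) {
        Write-Warning "$DcName still holds: $($toSeize -join ', ')"
        if ($Remove) {
            Move-ADDirectoryServerOperationMasterRole -Identity $SeizeTo -OperationMasterRole $toSeize -Force -Confirm:$false
        }
    } else {
        "No FSMO role is held by $DcName (holders: $(($roles.Values | Sort-Object -Unique) -join ', '))"
    }

    # 2. The objects the GUI steps delete: NTDS Settings first (deleting it is
    #    what triggers the metadata cleanup on Server 2008+), then the server
    #    object from Sites and Services, then the computer account.
    $serverDn   = "CN=$DcName,CN=Servers,CN=$SiteName,CN=Sites,$configDn"
    $ntdsDn     = "CN=NTDS Settings,$serverDn"
    $computerDn = "CN=$DcName,OU=Domain Controllers,$($domain.DistinguishedName)"
    foreach ($dn in $ntdsDn, $serverDn, $computerDn) {
        try { $obj = Get-ADObject -Identity $dn -Properties ProtectedFromAccidentalDeletion -ErrorAction Stop }
        catch { $obj = $null }
        if (-not $obj)    { "Already gone: $dn"; continue }
        if (-not $Remove) { "Would delete: $dn"; continue }
        if ($obj.ProtectedFromAccidentalDeletion) {
            Set-ADObject -Identity $dn -ProtectedFromAccidentalDeletion $false
        }
        Remove-ADObject -Identity $dn -Recursive -Confirm:$false
        "Deleted: $dn"
    }

    # 3. Anything still naming or pointing at the lost DC (FRS member objects,
    #    leftover server references) in the domain and configuration partitions.
    $filter = "(|(name=$DcName)(serverReference=$computerDn)(frsComputerReference=$computerDn))"
    $left = @(foreach ($base in $domain.DistinguishedName, $configDn) {
        Get-ADObject -LDAPFilter $filter -SearchBase $base | Select-Object DistinguishedName, ObjectClass
    })
    if ($left.Count -gt 0) { Write-Warning "Objects still referencing ${DcName}:"; $left }
    else { "No leftover objects reference $DcName" }
}

# Report first, then repeat with -Remove. Skip entirely if every DC is being recovered.
Remove-LostDcMetadata -DcName 'BA-testDC1' -SeizeTo 'BA-testDC3'
# Remove-LostDcMetadata -DcName 'BA-testDC1' -SeizeTo 'BA-testDC3' -Remove
```

The leftover search at the end deliberately does not cover the DNS application partitions; stale DNS records are a separate job and are handled in Step 11.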

Step 8. Boot BA-testDC2 and reset its IP/DNS settings

The following assumes the VM has only a single vNIC. Run the following PowerShell cmdlets to reset the IP/DNS settings, substituting the values for your own environment.
Get-netadapter | Remove-Netroute -Confirm:$false
Get-netadapter | Remove-NetIPAddress -Confirm:$false
Get-netadapter | new-NetIPAddress -IPAddress 192.168.0.66 -AddressFamily IPv4 -PrefixLength 20 -DefaultGateway 192.168.0.40
Get-netadapter | Set-DnsClientServerAddress -ServerAddresses ("192.168.0.66")

Start BA-testDC2 and reset its IP/DNS settings

Step 9. Set SYSVOL non-authoritative and restart NTFRS

Run the following cmdlets one at a time. BurFlags D2 hex (210 decimal) marks this replica as non-authoritative, so it re-sources SYSVOL from BA-testDC3 rather than pushing its own copy out.
Set-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Services\NtFrs\Parameters\Backup/Restore\Process at Startup' -Name BurFlags -Value 210 -Type DWord
Restart-Service Ntfrs

Change registry on BA-testDC2 to set SYSVOL non-authoritative

Step 10. Connect VM to the internal vSwitch

Verify connectivity to/from BA-testDC3.

Connect BA-testDC2 to the recovery network

Step 11. Clean DNS/IP records for the deleted DC

Metadata cleanup does not remove stale DNS records for deleted DCs. Clear the name and IP records for the removed DC (BA-testDC1) from all zones in DNS Manager on one of the recovered DCs (if the zones are AD-integrated the change replicates to the other). You need to go through every zone and sub-folder manually, including _msdcs and the reverse lookup zones, and remove any A, NS, CNAME, SRV or PTR record that names or points to the deleted DC; otherwise there will be replication errors. You can skip this step if you are recovering all the DCs.

Clean lingering DNS/IP records for deleted DC (BA-testDC1)
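The manual walk through the zones, scripted with the DnsServer module, as an added example that is not part of the original post (the function name is mine). It matches a record either because the record itself belongs to the lost DC (its own host records) or because the record's data points at it, which is how the NS, SRV and CNAME leftovers under _msdcs are found. The lost DC's IP address, 192.168.0.50, is an assumption; the post does not state it. Without `-Remove` it only reports.

```powershell
# Added example, not from the original post. Needs the DnsServer module (it comes
# with the DNS Server role) and runs against one recovered DC. The lost DC's
# address, 192.168.0.50, is an assumption: the post does not state it.
Import-Module DnsServer

function Find-StaleDcDnsRecords {
    param(
        [Parameter(Mandatory)][string]$DcFqdn,       # e.g. BA-testDC1.BA-Test.local
        [string[]]$DcIPv4 = @(),                      # addresses the lost DC used
        [string]$DnsServer = $env:COMPUTERNAME,
        [switch]$Remove                               # without it: report only
    )
    $fqdn  = $DcFqdn.TrimEnd('.').ToLowerInvariant()
    $short = $fqdn.Split('.')[0]

    # True when the record's data names the lost DC, whatever the record type.
    function Test-PointsAtDc($rr) {
        $d = $rr.RecordData
        $target = switch ($rr.RecordType) {
            'A'     { [string]$d.IPv4Address }
            'AAAA'  { [string]$d.IPv6Address }
            'NS'    { $d.NameServer }
            'CNAME' { $d.HostNameAlias }
            'SRV'   { $d.DomainName }
            'PTR'   { $d.PtrDomainName }
            default { $null }
        }
        if (-not $target) { return $false }
        $target = $target.TrimEnd('.').ToLowerInvariant()
        return ($target -eq $fqdn) -or ($DcIPv4 -contains $target)
    }

    $hits = foreach ($zone in Get-DnsServerZone -ComputerName $DnsServer) {
        # Only primary zones can be edited here; skip forwarders, stubs and TrustAnchors.
        if ($zone.ZoneType -ne 'Primary' -or $zone.ZoneName -eq 'TrustAnchors') { continue }
        foreach ($rr in Get-DnsServerResourceRecord -ZoneName $zone.ZoneName -ComputerName $DnsServer) {
            $ownedByDc = $rr.HostName.ToLowerInvariant() -in @($short, $fqdn)   # its own host records
            if ($ownedByDc -or (Test-PointsAtDc $rr)) {
                [pscustomobject]@{ Zone = $zone.ZoneName; Name = $rr.HostName; Type = $rr.RecordType; Record = $rr }
            }
        }
    }

    foreach ($h in $hits) {
        $action = 'Stale'
        if ($Remove) {
            Remove-DnsServerResourceRecord -ZoneName $h.Zone -InputObject $h.Record -ComputerName $DnsServer -Force
            $action = 'Removed'
        }
        [pscustomobject]@{ Action = $action; Zone = $h.Zone; Name = $h.Name; Type = $h.Type }
    }
    if (-not $hits) { "No records for $fqdn left on $DnsServer" }
}

# Dry run first, then remove; AD-integrated zones replicate the deletion to the other DC.
Find-StaleDcDnsRecords -DcFqdn 'BA-testDC1.BA-Test.local' -DcIPv4 '192.168.0.50' | Format-Table -AutoSize
# Find-StaleDcDnsRecords -DcFqdn 'BA-testDC1.BA-Test.local' -DcIPv4 '192.168.0.50' -Remove
```

Always read the dry-run list before deleting: a record that merely shares the lost DC's IP (for example a same-as-parent A record at the zone apex that still carries its address) is exactly what you want gone, but the list makes that decision visible instead of silent.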

Step 12. Initiate manual AD replication

Run the command below from elevated command prompt to speed up the replication.

   repadmin /syncall /AdePq

Initiate manual AD replication

To verify replication between the DCs you can use the Active Directory Replication Status Tool from Microsoft. If you see replication errors, do not panic: complete sync/replication can take some time. Once full replication is complete you can put the DCs into the production network and try authenticating to them from a client machine. Here are a few diagnostic commands to verify AD and replication status.
 DCDIAG >c:\dcdiag.txt
 REPADMIN /showrepl * /csv >c:\showrepl.csv
 REPADMIN /showrepl >c:\showrepl.txt
 DCDIAG /TEST:DNS >c:\dcdiag-dns.txt

AD replication status
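A pass/fail summary built from the `REPADMIN /showrepl * /csv` output listed above, as an added example that is not part of the original post (the function name is mine). Besides counting failed links it flags any inbound link whose source is the DC removed in Step 7, which is the tell-tale of an incomplete metadata cleanup. Run it elevated on a recovered DC.

```powershell
# Added example, not from the original post. Turns repadmin /showrepl CSV output
# into a pass/fail summary; run elevated on a recovered DC.
function Test-AdReplicationHealth {
    param([string[]]$RemovedDc = @())     # names removed in Step 7, to catch lingering links
    $rows = @(repadmin /showrepl * /csv | ConvertFrom-Csv)
    if ($rows.Count -eq 0) { throw 'repadmin returned no rows; run from an elevated prompt on a DC' }
    $problems = @(foreach ($r in $rows) {
        $failures = 0
        [int]::TryParse($r.'Number of Failures', [ref]$failures) | Out-Null
        $status = "$($r.'Last Failure Status')"
        $src    = $r.'Source DSA'
        $reason = $null
        if ($failures -gt 0 -or ($status -ne '' -and $status -ne '0')) {
            $reason = "status $status after $failures failure(s); last success $($r.'Last Success Time')"
        }
        if ($RemovedDc -contains $src) {
            $reason = "still has an inbound link from removed DC $src (metadata cleanup incomplete)"
        }
        if ($reason) {
            [pscustomobject]@{ Destination = $r.'Destination DSA'; Source = $src; Partition = $r.'Naming Context'; Problem = $reason }
        }
    })
    [pscustomobject]@{
        Links    = $rows.Count
        Failing  = $problems.Count
        Healthy  = ($problems.Count -eq 0)
        Problems = $problems
    }
}

$health = Test-AdReplicationHealth -RemovedDc 'BA-testDC1'
$health | Format-List Links, Failing, Healthy
$health.Problems | Format-Table -AutoSize
```

A non-zero failure count right after `repadmin /syncall` is not unusual while the first full sync is still running; re-run the check a few minutes later and only treat a link that stays failed, or any link from the removed DC, as something to investigate.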

Feel free to leave your questions or comments and I will try to follow up. Every AD environment has its uniqueness, therefore some of the steps above may have to be adapted slightly.
