AD DS domain/forest recovery is a complex procedure that requires regular hands-on practice and a properly isolated recovery environment (an isolated Hyper-V or VMware LAN, with no network path to production).

AD DS forest recovery guidelines and procedures:


Some best practices for backing up and recovering AD DS:

  • Back up the data of AD-integrated DNS zones (one .dns file per zone). Note that dnscmd /ZoneExport writes the file relative to %systemroot%\System32\dns, so create the Export subfolder there first; %%a is batch-file syntax, use %a when typing at an interactive prompt; the header and footer lines of the enumzones output only produce harmless "zone does not exist" errors:
    • dnscmd /enumzones > C:\Script\AllZones.txt
      for /f %%a in (C:\Script\AllZones.txt) do dnscmd /ZoneExport %%a Export\%%a.dns
  • Back up all Group Policy objects and their links (a GPO backup does not record where the GPO is linked, so export the gPLink attributes of the domain and OUs separately)
  • Export the distinguished names of all objects in the domain, with their last modification timestamp (useful to see what changed before deciding what to restore):
    • dsquery * domainroot -scope subtree -attr modifytimestamp distinguishedname -limit 0 > DNlist.txt
  • Store operating system files, the Active Directory database (Ntds.dit), and SYSVOL on separate volumes that do not contain other user, operating system, or application data.
  • For domain controllers, perform regular backups of system state data with the wbadmin start systemstatebackup command, or preferably a bare metal recovery (BMR) backup with wbadmin (http://blogs.technet.com/b/askcore/archive/2011/05/12/bare-metal-restore.aspx). For more information, see Wbadmin start systemstatebackup (http://go.microsoft.com/fwlink/?LinkId=111741).
  • For domain controllers, you can also use the wbadmin start backup variant to include other drives or folders in the same backup. For more information, see Wbadmin start backup (http://go.microsoft.com/fwlink/?LinkId=111741).
  • Create a backup volume on a dedicated internal or external hard drive. On Vista or Windows Server 2008, you cannot use a network shared folder as the target of a system state backup; to store a system state backup on a network share, back up to a local volume first and then copy the backup to the share. Since Windows Server 2008 R2, a network share can be used directly as the target.

example: For AD DS 2008 R2: wbadmin start systemstatebackup -backupTarget:\\fileserver\adbackup -quiet

example: For AD DS 2008 R2: wbadmin start backup -backupTarget:\\fileserver\adbackups -include:d: -systemState -vssFull -quiet

(The wbadmin switch is -backupTarget, not -targetserver. Two caveats when the target is a network share: each backup to a share overwrites the previous one, so only the latest copy is kept unless you archive the folder between runs, and if the account running the backup has no write access to the share you must pass -user: and -password:.)

  • Microsoft disabled the ability to save system state backups to the system volume (termed a "critical" volume). There is a fix for this in the form of a registry change, described in http://support.microsoft.com/kb/944530. To implement it, create a new key named SystemStateBackup under HKLM\System\CurrentControlSet\Services\wbengine and add the DWORD value AllowSSBToAnyVolume = 1 in it. Treat this as a workaround for a lab or a single-drive server: keeping the backup on the volume it is meant to recover defeats the purpose of the separate-volume advice above.
  • To avoid having to use the operating system media during recovery, use the Windows Automated Installation Kit to install Windows RE on a separate partition and use that partition to access the Windows Recovery options. For more information about the Windows Automated Installation Kit, see Windows Automated Installation Kit (Windows AIK) (http://go.microsoft.com/fwlink/?LinkId=90643).
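The backup steps above, as one script run on a domain controller. This is an added example and not code from the original page: the backup root C:\ADBackup and the share \\fileserver\adbackups are assumed placeholders, and it uses the DnsServer, GroupPolicy and ActiveDirectory modules (Windows Server 2012 or later, or RSAT) in place of dnscmd and dsquery.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original page). Assumed names: C:\ADBackup and
# \\fileserver\adbackups are placeholders to adapt.
Import-Module DnsServer, GroupPolicy, ActiveDirectory

$Root  = 'C:\ADBackup\' + (Get-Date -Format 'yyyyMMdd-HHmm')
$Share = '\\fileserver\adbackups'           # assumed share for the system state backup
New-Item -ItemType Directory -Path "$Root\DNS", "$Root\GPO" -Force | Out-Null

# 1. DNS: export every AD-integrated zone (this skips the root-hints cache zone).
#    Export-DnsServerZone writes relative to %systemroot%\System32\dns, so the
#    files are copied out afterwards.
$zones = Get-DnsServerZone | Where-Object { $_.IsDsIntegrated -and -not $_.IsAutoCreated }
foreach ($z in $zones) {
    Export-DnsServerZone -Name $z.ZoneName -FileName "export_$($z.ZoneName).dns"
}
Copy-Item "$env:SystemRoot\System32\dns\export_*.dns" "$Root\DNS\" -Force

# 2. Group Policy: back up every GPO, then record the links separately because
#    Backup-GPO does not capture where a GPO is linked (the gPLink attribute).
Backup-GPO -All -Path "$Root\GPO" | Out-Null
$links = @(foreach ($ou in Get-ADOrganizationalUnit -Filter * -Properties gPLink) {
    if ($ou.gPLink) { [pscustomobject]@{ Container = $ou.DistinguishedName; gPLink = $ou.gPLink } }
})
$domainDn = (Get-ADDomain).DistinguishedName
$links += [pscustomobject]@{
    Container = $domainDn
    gPLink    = (Get-ADObject -Identity $domainDn -Properties gPLink).gPLink
}
$links | Export-Csv "$Root\GPO\gplinks.csv" -NoTypeInformation

# 3. Object inventory: DN and last modification time of every object, the
#    equivalent of the dsquery command in the list above.
Get-ADObject -Filter * -Properties modifyTimeStamp |
    Select-Object DistinguishedName, modifyTimeStamp |
    Export-Csv "$Root\DNlist.csv" -NoTypeInformation

# 4. System state to the share (Windows Server 2008 R2 and later). A backup to a
#    network share overwrites the previous one, so archive the share between runs.
& wbadmin start systemstatebackup "-backupTarget:$Share" -quiet
if ($LASTEXITCODE -ne 0) { throw "wbadmin failed with exit code $LASTEXITCODE" }
```

Run it from an elevated PowerShell session on the DC; the DNS exports, GPO backups, link list and object inventory land under the dated folder, and the system state goes to the share as in the wbadmin examples above.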

Schema updates are irreversible. Once a change has replicated to the other DCs of the forest, there is no way back to the state before the modification. Since an authoritative restore of the schema partition is not possible, the only way to roll back is to restore a system state backup on every DC of the forest that has replicated the schema change. To maximize the chances of a successful schema update and, at the same time, measure precisely the replication volume it generates, we recommend rehearsing the operation on a DC in a pre-production environment. Here are additional links about the changes made by a schema update, how the update proceeds, troubleshooting options, etc.:

Schema objectVersion   Windows Server version
13                     Windows 2000 Server
30                     Windows Server 2003
31                     Windows Server 2003 R2
44                     Windows Server 2008
47                     Windows Server 2008 R2
56                     Windows Server 2012
69                     Windows Server 2012 R2
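Reading the schema version from every DC in the forest and mapping it to the table above, as an added example that is not part of the original page. It is useful both before a schema update (to confirm the starting level) and after one (to see which DCs have already replicated it, which are the DCs whose system state backup would have to be restored to roll back). It assumes the ActiveDirectory module and an account allowed to query every DC.

```powershell
# Added example (not from the original page): query objectVersion of the
# schema partition on each DC and compare the values across the forest.
Import-Module ActiveDirectory

# Table from the page; versions newer than the table are reported as unknown.
$SchemaVersions = @{
    13 = 'Windows 2000 Server';    30 = 'Windows Server 2003'
    31 = 'Windows Server 2003 R2'; 44 = 'Windows Server 2008'
    47 = 'Windows Server 2008 R2'; 56 = 'Windows Server 2012'
    69 = 'Windows Server 2012 R2'
}

$schemaNc = (Get-ADRootDSE).schemaNamingContext
$dcs = (Get-ADForest).Domains | ForEach-Object { Get-ADDomainController -Filter * -Server $_ }

$results = foreach ($dc in $dcs) {
    try {
        # Ask each DC directly (-Server) rather than the nearest one, so a DC that
        # has not replicated the change yet shows its own, older value.
        $v = [int](Get-ADObject -Identity $schemaNc -Properties objectVersion -Server $dc.HostName).objectVersion
        [pscustomobject]@{
            DC            = $dc.HostName
            Site          = $dc.Site
            SchemaVersion = $v
            Level         = if ($SchemaVersions.ContainsKey($v)) { $SchemaVersions[$v] } else { 'unknown (newer than table)' }
        }
    } catch {
        [pscustomobject]@{ DC = $dc.HostName; Site = $dc.Site; SchemaVersion = $null; Level = "unreachable: $($_.Exception.Message)" }
    }
}

$results | Sort-Object SchemaVersion, DC | Format-Table -AutoSize

$distinct = @($results | Where-Object { $null -ne $_.SchemaVersion } |
              Select-Object -ExpandProperty SchemaVersion -Unique)
if ($distinct.Count -gt 1) {
    Write-Warning "Schema version differs across DCs ($($distinct -join ', ')): a schema change is still replicating, or some DCs lag behind."
} elseif ($distinct.Count -eq 1) {
    Write-Host "All reachable DCs report schema version $($distinct[0])."
}
```

The same check without the ActiveDirectory module is repadmin /showattr * "CN=Schema,CN=Configuration,DC=contoso,DC=com" /atts:objectVersion, with the forest root DN adapted; run either of them on the pre-production DC before and after the rehearsal to record the expected before/after values.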