Tech Info's

Microsoft Windows, RedHat and VMware Virtualization Platform

Posts Tagged ‘Active Directory Forest Disaster Recovery using System State Backup’

Active Directory Forest Disaster Recovery using System State Backup

Posted by Prashanth P on January 21, 2013

Pre-Requisite for Active Directory Forest Disaster Recovery

1. The OS version should be the same as it was on the original server.

2. The service pack level should be the same as on the original server

3. The IE version should be the same.

4. The disk layout and size should be same or higher compared to the original server.

5. In case of VMWARE, VMTOOLS should be installed on the machine (Good to have but not necessary).

6. The guest should be assigned static memory, processor and other resources.

7. The server should be isolated on the network with no connectivity back to production Active Directory Environment.

8. Make sure the system state backups for appropriate parent and child domains are made available to the machine respectively.

9. The machine should be set NOT TO SYNCHRONIZE with host.

10. Windows Server 2003 R2 SP2 ISO/Install Media.

Lab Exercise (Steps to perform Active Directory Forest Disaster Recovery)

1. Lab Servers should be built as workgroup with basic configuration.

2. Copy the Latest Active Directory System State Backup to the Lab Servers.


Make sure the Latest Active Directory System State Backup should not have any Permission Restrictions (specially Backup taken through Applications like Quest and etc.,). 

3. Install the DNS Service, Windows Support Tools and Admin Pack on the Lab Server.

4. Boot the Lab Server to “DSRepair” mode.

5. Recovery the Latest System State Backup copied to the Lab Server with “Advanced Options”.


a. Make sure to choose below mentioned options while using Recovery “Advanced Options”.

b. Restore files to: Original Location.

c. When restoring files that already exist on your computer: Replace existing files.

d. Select the options you want to use:

i. Restore security settings.

ii. Restore junction points, but not the folders and file data they reference.

iii. Preserve existing volume mount points.

iv. When restoring replicated data sets, mark the restored data as the primary data for all replicas.

6. After the Successful System State Backup Recovery, Set the Boot Option to Normal and Server has to be rebooted.

7. Login to the Domain Account (Preferably Domain Admin).

8. Update the IP Address, Subnet Mask, Gateway and Preferred DNS Server IP address (Include Local Server IP address as Preferred or Alternate DNS Server).

9. Identify the Built-In Administrator Account and Reset Password.


Using LDP Tool we can find the Built-In Administrator Account

a. Open LDP, Connect to Server and Bind with your account.

b. Switch to Tree view (enter the Domain DN), search and select any Admin Privileged account (Eg. Domain Admin account).

c. On the right hand side search for “objectSid”, copy it and open search window past it in place of * with “objectclass=*”.

d. Change “objectclass” as “objectsid”, select scope as subtree, delete last 5 digits and replace it with 500 and select Domain DN as Base DN.

e. Search for DN and other details (that will be the built-in administrator account).

10. Disable Global Catalog if it is enabled in Active Directory Sites and Services.


Need to update registry as mentioned in KB

11. Increase RID Pool by 100,000.


Using Adsiedit.msc we can update the RID Pool

 a. Open adsiedit.msc, expand Domain, select “CN=System” and on the right hand side double click “CN=RID Manager$”.

b. Add 100,000 to “rIDAvailablePool”.

12. Login to the Built-In Administrator Account.

13. Seize FSMO Roles depending upon the Root of the Forest or Root of the Tree.

14. Perform Metadata Clean Up for rest of the Domain controllers in the Domain.


a. From a command prompt, run “dsquery server > dclist.cmd”.

Now run “notepad dclist.cmd”

b. Remove the DC that will remain in the environment from the list (the one just restored)

c. add the following to the first line of the file

for %%a in (

d. add the following to the last line of the file

) do (

NTDSUTIL “me cl” “re se se %%a” q q)

e. Save the file and run the script.

f. Reopen the same script and change the last line. Instead of this line “ntdsutil “me cle” “re se se %%a” q q” have this line added:

dsrm %%a –noprompt –q)

g. Now open AD Sites and Services and make sure the DCs are no longer listed there.

15.   Remove all other Name Server Entries in DNS Server.

16.   Reset Computer account password.


a. At a command prompt, type the following:

C:> netdom resetpwd /server:<SERVER NAME> /userd:<Administrator Account> /passwordd:<password>

Note that the /passwordd switch does in fact have two “d”s.

b. Repeat the command to reset the password again.

17.   Reset “krbtgt” account password.


a. Run Active Directory Users and Computers.

b. Find the “krbtgt” account.

c. Note that you have to have Advanced options enabled to see this account.

d. Right-click on it and select Reset password. Enter a strong password.

e. Repeat to reset the password a second time, and enter a new password.

f. Close ADUC.

18.   Reset all Trust passwords.


a. At a command prompt, type the following:

C:> netdom trust <NETBIOS NAME OF THE ROOT DOMAIN> /domain:<NETBIOS NAME OF OTHER DOMAIN> /resetoneside /passwordt:<new trust password> /usero:<Administrator Account> /passwordo:<password>


This command also resets the trust password history.

b. Remember the password, as you will need to set the same password on the other side as well, when you reset the trust from child or other domains.

19.   Configure Domain Time Server.


a. To check the Time Source Configuration execute the below mentioned command

c:>w32tm /dumpreg /subkey:parameters /computer:DC_Name


Where DC_Name is the Name of the Domain Controller

b. On Root of the Forest Domain Controller configure NTP Server

To configure the Domain Controller with the PDC Emulator FSMO to another time source, run

C:>w32tm /config /manualpeerlist:DC_Name /syncfromflags:manual /reliable:yes /update

C:>net stop w32time

C:>net start w32time


Please set for “DC_Name” the time source as listed above, either with its IP address or DNS name. If more than one is needed separate them with a space in between and don’t forget the quotes: “”

c. On any other Domain Controller in the Forest, configuring domain computer for automatic domain time synchronization, run

C:>w32tm /config /syncfromflags:domhier /update

d. After that you have to run

C:>net stop w32time

C:>net start w32time

20.   Finally after restoring all Domains’ DC Enable Global Catalog on all the Domain Controllers and Check for Replication Status or Summary.

Posted in Active Directory | Tagged: | 2 Comments »