Recovering Active Directory

In this post we will cover Active Directory disaster recovery and the things that will impact the production environment.

Active Directory was introduced with Windows Server 2000 and has been refined by Microsoft over time in Windows Server 2003 / R2, Windows Server 2008 and now the R2 release of Windows Server 2008. With Windows Server 2008 R2 Microsoft introduced a new feature called the AD Recycle Bin. When an object is deleted in AD, it goes to the AD Recycle Bin and the administrator has the option of reinstating the object.

The option of reanimating (getting a deleted object back) existed in Windows Server 2003 SP2; however, it did not repopulate the attributes of the deleted object. For most administrators the AD Recycle Bin has come as a boon; however, with the recent economic recession, management is no longer willing to invest in IT infrastructure, so we still have a lot of legacy Windows 2000/2003 servers in the domain.
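The following is an added example (not from the original post) of the Windows Server 2008 R2 path: enabling the AD Recycle Bin and restoring a deleted user with its attributes intact, without booting a DC into DSRM. It assumes the ActiveDirectory PowerShell module, a forest named test.com at the 2008 R2 functional level, and a deleted user user1 from OU=Management; the second DC name dc2 is also assumed.

```powershell
# Added example: AD Recycle Bin restore of a deleted user (Windows Server 2008 R2+).
# Forest, OU, user and DC names are constructed sample values.
Import-Module ActiveDirectory

$forest = 'test.com'                       # assumed forest root
$verifyDc = 'dc2.test.com'                 # assumed second DC, used to confirm replication

# 1. Enable the Recycle Bin once per forest. This is a one-way change: it cannot
#    be disabled afterwards, so confirm the forest functional level and scope first.
$feature = Get-ADOptionalFeature -Filter 'name -eq "Recycle Bin Feature"'
if (-not $feature.EnabledScopes) {
    Enable-ADOptionalFeature -Identity 'Recycle Bin Feature' `
        -Scope ForestOrConfigurationSet -Target $forest -Confirm:$false
}

# 2. Find the deleted user. Unlike 2003-era tombstone reanimation, the object keeps
#    its attributes, and lastKnownParent records where it lived before deletion.
$deleted = Get-ADObject -Filter 'isDeleted -eq $true -and sAMAccountName -eq "user1"' `
    -IncludeDeletedObjects -Properties lastKnownParent, whenChanged
foreach ($obj in $deleted) {
    "{0} deleted from {1} at {2}" -f $obj.Name, $obj.lastKnownParent, $obj.whenChanged
}

# 3. If the parent OU was deleted as well, restore it first: restoring a child whose
#    parent is still in the Deleted Objects container fails.
$ouDeleted = Get-ADObject -IncludeDeletedObjects `
    -Filter 'isDeleted -eq $true -and objectClass -eq "organizationalUnit" -and name -like "Management*"'
if ($ouDeleted) { $ouDeleted | Restore-ADObject }

# 4. Restore the user, then read it back from another DC to confirm it replicated.
$deleted | Restore-ADObject
Get-ADUser -Identity user1 -Server $verifyDc -Properties memberOf |
    Select-Object DistinguishedName, Enabled, memberOf
```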

Scenario 1: An Active Directory object gets deleted.

a) Single domain controller: the option is to restore from the latest system state backup that was taken before the object was deleted.

b) Multiple domain controllers: the latest system state backup needs to be restored, and then the object must be marked authoritative. To achieve this, start the DC on which the backup was taken in Directory Services Restore Mode, then restore the system state backup using either NTBackup or a third-party solution.

Use Ntdsutil from the Windows Support Tools to restore the object or the subtree authoritatively:

restore subtree ou=OU_Name,dc=Domain_Name,dc=xxx

To restore the entire database, use the restore database command. The best way to check the syntax is to run ntdsutil /?

This increases the USN (update sequence number) of the object, and the object is then replicated to all the domain controllers in the domain. If the authoritative restore is not performed, then when AD replication occurs the other domain controllers will have a higher USN for that object and the object will be deleted again.

If the entire AD database is corrupt, you may have to do an authoritative restore of the entire database.

FSMO Roles & Global Catalog:

Certain domain controllers are designated Flexible Single Master Operation (FSMO) role holders. The first domain controller in the domain holds the FSMO roles, which the administrator can transfer to any other domain controller in the domain. If the FSMO owner fails, the other domain controllers cannot take over the roles unless the administrator intervenes: either restore the failed domain controller, or seize the role to another domain controller and perform a metadata cleanup for the failed DC.

The global catalog is a distributed data repository that contains a searchable, partial representation of every object in every domain in a multidomain Active Directory forest. The global catalog is stored on domain controllers that have been designated as global catalog servers and is distributed through multimaster replication. Searches that are directed to the global catalog are faster because they do not involve referrals to different domain controllers.

In addition to configuration and schema directory partition replicas, every domain controller in a Windows 2000 Server or Windows Server 2003 forest stores a full, writable replica of a single domain directory partition. Therefore, a domain controller can locate only the objects in its domain. Locating an object in a different domain would require the user or application to provide the domain of the requested object.

The global catalog provides the ability to locate objects from any domain without having to know the domain name. A global catalog server is a domain controller that, in addition to its full, writable domain directory partition replica, also stores a partial, read-only replica of all other domain directory partitions in the forest. The additional domain directory partitions are partial because only a limited set of attributes is included for each object. By including only the attributes that are most used for searching, every object in every domain in even the largest forest can be represented in the database of a single global catalog server.

If a domain controller that holds an FSMO role fails and the system cannot be restored for lack of a backup, a metadata cleanup needs to be performed. What this essentially does is remove the account for that DC from the other existing domain controllers. Metadata cleanup is performed on any single live DC and the changes replicate to the other domain controllers. If the failed DC was an FSMO role holder, the role must be seized to another DC. Please note that seizing is not an option if you also plan to restore that DC from a backup at a later time.

The tool to seize an FSMO role is, again, Ntdsutil.

Scenario 1:

Restoring a deleted object in Active Directory:

Deleted objects can be restored in Active Directory using the system state backup. The steps for restoring a test object that was deleted are outlined below.

  1. Log on locally to a domain controller (any DC) in Directory Services Restore Mode.
  2. Restore from the backup (tape).
  3. Run the ntdsutil command from the Support Tools.

Below is an example of restoring a deleted OU named “Management” in the domain:

Ntdsutil: authoritative restore

restore subtree OU=Management,DC=Test,DC=com

To restore a deleted user named user1 in the OU Management:

Ntdsutil: authoritative restore

restore object CN=user1,OU=Management,DC=Test,DC=com

Note: this needs to be done on one of the domain controllers in the domain. When the object is authoritatively restored, the USN (update sequence number) will be higher on the restored DC, and the object will then replicate to all the other domain controllers in the domain.

Scenario 2:

Domain controller failure.

This could occur due to hardware or OS failure on the domain controller. If the domain controller crashes, we have the following options.

Restore from a backup: since we have multiple domain controllers in the domain, restoring from a backup is feasible if one of the domain controllers fails. Please note that this restore is non-authoritative in nature.

The second option is to provision new hardware, add the server to the domain and promote it to a domain controller. If the server is given a different name from the one it had before it crashed, it can be added to the domain and promoted as a DC; however, the same name cannot be reused before a metadata cleanup.

How to perform a metadata cleanup?

  1. Click Start, point to Programs, point to Accessories, and then click Command Prompt.
  2. At the command prompt, type ntdsutil, and then press ENTER.
  3. Type metadata cleanup and then press ENTER. Based on the options given, the administrator can perform the removal, but additional configuration parameters must be specified before the removal can occur.
  4. Type connections and press ENTER. This menu is used to connect to the specific server where the changes occur. If the currently logged-on user does not have administrative permissions, different credentials can be supplied by specifying the credentials to use before making the connection. To do this, type set creds DomainName UserName Password, and then press ENTER. For a null password, type null for the password parameter.
  5. Type connect to server servername, and then press ENTER. You should receive confirmation that the connection is successfully established. If an error occurs, verify that the domain controller being used in the connection is available and that the credentials you supplied have administrative permissions on the server.

Note: If you connect to the same server that you want to delete, then when you try to delete the server in step 15 you may receive the following error message:

Error 2094. The DSA Object cannot be deleted0x2094

  6. Type quit, and then press ENTER. The Metadata Cleanup menu appears.
  7. Type select operation target and press ENTER.
  8. Type list domains and press ENTER. A list of domains in the forest is displayed, each with an associated number.
  9. Type select domain number and press ENTER, where number is the number associated with the domain the server you are removing is a member of. The domain you select is used to determine whether the server being removed is the last domain controller of that domain.
  10. Type list sites and press ENTER. A list of sites, each with an associated number, appears.
  11. Type select site number and press ENTER, where number is the number associated with the site the server you are removing is a member of. You should receive a confirmation listing the site and domain you chose.
  12. Type list servers in site and press ENTER. A list of servers in the site, each with an associated number, is displayed.
  13. Type select server number, where number is the number associated with the server you want to remove. You receive a confirmation listing the selected server, its Domain Name System (DNS) host name, and the location of the server’s computer account you want to remove.
  14. Type quit and press ENTER. The Metadata Cleanup menu appears.
  15. Type remove selected server and press ENTER. You should receive confirmation that the removal completed successfully. If you receive the following error message, the NTDS Settings object may already have been removed from Active Directory, either because another administrator removed the NTDS Settings object or because the successful removal of the object after running the DCPROMO utility has replicated.

Also delete any DNS entries for the failed DC; the rebuilt DC registers them again once it is promoted.
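The following is an added example (not from the original post) that carries out the same cleanup non-interactively, with the FSMO check from the section above done first and the stale DNS records handled at the end. It assumes an ntdsutil from Windows Server 2003 SP1 or later (which accepts its commands on the command line and a server DN for remove selected server); the DC names DC1/DC2, site Default-First-Site-Name, domain test.com and IP 10.0.0.12 are constructed sample values.

```powershell
# Added example: scripted metadata cleanup for a failed DC. Run on a live DC.
# All names and the IP address are constructed sample values.
$failedDc = 'DC2'
$failedIp = '10.0.0.12'
$liveDc   = 'DC1.test.com'
$site     = 'Default-First-Site-Name'
$domain   = 'test.com'
$domainDn = 'DC=Test,DC=com'

# 1. Does the failed DC still hold an FSMO role? If so it has to be seized to a live
#    DC first, and seizing rules out ever restoring the failed DC from backup.
$fsmo = netdom query fsmo
if ($fsmo -match $failedDc) {
    Write-Warning "$failedDc still holds an FSMO role:`n$($fsmo -join "`n")"
    # seize example: ntdsutil roles connections "connect to server $liveDc" quit "seize PDC" quit quit
    return
}

# 2. Remove the NTDS Settings object. Passing the server object's DN to
#    'remove selected server' replaces the list/select domain, site and server
#    dialogue of the interactive steps; the connection is to the live DC, not to
#    the one being removed (which would give error 2094).
$serverDn = "CN=$failedDc,CN=Servers,CN=$site,CN=Sites,CN=Configuration,$domainDn"
ntdsutil 'metadata cleanup' connections "connect to server $liveDc" quit `
         "remove selected server $serverDn" quit quit

# 3. Confirm the server object is gone from the directory.
$remaining = dsquery server -domain $domain
if ($remaining -match "CN=$failedDc,") { throw "$failedDc still listed after cleanup" }

# 4. Stale DNS records would keep clients and replication partners trying the dead
#    DC. List what it registered and delete its host record; the rebuilt DC
#    re-registers its own records when promoted. Assumes $liveDc is also a DNS server.
dnscmd $liveDc /EnumRecords $domain $failedDc
dnscmd $liveDc /RecordDelete $domain $failedDc A $failedIp /f
```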

Scenario 3:

Domain controllers fail across all the sites.

All the domain controllers across all sites could fail in a disaster, and this could happen for several reasons. If Active Directory gets corrupted on one of the DCs, it could replicate the corruption to all the other domain controllers in the domain. If such a catastrophe occurs, restoring from backup and performing an authoritative restore is advisable.

First restore from the backup (in this case the tape drive), then perform an authoritative restore at the domain level:

Ntdsutil: authoritative restore

restore database

This restores the entire database, and replication then propagates it to all the domain controllers in the domain.

User Profile

The user can have either a local profile, i.e. one saved on the terminal server, or a Terminal Services profile. The TS profile path can be specified in the user's properties, on the Remote tab.

It is not advisable to use the same roaming profile for both the desktop the user logs into and the terminal server, because you would see inconsistencies in the profile. Let's assume a user has a roaming profile and no TS profile is specified. The user logs in to his desktop and gets the roaming profile; he then logs in to the terminal server and the same profile is loaded. He makes some changes on the TS and logs off, then makes changes to the desktop profile. The changes made on the desktop will be saved over the TS changes: the last writer wins!

How to move the local profiles on the terminal server to a new TS:

Use Robocopy to copy the profiles. You also need to export the profile GUID and the profile list from the TS that holds the profiles to the TS you need to move them to.

The registry path is HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion (the ProfileGuid and ProfileList keys).

Also, do not copy the All Users, Administrator or Default User profile folders; only the users' profiles are needed.
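The following is an added example (not from the original post) of the profile move described above, run on the old terminal server: robocopy of the user profiles only, export of the two registry keys, and a check that every ProfileList entry has a folder on the new server. The server names TS1/TS2, the profile root and the log path are assumed values.

```powershell
# Added example: move TS local profiles to a new terminal server. Run on the old TS
# as an administrator. Server names, profile root and log path are assumed.
$newTs       = 'TS2'
$profileRoot = 'Documents and Settings'   # use 'Users' on Windows Server 2008
$src = "C:\$profileRoot"
$dst = "\\$newTs\C$\$profileRoot"
$log = 'C:\profile-move.log'
$regKeys = @(
    'HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList',
    'HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileGuid'
)

# 1. Copy user profiles only. /COPYALL keeps NTFS ACLs and ownership, which the
#    profile loader checks; /XD skips the built-in profiles the post says not to
#    move (plus the service-account profiles); /XJ avoids looping through junctions.
robocopy $src $dst /E /COPYALL /XJ /R:2 /W:5 /LOG:$log `
    /XD 'All Users' 'Administrator' 'Default User' 'LocalService' 'NetworkService'
if ($LASTEXITCODE -ge 8) { throw "robocopy reported failures, see $log" }

# 2. Export ProfileList (SID -> ProfileImagePath) and ProfileGuid (GUID -> SID) so
#    the new server can map the copied folders back to the accounts. reg export
#    only works against the local registry, hence running this on the old TS.
foreach ($key in $regKeys) {
    $file = "\\$newTs\C$\{0}.reg" -f ($key -split '\\')[-1]
    reg export $key $file /y
}

# 3. Sanity check before importing the .reg files on the new server: every domain
#    user's ProfileImagePath must correspond to a folder that was actually copied.
Get-ChildItem "Registry::$($regKeys[0])" |
    Where-Object { $_.PSChildName -like 'S-1-5-21-*' } |   # domain user SIDs only
    ForEach-Object {
        $path = (Get-ItemProperty $_.PSPath).ProfileImagePath
        $leaf = Split-Path $path -Leaf
        if (-not (Test-Path (Join-Path $dst $leaf))) {
            Write-Warning "$($_.PSChildName): folder '$leaf' not found on $newTs"
        }
    }
```

Import the two .reg files on the new server only after the copy and the check above succeed, and keep the same profile root path on both servers so the ProfileImagePath values stay valid.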