PKI Disaster Recovery: Backing Up and Restoring AD Objects

In my last blog posting I covered viewing PKI related Active Directory objects.  In this blog post, I am going to cover the steps necessary to back up and recover AD objects.  The group responsible for Active Directory in your organization should have the capability to both back up and restore Active Directory objects.  However, I wanted to cover the steps involved for those who may not be familiar with the process.  This description of backing up and restoring Active Directory objects covers the steps to perform a backup and restore using the built-in backup tools in Windows Server 2012.  If your domain controllers are hosted on an older OS the steps will be slightly different.

The restore process is called an Authoritative Restore.  When you restore a domain controller from a backup and do not perform an authoritative restore (a non-authoritative restore), it will simply replicate the current state of Active Directory from the other domain controllers, and the deletion you are trying to undo replicates right back in.  To ensure the object you want to restore is not overwritten, and is instead replicated out to the other domain controllers, an Authoritative Restore needs to be performed.  An Authoritative Restore marks the object by raising the version numbers of its attributes by a large increment (by default 100,000 per day since the backup was taken) and giving them a fresh USN, so replication treats the restored copy as the newest and sends it out to the other domain controllers instead of overwriting it.  Two things to check before relying on this: the backup must be younger than the forest tombstone lifetime (180 days in most forests, 60 days if the attribute was never set), or Active Directory will refuse to restore from it; and the object must be marked authoritative while the domain controller is still in Directory Services Restore Mode (DSRM), before it boots normally and replicates with its partners.  That is the order followed below.

Installing Windows Server Backup

Before backing up Active Directory you first need to install the Windows Server Backup feature.  To start the installation of Windows Server Backup go to the Manage menu in Server Manager and select Add Roles and Features.

image

When the Add Roles and Feature Wizard opens, click Next.

image

On the Installation Type page, click Next.

image

On the Server Selection page, ensure the proper server is selected and click Next.

image

On the Server Roles page of the wizard, click Next.

image

On the Features page, select Windows Server Backup and click the Next button.

image

On the Confirmation page, click Install.

image

On the Results page, click Close.

image

Now that you have Windows Server Backup installed, you can open it by selecting the Tools menu in Server Manager, and selecting Windows Server Backup.

image

Backing Up Active Directory

Once the Windows Server Backup management console opens, select Local Backup and then select Backup Schedule…

image

On the Getting Started page of Backup Schedule Wizard, click the Next button.

image

On the Select Backup Configuration page, select Custom.

image

On Select Items for Backup page, click Add Items.

image

Select System State and click OK.

image

Then click Next.

image

On Specify Backup Type, select the appropriate backup schedule, and click Next.

image

On the Specify Destination Type, select the appropriate Destination and click Next.

image

In my case I have selected a local disk, so I select the appropriate disk and click Next.

image

Since I selected a dedicated local disk, the wizard warns me that it will reformat that disk and use it exclusively for backups.

image

On the Confirmation page select Finish.

image

Then on the Summary page of the wizard click Close.

image
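The wizard steps above, run from PowerShell instead, as an added example that is not part of the original post.  It installs the feature, creates the same kind of scheduled system state backup, takes one backup immediately, and then performs the check the restore section depends on: that the newest backup is younger than the forest tombstone lifetime.  Assumptions: a Windows Server 2012 domain controller with the ActiveDirectory module available, and a backup volume mounted as E: (assumed drive letter).  Note that a volume-path target, unlike the dedicated-disk option chosen in the wizard, is not reformatted.

```powershell
# Added example, not from the original post. Scripted equivalent of the
# Windows Server Backup wizard steps, plus a tombstone-lifetime check.
# Assumes: Windows Server 2012 DC, ActiveDirectory module present,
# backup volume E: (assumed drive letter).

# 1. Install the Windows Server Backup feature (Add Roles and Features).
Install-WindowsFeature -Name Windows-Server-Backup

# 2. Daily system state backup to E:\ at 21:00. System state on a DC
#    includes NTDS.dit, SYSVOL, the registry and boot files, which is
#    what a later authoritative restore needs.
Import-Module WindowsServerBackup
$policy = New-WBPolicy
Add-WBSystemState -Policy $policy
$target = New-WBBackupTarget -VolumePath 'E:'
Add-WBBackupTarget -Policy $policy -Target $target
Set-WBSchedule -Policy $policy -Schedule ([datetime]'21:00')
Set-WBPolicy -Policy $policy          # commits the schedule, like Finish in the wizard

# 3. Take one backup right away so a restore point exists today.
wbadmin start systemstatebackup -backupTarget:E: -quiet

# 4. Check: AD refuses to restore from a system state backup older than the
#    forest tombstone lifetime, so compare the newest backup's age to it.
Import-Module ActiveDirectory
$configNC = (Get-ADRootDSE).configurationNamingContext
$dsObj = Get-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$configNC" `
    -Properties tombstoneLifetime
# If the attribute is unset the directory uses 60 days; forests created with
# Windows Server 2003 SP1 or later normally have it set to 180.
$tsl = if ($dsObj.tombstoneLifetime) { $dsObj.tombstoneLifetime } else { 60 }

$newest = Get-WBBackupSet | Sort-Object BackupTime -Descending | Select-Object -First 1
if (-not $newest) { throw 'No backup set found on the target' }
$ageDays = ((Get-Date) - $newest.BackupTime).Days
'Newest backup: {0:u}  age: {1} days  tombstoneLifetime: {2} days' -f $newest.BackupTime, $ageDays, $tsl
if ($ageDays -ge $tsl) {
    Write-Warning 'Backup is older than the tombstone lifetime; AD will refuse to restore from it.'
}
```

Run the check regularly, not only when a restore is needed: a backup schedule that silently stopped months ago is discovered too late if the first time anyone looks is after a deletion.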

Oops!?!

Oops, I “accidentally” deleted my FourthCoffee Computer certificate template.  So, now let me authoritatively restore the template to recover it.

image

Restoring AD Objects

So the first step is to boot one of the domain controllers that was backed up into Directory Services Restore Mode (DSRM; the Advanced Boot Options menu labels it Directory Services Repair Mode).  In order to do this I reboot the server.  As the server is booting up I press F8 to bring up the Advanced Boot Options menu.  On the Advanced Boot Options menu I select Directory Services Repair Mode.

image

I then have to log onto the Domain Controller with the DSRM password.

image

Once logged into the domain controller, start Windows Server Backup.  From the Actions pane, I select Recover…

image

Since, in my scenario I backed up to a local drive, I select This server on the Getting Started page of the Recovery Wizard, then I click Next.

image

I select the appropriate backup on the Select Backup Date page, and click Next.

image

On the Select Recovery Type page, I select System state, and click Next.

image

On the Select Location for System State Recovery page, I click Next.

image

I acknowledge the warning by clicking OK.

image

On the Confirmation page, I click Recover.

image

I acknowledge the warning by clicking Yes.

image

After the restore completes I reboot, again into DSRM, because the object has to be marked authoritative before the domain controller boots normally and replicates with its partners.

image

I login to the Domain Controller with the DSRM password.

image

After I login I am prompted that the system state restore finished successfully.

image

I now need to authoritatively restore the FourthCoffee Computer template.

  • So, I open a command prompt and type ntdsutil, and press Enter
  • Then I type activate instance ntds and press Enter
  • Then in order to enter Authoritative Restore mode, I type authoritative restore and press Enter
  • Then to restore the object, I type restore object followed by the DN of the object.  Because this DN contains spaces, it must be enclosed in quotation marks.  Specifically, I type restore object "CN=FourthCoffeeComputer,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=FourthCoffee,DC=com" and press Enter

When prompted I click Yes to continue the Authoritative Restore.

image

The restore completes successfully.

image

After the restore, I rebooted the Domain Controller and my FourthCoffee Computer template was now available.
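The restore procedure above in scripted form, as an added example that is not part of the original post, wrapped in the checks a practitioner wants around it.  Part 1 runs on a live domain controller before the restore and confirms the template really is deleted (and records its objectGUID); part 2 is the ntdsutil step, run in DSRM after the system state restore; part 3 runs after the normal reboot and shows, via the attribute version numbers, the mechanism described in the Authoritative Restore paragraph at the top of the post.  Assumptions: the template DN from the post, a replication partner named DC2.fourthcoffee.com (assumed name), and C:\restore-guid.txt as a scratch file (assumed path).

```powershell
# Added example, not from the original post. Assumes the template DN used
# in the post, a partner DC named DC2.fourthcoffee.com (assumed name) and
# C:\restore-guid.txt as a scratch file (assumed path).

$dn = 'CN=FourthCoffeeComputer,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=FourthCoffee,DC=com'
$partner = 'DC2.fourthcoffee.com'

# --- Part 1: on a live DC, before the restore. Deleted objects in the
# Configuration partition live under CN=Deleted Objects and keep their
# objectGUID and lastKnownParent, so the tombstone can be located without
# knowing the mangled "name\0ADEL:<guid>" RDN.
Import-Module ActiveDirectory
$configNC  = (Get-ADRootDSE).configurationNamingContext
$templates = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"
$tombstone = Get-ADObject -IncludeDeletedObjects -SearchBase "CN=Deleted Objects,$configNC" `
    -LDAPFilter "(&(isDeleted=TRUE)(lastKnownParent=$templates))" `
    -Properties objectGUID, whenChanged, lastKnownParent |
    Where-Object { $_.Name -like 'FourthCoffeeComputer*' }
if (-not $tombstone) {
    throw 'No tombstone found: the template is not deleted, or the tombstone lifetime has already passed'
}
'Deleted {0:u}  objectGUID {1}' -f $tombstone.whenChanged, $tombstone.objectGUID
$tombstone.objectGUID.Guid | Set-Content C:\restore-guid.txt

# --- Part 2: in DSRM, after the system state restore and BEFORE rebooting.
# ntdsutil accepts its interactive commands as arguments. The --% token stops
# PowerShell from re-parsing the quoting so that the DN, which contains
# spaces, reaches ntdsutil as one quoted value. ntdsutil still pops up its
# "are you sure" dialog; answer Yes, as in the post.
ntdsutil --% "activate instance ntds" "authoritative restore" "restore object \"CN=FourthCoffeeComputer,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=FourthCoffee,DC=com\"" quit quit

# --- Part 3: after the normal reboot. The restored object carries the same
# objectGUID as the tombstone, and repadmin /showobjmeta shows the Ver column
# for each attribute raised by a large increment (100,000 per day since the
# backup by default) with a fresh local USN. Those higher versions are what
# make this copy win when it replicates to the partner.
$restored = Get-ADObject -Identity $dn -Properties objectGUID, uSNChanged, whenChanged
if ($restored.objectGUID.Guid -ne (Get-Content C:\restore-guid.txt)) {
    throw 'Restored object has a different objectGUID than the tombstone'
}
repadmin /showobjmeta localhost "$dn"     # Ver column now in the 100,000s
repadmin /showobjmeta $partner  "$dn"     # same versions once replication has run
```

Part 3 is also the place to confirm the restore actually propagated: until the partner's /showobjmeta output lists the restored domain controller as the originating server for the raised versions, the other domain controllers still hold the tombstone, and the template is not yet back forest-wide.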

Summary

In this blog posting I covered the steps necessary to back up a domain controller.  I also covered the steps necessary to restore an AD object that has been deleted.  In this scenario I restored a certificate template that was accidentally deleted.

-Chris