Policies not restored to SYSVOL from system state backup
-
Thursday, December 27, 2012 6:39 PM
I am restoring a system state backup to my test environment win2003 DC's.
After my backup and before my restore, I deleted a GPO. During the wizard I chose "Restore to: Original Location" and "Leave Existing Files". Post restore, the GPO was once again listed in gpmc, but was not restored to SYSVOL.
FYI I did this from DSRM, exactly per these steps: http://technet.microsoft.com/en-us/library/cc758435(v=ws.10).aspx
Thanks in advance,
Jaime
All Replies
-
Thursday, December 27, 2012 9:46 PM
System state backup does not include the FRS database, so you may need to restore it separately: http://support.microsoft.com/kb/290762
-
Thursday, December 27, 2012 11:16 PM
Hello,
Please read these links:
How to restore Group Policy without GPMC? (Florian Frommherz)
How do I restore deleted Group Policy Object files
Regards
-
Friday, December 28, 2012 2:25 AM
It seems from your description the sysvol folder is empty. Can you verify the same by checking the sysvol folder. If the data is present then you need to perform authoritative restore of sysvol assuming you have single DC. http://support.microsoft.com/kb/290762/
If the sysvol folder is empty, restore the systemstate backup at alternate location and copy the content of sysvol from backup to sysvol folder and then perform authoritative restore of sysvol, or if you have separate sysvol folder backup the same can also be used. http://technet.microsoft.com/en-us/library/cc778271(v=ws.10).aspx
If you have multiple DC's and other server have sysvol content then you need to perform D2 (non-authoritative) on the existing server. Also verify the health of dc by running dcdiag /q and repadmin /replsum and post the log if error is reported.
In case the sysvol backup does not have policies and script folder and you don't have separate sysvol backup then you need to run dcgpofix but the old policies will be lost: http://www.windowsitpro.com/article/group-policy/how-can-i-restore-the-contents-of-the-default-domain-and-default-domain-controller-dc-group-policy-objects-gpos-
The Dcgpofix tool does not restore security settings in the Default Domain Controller Policy to their original state:
http://support.microsoft.com/kb/833783
Best Regards,
Sandesh Dubey.
MCSE|MCSA:Messaging|MCTS|MCITP:Enterprise Administrator | My Blog
Disclaimer: This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.
- Edited by Sandesh Dubey, Microsoft Community Contributor, Friday, December 28, 2012 8:39 AM
-
Friday, December 28, 2012 10:01 AM Moderator
I am restoring a system state backup to my test environment win2003 DC's.
After my backup and before my restore, I deleted a GPO. During the wizard I chose "Restore to: Original Location" and "Leave Existing Files". Post restore, the GPO was once again listed in gpmc, but was not restored to SYSVOL.
FYI I did this from DSRM, exactly per these steps: http://technet.microsoft.com/en-us/library/cc758435(v=ws.10).aspx
Thanks in advance,
Jaime
Are you talking about performing authoritative restore of the complete database? If yes, sysvol is included in the system state backup which hold GPO's & scripts.
Active Directory Backup and Restore http://technet.microsoft.com/en-us/library/bb727048.aspx
Best practices around Active Directory Authoritative Restores in Windows Server 2003 and 2008
Performing an Authoritative Restore of Active Directory Objects
Awinish Vishwakarma - MVP
My Blog: awinish.wordpress.com
Disclaimer This posting is provided AS-IS with no warranties/guarantees and confers no rights.
-
Friday, December 28, 2012 2:09 PM
Thanks for the helpful replies. My big missing link of knowledge was the burflags thing. I didn't realize sysvol auth restore was separate from the directory auth restore, this answers my original question.
Per Microsoft on the burflags thing: "We recommend the procedure that is described in this article as a last resort to restore a domain's SYSVOL tree and its contents."
This gets me thinking a full auth restore of everything is perhaps a small use case. I'm really just looking for the ideal way to recover AD in a DR situation, and at this point am thinking it will just be easier for my additional DC's to just build and promote new ones.
-
Friday, December 28, 2012 2:10 PM
System state backup does not include the FRS database, so you may need to restore it separately: http://support.microsoft.com/kb/290762
Here are the files Neil mentioned:
NtFrs %systemroot%\ntfrs\jet\* /s
%SystemRoot%\debug\NtFrs*
%systemroot%\sysvol\domain\DO_NOT_REMOVE_NtFrs_PreInstall_Directory\* /s
%systemroot%\sysvol\domain\NtFrs_PreExisting___See_EventLog\* /s
%systemroot%\sysvol\staging\domain\NTFRS_*
http://support.microsoft.com/kb/233427
Will I need these in a full DR situation?
-
Saturday, December 29, 2012 3:31 AM
You just need to restore the system state backup on the server and troubleshoot further if you are receiving any errors. However if you have only one DC in the network then add one more DC for redundancy in production env.
As you are testing this in the test lab, restore the systemstate and check the health of DC by running dcdiag /q and also ensure that NIC setting is configured correctly on server as this: http://abhijitw.wordpress.com/2012/03/03/best-practices-for-dns-client-settings-on-domain-controller/
Introduction to Administering Active Directory Backup and Restore
http://technet.microsoft.com/en-us/library/cc738755(v=ws.10).aspx
http://technet.microsoft.com/en-us/library/cc778772(v=ws.10).aspx
Restore Active Directory from backup: http://technet.microsoft.com/en-us/library/cc758435(v=ws.10).aspx
Note: Officially system state backup is not supported on different hardware, it is to be used on the same system or similar, but I have seen scenarios where it doesn't work on similar system also due to driver version difference.
Hope this helps
Best Regards,
Sandesh Dubey.
MCSE|MCSA:Messaging|MCTS|MCITP:Enterprise Administrator | My Blog
Disclaimer: This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.
-
Saturday, December 29, 2012 3:17 PM
In many cases yes, it's a lot easier to just run a metadata cleanup of a failed DC and rebuild it with a fresh installation and promote it. But if a GPO is deleted, well, as you see as others have posted, you have to make accommodations in your DR plan to restore it as a separate restore procedure/steps.
Ace Fekay
MVP, MCT, MCITP/EA, MCTS Windows 2008/R2 & Exchange 2007, Exchange 2010 EA, MCSE & MCSA 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP - Directory Services
Technical Blogs & Videos: http://www.delawarecountycomputerconsulting.com/
This post is provided AS-IS with no warranties or guarantees and confers no rights.
-
Monday, December 31, 2012 5:58 PM
Thanks all. I am marking this message as the answer in order to provide a complete explanation:
Yes SYSVOL is included in system state backup.
The reason it didn't get restored to my AD environment is because I had a 2nd DC that retained the old SYSVOL, which replicated over the newly restored SYSVOL on the DC I was working on. This happened because although I did perform an authoritative restore of the AD database, I did not perform the separate auth restore specific to the SYSVOL. Awinish provided a link which describes this distinction: http://technet.microsoft.com/en-us/library/bb727048.aspx#EOAA
- Marked As Answer by JaimeBisceglia Monday, December 31, 2012 5:58 PM
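The state described in the answer above (a GPO listed in GPMC but missing from SYSVOL) can be detected per DC by comparing the GPO objects in AD with the GUID-named folders in each DC's SYSVOL. This is an added example, not part of the original thread; the function names, domain name and DC names are hypothetical, and the third sample GUID is constructed.

```powershell
# Added example (not from the thread). Assumes PowerShell 3.0+ on a domain-joined admin host.
# Compares GPO objects in AD with GPO folders in one DC's SYSVOL share.

function Compare-GpoStores {
    param([string[]]$AdGuids, [string[]]$SysvolGuids)
    # Normalise "{GUID}" names so brace and case differences do not cause false mismatches.
    $ad  = @($AdGuids     | Where-Object { $_ } | ForEach-Object { $_.Trim('{}').ToUpper() })
    $sys = @($SysvolGuids | Where-Object { $_ } | ForEach-Object { $_.Trim('{}').ToUpper() })
    [pscustomobject]@{
        MissingFromSysvol = @($ad  | Where-Object { $sys -notcontains $_ })  # in GPMC, no files
        MissingFromAd     = @($sys | Where-Object { $ad  -notcontains $_ })  # files, no AD object
    }
}

function Get-AdGpoGuids {
    param([string]$DomainDns)
    # Build the domain DN from the DNS name, then list groupPolicyContainer objects.
    $dn = ($DomainDns.Split('.') | ForEach-Object { "DC=$_" }) -join ','
    $searcher = [adsisearcher]'(objectClass=groupPolicyContainer)'
    $searcher.SearchRoot = [adsi]"LDAP://CN=Policies,CN=System,$dn"
    $searcher.PageSize = 500
    $searcher.FindAll() | ForEach-Object { [string]$_.Properties['cn'][0] }
}

function Get-SysvolGpoGuids {
    param([string]$Server, [string]$DomainDns)
    # Read one named DC's share, not \\domain\SYSVOL, so each replica is checked on its own.
    Get-ChildItem -Path "\\$Server\SYSVOL\$DomainDns\Policies" |
        Where-Object { $_.PSIsContainer -and $_.Name -match '^\{[0-9A-Fa-f-]{36}\}$' } |
        ForEach-Object { $_.Name }
}

# Offline demonstration on constructed data: the third GUID is made up and
# stands for the GPO that came back in AD but not in SYSVOL.
$adSample  = '{31B2F340-016D-11D2-945F-00C04FB984F9}', '{6AC1786C-016D-11D2-945F-00C04FB984F9}',
             '{11111111-2222-3333-4444-555555555555}'
$sysSample = '{31b2f340-016d-11d2-945f-00c04fb984f9}', '{6AC1786C-016D-11D2-945F-00C04FB984F9}'
(Compare-GpoStores -AdGuids $adSample -SysvolGuids $sysSample).MissingFromSysvol

# Live use (hypothetical names): run per DC after the restore and again after replication settles.
# $ad = Get-AdGpoGuids -DomainDns 'corp.example'
# foreach ($dc in 'DC01', 'DC02') {
#     Compare-GpoStores -AdGuids $ad -SysvolGuids (Get-SysvolGpoGuids -Server $dc -DomainDns 'corp.example')
# }
```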
-
Saturday, January 05, 2013 1:04 AM
It seems from your description the sysvol folder is empty. Can you verify the same by checking the sysvol folder. If the data is present then you need to perform authoritative restore of sysvol assuming you have single DC. http://support.microsoft.com/kb/290762/
If the sysvol folder is empty, restore the systemstate backup at alternate location and copy the content of sysvol from backup to sysvol folder and then perform authoritative restore of sysvol, or if you have separate sysvol folder backup the same can also be used. http://technet.microsoft.com/en-us/library/cc778271(v=ws.10).aspx
If you have multiple DC's and other server have sysvol content then you need to perform D2 (non-authoritative) on the existing server. Also verify the health of dc by running dcdiag /q and repadmin /replsum and post the log if error is reported.
In case the sysvol backup does not have policies and script folder and you don't have separate sysvol backup then you need to run dcgpofix but the old policies will be lost: http://www.windowsitpro.com/article/group-policy/how-can-i-restore-the-contents-of-the-default-domain-and-default-domain-controller-dc-group-policy-objects-gpos-
The Dcgpofix tool does not restore security settings in the Default Domain Controller Policy to their original state:
http://support.microsoft.com/kb/833783
Best Regards,
Sandesh Dubey.
MCSE|MCSA:Messaging|MCTS|MCITP:Enterprise Administrator | My Blog
Disclaimer: This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.
Sandesh,
In bold in the above quoted text, it appears you have repeated a previously posted link and info by Neil Frick. It would be helpful to curtail repetitive posts for posters, or at least reference the fact that someone else has already posted the link in a thread.
Thank you.
Ace Fekay
MVP, MCT, MCITP/EA, MCTS Windows 2008/R2 & Exchange 2007, Exchange 2010 EA, MCSE & MCSA 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP - Directory Services
Technical Blogs & Videos: http://www.delawarecountycomputerconsulting.com/
This post is provided AS-IS with no warranties or guarantees and confers no rights.

