How to restore active directory in case of corruption?

    Question

  • Hi!

    Planning my DR for Active Directory and having problems understanding how to recover from a complete AD failure. I have seven 2008 R2 domain controllers and have an application-aware backup (Veeam) of the DC with all FSMO roles.

    I don't understand the procedure of rolling back the whole AD in case, for example, the schema gets corrupted during an adprep, or if I detect that an application does not work after extending the schema, which I missed testing before upgrading.

    I could do it like this:

    1. Shut down two domain controllers (the ones with the FSMO roles) and take a snapshot of them to get it consistent.

    2. Start them up and make the change.

    3. In case of rollback, shut down all seven domain controllers and revert both DCs from the snapshot.

    4. Start cleaning up the metadata of the powered-down DCs.

    5. Reinstall the OS of the powered-down DCs.

    6. Start them up and run dcpromo.

    As I understand it, this would work but is not supported?

    What is the real way of doing it?

    Thanks!

    Tuesday, February 28, 2017 1:15 PM

All replies

  • I am not sure if the schema can become corrupted. As a last resort, I believe you can defunct the changes that you have made in your schema. If your AD is totally ruined, however, it is a different story.

    First of all, I would like to recommend you stop believing in reverting snapshots for your domain controllers. Domain controllers maintain a secure channel between each other, and once you revert the snapshot there is a high chance that they will stop working due to secure channel problems. Not to mention USN rollback, which is another effect of reverting snapshots.

    Do not forget that even when restoring AD from a backup, you will have to spend some time troubleshooting possible replication problems. Read the links below:


    Mahdi Tehrani | www.mahditehrani.ir
    This posting is provided AS-IS with no warranties, and confers no rights.

    Tuesday, February 28, 2017 1:42 PM
    Moderator
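The secure-channel and USN rollback problems mentioned in this reply leave visible traces on a domain controller. The following PowerShell script is an added example, not part of this thread or of any Microsoft documentation; it is a read-only check you can run across all DCs after a restore or a suspected snapshot revert. It assumes the ActiveDirectory module and repadmin.exe are installed on the host where it runs, and that WinRM remoting to each DC is allowed. The event IDs (2095 for a detected USN rollback, 2103 for a database restored with an unsupported method) and the `Dsa Not Writable` registry value are the indicators Microsoft documents for this condition.

```powershell
# Added example (not from the thread): read-only health check for the USN rollback
# and secure-channel problems described in the reply above.
# Assumptions: ActiveDirectory module + repadmin.exe are present here, and
# WinRM remoting to every DC is permitted for the account running this.
Import-Module ActiveDirectory

function Test-DcRollbackIndicators {
    param([Parameter(Mandatory)][string]$DcName)

    $result = [ordered]@{
        DC                  = $DcName
        SecureChannelOk     = $null
        DsaNotWritable      = $null
        RestoreCount        = $null
        RollbackEvents7d    = 0
        ReplicationFailures = $null
    }

    # 1. Secure channel to the domain: this is what breaks after a snapshot revert.
    try {
        $result.SecureChannelOk = Invoke-Command -ComputerName $DcName -ScriptBlock {
            Test-ComputerSecureChannel
        } -ErrorAction Stop
    } catch { $result.SecureChannelOk = "error: $($_.Exception.Message)" }

    # 2. NTDS registry flags. "Dsa Not Writable" = 4 means the DC detected a USN
    #    rollback and quarantined itself (replication disabled, Netlogon paused).
    #    "DSA Previous Restore Count" increments only on supported restores.
    try {
        $ntds = Invoke-Command -ComputerName $DcName -ScriptBlock {
            Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
        } -ErrorAction Stop
        $result.DsaNotWritable = $ntds.'Dsa Not Writable'
        $result.RestoreCount   = $ntds.'DSA Previous Restore Count'
    } catch { $result.DsaNotWritable = "error: $($_.Exception.Message)" }

    # 3. Directory Service log: 2095 (USN rollback detected) and 2103 (database
    #    restored with an unsupported method) within the last seven days.
    $events = Get-WinEvent -ComputerName $DcName -FilterHashtable @{
        LogName   = 'Directory Service'
        Id        = 2095, 2103
        StartTime = (Get-Date).AddDays(-7)
    } -ErrorAction SilentlyContinue
    $result.RollbackEvents7d = @($events).Count

    # 4. Inbound replication partners with failures, as repadmin reports them.
    $csv = repadmin /showrepl $DcName /csv 2>$null | ConvertFrom-Csv
    $result.ReplicationFailures = @($csv | Where-Object { [int]$_.'Number of Failures' -gt 0 }).Count

    [pscustomobject]$result
}

# Check every DC in the domain; any row with DsaNotWritable = 4, RollbackEvents7d > 0,
# SecureChannelOk = False or ReplicationFailures > 0 needs follow-up before you trust it.
Get-ADDomainController -Filter * |
    ForEach-Object { Test-DcRollbackIndicators -DcName $_.HostName } |
    Format-Table -AutoSize
```

Run it before and after any restore so you have a baseline; a DC that has quarantined itself (`Dsa Not Writable` = 4) should not be "fixed" by clearing the value but rebuilt or restored with a supported method.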

  • I don't understand the procedure of rolling back the whole AD in case, for example, the schema gets corrupted during an adprep, or if I detect that an application does not work after extending the schema, which I missed testing before upgrading.


    For schema changes and corruptions, only a full forest recovery can roll that back. So you need a full backup first, then shut down all DCs and perform a nonauthoritative restore of AD DS (single DC). Next, turn on the other DCs and remove lingering objects, USN rollbacks, etc. Or forcefully demote the other DCs, do metadata cleanup, then promote them as domain controllers again.

    Also, you can check these articles about AD forest recovery:

    https://technet.microsoft.com/en-us/library/planning-active-directory-forest-recovery(WS.10).aspx

    https://blogs.technet.microsoft.com/newenglandpfe/2011/05/20/common-scenarios-for-active-

    And this is the latest one:

    https://1drv.ms/w/s!AuVEEHIwTxv9hsRHNK6F0ZsGOai77w


    This posting is provided AS IS with no warranties or guarantees, and confers no rights. Best regards, Burak Uğur

    Tuesday, February 28, 2017 3:45 PM
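The second path in this reply (restore one DC, demote the rest, clean up metadata, promote them again) is the one that matches the questioner's seven-DC layout. The script below is an added example, not part of this thread or of Microsoft's forest recovery guide; it shows the cleanup that runs on the restored DC between the nonauthoritative restore and the re-promotion of the other DCs. Every name in it is a placeholder: the restored DC `DC1.corp.example`, domain `corp.example`, site `Default-First-Site-Name`, and the removed DCs `DC2` to `DC7`. It assumes the ActiveDirectory module, ntdsutil, repadmin and dcdiag are available on the restored DC and that it runs as an Enterprise Admin.

```powershell
# Added example (not from the thread): post-restore cleanup on the single restored DC.
# Placeholders: DC1.corp.example (restored DC), corp.example, Default-First-Site-Name,
# DC2..DC7 (the DCs that were powered off and will be rebuilt).
Import-Module ActiveDirectory

$RestoredDc = 'DC1.corp.example'
$DomainDn   = 'DC=corp,DC=example'
$Site       = 'Default-First-Site-Name'
$RemovedDcs = 2..7 | ForEach-Object { "DC$_" }

# 1. The restored DC must hold every FSMO role. The previous holders no longer
#    exist, so the roles are seized (-Force) rather than transferred.
Move-ADDirectoryServerOperationMasterRole -Identity $RestoredDc -Force -Confirm:$false `
    -OperationMasterRole SchemaMaster, DomainNamingMaster, PDCEmulator, RIDMaster, InfrastructureMaster

# 2. Metadata cleanup for each DC that will be rebuilt. ntdsutil removes the
#    NTDS Settings object, the server object and the DC's computer account
#    references; on 2008 R2 it asks for confirmation per server.
foreach ($dc in $RemovedDcs) {
    $serverDn = "CN=$dc,CN=Servers,CN=$Site,CN=Sites,CN=Configuration,$DomainDn"
    ntdsutil "metadata cleanup" "remove selected server $serverDn" quit quit
}

# 3. Verify no server object for a removed DC survived the cleanup.
$leftover = Get-ADObject -SearchBase "CN=Sites,CN=Configuration,$DomainDn" `
                         -Filter 'objectClass -eq "server"' |
            Where-Object { $RemovedDcs -contains $_.Name }
if ($leftover) {
    throw "Metadata cleanup incomplete for: $($leftover.Name -join ', ')"
}

# 4. Confirm the restored DC is healthy before any dcpromo of the rebuilt DCs.
#    With a single DC, replsummary is trivially clean; fsmocheck and ridmanager
#    confirm the seized roles are usable.
repadmin /replsummary
dcdiag /test:fsmocheck /test:ridmanager /test:replications

# 5. Only for the first path in the reply (keeping a DC instead of rebuilding it):
#    check that DC for lingering objects relative to the restored DC. The GUID is
#    the restored DC's NTDS Settings object GUID; /advisory_mode reports without
#    deleting, so review its output before running the command without the switch.
function Get-LingeringObjectReport {
    param([Parameter(Mandatory)][string]$KeptDc)
    $settingsDn = (Get-ADDomainController -Identity $RestoredDc).NTDSSettingsObjectDN
    $sourceGuid = (Get-ADObject -Identity $settingsDn).ObjectGUID
    repadmin /removelingeringobjects $KeptDc $sourceGuid $DomainDn /advisory_mode
}
```

The order matters: seize the roles first so the RID master exists when the rebuilt DCs request RID pools, clean metadata second so dcpromo does not collide with stale server objects, and only then promote. Keep the advisory-mode lingering-object report for the incident record before removing anything.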