AD Forest Recovery - FAQ

Although speed of recovery isn't the primary goal of this guide, you can achieve shorter recovery times by:

• Creating a detailed forest recovery plan, updating it on a regular basis, and practicing it in a simulated test environment of reasonable size at least once a year.
• Performing a Windows Server Backup FULL backup which provides for both bare-metal recovery (BMR) or a System State recovery.
• Using virtualized domain controller (DC) cloning. Virtualized DC cloning expedites the process to get additional Domain Controllers deployed to restore the original bandwidth of domain services. DCs running after one DC is restored from backup in each domain, as it's a nonauthoritative restoration, the PDC Emulator must also be available during the cloning operation. The additional virtualized DCs can be cloned rather than waiting for potentially lengthy AD DS installations to be completed and for the completion of noncritical replication after installation. Forests where virtual DCs are hosted in a relatively small number of well-connected data centers potentially benefit most from cloning during recovery. However, any environment where multiple virtualized DCs for the same domain are colocated on the same hypervisor host should benefit.
• Using Install From Media IFM to reduce the time needed for complete replication, by reducing replication traffic, as only the delta will be replicated. It also enable fast installation of multiple DCs.
• If using complex remote site scenarios (rare): -** Install AD DS on one or multiple servers in a hub or staging site**, and then ship them to the remote site.
  • Implement backup/restore procedures for DCs with poor/intermittent connectivity, in addition to the DCs designated as primary backup and disaster recovery (BDR) systems in primary datacenter locations. You'll need to add steps to bring the restored DCs in other locations in sync with the main datacenter DCs. To do this, designate one DC as the computer account reference and only there let KDCSVC run. On the other DCs you restored, follow the steps in Reset domain controller's password with Netdom.exe
• Deploying read-only domain controllers (RODCs) RODCs can provide business continuity during the recovery process because they don't have to be disconnected from the network as writable DCs do. RODCs don't perform outbound replication. Therefore, they don't present the same risk that writable DCs pose for replicating damaging data back into the recovered environment.

Other factors that affect the duration of the forest recovery process include the following:

• When the Domain Controllers are Virtual machines, you may take advantage of snapshot restore to roll back a DC to a known good state. This isn't the recommended approach as snapshots used for backups come with a number of caveats, such as the availability of disk space for the snapshots on the VM server to have a usable backup history. We strongly recommend using regular backups as the main means for recovery. VM snapshots may help for recovery from problems after sensitive changes, such as forest-wide updates like domain rename or large schema updates. Note: You need to mark SYSVOL as authoritative for DFSR manually when needed. For more information about Virtualized Domain Controller, see Virtualized Domain Controller Architecture.

• When you restore DCs from backups, it takes time to locate and retrieve the physical backup media, such as tapes, reinstall the operating system, depending on the recovery scenario, and restore data from backup media.

  Note

  You can reduce the time required to reinstall the operating system and restore data from backup by performing a BMR recovery instead of system state restore. Because bare-metal recovery is binary-based, it completes much faster than system state restore. However, if the server contains data that is excluded from system state data that you don't want to restore, bare-metal recovery might not be a viable alternative to system state restore. Consider the advantages of performing a full server recovery instead of a system state restore for your servers specifically and prepare accordingly by performing the appropriate type of backup that you plan to restore later. General best practice would recommend performing a FULL backup which will provide for both a BMR or System State restore type.

  • When you rebuild DCs by replication, it takes time to replicate data for network-based promotions. You can decrease the time required for restoring DCs by placing the new domain controller in the same subnet as the partner to promote. This minimizes delays that are caused by network roundtrip and throughput.

• Reduce the time for retrieving backup media by:

  • Using the Active Directory Database Mounting Tool (Dsamain.exe) to identify the best backup to use for restore operations. For more information about using the Active Directory Database Mounting Tool, see the Active Directory Database Mounting Tool Step-by-Step Guide.
  • Labeling the backup media clearly and storing the media in an organized fashion at a convenient, yet secure, location that allows fast retrieval. Make sure you have valid credentials according to your backups.

• Forcing the removal of AD DS from the DCs instead of reinstalling the operating system. If the cause of the forest-wide failure has been identified to be purely within the scope of AD DS, you don't have to reinstall the operating system on the DCs. For more information about forcing the removal of AD DS from a DC, see Forcing the Removal of a Windows Server 2008 Domain Controller (https://go.microsoft.com/fwlink/?LinkId=132627).

• Use faster tape devices or disk backups to reduce the time that is required for restore operations. Businesses that have a more aggressive service-level agreement (SLA) might consider altering the forest recovery procedures to speed recovery.

Because of the complex and critical nature of the forest recovery process, there's currently no end-to-end automation. The forest recovery process is more a logistical and organizational challenge of restoring business continuity than a technical problem of process automation. Therefore, the individual who administers the environment should create a forest recovery plan that is specific to that environment and then automate sections of it that can be automated successfully.

You can perform most of the forest recovery steps by using command-line tools. Therefore, most of the steps are scriptable. For example, Ntdsutil.exe is one of the most frequently used tools in the forest recovery process.

Although scripts can speed recovery, you must thoroughly test these scripts before you apply them in a real environment. Also, you must update them according to changes in the Active Directory environment, such as the addition of a new domain or DC, or a new version of Active Directory.

Next steps

• AD Forest Recovery - Prerequisites
• AD Forest Recovery - Devise a custom forest recovery plan
• AD Forest Recovery - Steps to restore the forest
• AD Forest Recovery - Identify the problem
• AD Forest Recovery - Determine how to recover
• AD Forest Recovery - Perform initial recovery
• AD Forest Recovery - Procedures
• AD Forest Recovery - Frequently Asked Questions (FAQ)
• AD Forest Recovery - Recover a single domain within a multidomain forest
• AD Forest Recovery - Redeploy remaining DCs
• AD Forest Recovery - Virtualization
• AD Forest Recovery - Cleanup