Active Directory Disaster Recovery
Workshop
Lab Manual
Revision 1.7
Table of Contents
LAB 1: Introduction to the Lab Environment .................................................................. 1
Goals .............................................................................................................................................. 1
Introduction ..................................................................................................................................... 1
Exercise 1: Inspect the Lab Environment ............................................................................................. 3
LAB 2: Object Recovery Using Authoritative Restore ...................................................... 4
Goals .............................................................................................................................................. 4
Introduction ..................................................................................................................................... 4
Exercise 1: Recover User Object and its Group Memberships Using Authoritative Restore .......................... 5
Exercise 2: Recover OU and its Contents Using Authoritative Restore .................................................... 10
LAB 3: Object Recovery Using Reanimation .................................................................. 15
Goals ............................................................................................................................................ 15
Introduction ................................................................................................................................... 15
Exercise 1: Recover User Object Using Object Reanimation .................................................................. 17
LAB 4: Group Policy Recovery ...................................................................................... 19
Goals ............................................................................................................................................ 19
Introduction ................................................................................................................................... 19
Exercise 1: Backup All Group Policies in the Forest .............................................................................. 20
Exercise 2: Change existing GPO and Analyze Changes via GPO Reports ................................................ 22
Exercise 3: Restore a GPO using GPMC .............................................................................................. 25
LAB 5: Forest Recovery ................................................................................................ 27
Goals ............................................................................................................................................ 27
Introduction ................................................................................................................................... 27
Exercise 1: Melt Down the Forest ...................................................................................................... 27
Exercise 2: Recover First DC of the Root Domain ................................................................................. 28
Exercise 3: Recover First DC of CHILD Domain ................................................................................... 33
Exercise 4: Recover CHILDDC2 ......................................................................................................... 37
Active Directory Disaster Recovery Lab Manual
LAB 1: Introduction to the Lab Environment
Goals

To familiarize you with the lab environment

To make sure you can use the lab environment
Introduction
The Disaster Recovery lab consists of three virtual machines. The machines are all connected to a single
subnet so that the DCs can communicate with your workstation and with each other.
Each virtual machine is running Windows Server 2003 Enterprise Edition, with SP1. The three virtual
machines are configured as three DCs in a single Active Directory forest, as described below.
Active Directory Forest
Your forest consists of two domains, drroot.local and child.drroot.local. The entire forest is running at
Windows 2003 forest functional level.
DNS
The drroot.local forest uses Microsoft DNS running on one DC, and is Active Directory integrated. There is
one DNS server in the drroot.local domain (ROOTDC1) and one in the child.drroot.local domain (CHILDDC1).
They point to themselves for their primary DNS resolver.
Root Domain
Domain administrator: adm.root
Domain administrator password: netpro
ROOTDC1 configuration
IP Address
10.7.5.1/16
Site
HubSite
Roles
Domain naming, RID master, PDC emulator, schema master
Is GC?
Yes
Hosts DNS?
Yes
DRSM credentials
Username: Administrator Password: netpro
Copyright © 2008 NetPro
All rights reserved.
Page 1
Active Directory Disaster Recovery Lab Manual
CHILD Domain
Domain administrator: adm.child
Domain administrator password: netpro
CHILDDC1 configuration
IP Address
10.7.5.3/16
Site
HubSite
Roles
RID master, PDC emulator
Is GC?
Yes
Hosts DNS?
No
DRSM credentials
Username: Administrator Password: netpro
CHILDDC2 configuration
IP Address
10.7.5.4/16
Site
HubSite
Roles
Infrastructure master
Is GC?
No
Hosts DNS?
No
DRSM credentials
Username: Administrator Password: netpro
Copyright © 2008 NetPro
All rights reserved.
Page 2
Active Directory Disaster Recovery Lab Manual
Exercise 1: Inspect the Lab Environment
Install virtual machine
images from DVD
1. Copy the virtual machine images from the DVDs you were provided to
your laptop hard drive(s), and configure the virtual machines
appropriately. Be sure that the VMs are all connected to the same virtual
(guest-only) network.
If you are going to run your VMs on two separate
machines, BEFORE connecting them to the physical
network, boot the images with no network connection and
set the IP addresses on all three VMs so that there will be
no conflicts on the physical lab network. See you instructor
for an appropriate set of IP addresses.
Inspect the DRROOT
domain
1. Start the image for ROOTDC1.
2. Login to the DRROOT domain using the domain administrator credentials
listed in the introduction.
3. On ROOTDC1, run Active Directory Users and Computers (ADUC) to
inspect the contents of the ROOT domain. In particular note that the
users and computers have all been moved under the
“OU=Delegated-OUs” organizational unit.
4. Note that the C:\Workshop\Scripts directory contains files you will use
during subsequent exercises.
Inspect the CHILD
domain
1. Start the images for CHILDDC1 and CHILDD2.
2. On CHILDDC1, login to the CHILD domain using the domain
administrator credentials listed in the introduction.
3. On CHILDDC1, run ADUC to inspect the contents of the CHILD domain.
Note that the structure is very similar to that of the ROOT domain.
4. Note that the C:\Workshop\Scripts directory contains files you will use
during subsequent exercises.
Copyright © 2008 NetPro
All rights reserved.
Page 3
Active Directory Disaster Recovery Lab Manual
LAB 2: Object Recovery Using Authoritative Restore
Goals

Understand the peculiarities of Active Directory data structures and how they affect data recovery.

Learn how to recover a single object from backup, including properly restoring its linked attributes, e.g.
the group memberships of a user object.

Learn how to recover a deleted OU and its contents using an authoritative restore.
Introduction
The lab focuses on recovering deleted Active Directory objects. You should have a good understanding of the
following concepts from the presentation:

Tombstoned objects and how they are created.

Linked attributes and how they are maintained, including forward links and backward links.

Link-value replication in Windows Server 2003.

How authoritative restore works.
This lab includes two exercises. In the first exercise you will delete and restore a user object with multiple
group memberships. You will see for yourself all of the strange and wonderful aspects of restoring an Active
Directory user object in a multi-domain environment.
In the second exercise, you will delete and authoritatively restore an entire OU, including users and groups.
Note: These exercises are based on a Windows Server 2003 SP1 environment running
in Windows Server 2003 forest functional level. If you are running a different Active
Directory environment, some of the steps for these tasks would be different. The
instructors will discuss some of these differences during the presentation.
On to the exercises!
Copyright © 2008 NetPro
All rights reserved.
Page 4
Active Directory Disaster Recovery Lab Manual
Exercise 1: Recover User Object and its Group Memberships Using Authoritative
Restore
Select a user and
inspect its group
memberships on
CHILDDC1
1. Log in to CHILDDC1 using the domain administrator credentials provided
in the introduction.
2. On CHILDDC1, run Active Directory Users and Computers and find a user
object, for instance CN=Simpson,
Bart,OU=Accounts,OU=ChildOU1,OU=DelegatedOUs,DC=child,DC=drroot,DC=local. Note the content of its
memberOf attribute (the backlink). These are the groups in the CHILD
domain that Bart is a member of.
3. On CHILDDC1, run ADSIEDIT.MSC, locate the user object, and note the
memberOf attribute. The memberOf attribute will contain backlinks to
the Universal groups in the DRROOT domain that Bart is a member of.
ADUC explicitly filters these to provide a consistent view of the
memberOf attribute. These are visible on CHILDDC1 because CHILDDC1
is also a GC and has entries for the group objects from the DRROOT
domain.
Inspect the user’s
group memberships on
CHILDDC2
1. Log in to CHILDDC2 using the domain administrator credentials provided
in the introduction.
2. On CHILDDC2, the non-GC, do the same thing. Note that the memberOf
attribute does NOT contain the backlinks to the universal groups in the
DRROOT domain.
Inspect the user’s
group memberships on
ROOTDC1
1. Log in to ROOTDC1 using the domain administrator credentials provided
in the introduction
2. From the Start menu, select Run, type LDP, and press Ok.
3. In LDP connect to the default server and bind using default credentials.
4. Search the DRROOT NC (set scope = subtree) to find all the groups of
which Bart is a member. Use the following search filter:
(&(objectclass=group)(member=CN=Simpson\,
Bart,OU=Accounts,OU=ChildOU1,OU=DelegatedOUs,DC=child,DC=drroot,DC=local))
Note: Bart’s common name (CN) attribute contains an
embedded space, so type carefully. Or even better, cut and
paste the DN from C:\Workshop\Scripts\Lab 1.Object
Recovery\LDPFilter.txt file.
5. Note that Bart is a member of two universal groups and one local group
in the DRROOT domain.
Delete the selected
user object
You should still be logged in as the domain administrator on CHILDDC1.
Verify replication of the
delete operation
You should still be logged in as the domain administrator on CHILDDC2.
Copyright © 2008 NetPro
All rights reserved.
1. On CHILDDC1, run Active Directory Users and Computers and locate the
user you selected in the first step.
2. Delete the user object.
1. On CHILDDC2, run Active Directory Users and Computers and verify the
user you deleted in the previous step has been deleted from CHILDDC2.
Page 5
Active Directory Disaster Recovery Lab Manual
Boot the GC into
Directory Services
Restore Mode
You should still be logged in as the domain administrator on CHILDDC1.
Perform a System State
restore of the GC
1. Log in to CHILDDC1 using the DSRM credentials provided in the
introduction.
2. From the Start menu, select Run, enter NTBACKUP, and press the Ok
button.
3. On the initial NTBACKUP dialog, click Next.
4. On the Backup or Restore Wizard dialog, select restore files and
settings and click Next.
5. On the What to Restore dialog, double-click the File entry on the left,
double-click on the appropriate backup file, check the System State
entry, and click Next.
1. On CHILDDC1, edit the startup parameters by right-clicking My
Computer, selecting Properties/Advanced/Startup and Recovery,
and selecting “Directory Service Restore Mode” from the Default
operating system drop-down list.
2. Restart the GC. When the GC restarts, it will come up in Directory
Services Restore Mode.
Note that we have included a system state backup of
CHILDDC1 for you to use in the C:\Workshop\Backups
directory.
Figure 1 Selecting System State restore
6. On the Complete the Backup or Restore Wizard dialog, click the
Advanced button, ensure that the entry for Restore files to: is set to
Original location, and press Next.
7. On the How to Restore dialog, select Leave existing files, and press
Next.
8. On the Advanced Restore options dialog, check When restoring
replicated datasets, mark the restored data as the primary data
for all replicas, and press Next. This will mark the restored SYSVOL as
authoritative for the entire domain and start the restore.
9. Do NOT restart the GC at this time.
Copyright © 2008 NetPro
All rights reserved.
Page 6
Active Directory Disaster Recovery Lab Manual
Authoritatively restore
the deleted object on
the GC
1. On CHILDDC1 (still in Directory Service Restore Mode), run NTDSUTIL.
2. At the ntdsutil: prompt, type authoritative restore.
3. At the authoritative restore: prompt, type restore subtree
<distinguished name>, where <distinguished name> is the DN of the
object you deleted, e.g. “CN=Simpson\,
Bart,OU=Accounts,OU=ChildOU1,OU=DelegatedOUs,DC=child,DC=drroot,DC=local”.
Note: Bart’s common name (CN) attribute contains a
comma and an embedded space, so type carefully.
Commas embedded in an RDN must be escaped with a
backslash (“\”), and the entire DN should be enclosed in
quotes. Even better, cut and paste the DN from another
application.
4. Type quit twice to exit ntdsutil.
5. Note the creation of two LDIF files, one for each domain. These LDIF
files contain group and manager update operations to help recover the
group memberships of the restored user. Also note the creation of a .txt
file containing the objectGuid and DN of the restored object. Use
NOTEPAD to look at the files to make sure the contents make sense. You
will find them in the directory from which NTDSUTIL has been executed.
Reboot CHILDDC1 into
normal mode
Restore group
memberships in the
users domain
1. On CHILDDC1, edit the DC startup parameters by right-clicking My
Computer and selecting Properties/Advanced/Startup and Recovery.
2. Select Windows Server 2003, Enterprise from the Default
operating system drop-down list.
3. Save your changes by pressing Ok twice.
4. Restart CHILDDC1.
Note: This step is NOT necessary in our Disaster Recovery
Lab today because we are running in Windows Server 2003
Forest Functional Level enabling Link Value Replication
(LVR), and all of the links were created in that mode.
NTDSUTIL automatically recovers the local domain links
(e.g. group memberships) for you. We’ve included these
steps here as a reference for object recovery in non-LVR
forest, or in an LVR-forest where the links were created
before the upgrade to Windows 2003 FFL.
1. Run LDIFDE to import the LDIF file created by NTDSUTIL to restore the
local domain group memberships. For instance:
C:\> ldifde –i –k –f ar_20061106123103_links_child.drroot.local.ldf
2. Run Active Directory Users and Computers, locate the restored user, and
verify that the user has been added to the appropriate groups in the
CHILD domain.
Copy NTDSUTILgenerated files to
ROOTDC1
1. Log in to ROOTDC1 using the domain administrator credentials provided
in the introduction.
2. Copy the NTDSUTIL-generated files from CHILDDC1, e.g.
C:\> COPY \\CHILDDC1\C$\ar_20061106123103_links_drroot.local.ldf C:\
C:\> COPY \\CHILDDC1\C$\ar_20061106122231_objects.txt
Copyright © 2008 NetPro
All rights reserved.
Page 7
Active Directory Disaster Recovery Lab Manual
Boot ROOTDC1 into
Directory Services
Restore Mode
1. On ROOTDC1, edit the startup parameters by right-clicking My
Computer, selecting Properties/Advanced/Startup and Recovery,
and selecting “Directory Service Restore Mode” from the Default
operating system drop-down list.
2. Restart ROOTDC1. When ROOTDC1 restarts, it will come up in Directory
Services Restore Mode.
Perform a system state
restore on ROOTDC1
1. Log in to ROOTDC1 using the DSRM credentials provided in the
introduction.
2. From the Start menu, select Run, enter NTBACKUP, and press the Ok
button.
3. On the initial NTBACKUP dialog, click Next.
4. On the Backup or Restore Wizard dialog, select restore files and
settings and click Next.
5. On the What to Restore dialog, double-click the File entry on the left,
double-click on the appropriate backup file, check the System State
entry, and click Next.
Figure 2 Selecting System State restore
6. On the Complete the Backup or Restore Wizard dialog, click the
Advanced button, ensure that the entry for Restore files to: is set to
Original location, and press Next.
7. On the How to Restore dialog, select Leave existing files, and press
Next.
8. On the Advanced Restore options dialog, check When restoring
replicated datasets, mark the restored data as the primary data
for all replicas, and press Next. This will mark the restored SYSVOL as
authoritative for the entire domain and start the restore.
9. Edit the startup parameters by right-clicking My Computer, selecting
Properties/Advanced/Startup and Recovery, and selecting “Windows
Server 2003, Enterprise” from the Default operating system drop-down
list.
10. Do NOT reboot ROOTDC1 at this time.
Use NTDSUTIL to
create LDIF files for
Copyright © 2008 NetPro
All rights reserved.
1. On ROOTDC1, run NTDSUTIL
Page 8
Active Directory Disaster Recovery Lab Manual
group memberships
2. At the ntdsutil: prompt, type authoritative restore.
3. At the authoritative restore: prompt, type create ldif file(s) from
<filename>, where <filename> is the name of the .txt file you copied
from CHILDDC1, for example ar_20061106-122231_objects.txt. This
will create LDIF files to run to restore group memberships in the
DRROOT domain.
Note: The only reason we perform an authoritative restore
on a DC in the DRROOT domain is so that NTDSUTIL can
create an LDIF file containing the group memberships in
the domain. Because we will not perform an authoritative
restore, the normal replication process in the DRROOT
domain will overwrite the data we have non-authoritatively
restored.
Reboot ROOTDC1 into
normal mode
1. On ROOTDC1, edit the DC startup parameters by right-clicking My
Computer and selecting Properties/Advanced/Startup and Recovery.
2. Select Windows Server 2003, Enterprise from the Default operating
system drop-down list.
3. Save your changes by pressing Ok twice.
4. Restart ROOTDC1.
Import LDIF files
created by NTDSUTIL
on ROOTDC1
1. Log in to ROOTDC1 using the domain administrator credentials provided
in the introduction.
2. Run LDIF to import the LDIF file created for the DRROOT domain in the
previous step, for instance:
ldifde –i –k –f ar_20061106124131_links_drroot.local.ldf
C:\>
Note that NTDSUTIL created two LDIF files, one for membership
information for groups in the DRROOT domain, and one for
memberships in groups in the CHILD domain. Because we
recovered the user on a GC in the CHILD domain, the CHILD
domain memberships have already been restored, and we do not
have to import the LDIF file for the CHILD domain memberships.
3. Run Active Directory Users and Computers and verify the appropriate
DRROOT group memberships have been updated with the restored user.
Summary
Copyright © 2008 NetPro
All rights reserved.
In this exercise we have deleted a user with group memberships both in its
own and another domain. We then restored the user from backup using
authoritative restore, and then recovered the user’s group memberships in
both its own and the other domain.
Page 9
Active Directory Disaster Recovery Lab Manual
Exercise 2: Recover OU and its Contents Using Authoritative Restore
Create a new system
state backup of
CHILDDC1
1. Log in to CHILDDC1 using the domain administrator credentials provided
in the introduction.
1. Open My Computer and navigate to the batch file you created to run
perform a system state backup.
2. Double-click on the batch file to run the backup.
3. Make sure the backup file was created by checking that the
C:\Workshop\Backup\samplebackup.bkf file has been created and
contains some data.
Note: You may wonder why you can’t just use the backup
you created originally. The explanation is a little involved.
The original objects in the directory you are using started
out with attribute version numbers of 1. When you deleted
the computer and user objects in the earlier exercises, and
then authoritatively restored them, NTDSUTIL increased
the version numbers of the object’s attributes to 10001,
and this replicated out to the other DCs. If we don’t create
a new backup now, but instead use the original backup,
when we authoritatively restore the deleted objects, the
version numbers will again be incremented to 10001. But
the other DC in the domain will already have this version
number, and there the replication conflict resolution code
will select the attribute value from the DC with higher DSA
GUID value. The result will be that the authoritatively
restore values will be overwritten by values from the other
DC in the domain. This is a problem whenever you
authoritatively restore the same object more than once in a
day. Note that you could also use the verinc option in
NTDSUTIL to increase the version number by some larger
amount.
Select and delete an OU
1. On CHILDDC1, run Active Directory Users and Computers and locate an
OU to delete, for instance OU=ChildOU1,OU=DelegatedOUs,DC=child,DC=drroot,DC=local.
2. Delete the OU.
Verify replication of the
delete operation
1. Log in to CHILDDC2 using the domain administrator credentials provided
in the introduction.
2. Run Active Directory Users and Computers and verify the OU you deleted
in the previous step has been deleted from CHILDDC2.
Copyright © 2008 NetPro
All rights reserved.
Page 10
Active Directory Disaster Recovery Lab Manual
Boot the GC into
Directory Services
Restore Mode
1. On CHILDDC1, edit the startup parameters by right-clicking My
Computer, selecting Properties/Advanced/Startup and Recovery,
and selecting “Directory Service Restore Mode” from the Default
operating system drop-down list.
2. Restart the GC. When the GC restarts, it will come up in Directory
Services Restore Mode.
Perform a System State
restore of the GC
1. Log in to CHILDDC1 using the DSRM credentials provided in the
introduction.
2. From the Start menu, select Run, enter NTBACKUP, and press the Ok
button.
3. On the initial NTBACKUP dialog, click Next.
4. On the Backup or Restore Wizard dialog, select restore files and
settings and click Next.
5. On the What to Restore dialog, double-click the File entry on the left,
double-click on the appropriate backup file, check the System State
entry, and click Next.
6. On the Complete the Backup or Restore Wizard dialog, click the
Advanced button, ensure that the entry for Restore files to: is set to
Original location, and press Next.
7. On the How to Restore dialog, select Leave existing files, and press
Next.
8. On the Advanced Restore options dialog, check When restoring
replicated datasets, mark the restored data as the primary data
for all replicas, and press Next. This will mark the restored SYSVOL as
authoritative for the entire domain and start the restore.
9. Do NOT restart the GC at this time.
Authoritatively restore
the deleted object on
the GC
1. On CHILDDC1 (still in Directory Service Restore Mode), run NTDSUTIL.
2. At the ntdsutil prompt, type authoritative restore.
3. At the authoritative restore prompt, type restore subtree
<distinguished name>, where <distinguished name> is the DN of the
OU you deleted earlier, for instance OU=ChildOU1,OU=DelegatedOUs,DC=child,DC=drroot,DC=local.
4. Type quit twice to exit ntdsutil.
5. Note the creation of two LDIF files, one for each domain. These LDIF
files contain group and manager update operations to help recover the
group memberships of the restored users. Also note the creation of a
.txt file containing the objectGuid and DN of the restored objects. Use
NOTEPAD to look at the files to make sure the contents make sense. You
will find them in the directory from which NTDSUTIL has been executed.
Reboot CHILDDC1 into
normal mode
1. On CHILDDC1, edit the DC startup parameters by right-clicking My
Computer and selecting Properties/Advanced/Startup and Recovery.
2. Select Windows Server 2003, Enterprise from the Default
operating system drop-down list.
3. Save your changes by pressing Ok twice.
4. Restart CHILDDC1.
Verify restoration of OU
and its contents
1. Log in to CHILDDC1 using the domain administrator credentials provided
in the introduction.
Note: Be sure to allow enough time for replication to occur
before continuing. You can use REPLMON to check that
replication is complete.
2. Run ADSIEDIT to verify that the OU has been restored.
3. Log in to CHILDDC2 using the domain administrator credentials provided
in the introduction.
Copyright © 2008 NetPro
All rights reserved.
Page 11
Active Directory Disaster Recovery Lab Manual
4. Run ADSIEDIT and verify the OU you restored has been restored on
CHILDDC2.
5. Note the following:

The contents of the OU (user objects) have been restored as well.

The group memberships of the user objects have been restored as
well, including universal group memberships in the DRROOT domain.

The objects have replicated to CHILDDC2 and all of the CHILD
domain group memberships are properly replicated.
6. Log in to ROOTDC1 using the domain administrator credentials provided
in the introduction.
7. Run ADSIEDIT to verify that the restored OU has replicated to ROOTDC1
(the GC in the DRROOT domain). You will have to connect to the GC port
by clicking the Advanced button on the ADSIEDIT Connection Settings
dialog.
8. Note the following:

The objects contained in the OU have replicated to the GC as well.

Only the universal group memberships of the users have been
restored.

The domain local group memberships in the DRROOT domain have
not been restored, because there was no record of these
memberships in the CHILD domain.
Restore group
memberships in the
users domain
Note: This step is NOT necessary in our Disaster Recovery
Lab today because we are running in Windows Server 2003
Forest Functional Level enabling Link Value Replication
(LVR), and all of the links were created in that mode.
NTDSUTIL automatically recovers the local domain links
(e.g. group memberships) for you. We’ve included these
steps here as a reference for object recovery in non-LVR
forest, or in an LVR-forest where the links were created
before the upgrade to Windows 2003 FFL.
1. On CHILDDC1 (you should still be logged in as the domain
administrator), run LDIFDE to import the LDIF file created by NTDSUTIL
to restore the local domain group memberships. For instance:
C:\> ldifde –i –k –f ar_20061106123103_links_child.drroot.local.ldf
2. Run Active Directory Users and Computers, locate the restored user, and
verify that the user has been added to the appropriate groups in the
CHILD domain.
Copy NTDSUTILgenerated files to
ROOTDC1
1. Log in to ROOTDC1 using the domain administrator credentials provided
in the introduction.
2. Copy the NTDSUTIL-generated files from CHILDDC1, e.g.
C:\> COPY \\CHILDDC1\C$\ar_20061106123103_links_drroot.local.ldf C:\
C:\> COPY \\CHILDDC1\C$\ar_20061106122231_objects.txt
Copyright © 2008 NetPro
All rights reserved.
Page 12
Active Directory Disaster Recovery Lab Manual
Boot ROOTDC1 into
Directory Services
Restore Mode
1. Log in to ROOTDC1 using the domain administrator credentials provided
in the introduction.
2. On ROOTDC1, edit the startup parameters by right-clicking My
Computer, selecting Properties/Advanced/Startup and Recovery,
and selecting “Directory Service Restore Mode” from the Default
operating system drop-down list.
3. Restart ROOTDC1. When ROOTDC1 restarts, it will come up in Directory
Services Restore Mode.
4. Log in to ROOTDC1 using the DSRM credentials provided in the
introduction.
Perform a system state
restore on ROOTDC1
1. Log in to ROOTDC1 using the DSRM credentials provided in the
introduction.
2. From the Start menu, select Run, enter NTBACKUP, and press the Ok
button.
3. On the initial NTBACKUP dialog, click Next.
4. On the Backup or Restore Wizard dialog, select restore files and
settings and click Next.
5. On the What to Restore dialog, double-click the File entry on the left,
double-click on the appropriate backup file, check the System State
entry, and click Next.
6. On the Complete the Backup or Restore Wizard dialog, click the
Advanced button, ensure that the entry for Restore files to: is set to
Original location, and press Next.
7. On the How to Restore dialog, select Leave existing files, and press
Next.
8. On the Advanced Restore options dialog, check When restoring
replicated datasets, mark the restored data as the primary data
for all replicas, and press Next. This will mark the restored SYSVOL as
authoritative for the entire domain and start the restore.
9. Do NOT restart ROOTDC1 at this time.
Use NTDSUTIL to
create LDIF files
1. On ROOTDC1, run NTDSUTIL
2. At the ntdsutil prompt, type authoritative restore.
3. At the authoritative restore prompt, type create ldif file(s) from
<filename>, where <filename> is the name of the .txt file you copied
from CHILDDC1, for example ar_20061106-122231_objects.txt. This
will create LDIF files to run to restore group memberships in the
DRROOT domain.
Note: The only reason we perform an authoritative restore
on a DC in the DRROOT domain is so that NTDSUTIL can
create an LDIF file containing the group memberships in
the domain. Because we will not perform an authoritative
restore, the normal replication process in the DRROOT
domain will overwrite the data we have non-authoritatively
restored.
Reboot ROOTDC1 into
normal mode
1. On ROOTDC1, edit the DC startup parameters by right-clicking My
Computer and selecting Properties/Advanced/Startup and Recovery.
2. Select Windows Server 2003, Enterprise from the Default
operating system drop-down list.
3. Save your changes by pressing Ok twice.
4. Restart ROOTDC1.
Import LDIF files
created by NTDSUTIL
on ROOTDC1
1. Log in to ROOTDC1 using the domain administrator credentials provided
in the introduction.
2. Run LDIF to import the LDIF files created in the previous step, for
Copyright © 2008 NetPro
All rights reserved.
Page 13
Active Directory Disaster Recovery Lab Manual
instance:
ldifde –I –k – f ar_20061106124131_links_drroot.local.ldf
C:\>
3. Run Active Directory Users and Computers and verify the appropriate
DRROOT group memberships have been updated with the restored
users.
Summary
Copyright © 2008 NetPro
All rights reserved.
In this exercise we deleted an entire OU containing many users, and
recovered the users, along with their group memberships using authoritative
restore.
Page 14
Active Directory Disaster Recovery Lab Manual
LAB 3: Object Recovery Using Reanimation
Goals

Learn how to reanimate a deleted object.

Understand what happens when you reanimate an object.

Understand the benefits and limitations of object reanimation as a data recovery mechanism.

See how third-party tools can simplify data recovery using object reanimation.
Introduction
The lab focuses on recovering deleted Active Directory objects by reanimating them. You should have a good
understanding of the following concepts from the presentation:

Tombstoned objects and how they are created.

Linked attributes and how they are maintained, including forward links and backward links.

What happens when you reanimate an object.
Copyright © 2008 NetPro
All rights reserved.
Page 15
Active Directory Disaster Recovery Lab Manual
Copyright © 2008 NetPro
All rights reserved.
Page 16
Active Directory Disaster Recovery Lab Manual
Exercise 1: Recover User Object Using Object Reanimation
Select a user and
inspect its
memberships
1. On CHILDDC1 (the GC), find a user object, for instance CN=Simpson\,
Bart,OU=Accounts,OU=ChildOU1,OU=DelegatedOUs,DC=child,DC=drroot,DC=local, and note the content of its
memberOf attribute (the backlink). These are the groups in the CHILD
domain that Bart is a member of. Write these down for later.
2. On CHILDDC1, run ADSIEdit, locate the user object, and note the memberOf
attribute. The memberOf attribute will contain backlinks to the Universal
groups in the DRROOT domain that Bart is a member of. ADUC explicitly
filters these to provide a consistent view of the memberOf attribute.
3. On CHILDDC2, the non-GC, do the same thing. The memberOf attribute will
not contain the backlinks to the universal groups in the ROOT domain.
4. On ROOTDC1, run LDP.
5. Connect to ROOTDC1 and bind using adm.root credentials.
6. Search the DRROOT NC to find all the groups of which Bart is a member. Use
the following search filter:
(&(objectclass=group)(member=CN=Simpson\,
Bart,OU=Accounts,OU=ChildOU1,OU=DelegatedOUs,DC=child,DC=drroot,DC=local))
7. Note that the CN component of the DN has an embedded comma and space,
so type carefully! Or even better, cut and paste the DN from another app.
8. Note that Bart is a member of two universal groups and one local group in
the DRROOT domain.
Delete a user
object
1. On CHILDDC1, start Active Directory Users and Computers (ADUC).
2. Find a user object, for instance CN=Simpson\,
Bart,OU=Accounts,OU=ChildOU1,OU=DelegatedOUs,DC=child,DC=root,DC=net.
3. Delete the user object.
4. Use ADUC to verify that the user object has been deleted on CHILDDC2
Find the tombstone
of the deleted
object
1. On CHILDDC1, run LDP
2. Connect and bind to the local domain controller
3. On the menu bar, select Options/Controls and add the “Return deleted
objects” control to the active control list.
4. On the menu bar, select View/View Tree. Use the domain NC
DC=child,DC=drroot,DC=local as the BaseDN of the search.
5. Expand the tree on the left-hand side.
6. Double-click the “CN=Deleted Objects” entry to view the deleted objects.
7. Find the object you deleted, and double-click it to see its contents. Note that
most of its attributes have been removed, and that its CN has been changed.
Also note the value of the “lastKnownParent” attribute.
Reanimate the
deleted object
using ADRECOVER
1. On CHILDDC1, open a command prompt.
2. Use ADRestore from Sysinternals to reanimate the tombstone of the deleted
user object. You can find ADRecover.exe in C:\Workshop\Scripts\Lab 4
Reanimation. Use the –r switch to enable recovery. For instance, to recover
an object with a cn containing the text “bart”, you would use:
C:\Workshop\Scripts\Lab 3 Reanimation> adrestore –
r bart
3. Use ADUC to verify that the user object has been properly restored to its
original location in AD. Note that most of the attributes are still missing.
Object reanimation does not restore group memberships. To
restore group memberships and other linked attributes, you will
have to resort to another mechanism, for instance restoring
memberships from an LDIF file that you create periodically as a
Copyright © 2008 NetPro
All rights reserved.
Page 17
Active Directory Disaster Recovery Lab Manual
backup.
4. Use ADUC to restore the group memberships in the CHILD domain.
5. Login to ROOTDC1 and use ADUC to restore the group memberships in the
DRROOT domain.
Copyright © 2008 NetPro
All rights reserved.
Page 18
Active Directory Disaster Recovery Lab Manual
LAB 4: Group Policy Recovery
Goals

Understand the special challenges of Group Policy backup and recovery.

Learn how to leverage GPMC to script GPO backups.

Learn how to determine differences in current and backed-up GPOs.

Learn how to recover a GPO to its original state.
Introduction
The lab focuses on recovering Group Policy objects. You should have a good understanding of the following
concepts from the presentation:

Storage location for GPO data in AD and the File-System.

Recovering GPOs from a system state backup is a difficult process – better be prepared by performing
separate backups.

Capabilities and limitations of GPMC APIs.
This lab includes three exercises. The first exercise simply shows how to script Group Policy backup. The
second exercise will involve mis-configuring an existing GPO and evaluating the changes compared to the
backed up GPOs. Finally, we will restore a GPO.
Copyright © 2008 NetPro
All rights reserved.
Page 19
Active Directory Disaster Recovery Lab Manual
Exercise 1: Backup All Group Policies in the Forest
Back up GPOs and
create a GPO
report
1. Log in to ROOTDC1 using the domain administrator credentials provided in the
introduction.
2. Open a command window and go to the C:\Workshop\Scripts\Lab 5 GPO
Backup folder.
3. Back up the GPOs of the DRROOT domain and CHILD domain using the
following commands:
C:\Workshop\Scripts\Lab 4 GPO backup> GPO_Backup
drroot.local
C:\Workshop\Scripts\Lab 4 GPO backup> GPO_Backup
child.drroot.local
This will back up the GPOs of both domains to C:\Workshop\Backup as well as
create a GPO report for each. The output should look something like the following:
Figure 3 Backing up GPOs using the GPO-Backup command
4. Explore C:\Workshop\Backup. You should see a folder structure similar to the
following:
Copyright © 2008 NetPro
All rights reserved.
Page 20
Active Directory Disaster Recovery Lab Manual
Figure 4 Folder structure after backing up GPOs
Note: The reports for the GPOs in a domain do contain
information on where the GPO is linked (e.g. Default Domain
Controllers Policy) but they do NOT list links to sites. However,
these are contained in the _GPO-LinkTree.txt file in the same
directory.
Copyright © 2008 NetPro
All rights reserved.
Page 21
Active Directory Disaster Recovery Lab Manual
Exercise 2: Change existing GPO and Analyze Changes via GPO Reports
Change an existing
GPO
1. Log in to ROOTDC1 using the domain administrator credentials provided
in the introduction.
2. Run GPMC (Start Menu/Administrative Tools/Group Policy Management)
3. Edit the Default Domain Policy and change the Minimum Password
Length to 14.
Figure 5 Using GPMC to change the minimum password length
We’ve now made a policy change that will result in a lot of unhappy users!
Back up GPOs and
create a GPO report
1. On ROOTDC1, open a command window and go to the
C:\Workshop\Scripts\Lab 5 GPO Backup folder.
2. Back up the GPOs of the DRROOT domain and CHILD domain using the
following commands:
C:\Workshop\Scripts\Lab 5 GPO Backup> GPOBackup drroot.local
C:\Workshop\Scripts\Lab 5 GPO Backup> GPOBackup child.drroot.local
Use WINDIFF to
identify changes in
GPOs
The Windows Support Tools have been installed on all DCs in the lab. These
tools include the WINDIFF tool. We will use WINDIFF to find the difference
between the current and the previous settings in the GPOs leveraging the
GPO reports created during backup.
We can use WINDIFF to compare changes between directories and all their
files, or between specific files. Since the creation of a GPO will always write a
new "Data collected on" timestamp to each GPO, a directory compare will
always show changes for all GPOs in the report. In this task we will compare
the Default Domain Policy reports to see what's changed.
1. On ROOTDC1, start WINDIFF by selecting Run from the Start menu,
typing WINDIFF, and press Ok.
2. From the File menu, select Compare files.
3. In the "Select First File" window, navigate to the Report directory of your
first GPO backup and select the Default Domain Policy.html file
4. In the "Select Second File" window, navigate to the Report directory of
Copyright © 2008 NetPro
All rights reserved.
Page 22
Active Directory Disaster Recovery Lab Manual
your last GPO backup and also select the Default Domain Policy.html file
5. WINDIFF will report that it found differences between the files. Expand
the results (either double-click the line or click EXPAND)
6. From the Menu goto Options and unselect the "Show Identical Lines"
option – this will clean up the results. You should now clearly see the
changes between the two files:
Figure 6 Results of WINDIFF
You could of course simply edit the GPO setting back to its original value. We
will instead restore the GPO from backup.
Summary
Copyright © 2008 NetPro
All rights reserved.
We have used a command-line script to backup our GPOs, and used the
resulting report to identify what GPO settings were changed.
Page 23
Active Directory Disaster Recovery Lab Manual
Copyright © 2008 NetPro
All rights reserved.
Page 24
Active Directory Disaster Recovery Lab Manual
Exercise 3: Restore a GPO using GPMC
Use GPMC and the
Restore Group Policy
Wizard to restore a
GPO
1. Log in to ROOTDC1 using the domain administrator credentials provided
in the introduction.
2. Run GPMC (Start Menu/Administrative Tools/Group Policy Management)
3. Navigate to the Group Policy Object folder and right-click on the GPO to
be restored – in our case the Default Domain Policy
Figure 7 Using GPMC to restore a GPO from backup
4. Right-click on the Default Domain Policy and select Restore from
Backup… This will start the Restore Group Policy Object Wizard.
5. At the Backup location page, browse to Policies folder where the
backup was saved, and press Next.
Figure 8 Selecting the folder to restore GPOs from
6. Confirm the correct date and time of the backup, and press Next twice
to complete the wizard. This will restore the GPO from the backup copy.
Verify GPO restoration
Copyright © 2008 NetPro
All rights reserved.
1. Log in to ROOTDC1 using the domain administrator credentials provided
in the introduction.
Page 25
Active Directory Disaster Recovery Lab Manual
2. Run GPMC (Start Menu/Administrative Tools/Group Policy Management)
3. Find the Default Domain Policy and inspect the Minimum Password
Length setting. It should be restored to its original value of 0.
Summary
Copyright © 2008 NetPro
All rights reserved.
In this exercise we have used the Restore Group Policy Object Wizard of the
Group Policy Management Console to restore a GPO from backup.
Page 26
Active Directory Disaster Recovery Lab Manual
LAB 5: Forest Recovery
Goals

Learn the steps required to perform a full forest recovery after a forest-scope disaster.
Introduction
This lab covers the steps required to restore an entire Active Directory forest from backup. The forest
structure in our lab is relatively simple, but you will get a chance to perform all of the tasks you will need to
perform in a real environment (except dealing with angry users!). We will not cover restoring networking
infrastructure, nor will we cover restoring applications that depend on Active Directory such as Exchange.
In the first exercise we will corrupt the schema in such a way as to make Active Directory unusable. The
change will replicate, and all the DCs in the forest will become non-functional.
In the second exercise we will restore the first DC in the root domain
Exercise 1: Melt Down the Forest
Make sure you have a
system state backup of
each domain
1. Log in to ROOTDC1 using the domain administrator credentials provided
in the introduction.
2. Make sure there is a system state backup for the DC in
C:\Workshop\Backup. If there is no system state backup present, create
one.
3. Do the same thing on CHILDDC1.
Melt down the forest
1. Open a command window and go to C:\Workshop\Scripts\Lab 6 Forest
Recovery.
2. Run the Corrupt-Schema.cmd file:
C:\Workshop\Scripts\Lab 5 Forest Recovery>
Corrupt-Schema
The Corrupt-Schema command doesn’t actually do anything
nefarious. It simply displays a message.
Copyright © 2008 NetPro
All rights reserved.
Page 27
Active Directory Disaster Recovery Lab Manual
Exercise 2: Recover First DC of the Root Domain
Shut down all DCs in
the forest except
ROOTDC1
1. Shut down all DCs in the forest with the exception of ROOTDC1. Make
sure all DCs are completely shut down before continuing.
Boot ROOTDC1 into
Directory Service
Restore Mode
2. Log in to ROOTDC1 using the domain administrator credentials provided
in the introduction.
3. On ROOTDC1, edit the startup parameters by right-clicking My
Computer, selecting Properties/Advanced/Startup and Recovery,
and selecting “Directory Service Restore Mode” from the Default
operating system drop-down list.
4. Restart ROOTDC1. When ROOTDC1 restarts, it will come up in Directory
Services Restore Mode.
Perform a system state
restore of ROOTDC1
1. Log in to ROOTDC1 using the DSRM credentials provided in the
introduction.
2. From the Start menu, select Run, enter NTBACKUP, and press the Ok
button.
3. On the initial NTBACKUP dialog, click Next.
4. On the Backup or Restore Wizard dialog, select restore files and
settings and click Next.
5. On the What to Restore dialog, double-click the File entry on the left,
double-click on the appropriate backup file, check the System State
entry, and click Next.
Figure 9 Selecting System State restore
6. On the Complete the Backup or Restore Wizard dialog, click the
Advanced button, ensure that the entry for Restore files to: is set to
Original location, and press Next.
7. On the How to Restore dialog, select Leave existing files, and press
Next.
8. On the Advanced Restore options dialog, check When restoring
replicated datasets, mark the restored data as the primary data
for all replicas, and press Next. This will mark the restored SYSVOL as
Copyright © 2008 NetPro
All rights reserved.
Page 28
Active Directory Disaster Recovery Lab Manual
authoritative for the entire domain and start the restore.
9. Edit the startup parameters by right-clicking My Computer, selecting
Properties/Advanced/Startup and Recovery, and selecting “Windows
Server 2003, Enterprise” from the Default operating system drop-down
list.
10. Restart ROOTDC1. When ROOTDC1 restarts, it will come up in normal
mode.
Copyright © 2008 NetPro
All rights reserved.
Page 29
Active Directory Disaster Recovery Lab Manual
Disable Global Catalog
1. Log in to ROOTDC1 using the domain administrator credentials provided
in the introduction.
2. Run Active Directory Sites and Services, right-click the entry for
ROOTDC1, select Properties, uncheck the Global Catalog check box,
and press Ok.
Increase the RID pool
values for the domain
1. On ROOTDC1, run LDP, and connect to the DC using default credentials.
2. On the Browse menu, select Search.
3. Enter CN=Rid Manager$,CN=System,DC=drroot,DC=local for the base
DN, and select Base as the scope.
4. In the Search options dialog, add rIDAvailablePool to the attribute list.
5. Press the Run button. You should see the attributes of the Rid Manager$
object.
6. Copy the value of the rIDAvailablePool attribute to the clipboard, and
use the Large Integer Converter on the Utilities menu to inspect the
low part and the high part of the attribute. These are the RID starting
(low part) and ending values (high part) for the RID pool on the DC.
7. Add 100000 to the rIDAvailablePool value. For instance, if the large
integer value was 4611686014132522711, the new value should be
4611686014132622711.
This will increase the low part, which means that the next pool to be
allocated by the RID master would be 100000 plus the low part you’ve
previously evaluated. This ensures that no duplicate RID values would be
allocated in the forest due to the restore and thus no duplicate SIDs should
be created with the creation of new objects.
Seize all forest and
domain FSMO roles
8. On the Browse menu, select Modify.
9. In the Modify dialog, insert the DN for the Rid Manager$ object. You can
cut and paste it from the right-hand side.
10. Specify rIDAvailablePool as the attribute to modify.
11. Enter the new value for rIDAvailablePool.
12. Select Replace as the attribute operation and press the Enter button.
This adds the attribute replace operation to the operation list. If you
make a mistake, you can remove the operation from the list by selecting
and pressing the Remove button.
14. Press the Run button to update the object.
1. On ROOTDC1, check the ownership of the five FMSO roles using the
NETDOM command.
C:\> netdom query /server:rootdc1 fsmo
In this lab, ROOTDC1 should already hold all the FSMO roles, and you
should not need to take any further action. If another DC holds any of
the FSMO roles, seize them using the NTDSUTIL program, as described
in the following steps.
2. At the ntdsutil: prompt, type roles.
3. At the fsmo maintenance: prompt, type connections.
4. At the server connections: prompt, type connect to server
rootdc1.drroot.local. Seize any roles necessary using the appropriate
fsmo maintenance command.
5. At the server connections: prompt, type quit.
6. Type quit to exit fsmo maintenance menu
Clean up metadata for
all other DCs in the
DRROOT domain
Copyright © 2008 NetPro
All rights reserved.
You should still be running NTDSUTIL on ROOTDC1, and NTDSUTIL should
still be connected to rootdc1.drroot.local.
Note that in this lab we have only one DC in the root
domain, so there is no metadata to clean up. You can
safely skip this step.
Page 30
Active Directory Disaster Recovery Lab Manual
1.
2.
3.
4.
5.
6.
7.
8.
9.
10.
11.
12.
13.
At the ntdsutil: prompt, type metadata cleanup.
At the metadata cleanup: prompt, type select operation target.
At the select operation target: prompt, type list domains.
At the select operation target: type select domain <number>,
where <number> is the number corresponding to the DRROOT domain.
At the select operation target: prompt, type list sites.
At the select operation target: prompt, type select site <number>,
where <number> is the number of the site where the other DCs in the
DRROOT domain are located (it should be the HubSite).
At the select operation target: prompt, type list servers in site.
At the select operation target: prompt, type select server
<number>, where <number> is the number of the server whose
metadata you want to clean. Note that we are cleaning up the metadata
of all the OTHER DCs in the DRROOT domain, i.e. ROOTDC2, not the
metadata of the DC we are restoring.
At the select operation target: prompt, type quit.
At the metadata cleanup: prompt, type remove selected server.
This will remove the metadata information for the last server you
selected.
In a real environment, you would remove the metadata for all the other
DCs in the DRROOT domain. But because we only have two DCs in the
DRROOT domain, you only have to remove the metadata for one DC.
At the metadata cleanup: prompt, type quit.
At the ntdsutil: prompt, type quit.
Note: The metadata cleanup process has been improved in
Win2003 SP1, as it will automatically delete the
corresponding FRS replication data and the computer object
in the domain of the DC to be cleaned. Only an empty
server object in the sites node of the Configuration NC
remains – this should be removed manually, but is not
critical for this lab.
Copyright © 2008 NetPro
All rights reserved.
Page 31
Active Directory Disaster Recovery Lab Manual
Reset the computer
account password for
ROOTDC1 twice
You should still be logged in as the domain administrator on ROOTDC1.
1. On ROOTDC1, run the NETDOM command to reset the ROOTDC1
computer account password:
C:\> netdom resetpwd /server:rootdc1 /userd:
adm.root /passwordd: *
2. Run the same NETDOM command again. This will clear the password
stored in the machine’s password history.
Reset the krbtgt
password of ROOTDC1
twice
You should still be logged in as the domain administrator on ROOTDC1.
1. On ROOTDC1, run Active Directory Users and Computers.
2. Find the krbtgt account in the CN=Users,DC=drroot,DC=local container.
Note: You have to have Advanced options enabled to see
this account.
3. Right-click on it and select Reset password. Enter a strong password.
4. Repeat to reset the password a second time, and enter a new password.
5. Close ADUC.
Reset all trust
passwords in the
DRROOT domain
You should still be logged in as the domain administrator on ROOTDC1.
1. At a command prompt, type the following:
C:\> netdom trust drroot /domain:child
/resetoneside /passwordt:<new trust password>
/usero:adm.root /passwordo:netpro
This command also resets the trust password history.
Note: Be sure to record the trust password you use; you
will need it again later when you set up the trust going the
other way.
Copyright © 2008 NetPro
All rights reserved.
Page 32
Active Directory Disaster Recovery Lab Manual
Exercise 3: Recover First DC of CHILD Domain
Boot CHILDDC1 into
Directory Service
Repair mode
1. Log in to CHILDDC1 using the domain administrator credentials provided
in the introduction.
2. On CHILDDC1, edit the DC startup parameters by right-clicking My
Computer and selecting Properties/Advanced/Startup and Recovery.
3. Select Directory Service Restore Mode from the Default operating
system drop-down list.
4. Save the changes by clicking Ok.
5. Restart CHILDDC1. When CHILDDC1 restarts it will be in Directory
Service Repair Mode
Perform a system state
restore of CHILDDC1
6. Log in to CHILDDC1 using the DSRM credentials provided in the
introduction.
7. From the Start menu, select Run, enter NTBACKUP, and press the Ok
button.
8. On the initial NTBACKUP dialog, click Next.
9. On the Backup or Restore Wizard dialog, select restore files and
settings and click Next.
10. On the What to Restore dialog, double-click the File entry on the left,
double-click on the appropriate backup file, check the System State
entry, and click Next.
Figure 10 Selecting System State restore
11. On the Complete the Backup or Restore Wizard dialog, click the
Advanced button, ensure that the entry for Restore files to: is set to
Original location, and press Next.
12. On the How to Restore dialog, select Leave existing files, and press
Next.
13. On the Advanced Restore options dialog, check When restoring
replicated datasets, mark the restored data as the primary data
for all replicas, and press Next. This will mark the restored SYSVOL as
authoritative for the entire domain and start the restore.
14. Edit the startup parameters by right-clicking My Computer, selecting
Copyright © 2008 NetPro
All rights reserved.
Page 33
Active Directory Disaster Recovery Lab Manual
Properties/Advanced/Startup and Recovery, and selecting “Windows
Server 2003, Enterprise” from the Default operating system drop-down
list.
15. Restart CHILDDC1. When it restarts, it will come up in normal mode.
Change the CHILDDC1
DNS resolver to refer to
ROOTDC1
In this version of the lab, the DNS resolver for CHILDDC1 is
already set to ROOTDC1, and this step is not necessary.
1. Log in to CHILDDC1 using the domain administrator credentials provided
in the introduction.
2. Modify the network configuration of CHILDDC1 to use ROOTDC1 as the
primary DNS server.
Disable the Global
Catalog on CHILDDC1
1. Log in to ROOTDC1 using the domain administrator credentials supplied
in the introduction.
2. On ROOTDC1, run Active Directory Sites and Services, right-click the
entry for CHILDDC1, select Properties, uncheck the Global Catalog
check box, and press Ok.
Increase the RID pool
values for the CHILD
domain
You should still be logged in to CHILDDC1 as a domain administrator.
Seize all domain FSMO
roles
1. Run LDP, and connect to the DC using default credentials.
2. On the Browse menu, select Search.
3. Enter CN=Rid Manager$,CN=System,DC=child,DC=drroot,DC=local for
the base DN, and select Base as the scope.
4. In the Search options dialog, add rIDAvailablePool to the attribute list.
5. Press the Run button. You should see the attributes of the Rid Manager$
object.
6. Copy the value of the rIDAvailablePool attribute to the clipboard, and
use the Large Integer Converter on the Utilities menu to inspect the
low part and the high part of the attribute. These are the RID starting
(low part) and ending values (high part) for the RID pool on the DC.
7. Add 100000 to the rIDAvailablePool value. For instance, if the large
integer value was 4611686014132522711, the new value should be
4611686014132622711.
This will increase the low part, which means that the next pool to be
allocated by the RID master would be 100000 plus the low part you’ve
previously evaluated. This ensures that no duplicate RID values would be
allocated in the forest due to the restore and thus no duplicate SIDs should
be created with the creation of new objects.
8. On the Browse menu, select Modify.
9. In the Modify dialog, insert the DN for the Rid Manager$ object. You can
cut and paste it from the right-hand side.
10. Specify rIDAvailablePool as the attribute to modify.
11. Enter the new value for rIDAvailablePool.
12. Select Replace as the attribute operation and press the Enter button.
This adds the attribute replace operation to the operation list. If you
make a mistake, you can remove the operation from the list by selecting
and pressing the Remove button.
14. Press the Run button to update the object.
You should still be logged in to CHILDDC1 as a domain administrator.
1.
2.
3.
4.
On CHILDDC1, run NTDSUTIL.
At the ntdsutil: prompt, type roles.
At the FSMO maintenance: prompt, type connections.
At the server connections: prompt, type connect to server
childdc1.child.drroot.local.
5. At the server connections: prompt, type quit.
Note: You will receive various errors during the role seizure
Copyright © 2008 NetPro
All rights reserved.
Page 34
Active Directory Disaster Recovery Lab Manual
process indicating that DCs cannot be contacted, or that
you don’t have the rights to perform an operation. Just
continue on regardless.
6. At the fsmo maintenance: prompt, type seize rid master
7. At the fsmo maintenance: prompt, type seize pdc.
8. At the fsmo maintenance: prompt, type seize infrastructure
master.
9. Type quit twice to exit NTDSUTIL.
Clean up the metadata
for all other DCs in the
CHILD domain
You should still be logged in to CHILDDC1 as a domain administrator.
1.
2.
3.
4.
5.
6.
7.
8.
9.
10.
11.
12.
13.
14.
On CHILDDC1, run NTDSUTIL.
At the ntdsutil: prompt, type metadata cleanup.
At the metadata cleanup: prompt, type connections.
At the connections: prompt, type connect to server
childdc1.child.drroot.local.
At the connections: prompt, type quit.
At the metadata cleanup: prompt, type select operation target.
At the select operation target: prompt, type list domains.
At the select operation target: type select domain <number>,
where <number> is the number corresponding to the CHILD domain.
At the select operation target: prompt, type list sites.
At the select operation target: prompt, type select site <number>,
where <number> is the number of the site where the other DCs in the
CHILD domain are located (it should be the HubSite site).
At the select operation target: prompt, type list servers in site.
At the select operation target: prompt, type select server
<number>, where <number> is the number of the server whose
metadata you want to clean. Note that we are cleaning up the metadata
of all the OTHER DCs in the CHILD domain, i.e. CHILDDC2, not the
metadata of the DC we are restoring.
At the select operation target: prompt, type quit.
At the metadata cleanup: prompt, type remove selected server.
This will remove the metadata information for the last server you
selected.
In a real environment, you would remove the metadata for
all the other DCs in the CHILD domain. But since we only
have two DCs in the CHILD domain, you only have to
remove the metadata for one DC.
15. At the metadata cleanup: prompt, type quit.
16. At the ntdsutil: prompt, type quit.
Copyright © 2008 NetPro
All rights reserved.
Page 35
Active Directory Disaster Recovery Lab Manual
Delete server and
computer objects for
all other DCs in the
CHILD domain
1. Log in to ROOTDC1 using the domain administrator credentials provided
in the introduction.
1. Start Active Directory Sites and Services
2. Find the entry for CHILDDC2.
3. Delete the server object for CHILDDC2.
In a real environment you would continue to delete the
server objects for all the other DCs in the forest CHILD
domain.
4.
5.
6.
7.
Close Active Directory Sites and Services.
Start Active Directory Users and Computers
Find the computer object for CHILDDC2.
Delete the computer object for CHILDDC2.
In a real environment you would continue to delete the
computer objects for all the other DCs in the forest CHILD
domain.
8. Close ADUC.
Reset the computer
account password of
CHILDDC1 twice.
1. On CHILDDC1, open a command window and run NETDOM to reset the
computer account password:
C:\> netdom resetpwd /server:childdc1 /userd:
adm.child /passwordd:netpro
Note that the /passwordd switch does in fact have two “d”s.
2. Repeat the command to reset the password again.
Reset the krbtgt
password of CHILDDC1
twice
1. On CHILDDC1, run Active Directory Users and Computers.
2. Find the krbtgt account in the OU=Default,OU=Admin-child OU.
Make sure you have Advanced options enabled to see this
account.
3. Right-click on it and select Reset password. Enter a strong password.
4. Repeat to reset the password a second time, and enter a new password.
5. Close ADUC.
Reset trust password in
the CHILD domain
1. On CHILDDC1, open a command window and run NETDOM to reset the
trust password:
C:\> netdom trust child /domain:drroot
/resetoneside /passwordt:<new trust password>
/usero:adm.child /passwordo:netpro
Be sure to use the same password you used when setting
up the other side of the trust in the DRROOT domain.
This command automatically resets the trust password twice.
Copyright © 2008 NetPro
All rights reserved.
Page 36
Active Directory Disaster Recovery Lab Manual
Exercise 4: Recover CHILDDC2
Boot CHILDDC2 into
normal mode
1. Restart CHILDDC2 in normal mode
Demote the DC
1. Login with the CHILD domain administrator credentials provided in the
introduction.
2. Run DCPROMO /forceremoval to demote the DC to a normal server. Use
netpro as the new server administrator password.
3. Reboot CHILDDC2 as a normal server.
Promote the DC
1. Log in to CHILDDC2 with server administrator credentials.
2. Run DCPROMO, and re-promote CHILDDC2 as a domain controller in the
CHILD domain.
3. On the Domain Controller Type page, select Additional domain
controller for an existing domain.
4. On the Network Credentials page, specify adm.child as the user
name, netpro as the password, and CHILD as the domain.
5. On the Additional Domain Controller page, specify child.drroot.local
as the full DNS name of the domain.
6. On the Database and Log Folders page, accept the defaults.
7. On the Shared System Volume page, accept the defaults.
8. On the Directory Service Restore Mode page, specify netpro as the
restore mode password.
9. Press Next to start the promotion process.
10. Reboot the server as a domain controller.
Move the infrastructure
master role to
CHILDDC2
1. Login to CHILDDC2 using the domain administrator credentials provided
in the introduction.
2. Run NTDSUTIL
3. A the ntdsutil: prompt, type roles.
4. At the fsmo maintenance: prompt, type connections.
5. At the connections: prompt, type connect to server childdc2.
6. At the connections: prompt, type quit.
7. At the fsmo maintenance: prompt, type transfer infrastructure
master.
8. At the fsmo maintenance prompt: type quit.
9. At the ntdsutil: prompt, type quit.
Check for proper
replication
Various replication problems can occur immediately after
recovering the forest, as evidenced by errors in the Active
Directory event logs, and failed replication operations.
Usually these problems will sort themselves out over time,
but sometimes not. Microsoft KB 938704 provides a
solution for some of these problems.
1. On ROOTDC1, login as the domain administrator.
2. Run REPLMON, and add all three domain controllers to the domain
controller list
3. Open all replica entries and verify there are no replication errors. If there
are an errors, use REPLMON to start a replication
4. Start Active Directory Sites and Services, and add a new test site.
5. Login to the other domain controllers and verify the new site has
replicated properly.
Copyright © 2008 NetPro
All rights reserved.
Page 37