1

Day 1: Only one Domain Controller (DC1) is present. Windows Server Backup is configured on DC1 to save the system state. Delete an important user from AD.

Day 2: Promote additional Domain Controller (DC2).

Day 3: Boot DC1 into DSRM and revert to Day 1 via System State Recovery (non-authorative). Mark the important user for restore via ntdsutil (authorative). Reboot DC1.

DC1 does not sync with DC2 and DC2 does not know show up in Active Directory Users and Computers on DC1. Active Directory Sites and Services shows the NTDS object of DC2 (synced back to DC1 from other domains in the forest I assume), but we cannot run a metadata cleanup since it cannot find the computer object. At this point because DC1 does not sync with other Domain Controllers, the whole AD was reverted back to Day 1 instead of just restoring the important user.

Can we recover from this situation? Is this expected behavior or was there a prerequisite missing in the environment?

David Trevor
  • 205
  • 1
  • 12

2 Answers2

3

Your mileage may vary, but in Active Directory in my opinion there is no sane way to do single-object restores. Things are way to interconnected and objects are changing all the time (that's probably the "active" in Active Directory).

I would suggest to enable the Active Directory Recycle Bin for cases like the one you ran into.

Doing a System State Recovery is almost always only feasible for disaster recovery (i.e. when you've lost all your DCs). However, In such a case you have probably lost a lot more than that, so starting fresh may be the better option in that case.

Andreas Rogge
  • 2,853
  • 11
  • 24
  • A good point to be made. The System State Recovery for single object restore will be just one tool in our disaster recovery plan in case the Recycle Bin does not work. – David Trevor Aug 25 '23 at 06:04
0

The problem you have is that in your backup (day1) there was no 2nd DC. The method you took would normally work and would allow you to restore just the one object IF DC2 was part of the domain when you did the backup on DC1.

You kind of have a chicken and egg scenario - When you restore DC1 (as you righly pointed out), it isn't aware of DC2, so it won't trust it (for replication). And DC2 cannot make itself authoritive over DC1 for the same reason. So you end up with 2 separate versions of your AD because the DCs don't trust each other. You can't fix this, you were just unlucky in that you deleted an important object before you had your 2nd DC online.

Mucker
  • 382
  • 2
  • 10