
Before I begin, I will be the first to admit that much of this problem stemmed from failing to follow best practices pertaining to deployment and disaster recovery of AD servers. Much has been learned from this going forward, but right now I’m just trying to do damage control before reestablishing best practices.

Currently I have a WS2016 Domain Controller (unfortunately I failed to create a second one before my problem occurred). I seriously botched some DNS modifications and I’m needing to roll back to a snapshot I created shortly after setting up the AD/DNS/DHCP roles. My problem is that I do not have any backups/save states in between then and the botched DNS problem.

My hope was to back up and restore the different components individually (such as GPOs, DHCP configurations, registry, and the AD database (especially Users and Computers)) without restoring the entire save state or server. As I don’t have any full backups or save states that include the users and computers from before this problem, I don’t believe restoring the server state backup I have would solve my issue.

I have already created individual backups for GPOs, DHCP configurations, and registry. However, I am struggling to figure out how to back up and restore the Users and Computers components.

I would rather not start completely over with a new AD, as migrating users would be cancerous. If there is not a way to back up and restore Users and Computers, I would also be comfortable with a solution that allows me to manually recreate every user and computer in such a way that would be compatible with the restored GPOs. Additionally, if there’s a way to back up the entire AD database without requiring a full server restore, that would also be acceptable.

After fixing this my plan is to set up a proper secondary DC, schedule regular backups, and require snapshots before every attempt to modify the server. But I need to have this targeted restore handled first.

EDIT: Turns out my DNS problem was a lot easier to fix than I thought. I was getting access denied when trying to load several AD-related snap-ins, such as DNS or Active Directory Administrative Services. Additionally, joining new computers to the domain was resulting in errors. This was the solution: https://support.microsoft.com/en-us/help/2751452/dns-zones-do-not-load-event-4000-4007

Due to this fix, I no longer have this backup problem, but I have marked Massimo's answer as correct to my original question, as it is good to know that partial/separate backups of AD are not possible and that DNS is tied into the AD database. Very much noted to take more regular state and full server backups!

Trent
    It's not clear to me what you do and do not have a backup of and how you created those backups. Please clarify this. Also, what is the exact problem you're trying to solve? What DNS modifications did you make? What is the current state of AD and DNS? – joeqwerty May 19 '19 at 19:25

1 Answer

You can't export or import the contents of an Active Directory database; an AD backup can only be performed via a system state backup of a domain controller, and there is no supported way to extract AD data from it.

Also, if you are using AD-integrated DNS zones, DNS data are stored in the Active Directory database; an AD backup would thus also include your "botched" DNS data, and restoring it would also restore them.

Massimo
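The answer above boils down to two points: the only supported backup of the directory is a system state backup of a domain controller, and AD-integrated DNS zones ride along inside that same database. The following PowerShell script is an added example (it is not from the question, the answer, or any Microsoft documentation) that puts both points into practice on a single WS2016 DC: it lists which DNS zones are stored in AD, records object counts you can compare against after a restore, and takes the system state backup with `wbadmin`. It assumes an elevated session on the DC, the ActiveDirectory, DnsServer and GroupPolicy modules, and a backup target volume `E:` (a placeholder; pick a non-system volume of your own).

```powershell
#Requires -RunAsAdministrator
# Added example, not part of the original Q&A. Inventory what a DC's system
# state backup must cover, then take that backup. Restoring users, computers,
# GPOs and AD-integrated DNS separately is not supported; they come back
# together when the system state is restored.

Import-Module ActiveDirectory
Import-Module DnsServer
Import-Module GroupPolicy

$BackupTarget = 'E:'   # placeholder: a dedicated volume, never the system volume

# 1. DNS zones flagged IsDsIntegrated live in the AD database (NTDS.dit), so
#    the system state backup captures them and a restore brings them back too.
$adZones = Get-DnsServerZone |
    Where-Object { $_.IsDsIntegrated -and -not $_.IsAutoCreated } |
    Select-Object ZoneName, ZoneType, ReplicationScope
Write-Host "AD-integrated DNS zones (stored inside the AD database):"
$adZones | Format-Table -AutoSize

# 2. Object counts taken before the backup give you something concrete to
#    verify against once a restore has completed. This is a sanity check,
#    not an export: AD objects cannot be exported and re-imported this way.
$summary = [ordered]@{
    Users     = @(Get-ADUser     -Filter *).Count
    Computers = @(Get-ADComputer -Filter *).Count
    GPOs      = @(Get-GPO -All).Count
    DnsZones  = @($adZones).Count
}
Write-Host "Directory inventory before backup:"
[pscustomobject]$summary | Format-List
$summary | ConvertTo-Json | Set-Content (Join-Path $BackupTarget 'ad-inventory.json')

# 3. Windows Server Backup provides wbadmin; install it if it is missing.
if (-not (Get-WindowsFeature -Name Windows-Server-Backup).Installed) {
    Install-WindowsFeature -Name Windows-Server-Backup
}

# 4. The system state backup covers NTDS.dit, SYSVOL (GPO templates),
#    the registry, and the AD-integrated DNS zones listed above.
wbadmin start systemstatebackup -backupTarget:$BackupTarget -quiet

# 5. Record the version identifier; a later restore is run from Directory
#    Services Restore Mode with:
#    wbadmin start systemstaterecovery -version:<version id> -backupTarget:E:
wbadmin get versions -backupTarget:$BackupTarget
```

Run this on a schedule rather than only before risky changes: the gap the question describes (a snapshot from right after promotion and nothing since) is exactly what a regular system state backup closes. Keep the inventory file with the backup so that after a restore you can check the user, computer and GPO counts match what was there before.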