How to Restore Active Directory (Full Restore & System State)

by Robert Allen

In this guide, you will learn how to restore Active Directory from a Windows Server Backup.

You will need to have a full server backup or a system state backup to continue. If you need backup instructions, check out my guide on how to back up Active Directory.

I’m going to show you two options for restoring an Active Directory server:

  1. Full Server Restore
    • Requires a Windows full server backup.
    • Allows recovery when the machine won’t start.
    • Allows a bare metal restore, which means you can restore to a different machine or different hardware.
  2. System State Restore
    • Allows recovering important system files such as the Active Directory database, the registry, and SYSVOL.
    • Does not work well when restoring to different hardware. Works best for restoring to the same machine.

Important: Make sure to test your backups at least once a year. You don’t want to have an incident that requires a restore and find out your backups are no good. If using VMs you can easily test both restore options in a lab environment.

In my testing, a full server restore works best and is far more flexible than a system state restore. A full server backup also includes a system state backup, so it supports both restore options.
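Before either restore option is an option at all, the backup has to exist and has to be young enough to use. The following is an added example, not code from the original article: it reports the last successful Windows Server Backup on the domain controller, compares its age against the forest tombstone lifetime (a DC backup older than that must not be restored, because it would resurrect objects the other DCs have already purged), and lists which stored versions support a full server (bare metal) restore, a system state restore, or both. It assumes the WindowsServerBackup and ActiveDirectory PowerShell modules are present on the DC, an elevated prompt, and a one-day freshness policy that is a made-up value for the example; the member names of the RecoverableItems flags value are as they render in Get-WBBackupSet output.

```powershell
# Added example (not part of the original article): is there a DC backup, and is it
# still usable? Assumes the WindowsServerBackup and ActiveDirectory modules, run
# elevated on the domain controller.
Import-Module WindowsServerBackup
Import-Module ActiveDirectory

$maxAgeDays = 1   # assumed local policy: a DC with no backup from the last day is a finding

# Effective tombstone lifetime. The attribute is unset in forests created before
# Windows Server 2003 SP1, in which case the default of 60 days applies.
$configNC      = (Get-ADRootDSE).configurationNamingContext
$dsObject      = Get-ADObject "CN=Directory Service,CN=Windows NT,CN=Services,$configNC" -Properties tombstoneLifetime
$tombstoneDays = if ($dsObject.tombstoneLifetime) { $dsObject.tombstoneLifetime } else { 60 }

$summary = Get-WBSummary
if (-not $summary.LastSuccessfulBackupTime) {
    Write-Warning "No successful Windows Server Backup has ever completed on $env:COMPUTERNAME."
    return
}

$age = (Get-Date) - $summary.LastSuccessfulBackupTime
Write-Host ("Last successful backup: {0} ({1:N1} days ago) to {2}" -f $summary.LastSuccessfulBackupTime, $age.TotalDays, $summary.LastBackupTarget)

if ($age.TotalDays -gt $tombstoneDays) {
    Write-Warning "Backup is older than the tombstone lifetime ($tombstoneDays days); restoring it would reintroduce purged objects. Do not use it."
} elseif ($age.TotalDays -gt $maxAgeDays) {
    Write-Warning "Backup is older than the $maxAgeDays-day policy threshold."
}

# Which restore option each stored version supports. RecoverableItems is a flags value;
# rendered as a string it reads like "Volumes, SystemState, BareMetalRecovery".
Get-WBBackupSet | Sort-Object BackupTime -Descending | ForEach-Object {
    $items = "$($_.RecoverableItems)"
    [pscustomobject]@{
        BackupTime         = $_.BackupTime
        FullServerRestore  = $items -match 'BareMetalRecovery'   # Option 1 in this guide
        SystemStateRestore = $items -match 'SystemState'         # Option 2 in this guide
        VersionId          = $_.VersionId                        # the value wbadmin expects for -version:
    }
} | Format-Table -AutoSize
```

Run it from the same scheduled job that performs the backup, or once a month by hand, and treat any warning as a finding: a backup you discover is unusable on the day of the incident is the scenario the "test your backups" advice above is about.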

Video Tutorial

If you don’t like videos then continue reading the details below.

Option 1: Full Active Directory Server Restore

In this example, the network was hit with a virus, users can’t log into the network, and the server keeps blue screening. I’ve tried to reboot and repair it with no luck. It’s time to completely restore the server from backup.

active directory server error

Step 1: Shutdown Server

Shut down the infected domain controller. It is no longer needed as we will be creating a new server from backup.

Step 2: Create New Server

I’m going to create a new server and attach my backup disk to it. I’m using Hyper-V, but this will work with any hypervisor or a physical machine.

You must have your backup on a dedicated disk for this to work. If using a physical machine this could be a dedicated external drive or a secondary internal drive. For a VM this is a secondary attached drive.

dedicated backup disk

  1. Attach the backup disk to the new server.
  2. Boot from the Windows Server ISO, just like you would for installing a new server.

Step 3: Repair Your Computer

Boot the server from the Windows Server ISO and select “Repair your computer”.

select repair your computer

Click on “Troubleshoot”.

select troubleshoot

Click on “System Image Recovery”.

select system image recovery

Now you should get the option to use the latest backup or select a system image. I’ll choose the latest backup.

select backup image

Click “Next”.

Click “Finish”.

The restore progress window will display.

restore progress

When the restore is complete you should have a working server from the last good backup. I’m able to log in and Active Directory is working as expected. Restoring from a system image is very fast; the whole restore process took about 10 minutes.

active directory restore screenshot
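The same full server restore can be driven from the WinRE command prompt (Repair your computer > Troubleshoot > Command Prompt) instead of the System Image Recovery wizard, which is handy when the wizard cannot see the backup disk or when you want the steps recorded in a runbook. This is an added example, not part of the original article; it assumes the backup disk shows up as E: inside WinRE (drive letters there can differ from the running OS, so check with diskpart and "list volume" first), that the original domain controller was named DC01, and that the version identifier 05/21/2020-22:00 is a constructed placeholder you replace with one from the listing. wbadmin start sysrecovery is only available from WinRE.

```powershell
# Added example (not part of the original article): command-line form of the full
# server restore, typed at the WinRE command prompt on the NEW server with the backup
# disk attached. Assumed: backup disk is E:, original DC was DC01, version id is a placeholder.

# 1. List the versions stored on the backup disk. The output shows each version
#    identifier (MM/DD/YYYY-HH:MM) and what it can recover; a version that lists
#    "Bare Metal Recovery" is the one a full server restore needs.
wbadmin get versions -backupTarget:E: -machine:DC01

# 2. Bare metal restore of every volume from the chosen version.
#    -restoreAllVolumes restores all volumes in the backup, not just the system ones.
#    -recreateDisks rebuilds the disk layout as it was at backup time and wipes the
#    target disks, which is what a restore onto a fresh machine needs.
#    The confirmation prompt is left on (no -quiet) so a wrong disk or version can
#    still be caught before anything is erased.
wbadmin start sysrecovery -version:05/21/2020-22:00 -backupTarget:E: -machine:DC01 -restoreAllVolumes -recreateDisks

# 3. When the restore reports success, detach the ISO and reboot into the restored
#    server, then confirm that AD DS, DNS and SYSVOL are working before returning it
#    to service.
```

The -machine switch only matters when one backup disk holds backups for several servers; leaving it off on a single-server disk is fine, but naming the machine explicitly is a cheap guard against restoring the wrong server's image onto a blank box.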

Option 2: Active Directory System State Restore

In this example, something has gone badly wrong with Active Directory. Some critical services will not start, no users or computers are displayed in Active Directory, and DNS is not working. The server boots fine and I can log into the server, so the operating system is OK. In this case, I can do a system state restore to repair Active Directory Domain Services.

active directory users and computers

1. Boot into Directory Services Restore Mode (DSRM)

Reboot the server and start pressing F8 to access the Advanced Boot Options menu.

Select “Directory Services Repair Mode” and press Enter.

directory services repair mode

Log into the server with the local administrator account (.\Administrator) using the DSRM password that was set when the domain controller was promoted. The domain services will not be available, so the local account will be the only account available.

2. Open Windows Server Backup

Select Recover.

select recover

Select “This Server” for where the backup is stored.

Select the backup you want to restore, then click “Next”.

Select “System state” and click “Next”.

select system state recovery

Select “Original Location”. You need to consider whether an authoritative restore of Active Directory is needed. If you have other sites that contain healthy domain controllers, you may not need an authoritative restore. In this example, I have only one site, so I want to reset all replicated content.

restore to original location

On the confirmation page click the “Recover” button to start the restore process. The restore will now start, and you will see a progress page. The system state restore takes much longer than a full restore (not sure why).

system state recovery progress
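The wizard steps above map onto a handful of commands, which is useful when F8 cannot be reached (common on virtual machines with fast boot) or when the procedure needs to be scripted and reviewed. What follows is an added example, not code from the original article: a sequence of commands spanning two reboots rather than a single script. It assumes the backup is on E:, that 05/21/2020-22:00 is a constructed placeholder for a version identifier taken from the listing, and that OU=Sales,DC=ad,DC=example,DC=com is a constructed example of an object subtree that needs to be authoritative. The distinction it demonstrates is the one the "Original Location" step hides: the wizard's authoritative checkbox (wbadmin -authsysvol) only makes SYSVOL authoritative, while authoritative restore of Active Directory objects is a separate ntdsutil step that must be run in DSRM before rebooting.

```powershell
# Added example (not part of the original article): command-line equivalent of the
# "Recover > System state" wizard, run as separate steps across two reboots.
# Assumed values: backup on E:, placeholder version id 05/21/2020-22:00,
# placeholder subtree OU=Sales,DC=ad,DC=example,DC=com.

# --- Step A: on the running (broken) DC, elevated. Force the next boot into DSRM
#     instead of relying on F8. The braces are quoted so PowerShell does not parse
#     {default} as a script block.
bcdedit /set '{default}' safeboot dsrepair
Restart-Computer

# --- Step B: in DSRM, logged on as .\Administrator with the DSRM password ---
# Version identifiers on the backup disk (MM/DD/YYYY-HH:MM)
wbadmin get versions -backupTarget:E:

# Non-authoritative restore (the wizard's default). After reboot, replication
# partners send this DC every change newer than the backup, so this is the right
# choice whenever healthy DCs exist elsewhere.
wbadmin start systemstaterecovery -version:05/21/2020-22:00 -backupTarget:E: -quiet

# Authoritative SYSVOL restore instead: identical to ticking "Perform an authoritative
# restore of Active Directory files" in the wizard. This DC's SYSVOL (GPOs, logon
# scripts) then overwrites the other DCs' copies. Use one of the two commands, not both.
# wbadmin start systemstaterecovery -version:05/21/2020-22:00 -backupTarget:E: -authsysvol -quiet

# -authsysvol does not make AD objects authoritative. To make restored objects win over
# replication partners (for example an OU that was deleted on every DC), run ntdsutil
# after the system state restore completes and BEFORE leaving DSRM. Each quoted argument
# is one ntdsutil command, so there is no interactive ntdsutil prompt to drive; a
# confirmation dialog still appears before the subtree is marked.
ntdsutil "activate instance ntds" "authoritative restore" "restore subtree OU=Sales,DC=ad,DC=example,DC=com" quit quit

# --- Step C: return to a normal boot. Clear the DSRM flag first, otherwise every
#     reboot lands in DSRM again.
bcdedit /deletevalue '{default}' safeboot
Restart-Computer
```

On a domain with a single domain controller, as in the example above and in the reader question at the bottom of the page, there are no replication partners to overwrite the restored data, so the non-authoritative restore and the authoritative one end in the same state; the ntdsutil step only changes anything when other DCs hold newer data that you want discarded.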

When the restore is complete, reboot and log into the server as normal. You should get a command prompt window showing that the restore was completed. Mine says it was completed with errors but everything seems to be working fine now.

recovery process after reboot
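"Completed with errors" and "seems to be working" deserve a concrete check before the DC goes back into service. The script below is an added example, not part of the original article: a post-restore health check to run from an elevated PowerShell prompt after the normal reboot. It confirms the core DC services are running, that AD DS answers LDAP queries (it would not in DSRM), that the SYSVOL and NETLOGON shares exist, that the DC locator SRV record resolves in DNS, that there are no inbound replication failures, and that dcdiag in quiet mode reports nothing. It assumes the ActiveDirectory, SmbShare and DnsClient modules normally present on a domain controller and a DFS-R replicated SYSVOL (on an FRS domain, replace DFSR with NtFrs in the service list).

```powershell
# Added example (not part of the original article): post-restore health check for a
# domain controller, run elevated after the normal reboot. Assumes the ActiveDirectory,
# SmbShare and DnsClient modules present on a DC, and DFS-R replicated SYSVOL.
Import-Module ActiveDirectory

$results = [System.Collections.Generic.List[object]]::new()
function Add-Check([string]$Name, [bool]$Pass, [string]$Detail) {
    $results.Add([pscustomobject]@{ Check = $Name; Pass = $Pass; Detail = $Detail })
}

# 1. Services a DC cannot do without; any one stopped is a finding
foreach ($svc in 'NTDS', 'DNS', 'Kdc', 'Netlogon', 'DFSR', 'W32Time') {
    $s = Get-Service -Name $svc -ErrorAction SilentlyContinue
    Add-Check "Service $svc running" ($s -and $s.Status -eq 'Running') "$($s.Status)"
}

# 2. The directory answers queries (the symptom in the example was empty ADUC)
$domain = $null
try {
    $domain = Get-ADDomain
    $user   = Get-ADUser -Filter * -ResultSetSize 1
    Add-Check 'AD DS answers LDAP queries' ($null -ne $user) $domain.DNSRoot
} catch {
    Add-Check 'AD DS answers LDAP queries' $false $_.Exception.Message
}

# 3. SYSVOL and NETLOGON must be shared or clients get no GPOs and no logon scripts
$shares = Get-SmbShare -ErrorAction SilentlyContinue | Select-Object -ExpandProperty Name
Add-Check 'SYSVOL and NETLOGON shared' (('SYSVOL' -in $shares) -and ('NETLOGON' -in $shares)) ($shares -join ', ')

# 4. DNS: the DC locator record must resolve or clients cannot find this DC at all
if ($domain) {
    $srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$($domain.DNSRoot)" -Type SRV -ErrorAction SilentlyContinue
    Add-Check 'DC locator SRV record resolves' ($null -ne $srv) (($srv | ForEach-Object NameTarget) -join ', ')
}

# 5. Replication: inbound failures after a restore mean partners are not reconciling.
#    On a single-DC domain this returns nothing, which counts as a pass.
$failures = Get-ADReplicationFailure -Target $env:COMPUTERNAME -ErrorAction SilentlyContinue
Add-Check 'No inbound replication failures' (-not $failures) "$(@($failures).Count) failure(s)"

# 6. dcdiag /q prints only errors, so empty output is a pass
$dcdiag = & dcdiag.exe /q 2>&1
Add-Check 'dcdiag /q reports no errors' ([string]::IsNullOrWhiteSpace(($dcdiag -join "`n"))) (($dcdiag | Select-Object -First 3) -join ' | ')

$results | Format-Table -AutoSize
if ($results.Pass -contains $false) {
    Write-Warning "One or more checks failed; keep this DC out of service until they are resolved."
}
```

A failed check here is the difference between "the restore finished" and "the domain is back": a restored DC whose SYSVOL share never comes up, for instance, will happily answer LDAP while every workstation silently stops applying Group Policy.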

That is it.

I just showed you two options for restoring Active Directory from backup. I recommend using the full server option for backing up Active Directory. It will allow you to restore the full server or just the system state. There may be an incident that requires a full server recovery, and if you only have a system state backup then you are in big trouble.

Recommended Tools

  • AD Cleanup Tool - Find stale and inactive user and computer accounts in Active Directory. Export, disable, move or delete the stale accounts to increase security.
  • AD User Creation Tool - Bulk import or update Active Directory user accounts. Add users to groups, import into OUs, set multiple attributes and more.
  • NTFS Permissions Tool - Scan and audit NTFS folder permissions. See which users and groups have access to what.
  • AD Reporting Tool - Over 200 reports on users, computers, groups, OUs and more. Customize reports or create your own reports with the report builder.

2 thoughts on “How to Restore Active Directory (Full Restore & System State)”

  1. Hello, which is the proper method for restoring a lone domain controller – it’s the only dc in the network (very small site), thus no replication…

    Kind regards,
