Bare metal recovery (BMR) is a feature of Windows Server Backup that allows you to restore your operating system (OS) or the entire system to another machine with similar hardware referred to as bare-metal. It does not require any software to be installed on the destination machine. Bare metal recovery removes all existing partitions on the system disk and recreates all partitions, before restoring software onto the server (PCs’). Active Directory Domain Services provide functions for backing up and restoring data in the directory database. Backing up Windows Server is a very important part of everyday server management. Windows Server backup copies enable recovery after crashes. By default, the backup feature is not installed. Kindly refer to this guide on how to set up Windows server backup and create a backup job, and how to stop the Windows backup job via the wbadmin console.
This is just a test Domain Controller (DC) and restoring Active Directory from a backup should be your last resort. You should have multiple domain controllers running. This will allow for a single domain controller to fail and still provide full recovery without a backup. Do not rely on multiple controllers only. You should also pull backup regularly. All DCs' can fail, database corruption can occur, viruses, ransomware or some other disaster could wipe out all domain controllers. In this situation, you would need to restore it from a backup. Also backing up Active Directory is FREE so there is no reason not to do it. Kindly refer to the following related guides. Cloud Protection Manager: How to recover backup via N2WS Veeam CPM, SEP sesam Hybrid Backup and Disaster Recovery Solution, and Advantage of using a 3rd party software for Backup (N2WS by Veeam) over AMI.
Active Directory Full Backup vs System State Backup: This part outline the differences between a full server backup and a system state backup. We will see from the recovery steps that we can use both recovery types to restore Active Directory Domain Services. Refer to this official Microsoft link.
1: Full Backup: Backup all server data, including applications and the operating system which includes the system state. It also includes “bare metal recovery” which permits the recovery to an entirely different piece of hardware.
2: System State Backups: This backup includes only the components needed to restore your domain controller. The system state includes the following: Sysvol from the domain controller. The “
sysvol” includes group policy objects, Active Directory database and related files, DNS zones and records (only for Active Directory-integrated DNS), System registry, and Com+ Class registration database and System startup files. If you have an Advanced Group Policy Manager (AGPM), you can also restore policies from there. You can also use the GPMC to backup policies as well. The system state backup is best used for recovering Active Directory on the same server.
Make sure the destination hard drive to receive the bare metal recovery has enough disk space, else the backup will fail. If you want to restore to a new machine, the new hard drive needs to be in the same size or larger than the source disk that was backed up.
Part 1: To start the restoration of the Domain Controller, you will need the same hardware (server) version similar to the failed Domain Controller. Ensure you install the Active Directory Domain Services role installed only (Do not configure it). Lastly, you will ensure the Windows Server Backup feature is also installed on the Windows Server. These steps are easy and I will not be discussing them in detail.
Active Directory servers must be restored offline. The system must be restarted in Directory Services Restore Mode (DSRM). In this mode, the OS is running without ADDS and all user validation occurs through the Security Accounts Manager (SAM) in the registry. To restore ADDS, use the credentials of a local administrator on the domain controller that is restored. We have to boot the server in the DSRM.
msconfig and select the
– Option Safe Boot and
– Active Directory repair in the Boot tab as shown below.
Afterward, restart your server. This will ensure it boots into DSRM.
To launch the “
wdamin console“, there are many ways to do this. I will be showing you a different method instead of using the Server Manager. You could also fire it up via the following path “Control Panel\System and Security\Administrative Tools”
– Click on the start menu as shown and click on Windows Administrative Tools as shown below.
This will open the Windows Administrative Tools as shown below. If you are inquisitive, you can try to launch other tools to see what they do 🙂
This will open the Windows Server Backup Utility (
wbadmin). To restore the Domain Controller,
– Click on the “
Recover” button on the action panel on the right-hand side of the backup utility.
If you are doing this just to recover a single object that was deleted, you may want to enable the Active Directory Recycle Bin, this will give you the ability to restore deleted objects without the need for a backup, and also use Advanced Group Policy Management (AGPM) to ensure deleted Group Policies can be restored.
In the recovery wizard’s “Getting Started” page, select the backup location. I have the shared folder, therefore, I will click on click on “a backup stored on another location”.
When specifying the location type, select Remote shared folder if your System State backup was recovered to another server. If your System State was recovered locally, then select Local drives.
– I will be selecting a”Remote shared folder”.
Enter the path to the WindowsImageBackup directory, or choose the local drive containing this directory.
On the “Select Backup Date” page, select the most recent backup to restore:
The “Select Recovery Type” then allows you to select what you’re going to restore. I will be selecting system state since this is the backup I created successfully due to disk space. Note:
Exchange Server is regarded as an application, therefore, you can select “application” under-recovery type.
Select Original location and do check Perform an authoritative restore of Active Directory files
The system will display some warning messages that it is another server backup and if recovered on a different server it may not work. Click on ok on all the warning messages.
Note: Microsoft does not support restoring a system state backup from one computer to a second computer of a different make, model, or hardware configuration. The system state backup is best used for recovering Active Directory only on the same server.
Click on “Recover” to begin the process of System state recovery. The process of AD recovery on a new server will start. I omitted the automatic reboot option for some reason because I want to initiate this myself. You can check that button if you want.
A warning message will be prompted stating that System state recovery cannot be paused. Click on “Yes”.
As you can see, the recovery has started. When it is over, the server will require a reboot and the name of the new server will be changed to the DC hostname from the backup.
After you’ve successfully completed a restore, you need to restart the server in normal mode. Open a command prompt and type the following:
bcdedit /deletevalue safeboot or disable the DSRM using
MSConfig. Next, login to the server using an account with the domain administrator privileges.
Part 2: Restoring a crashed system: Make sure you have given the same or bigger storage space on the physical server you gonna perform the restore. the restore operation will create logical volumes and partitioning. You can use a recovery drive to bring your operating system back to normal.
Connect the Drive that contains backup files to the server. Boot from the “server 2019 media” and choose “Repair your computer” option
Since, I am using a VM, it brought me straight to the
Windows Recovery Environment (Win RE) to recover. – Select Troubleshoot from the three available options.
From the Advanced Options screen, select “System Image Recovery”
On the re-image your computer, select a system image as shown below and and then click Next.
Select the first option to search for a system image on the network
Click on Yes on the warning prompt if you want to connect to the network share
Enter the folder path as shown below.
Enter your domain credential in order to connect to the share.
All other steps are effortless. Please proceed with the rest recover steps. Tired of taking further screenshoots :) - After the restart, the server will be restored with the last backup state.
I hope you found this blog post helpful. If you have any questions, please let me know in the comment session.