Jorge's Quest For Knowledge!

All About Identity And Security On-Premises And In The Cloud – It's Just Like An Addiction, The More You Have, The More You Want To Have!

(2013-04-30) Active Directory Forest Recovery Guide For W2K3, W2K8, W2K8R2, W2K12

Posted by Jorge on 2013-04-30

This guide contains best-practice recommendations for recovering an Active Directory forest, if forest-wide failure has rendered all domain controllers in the forest incapable of functioning normally. The procedure steps in this guide, which you must customize for your particular environment, describe how to recover the entire Active Directory forest to a point in time before the critical malfunction. They also ensure that none of the restored domain controllers replicates from a domain controller with potentially dangerous data.

The procedures apply to Active Directory Domain Services (AD DS) in Windows Server 2012, Windows Server 2008 R2, Windows Server 2008, and the Active Directory directory service in Windows Server 2003.

REMARK: Remember that this is a general guide to help you create your own forest recovery plan for your own environment. No forest recovery plan from one environment can be fully used in another environment without customizations. Also remember it is not just about technology. When creating a forest recovery plan, take into account everything that is specific to your environment, such as the location of IT staff, communications, logistics, procedures, security, etc. And when you do create a forest recovery plan that is specific to your environment, make sure to keep it up-to-date as your environment changes, and also make sure to perform periodic “fire-drills”. Those fire-drills help you to see what may need to change in the plan, and they also keep the plan as fresh as possible in the minds of everyone involved.

Get it here: Planning for Active Directory Forest Recovery

* This posting is provided "AS IS" with no warranties and confers no rights!
* Always evaluate/test yourself before using/implementing this!
############### Jorge’s Quest For Knowledge #############

2 Responses to “(2013-04-30) Active Directory Forest Recovery Guide For W2K3, W2K8, W2K8R2, W2K12”

  1. Diego said

    Hi. I am trying to use the guide (implement a real AD recovery test), however there is a sentence that is not really clear to me:

    “Perform an authoritative (or primary) restore operation of SYSVOL only for the first DC to be restored in the forest root domain. Incorrectly performing primary restore operations of the SYSVOL on other DCs leads to replication conflicts of SYSVOL data.”

    Given that more than once in the guide (updated version) it was written that some actions were required, even if somewhat redundant, to avoid that the presence of some forgotten DC (with a corrupted schema or whatever created the need for the restore) still operating on the network would damage the recovery process itself, there is the possibility that this sentence was put there for that same reason, but… isn’t SYSVOL replicated just at the domain level? So, wouldn’t it be correct to perform an authoritative restore of only one SYSVOL for each domain of the forest (the one of the recovered DC in each domain of the forest) instead of just in the root domain? Shouldn’t the conflict arise only if I set the SYSVOL folder as authoritative on more than one DC in the same domain?

    Is it only a Microsoft typo, or am I missing something (this is much more plausible)?



    • Jorge said


      I do not fully understand the point you are trying to make.

      DCs replicate at 2 levels using different replication mechanisms:
      * AD (database) data is replicated through AD replication, and it replicates at domain and forest level
      * SYSVOL data is replicated through DFSR or NTFRS, and it replicates at domain level only

      Assuming a full forest recovery…
      For every single AD domain in the AD forest, restore from backup 1 single RWDC where AD is restored non-auth and SYSVOL is restored auth. Then for every single AD domain in the AD forest, reinstall new DCs and/or also restore from backup (if trusted). However, when restoring ADDITIONAL DCs from backup, AD and SYSVOL are both restored non-auth.
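The rule in the reply above (at most one DC per domain staged as authoritative for SYSVOL) can be checked from AD before DFSR is restarted on the recovered DCs. The script below is an added example, not code from the post or from Microsoft's guide; it assumes SYSVOL is DFSR-replicated (not NTFRS), that the ActiveDirectory module is available, and that the account running it can read every DC's computer object in every domain.

```powershell
# Added example, not from the post or Microsoft's guide. Assumes DFSR-replicated SYSVOL
# and read access to each DC's computer object. When an admin stages an authoritative
# DFSR restore of SYSVOL, msDFSR-Options bit 0 is set on that DC's SYSVOL Subscription
# object; this check reports every DC carrying that flag and fails if a domain has more
# than one, which is the conflict the comment thread is about.
Import-Module ActiveDirectory

function Get-SysvolRestoreFlags {
    param([string]$Forest = (Get-ADForest).Name)

    foreach ($domain in (Get-ADForest -Identity $Forest).Domains) {
        foreach ($dc in (Get-ADDomainController -Filter * -Server $domain)) {
            # DFSR keeps the SYSVOL subscription settings under the DC's computer object.
            $subDn = "CN=SYSVOL Subscription,CN=Domain System Volume," +
                     "CN=DFSR-LocalSettings,$($dc.ComputerObjectDN)"
            try {
                $sub = Get-ADObject -Identity $subDn -Server $domain `
                           -Properties 'msDFSR-Options','msDFSR-Enabled'
                $options = [int]($sub.'msDFSR-Options' | Select-Object -First 1)
                $enabled = $sub.'msDFSR-Enabled'
            } catch {
                # No subscription object: this DC is not DFSR-replicating SYSVOL, or is unreadable.
                $options = $null; $enabled = $null
            }
            [pscustomobject]@{
                Domain        = $domain
                DC            = $dc.HostName
                Authoritative = ($null -ne $options) -and (($options -band 1) -eq 1)
                DfsrEnabled   = $enabled
            }
        }
    }
}

function Test-OneAuthoritativeSysvolPerDomain {
    $flags = Get-SysvolRestoreFlags
    $ok = $true
    foreach ($group in ($flags | Group-Object Domain)) {
        $auth = @($group.Group | Where-Object Authoritative)
        if ($auth.Count -gt 1) {
            $ok = $false
            Write-Warning ("{0}: {1} DCs staged as authoritative for SYSVOL ({2}); only one per domain is allowed" -f
                $group.Name, $auth.Count, ($auth.DC -join ', '))
        }
    }
    $flags | Format-Table -AutoSize
    return $ok
}

Test-OneAuthoritativeSysvolPerDomain
```

Run it from a recovered DC after the SYSVOL Subscription objects have been edited but before DFSR is restarted; a domain with zero authoritative DCs is expected once the authoritative restore has completed and the flag has been cleared.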


