Tuesday, March 22, 2011

Unofficial backup and restore Active Directory Database for Windows Server 2008 and Windows Server 2008 R2 Domain Controller

Back up the Active Directory database

1. At domain controller, login as Domain Administrator.
2. Launch "Server Manager", expand "Roles".
3. Select "Active Directory Domain Services".
4. At the "Active Directory Domain Services" right pane.
5. Under "System Services", select "Active Directory Domain Services".

Figure 1: Active Directory Domain Services

6. Click "Stop".

Figure 2: Stop Dependent Services


7. Click "Stop Dependent Services".
8. Launch "Command Prompt", enter "ntdsutil".
9. Enter the following commands:

  • Ntdsutil: Active instance NTDS
  • Ntdsutil: Files
  • File maintenance: compact to c:\
  • File maintenance: quit
  • Ntdsutil: quit

Figure 3: The process of Ntdsutil

The Active Directory Database file was back up to C:\ntds.dit

Restore the Active Directory database
1. At domain controller, login as Domain Administrator.
2. Launch "Server Manager", expand "Roles".
3. Select "Active Directory Domain Services".
4. At the "Active Directory Domain Services" right pane.
5. Under "System Services", select "Active Directory Domain Services".
6. Click "Stop".
7. Click "Stop Dependent Services".
8. Copy you previous backup "ntds.dit" to replace "%windir%\ntds\ntds.dit".

Figure 4: Replace the ntds.dit

9. Launch "Registry Editor".
10. Navigate to the following registry key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\NTDS\Parameters

11. At right pane, delete "DSA Database Epoch".

Figure 5: DSA Databae Epoch

12. Back to "Server Manager", start the "Active Directory Domain Services" service.
13. Next to "Events", if the restoration successes, there is "Event ID 1000" in the "Events".

Figure 6: Event ID 1000
This posting is provided “AS IS” with no warranties, and confers no rights!
at

14 comments:

  1. AnonymousJuly 8, 2011 at 3:55 PM

    Nice :) When restoring from the backup onto a fresh install of Windows, are you just installing a dummy AD and then replacing the ntds.dit?

    ReplyDelete
    Replies
    1. AnonymousOctober 29, 2014 at 2:03 AM

      Regardless of what you do, you'll need to have or configure valid DNS servers to point to the correct Zones. This won't work for restoring a domain from scratch if you just have the .dit file. Also, SYSVOL and other workings would be missing too. You policies wouldn't be in place. Don't think you can use this if you are restoring a downed domain.

      Delete
  2. Terry LauJuly 8, 2011 at 4:25 PM

    The domain controller is the same as previous one.

    ReplyDelete
  3. AnonymousJuly 8, 2011 at 4:31 PM

    I guess I could just do a quick lab of this, but what I was trying to ask you was how this would work in a disaster scenario when you have the ntds.dit file but had to resore it on a completely fresh install of Windows.

    Could you just install 2008 R2, add the domain controller role, install a dummy domain in a dummy forest and copy the file in?

    ReplyDelete
  4. Terry LauJuly 8, 2011 at 5:52 PM

    You can't install to a dummy domain in a dummy forest. The server can't boot up.

    ReplyDelete
  5. AnonymousDecember 20, 2011 at 7:12 PM

    This is my first time i visit here. I discovered a lot of interesting things within your blog especially its discussion.
    domain service

    ReplyDelete
  6. Nomin nomin@mta.mnNovember 11, 2012 at 11:30 AM

    my Primary DC failed. it doesn't work again. i tried to change slave DC to primary. But still couldn't change schema master role. Now what should i do. PLEASE HELP ME.

    ReplyDelete
    Replies
    1. Terry LauNovember 11, 2012 at 11:39 AM

      Hello,
      Do you seize the schema master role by ntdsutil?

      Please read the following web sites for your information:

      Using Ntdsutil.exe to transfer or seize FSMO roles to a domain controller
      http://support.microsoft.com/kb/255504

      Seize the schema master role
      http://technet.microsoft.com/en-us/library/cc783650(v=ws.10).aspx

      Ntdsutil
      http://technet.microsoft.com/en-us/library/cc753343(v=ws.10).aspx

      Delete
  7. Nomin nomin@mta.mnNovember 11, 2012 at 12:03 PM

    i just did everything what you show. but i my domain controller failed.

    ReplyDelete
    Replies
    1. Terry LauNovember 11, 2012 at 12:44 PM

      Hello,

      Could you provide more information about the domain controllers version, forest functional level, domain functional level?

      IF you perform "netdom query fsmo" in a domain controller, what is the result?

      Delete
  8. Milind NaphadeJanuary 7, 2013 at 3:13 AM

    I did the actions completely but my Windows 2008 SP2 continues to reboot automatically after replacing the database file. Any idea?

    ReplyDelete
  9. Terry LauJanuary 7, 2013 at 10:48 AM

    Hello Milind,

    Could you provide more information in your environment?

    Do you restore the back up and restore the nrds.dit in the original one domain controller?

    ReplyDelete
  10. AnonymousFebruary 17, 2016 at 6:50 PM

    This method quickly got me out of trouble after messing around with service principal names on DC. Luckily i did IFM export shortly before, so this method worked a treat!!

    Thank You so much!

    ReplyDelete