Restoring Active Directory

Active Directory must be restored offline. The system must be rebooted in Directory Services Restore mode. In this mode, the operating system is running without Active Directory and all user validation occurs through the Security Accounts Manager (SAM) in the registry. To restore Active Directory, use the credentials of a local administrator on the domain controller that is restored.

The caller of the restore functions must have the SE_RESTORE_NAME privilege. Use the DsSetAuthIdentity function to set the security context under which the directory backup and restore functions are called.

Be aware that when you restore Active Directory, you must also restore the other system state components.

To restore Active Directory, perform the following steps

1. Call the DsIsNTDSOnline function to determine if Active Directory is running.
2. If Active Directory is not running, the DsRestorePrepare function is called to initialize the restore operation and obtain a backup context handle. If Active Directory is running, it cannot be restored and the restore application must fail the restore operation. The DsRestorePrepare function requires that the expiry token be obtained from the DsBackupPrepare function during the backup operation.
3. Call the DsRestoreGetDatabaseLocations function to determine the directories where the files are to be restored. If this function fails, restore the data back to the original backup source directory; that is the directory from which the data was backed up.
4. When the restore is complete, call the DsRestoreRegister function to specify which database and which log files were restored.
5. Use standard Win32 functions to restore the files. First, delete all files in the destination directory; then copy the backup files to the destination directory.
6. Call the DsRestoreRegisterComplete function to indicate that the restore has completed.
7. Call the DsRestoreEnd function to release any resources associated with the context.

After a restore in Directory Services Restore mode, the domain controller should be rebooted in normal mode. When the directory service starts, the domain controller will perform the normal consistency check and the restored directory will then be online.

Be aware that restoring an Active Directory is always a two-part operation. First, restore the database to a time when the backup was taken and not beyond. Second, replicate the directory, where the newly restored DSA replicates post-backup updates from other DSAs in the domain and enterprise forest.

Any computer running on Windows® 2000 or Windows Server 2003 family that contains a replica of the directory service is a domain controller.

The DsRestoreRegister function adds data to the registry that must survive the registry restoration process for the Active Directory restoration to work correctly. To ensure this registry data is preserved, restore Active Directory with the DsRestore* functions prior to rebooting the computer after the RegReplaceKey function has been called. This process works because RegReplaceKey does not actually replace the registry hive until the computer is rebooted and the registry data added by the DsRestoreRegister function is specifically excluded from being replaced during a registry restore operation.