System State Backup
The Windows 2000 Active Directory contains a component known as the System
State. The System State information includes the components that the
Windows 2000 operating system relies on for normal operations. The System
State data can be backed up with the Windows 2000 Backup application.
System State data does not contain Active Directory data unless the server
you're backing up is a domain controller. The backup tool only supports
local backups of Active Directory. In order to get an entire backup of
Active Directory, you must back up every domain controller in the enterprise.
Active Directory cannot be backed up on a remote computer. Back up the
System State data on all domain controllers in all domains.
Windows 2000 DC System State Data
- Active Directory - The Active Directory data store.
- Boot Files - The files required to boot the Windows 2000 operating system.
- COM+ Class Registration Database - The registration database of various shared code components.
- Registry - The Windows 2000 operating system registry database.
- SysVol - The data and files that are shared between the domain controllers within an AD domain.
- System Startup Files -
- Certificate Services Database -
- DNS Data -
- Cluster Service database -
The Windows 2000 Backup application allows you to back up data to external
media or the local hard disk as a file. It is recommended that you save the
data on removable media and keep it in a safe location.
System State Recovery
If your Windows 2000 operating system has corrupt System State information
and must be restored (or you accidentally deleted an OU), and the operating
system will still boot, restoration is easy. Boot into the Directory
Services Restore Mode from the boot menu and simply restore the System
State Information.
If your Windows 2000 Server will not boot due to hardware failure or some
other problem and a reinstallation of the operating system is required,
the restoration of the System State information will be performed from within
the Windows 2000 Backup application. If your domain has two domain
controllers as recommended, once the reinstallation of Windows 2000 is
completed, all you will have to do is promote the Server to a domain
controller and the other domain controller will replicate the information
to the failed server.
Authoritative Restore
If you have accidentally deleted users or an OU, and the changes have replicated
throughout the domain, you will have to perform a restoration from backup.
But, once the information is restored, it will be seen as out of date and
then be replicated over. In this type of situation, when you want to restore
AD data and have it replicated throughout the domain, you must perform an
authoritative restore. The Authoritative Restore process specifies
a domain controller as having the authoritative (or master) copy of the
Active Directory database. This AD restore will then be replicated throughout
the domain as usual.
To perform an Authoritative Restore, restore the System State information
as usual, which begins in the Directory Services Restore Mode during the
bootstrap phase. Once you have restored the System State Data with Windows
2000 Backup, you are ready to place the domain controller in authoritative
restore mode.
To place the domain controller in authoritative restore mode, begin by
opening a command prompt. At the command prompt, type ntdsutil.exe and
press enter. At the ntdsutil command prompt, type "authoritative restore"
and press enter. Next, at the authoritative restore prompt, type "restore
database" and press enter. Click YES at the prompt. Once the restore process
has completed, type quit twice and then exit. To finalize the process,
restart the domain controller.
c:\>ntdsutil
ntdsutil.exe: authoritative restore
authoritative restore: restore database
If you wish to verify that the authoritative restore was successful by
checking the version number increase, you should use the repadmin tool.
Additionally, if you accidentally deleted an OU named "birmingham" from the
"spcsys.com" domain, you can use the authoritative restore prompt to restore
only that subtree. The syntax is as follows:
c:\>ntdsutil
ntdsutil.exe: authoritative restore
authoritative restore: restore subtree OU=birmingham,DC=spcsys,DC=com
To restore the entire directory and override the version increase:
authoritative restore: restore database verinc [version increase]
You cannot restore the Active Directory from a backup if the backup
is older than the tombstone lifetime (default: 60 days).
When authoritatively restoring a part of the Active Directory,
you must also restore the SYSVOL directory to an alternate location.
In the alternate location, copy the Group Policy folders
corresponding to the restored Group Policy objects and place them
in their original location in SYSVOL.
You cannot mark Schema partitions as authoritative, thus you cannot
restore schema changes from backup.
When recovering System State information using Windows 2000 Backup, you have
the option of restoring data to an alternate location. This operation will
only copy some components from the System State backup, and it will not
restore the Active Directory.
You can use a batch file to back up with NTBACKUP.EXE and the system state
switch. With System State, only normal and copy backups are permitted.
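
The restorability rules stated above (Active Directory is only captured by a local backup, only normal and copy types are permitted with System State, a backup older than the tombstone lifetime cannot be restored, and every domain controller must be covered) can be checked against a backup log. The following Python is an added example, not part of the original page; the record fields, DC names and dates are constructed for illustration.

```python
from datetime import date

TOMBSTONE_LIFETIME_DAYS = 60             # default tombstone lifetime given above
SYSTEM_STATE_TYPES = {"normal", "copy"}  # only types permitted with System State


def usable_for_ad_restore(entry, today, tombstone_days=TOMBSTONE_LIFETIME_DAYS):
    """Return None if the backup can restore AD, else the reason it cannot."""
    if not entry["system_state"]:
        return "System State not included"
    if entry["run_on"].lower() != entry["dc"].lower():
        return "taken remotely; AD is only captured by a local backup"
    if entry["type"] not in SYSTEM_STATE_TYPES:
        return "backup type %r not permitted with System State" % entry["type"]
    age = (today - entry["taken"]).days
    if age > tombstone_days:
        return "%d days old, past the %d-day tombstone lifetime" % (age, tombstone_days)
    return None


def audit(domain_controllers, catalog, today):
    """Map each DC without a restorable backup to the reasons its backups fail."""
    findings = {}
    for dc in domain_controllers:
        entries = [e for e in catalog if e["dc"].lower() == dc.lower()]
        reasons = [usable_for_ad_restore(e, today) for e in entries]
        if not entries:
            findings[dc] = ["no backup recorded"]
        elif all(reasons):  # every recorded backup has a disqualifying reason
            findings[dc] = reasons
    return findings


# Constructed sample data: hypothetical DC names and backup log records.
DCS = ["DC1", "DC2", "DC3", "DC4"]
CATALOG = [
    {"dc": "DC1", "run_on": "DC1", "taken": date(2001, 5, 20), "type": "normal", "system_state": True},
    {"dc": "DC2", "run_on": "DC2", "taken": date(2001, 3, 1), "type": "normal", "system_state": True},
    {"dc": "DC3", "run_on": "FILESRV", "taken": date(2001, 5, 25), "type": "copy", "system_state": True},
]
TODAY = date(2001, 6, 1)

if __name__ == "__main__":
    for dc, reasons in audit(DCS, CATALOG, TODAY).items():
        print(dc, "->", "; ".join(reasons))
```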