Recovering an AD DS domain or forest is a complex procedure that requires regular hands-on practice and a properly isolated recovery environment (a Hyper-V or VMware host with an isolated LAN).
AD DS forest recovery guidelines and procedures:
http://technet.microsoft.com/en-us/library/planning-active-directory-forest-recovery%28WS.10%29.aspx
Some best practices for backing up and recovering AD DS:
- Back up the data of Active Directory-integrated DNS zones. The following lines belong in a batch file (the %%a form is batch syntax; use %a at an interactive prompt). dnscmd /ZoneExport writes its output file relative to %SystemRoot%\System32\dns, and the /enumzones output contains header and footer lines, so only rows whose Type column reads "Primary" are exported:
  md %SystemRoot%\System32\dns\Export
  dnscmd /enumzones > C:\Script\AllZones.txt
  for /f "tokens=1,2" %%a in (C:\Script\AllZones.txt) do if "%%b"=="Primary" dnscmd /ZoneExport %%a Export\%%a.dns
- Back up all Group Policy objects and their links.
- Back up the distinguished names (DN) of all objects in the domain, together with their last modification time:
  dsquery * domainroot -scope subtree -attr modifytimestamp distinguishedname -limit 0 > DNlist.txt
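The three data-collection steps above (DNS zone export, GPO backup with links, DN list) combined into one PowerShell script that writes everything to a timestamped folder. This is an added example, not a script from the original post; it assumes an elevated PowerShell session on a DC or a server with RSAT (the GroupPolicy and ActiveDirectory modules) and dnscmd.exe, and the folder C:\Script\ADBackup is a constructed path.

```powershell
# Added example (not from the original post). Assumptions: elevated session,
# RSAT GroupPolicy + ActiveDirectory modules, dnscmd.exe present,
# C:\Script\ADBackup is a constructed backup root.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$BackupRoot = Join-Path 'C:\Script\ADBackup' (Get-Date -Format 'yyyyMMdd-HHmm')
New-Item -ItemType Directory -Path $BackupRoot -Force | Out-Null

# 1. DNS: parse "dnscmd /enumzones" and export every Primary zone. Header and
#    footer lines never have "Primary" in the second column, so they drop out.
#    dnscmd /ZoneExport writes relative to %SystemRoot%\System32\dns and
#    refuses to overwrite, so any stale export file is removed first.
$dnsExportDir = Join-Path $env:SystemRoot 'System32\dns\Export'
New-Item -ItemType Directory -Path $dnsExportDir -Force | Out-Null
$zones = dnscmd /enumzones |
    ForEach-Object { if ($_ -match '^\s*(\S+)\s+Primary\s+') { $Matches[1] } }
foreach ($zone in $zones) {
    Remove-Item -Path (Join-Path $dnsExportDir "$zone.dns") -ErrorAction SilentlyContinue
    dnscmd /ZoneExport $zone "Export\$zone.dns" | Out-Null
}
Copy-Item -Path (Join-Path $dnsExportDir '*.dns') -Destination $BackupRoot

# 2. GPOs: Backup-GPO saves the settings of every GPO, but links are not part
#    of a GPO backup, so they are recorded per container with Get-GPInheritance.
$gpoDir = Join-Path $BackupRoot 'GPO'
New-Item -ItemType Directory -Path $gpoDir -Force | Out-Null
Backup-GPO -All -Path $gpoDir | Out-Null
$domainDn   = (Get-ADDomain).DistinguishedName
$containers = @($domainDn) + @(Get-ADOrganizationalUnit -Filter * |
                                Select-Object -ExpandProperty DistinguishedName)
$containers | ForEach-Object {
    $target = $_
    foreach ($link in (Get-GPInheritance -Target $target).GpoLinks) {
        [pscustomobject]@{
            Target   = $target
            GpoName  = $link.DisplayName
            Enabled  = $link.Enabled
            Enforced = $link.Enforced
            Order    = $link.Order
        }
    }
} | Export-Csv -Path (Join-Path $BackupRoot 'GPOLinks.csv') -NoTypeInformation

# 3. DN list of all objects with their last modification time (same dsquery
#    command as above, redirected into the backup folder).
dsquery * domainroot -scope subtree -attr modifytimestamp distinguishedname -limit 0 |
    Out-File -FilePath (Join-Path $BackupRoot 'DNlist.txt')

Write-Output "AD data collected in $BackupRoot"
```

The GPOLinks.csv file is what makes the GPO backup restorable in practice: Restore-GPO or Import-GPO bring the settings back, but the link order, enforcement and enabled state on each OU have to be re-created from this record.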
- Store operating system files, the Active Directory database (Ntds.dit), and SYSVOL on separate volumes that do not contain other user, operating system, or application data.
- For domain controllers, perform regular backups of system state data by using the wbadmin start systemstatebackup command, or preferably a bare metal restore (BMR) backup using wbadmin (http://blogs.technet.com/b/askcore/archive/2011/05/12/bare-metal-restore.aspx). For more information, see Wbadmin start systemstatebackup (http://go.microsoft.com/fwlink/?LinkId=111741).
- For domain controllers, you can also use the wbadmin start backup command to include additional drives or folders in the backup. For more information, see Wbadmin start backup (http://go.microsoft.com/fwlink/?LinkId=111741).
- Create a backup volume on a dedicated internal or external hard drive. On Windows Vista and Windows Server 2008, you cannot use a network shared folder as the target of a system state backup: you must back up to a local volume first and then copy the backup to the network share. Since Windows Server 2008 R2, however, a network share is a supported target. Note that wbadmin names the destination with the -backupTarget: parameter:
  example (Windows Server 2008 R2 DC): wbadmin start systemstatebackup -backupTarget:\\fileserver\adbackup -quiet
  example (Windows Server 2008 R2 DC): wbadmin start backup -backupTarget:\\fileserver\adbackups -include:d: -systemState -vssFull -quiet
- Microsoft disabled the ability to save system state backups to a critical volume (a volume that holds operating system components, such as the system volume). There is a fix for this in the form of a registry change, described at http://support.microsoft.com/kb/944530: create a new key under HKLM\System\CurrentControlSet\Services\wbengine and add the DWORD value AllowSSBToAnyVolume = 1. Keep in mind that a backup stored on a critical volume is lost together with that volume, so copy it to another location afterwards.
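A PowerShell wrapper for the system state backup described in the preceding items: it optionally applies the KB 944530 registry change, runs wbadmin start systemstatebackup against a target, and verifies that a new backup version is actually listed there instead of trusting the exit code alone. This is an added example, not code from the original post; it assumes an elevated session on a Windows Server 2008 R2 or later DC, reuses the constructed share name \\fileserver\adbackup from the examples above, and takes the SystemStateBackup subkey name from the KB article rather than from the post.

```powershell
# Added example (not from the original post). Assumptions: elevated PowerShell
# on a Windows Server 2008 R2+ DC; \\fileserver\adbackup is a constructed share;
# the SystemStateBackup subkey name comes from KB 944530, not from the post.
param(
    [string]$Target = '\\fileserver\adbackup',
    [switch]$AllowCriticalVolumeTarget   # only needed when $Target is a critical volume
)

# Returns the version identifiers wbadmin knows about at a given target.
# wbadmin prints an error (no versions) for an empty target; that is ignored.
function Get-BackupVersionIds([string]$BackupTarget) {
    @(wbadmin get versions "-backupTarget:$BackupTarget" 2>$null |
        Select-String 'Version identifier:\s*(\S+)' |
        ForEach-Object { $_.Matches[0].Groups[1].Value })
}

if ($AllowCriticalVolumeTarget) {
    # Registry change from KB 944530: subkey SystemStateBackup under wbengine,
    # DWORD AllowSSBToAnyVolume = 1.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\wbengine\SystemStateBackup'
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    New-ItemProperty -Path $key -Name AllowSSBToAnyVolume -PropertyType DWord -Value 1 -Force | Out-Null
}

$before = Get-BackupVersionIds $Target

wbadmin start systemstatebackup "-backupTarget:$Target" -quiet
if ($LASTEXITCODE -ne 0) {
    throw "wbadmin failed with exit code $LASTEXITCODE; check the Microsoft-Windows-Backup event log"
}

# A network share keeps only the most recent backup, so the count may not grow;
# look for a version identifier that was not present before instead.
$after = Get-BackupVersionIds $Target
$new   = @($after | Where-Object { $before -notcontains $_ })
if ($new.Count -eq 0) { throw "no new backup version found at $Target" }

Write-Output "System state backup completed; new version $($new -join ', ') at $Target"
```

Save this as a .ps1 file and run it from a scheduled task with a highly privileged service account that can write to the share; the version check is the part worth keeping even if the rest is replaced, because a backup job that exits cleanly but leaves nothing restorable is only discovered during the forest recovery itself.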
- To avoid having to use the operating system media during recovery, use the Windows Automated Installation Kit to install Windows RE on a separate partition. Use that partition to access Windows Recovery options. For more information about the Windows Automated Installation Kit, see Windows Automated Installation Kit (Windows AIK) (http://go.microsoft.com/fwlink/?LinkId=90643).
