
Microsoft Active Directory Restore

Best Practices

Veeam has two modes for restoring Active Directory Domain Controllers: non-authoritative and authoritative. The default and most commonly used mode is the non-authoritative restore of the Active Directory Domain Controller (DC), which assumes that the restore is done into an existing environment where other working Domain Controllers are present.

On the other hand, authoritative restores are not very common, as they are only performed when the user has already lost all the domain controllers.

In a non-authoritative restore, after the Domain Controller is restored, it will be aware that it was recovered from a backup and will sync the latest state of the Active Directory from the other Domain Controllers (DCs) in the environment.

In the case of restoring a Domain Controller after a complete domain failure or domain corruption, an authoritative restore must be used.

Recommendations for the restore:

  1. Select the latest backup of a writeable domain controller that is configured as a global catalog.
  2. In the case of using an Active Directory Integrated DNS service, choose the Domain Controller that runs the DNS role, hosting the forest and domain(s) zone.

For more instructions about performing an authoritative restore of a Domain Controller, please check KB2119.

After an authoritative restore, you might need to use the ntdsutil seize command to transfer the FSMO roles. It’s recommended to deploy multiple domain controllers for high availability and redundancy.
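The selection recommendations and the FSMO note above can be checked against a DC inventory recorded while the domain was still healthy. The following PowerShell is an added example, not Veeam code or part of the original page. The function name Select-RestoreCandidate, the HasDns and LastBackup fields, and the sample inventory are hypothetical; the other property names mirror what Get-ADDomainController returns.

```powershell
# Added example, not Veeam code. Input objects mirror Get-ADDomainController
# output (Name, IsGlobalCatalog, IsReadOnly, OperationMasterRoles); HasDns and
# LastBackup are hypothetical fields filled in from your own inventory.
function Select-RestoreCandidate {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [psobject]$DomainController,
        # Set when the DNS zones are Active Directory-integrated.
        [switch]$AdIntegratedDns
    )
    begin   { $all = @() }
    process { $all += $DomainController }
    end {
        # Every FSMO role recorded anywhere in the inventory.
        $allRoles = @($all | ForEach-Object { $_.OperationMasterRoles } | Sort-Object -Unique)
        $all | ForEach-Object {
            $dc = $_
            $reasons = @()
            if ($dc.IsReadOnly)           { $reasons += 'read-only DC' }
            if (-not $dc.IsGlobalCatalog) { $reasons += 'not a global catalog' }
            if ($AdIntegratedDns -and -not $dc.HasDns) { $reasons += 'no DNS role' }
            [pscustomobject]@{
                Name         = $dc.Name
                Eligible     = ($reasons.Count -eq 0)
                Rejected     = ($reasons -join '; ')
                LastBackup   = $dc.LastBackup
                # Roles held by other DCs: may need an ntdsutil seize after the restore.
                RolesToSeize = @($allRoles | Where-Object { $_ -notin $dc.OperationMasterRoles }) -join ', '
            }
        } | Sort-Object @{ Expression = 'Eligible';   Descending = $true },
                        @{ Expression = 'LastBackup'; Descending = $true }
    }
}

# Constructed inventory (sample data), captured before the failure.
$inventory = @(
    [pscustomobject]@{ Name = 'DC01'; IsGlobalCatalog = $true; IsReadOnly = $false; HasDns = $true
        OperationMasterRoles = @('PDCEmulator', 'RIDMaster', 'InfrastructureMaster')
        LastBackup = [datetime]'2023-05-01T22:00' }
    [pscustomobject]@{ Name = 'DC02'; IsGlobalCatalog = $true; IsReadOnly = $false; HasDns = $true
        OperationMasterRoles = @('SchemaMaster', 'DomainNamingMaster')
        LastBackup = [datetime]'2023-05-02T22:00' }
    [pscustomobject]@{ Name = 'DC03'; IsGlobalCatalog = $true; IsReadOnly = $true; HasDns = $true
        OperationMasterRoles = @(); LastBackup = [datetime]'2023-05-02T23:00' }
    [pscustomobject]@{ Name = 'DC04'; IsGlobalCatalog = $false; IsReadOnly = $false; HasDns = $false
        OperationMasterRoles = @(); LastBackup = [datetime]'2023-05-02T23:30' }
)
$inventory | Select-RestoreCandidate -AdIntegratedDns | Format-Table -AutoSize
```

The first eligible row is the writable global catalog with the most recent backup; its RolesToSeize column lists the FSMO roles that were held by other Domain Controllers.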

Microsoft Active Directory Recovery Verification

When using SureBackup to test the recovery of a single Active Directory Domain Controller, choose the authoritative restore mode (Recovery Verification Options), as it completes faster than the non-authoritative restore mode.



Copyright © 2023 Solutions Architects, Veeam Software.