If you’ve been a network administrator for any amount of time, you know that performing a backup is no big trick. However, if you’ve recently upgraded to Windows 2000, you may be surprised to learn that a few things have changed when it comes to your backups. While the procedure for backing up your data remains basically the same, there are some very specific steps you must follow to back up or restore Active Directory. In this Daily Drill Down, I’ll explain how and why to back up your Active Directory.

Why bother backing up Active Directory?
If you were previously running Windows NT 4.0 on your network, then there’s a good chance that you may not be in the habit of backing up the Windows NT operating system itself. Instead, you probably just backed up the data files stored on the server. In Windows NT, it was really no big deal if you didn’t back up the operating system.

Even if your primary domain controller were to crash, you could simply promote another domain controller to the role of primary domain controller. You could then reinstall Windows NT on the failed machine and make that machine a backup domain controller. Doing so would copy all of the security information from the primary domain controller to the machine that you were rebuilding. When the process was complete, you could then promote the original primary domain controller back to the role of primary domain controller. Once you’d taken this final step, the network was back to normal, and you hadn’t lost anything.

In Windows NT, any time that an administrator makes a change to the security information, the change is applied directly to the primary domain controller and then replicated to all the backup domain controllers. This replication technique insures that the domain controllers are usually in sync.

Windows 2000 works a little differently, though. Windows 2000 uses what’s called a multimaster replication model. This new type of replication allows Active Directory changes to be applied to any domain controller and then replicated to the other domain controllers. This means that at any given time, each of the domain controllers could contain a different set of Active Directory changes that haven’t yet been replicated to the other domain controllers. Because each domain controller contains a potentially different copy of Active Directory, it’s important to back up Active Directory on each domain controller on a regular basis.

Backing up Active Directory
The process of backing up Active Directory is a little bit different from what you might be used to. In Windows NT 4.0, making a backup involves simply selecting the files you want to back up, selecting a destination for the backup, and then selecting the type of backup (differential, incremental, or normal).

In Windows 2000, this basic procedure remains the same if all you’re backing up is data. However, if you’re backing up Active Directory, there are a few things you need to know. First, you can’t back up Active Directory as a part of an incremental or differential backup. You can only back up Active Directory as a part of a normal backup.

Another thing that you need to know about the process is that in order to back up Active Directory, you must use a backup program that’s specifically designed for Windows 2000. If you’re using a backup program that was designed for Windows NT, it will probably work okay for backing up data, but it will lack the necessary code for backing up Active Directory.

Finally, you need to know that it’s impossible to back up just Active Directory. That’s because Active Directory contains too many dependencies. Other system components, such as the registry and the class registration database, are closely related to Active Directory. A change in Active Directory can result in a change in any number of other components, and vice versa.

Needless to say, it can be a bit confusing to know which components must be backed up in order to successfully back up Active Directory. To make it easy to back up the necessary components, Windows 2000-aware backup applications allow you to back up something called the System State Data. The System State Data is a collection of several Windows 2000 subcomponents (including Active Directory) that can’t be backed up separately. The System State Data includes such components as:

  • The registry
  • The system startup files
  • The class registration database
  • The Certificate Services database
  • The File Replication service
  • The Cluster service
  • The Domain Name Service (DNS)
  • Active Directory

Of course, not all of these components and services may exist on a single machine. However, a Windows 2000-aware backup program is smart enough to know which of the System State components need to be backed up.

Fortunately, Microsoft has provided a backup utility you can use to back up Active Directory. If you remember the backup utilities provided with earlier versions of Windows, you know that all they were really good for was taking up space on your hard drive. Microsoft fixed that problem. The version included with Windows 2000 is actually pretty decent.

The Windows 2000 Backup program includes two ways you can back up the System State Data. You can either use the Backup Wizard or the regular GUI.

To use the Windows 2000 Backup program and the Backup Wizard to back up System State Data, start Backup by selecting Run from the Start menu. Type ntbackup in the Run dialog box and click OK.

When the Backup program starts, select Backup Wizard from the Tools menu. After the wizard starts, click Next until you get to the What To Backup screen. Select the Only Back Up The System State Data radio button and click Next. Proceed through the rest of the screens in the Backup Wizard, telling it where to back up the data and finishing the process.

If you have an aversion to using wizards or just prefer to have a little more control over the process, you don’t have to use the Backup Wizard. You can just run a normal backup with a few modifications.

To do so, start Backup as mentioned above. However, rather than starting the wizard from the Tools menu, this time, click the Backup tab when Backup starts. Next, expand the Click To Select The Check Box For Any Drive, Folder, Or File That You Want To Back Up window and select System State as shown in Figure A. After you make that selection, you can just continue the backup as normal, selecting the devices and destination locations on the rest of the screen.

Figure A
To back up Active Directory, you must back up the System State Data.

Restoring Active Directory
Now that you know how to back up Active Directory, let’s discuss the procedures for restoring it. I say procedures because there are two different methods for restoring Active Directory. You can perform either an authoritative restore or a nonauthoritative restore, depending on your needs. In the sections that follow, I’ll explain each of these techniques.

Before I get into discussing the differences between the two restore techniques, though, there’s one important issue I should point out. If you find yourself in a situation in which you have to do a complete restore on the server, the server must be in a condition in which it’s capable of being restored. This means that all partitions that existed prior to the disaster must exist before the restore.

Each of these partitions must be as large or larger than they were at the time of the last backup. It’s also extremely important that Windows 2000 be loaded on the same partition that it previously existed on. Remember that you must have a working copy of Windows before you can restore anything. With that said, let’s look at the differences between an authoritative and a nonauthoritative restore.

Authoritative restore vs. nonauthoritative restore
To understand the difference between an authoritative and a nonauthoritative restore, you must again consider how Windows 2000 replication works. When an administrator makes a change to Active Directory, the change is time stamped. This allows Windows 2000 to figure out which change is the correct change in the event that two Active Directory changes are contradictory.

When you perform a nonauthoritative restore, Active Directory on the restored machine is returned to its state at the time of the backup. This could mean that the copy of Active Directory is a day old, a week old, etc. As soon as the restore process is complete, the server that you restored and the other domain controllers in the organization begin to replicate changes that have occurred since the time of the backup.

Because the information that was restored from tape is older than the information on the other domain controllers, there’s a good chance that much of the restored server’s Active Directory will be overwritten by more current data. This process is known as a nonauthoritative restore because the restored domain controller has no authority to overwrite other domain controllers with the restored information. The newest Active Directory information takes precedence.

An authoritative restore, on the other hand, is a process by which you replicate the newly restored Active Directory to the other domain controllers regardless of the age of the data. This process is very similar to doing a nonauthoritative restore, except that a few extra steps are added to the end of the process.

Performing a nonauthoritative restore
Restoring Active Directory is a little bit different from restoring other types of data, because Active Directory must be taken offline before the restore process can work. Therefore, to restore an Active Directory, you must reboot the server. When you see the screen that asks which operating system you want to use, press the [F8] key. You’ll now see a boot menu that offers several choices. Select the Directory Service Restore Mode option and press [Enter]. Windows 2000 will now boot in what appears to be the normal manner.

Because Active Directory isn’t loaded, you won’t be able to log into the domain. Therefore, log in by using the local Administrator’s account. You’re now free to use Backup to restore the System State Data. The easiest way to do this is to run the Restore Wizard from the Tools menu. Work your way through the wizard, making the selections necessary to choose the restore source and data you want to restore.

After the restore process completes, simply reboot your server in the normal manner. Doing so will trigger the directory replication process and will make Active Directory consistent across all of the domain controllers.

Performing an authoritative restore
As I mentioned earlier, doing an authoritative restore is almost identical to performing a nonauthoritative restore. The only difference is that when the restore completes, you don’t want to reboot the server into Normal mode. Instead, when you see the screen that allows you to select the operating system to work with, press [F8] again. When you see the boot menu, go into the Directory Service Restore Mode.

When the server finishes booting, log in as the local Administrator. Next, select the Run command from the Start menu. Type NTDSUTIL in the Run dialog box and click OK. NTDSUTIL is a command line utility, so it’s a bit more difficult to use than some Windows utilities.

You now have a choice to make. You can either make the entire restored Active Directory authoritative, or you can make only a portion of it authoritative. To make the entire Active Directory authoritative, type the following commands, pressing [Enter] after each one:

If you’d rather make only a portion of Active Directory authoritative, you must know the location of the section that you want to make authoritative. In the following example, I’ve used a generic representation of a location to make authoritative. You must substitute this generic representation with an actual location. Here are the commands you should type, again pressing [Enter] after each one:

Whether you’ve authoritatively restored the entire Active Directory or just a portion, you’re now free to reboot your server in the normal manner. When you do, Windows 2000 will begin to replicate the restored data to the other domain controllers.

Restoring without a backup
If this is the first time that you’ve worked with backing up and restoring Active Directory, you may not have known that you must back up the System State Data to back up Active Directory. This can be a scary revelation if you’re reading this Daily Drill Down while actually trying to figure out how to restore Active Directory (and you realize that you never backed it up to begin with). Fortunately, there’s a way to restore Active Directory, even without a backup.

Earlier I explained that in Windows NT, the primary domain controller can replicate its security information to any new backup domain controllers that are brought online. A similar technique applies to Windows 2000. To rebuild a corrupt Active Directory, take the server offline and remove references to the server from Active Directory Users And Computers console. Now, reinstall Windows 2000 on the machine. Be sure to install it as a domain controller for the domain that it was previously associated with. Doing so will cause the server to download a copy of Active Directory from another server.

The process of backing up and restoring an Active Directory is radically different from the procedures used to back up and restore typical data. In this Daily Drill Down, I explained why backing up Active Directory is important. I then went on to guide you through the process of backing up and restoring Active Directory.
The authors and editors have taken care in preparation of the content contained herein but make no expressed or implied warranty of any kind and assume no responsibility for errors or omissions. No liability is assumed for any damages. Always have a verified backup before making any changes.