Backup and Restore Considerations for Virtualized Domain Controllers

Updated: January 2009

Applies to: Windows Server 2008, Windows Server 2008 R2, Windows Virtualization

Backing up domain controllers is a critical requirement for any environment. Backups protect against data loss in the event of domain controller failure or administrative error. If such an event occurs, it is necessary to roll back the system state of the domain controller to a point in time before the failure or error. The supported method of restoring a domain controller to a healthy state is to use an Active Directory–compatible backup application, such as Windows Server Backup, to restore a system state backup that originated from the current installation of the domain controller. For more information about using Windows Server Backup with Active Directory Domain Services (AD DS), see the AD DS Backup and Recovery Step-by-Step Guide.

With virtual machine technology, certain requirements of Active Directory restore operations take on added significance. For example, if you restore a domain controller by using a copy of the virtual hard disk (VHD) file, you bypass the critical step of updating the database version of a domain controller after it has been restored. Replication will proceed with inappropriate tracking numbers, resulting in an inconsistent database among domain controller replicas. In most cases, this problem goes undetected by the replication system and no errors are reported, despite inconsistencies between domain controllers.

There are two supported ways to perform backup and restore of a virtualized domain controller:

  1. Run Windows Server Backup in the guest operating system.

  2. Run Windows Server Backup on the host. This action calls the Volume Shadow Copy Service (VSS) writer of the guest to make sure that the backup is performed properly.

Backup and restore practices to avoid

As mentioned, domain controllers that are running in virtual machines have restrictions that do not apply to domain controllers that are running in physical machines. When you back up or restore a virtual domain controller, there are certain virtualization software features and practices that you should not use:

  • Do not copy or clone VHD files of domain controllers instead of performing regular backups. If the VHD file is copied or cloned, it becomes stale. Then, if the VHD is started in normal mode, there might be a divergence of replication data in the forest. You should perform proper backup operations that are supported by Active Directory Domain Services (AD DS), such as using the Windows Server Backup feature.

  • Do not use the Snapshot feature as a backup to restore a virtual machine that was configured as a domain controller. Problems will occur with replication when you revert the virtual machine to an earlier state. For more information, see Appendix A: Virtualized Domain Controllers and Replication Issues. Although using a snapshot to restore a read-only domain controller (RODC) will not cause replication issues, this method of restoration is still not recommended.

Restoring a virtual domain controller

To restore a domain controller when it fails, you must regularly back up system state. System state includes Active Directory data and log files, the registry, the system volume (SYSVOL folder), and various elements of the operating system. This requirement is no different for a domain controller that is running on a virtual machine than it is for a domain controller that is running on native hardware. System state restore procedures that Active Directory–compatible backup applications perform are designed to ensure the consistency of local and replicated Active Directory databases after a restore process, including the notification to replication partners of invocation ID resets. However, using virtual hosting environments and disk or operating system imaging applications makes it possible for administrators to bypass the checks and validations that ordinarily occur when domain controller system state is restored.

When a domain controller virtual machine fails and an update sequence number (USN) rollback has not occurred, there are two supported situations for restoring the virtual machine:

  • If a valid system state data backup that predates the failure exists, you can restore system state by using the restore option of the backup utility that you used to create the backup. The system state data backup must have been created using an Active Directory–compatible backup utility within the span of the tombstone lifetime, which by default is no more than 180 days. You should back up your domain controllers at least every half tombstone lifetime. For instructions about how to determine the specific tombstone lifetime for your forest, see Determine the Tombstone Lifetime for the Forest.

  • If a working copy of the VHD file is available, but no system state backup is available, you can remove the existing virtual machine and restore it by using a previous copy of the VHD. Be sure to start it in Directory Services Restore Mode (DSRM) and configure the registry properly, as described in the following section. Then, restart the domain controller in normal mode.

Use the process in the following illustration to determine the best way to restore your virtualized domain controller.

Figure: Restoring a writable domain controller with Hyper-V

For RODCs, the restoration process and decisions are simpler.

Figure: Restoring a read-only domain controller with Hyper-V

Restoring the system state backup of a virtual domain controller

If a valid system state backup exists for the domain controller virtual machine, you can safely restore the backup by following the restore procedure prescribed by the backup tool that you used to back up the VHD file.

To properly restore the domain controller, you must start it in DSRM. You must not allow the domain controller to start in normal mode. If you miss the opportunity to enter DSRM during system startup, turn off the domain controller’s virtual machine before it can fully start in normal mode. It is important to start the domain controller in DSRM because starting a domain controller in normal mode increments its USNs, even if the domain controller is disconnected from the network. For more information about USN rollback, see Appendix A: Virtualized Domain Controllers and Replication Issues.

To restore the system state backup of a virtual domain controller
  1. Start the domain controller’s virtual machine, and press F5 to access the Windows Boot Manager screen. If you are required to enter connection credentials, immediately click the Pause button on the virtual machine so that it does not continue starting. Then, enter your connection credentials, and click the Play button on the virtual machine. Click inside the virtual machine window, and then press F5.

    If you do not see the Windows Boot Manager screen and the domain controller begins to start in normal mode, turn off the virtual machine to prevent it from completing startup. Repeat this step as many times as necessary until you are able to access the Windows Boot Manager screen. You cannot access DSRM from the Windows Error Recovery menu. Therefore, turn off the virtual machine and try again if the Windows Error Recovery menu appears.

  2. In the Windows Boot Manager screen, press F8 to access advanced boot options.

  3. In the Advanced Boot Options screen, select Directory Services Restore Mode, and then press ENTER. This starts the domain controller in DSRM.

  4. Use the appropriate restore method for the tool that you used to create the system state backup. If you used Windows Server Backup, see Performing a Nonauthoritative Restore of AD DS.

Restoring a virtual domain controller when an appropriate system state data backup is not available

If you do not have a system state data backup that predates the virtual machine failure, you can use a previous VHD file to restore a domain controller that is running on a virtual machine.

Do not use this procedure if the copy of the VHD that you are about to restore has been restarted in normal mode by any virtual machine.

To restore a previous version of a virtual domain controller VHD without system state data backup
  1. Using the previous VHD, start the virtual domain controller in DSRM, as described in the previous section. Do not allow the domain controller to start in normal mode. If you miss the Windows Boot Manager screen and the domain controller begins to start in normal mode, turn off the virtual machine to prevent it from completing startup. See the previous section for detailed instructions for entering DSRM.

  2. Open Registry Editor. To open Registry Editor, click Start, click Run, type regedit, and then click OK. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Yes. In Registry Editor, expand the following path: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters. Look for a value named DSA Previous Restore Count. If the value is there, make a note of the setting. If the value is not there, the setting is equal to the default, which is zero. Do not add a value if you do not see one there.

  3. Right-click the Parameters key, click New, and then click DWORD (32-bit) Value.

  4. Type the new name Database restored from backup, and then press ENTER.

  5. Double-click the value that you just created to open the Edit DWORD (32-bit) Value dialog box, and then type 1 in the Value data box. The Database restored from backup entry is available on domain controllers that are running Windows 2000 Server with Service Pack 4 (SP4), Windows Server 2003 with the updates that are included in article 875495 in the Microsoft Knowledge Base installed, and Windows Server 2008.

  6. Restart the domain controller in normal mode.

  7. When the domain controller restarts, open Event Viewer. To open Event Viewer, click Start, click Control Panel, double-click Administrative Tools, and then double-click Event Viewer.

  8. Expand Application and Services Logs, and then click the Directory Services log. Ensure that events appear in the details pane.

  9. Right-click the Directory Services log, and then click Find. In Find what, type 1109, and then click Find Next.

  10. You should see at least an Event ID 1109 entry. If you do not see this entry, proceed to the next step. Otherwise, double-click the entry, and then review the text confirming that the update was made to the InvocationID:

    Active Directory has been restored from backup media, or has been configured to host an application partition. 
    The invocationID attribute for this directory server has been changed. 
    The highest update sequence number at the time the backup was created is <time>
    InvocationID attribute (old value):<Previous InvocationID value>
    InvocationID attribute (new value):<New InvocationID value>
    Update sequence number:<USN>
    The InvocationID is changed when a directory server is restored from backup media or is configured to host a writeable application directory partition.

  11. Close Event Viewer.

  12. Use Registry Editor to verify that the value in DSA Previous Restore Count is equal to the previous value plus one. If this is not the correct value and you cannot find an entry for Event ID 1109 in Event Viewer, verify that the domain controller’s service packs are current and then repeat the procedure by starting over at step 1.

  13. Close Registry Editor.
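The registry and Event Viewer steps of the procedure above (steps 2 through 12), as an added PowerShell example that is not part of the original article. It assumes an elevated PowerShell session on the domain controller, run once in DSRM (Set-DatabaseRestoredFlag) and again after the normal-mode restart (Test-InvocationIdReset); the SAFEBOOT_OPTION guard and the 'Directory Service' log name are assumptions about Windows behaviour that the article itself does not state.

```powershell
# Added example (not from the original article): automates steps 2-12 of
# "restore a previous VHD without system state data backup".
$NtdsParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$CountName  = 'DSA Previous Restore Count'
$FlagName   = 'Database restored from backup'
$StateFile  = "$env:SystemDrive\dsa-restore-count-before.txt"

function Get-DsaPreviousRestoreCount {
    # Step 2: read the current count; an absent value means the default of zero.
    $props = Get-ItemProperty -Path $NtdsParams -Name $CountName -ErrorAction SilentlyContinue
    if ($null -eq $props) { return 0 }
    return [int]$props.$CountName
}

function Set-DatabaseRestoredFlag {
    # Steps 2-5: only while the DC is in DSRM, never after a normal-mode start.
    # Assumption: Windows sets SAFEBOOT_OPTION to DSREPAIR when booted into DSRM.
    if ($env:SAFEBOOT_OPTION -ne 'DSREPAIR') {
        throw 'Not in Directory Services Restore Mode; refusing to set the restore flag.'
    }
    $before = Get-DsaPreviousRestoreCount
    # Keep the pre-restore count so the post-restart check (step 12) can compare.
    Set-Content -Path $StateFile -Value $before
    # Create only the DWORD flag; never add or edit DSA Previous Restore Count itself.
    New-ItemProperty -Path $NtdsParams -Name $FlagName -PropertyType DWord -Value 1 -Force | Out-Null
    "Recorded $CountName = $before and set '$FlagName' = 1. Restart in normal mode (step 6)."
}

function Test-InvocationIdReset {
    # Steps 7-12, run after the domain controller has restarted in normal mode.
    $before = [int](Get-Content -Path $StateFile)
    $after  = Get-DsaPreviousRestoreCount
    # Assumption: the "Directory Services" log is registered as 'Directory Service'.
    $event = Get-WinEvent -FilterHashtable @{ LogName = 'Directory Service'; Id = 1109 } `
                 -MaxEvents 1 -ErrorAction SilentlyContinue
    $msg = if ($null -ne $event) { $event.Message }
           else { 'No Event ID 1109 found; verify service packs and repeat from step 1.' }
    [pscustomobject]@{
        CountBefore       = $before
        CountAfter        = $after
        Event1109Seen     = ($null -ne $event)
        InvocationIdReset = ($after -eq ($before + 1)) -and ($null -ne $event)
        Message           = $msg
    }
}
```

InvocationIdReset is true only when both checks from step 12 hold: the count increased by exactly one and Event ID 1109 was logged.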