How to Perform a Nonauthoritative Restore of Active Directory in Windows Server 2012 R2

How can I restore Active Directory in Windows Server 2012 R2?

A nonauthoritative restore of Active Directory (AD) is the default restore mode for Windows Backup and most third-party backup utilities. It is commonly used in cases where there has been a hardware or software failure on the server, or where Active Directory must be restored and then updated by authoritative versions of the AD database running on other domain controllers (DCs) in the forest. Any needed updates to AD on the restored DC are automatically replicated once the restore operation has completed.

Perform a Nonauthoritative Restore

Log on to the DC that you want to restore with a domain administrator account:

  • Open a command prompt using the blue PowerShell icon on the desktop taskbar, or from the Start screen.
  • In the PowerShell console window, type bcdedit /set safeboot dsrepair and press Enter.
  • Reboot the server and it will start in Directory Services Restore Mode (DSRM). You can do this quickly from the command prompt by typing shutdown -t 0 -r and pressing Enter.

Wait a few minutes for the DC to reboot. You can log on locally or remotely, but remember that you will need to supply the DSRM password you set when promoting the server to a DC. The username for DSRM is administrator. If the server is booted in safe mode, this will be displayed on the desktop.

  • Open a command prompt again using the blue PowerShell icon on the desktop taskbar, or from the Start screen.
  • In the PowerShell console, type wbadmin get versions to show the available backups. The latest backup will be shown last in the list. Make a note of the version identifier for the backup you want to use for recovery, as it will be needed in the next step.
  • Now type wbadmin start systemstaterecovery -version:12/23/2013-10:40 and press Enter, replacing the date and time with the version identifier for the backup that you want to restore.
  • Answer Yes when prompted to confirm the restore operation.
  • You will be prompted to confirm again; answer Yes.

Wait for the recovery process to finish; it may take some time. You’ll be able to see the progress in the PowerShell console.

  • Reboot the system when prompted.
  • Log back on using the DSRM password and you’ll see a command prompt dialog confirming that the system state recovery operation completed successfully. Press Enter to continue.
  • Open a command prompt again using the blue PowerShell icon on the desktop taskbar, or from the Start screen.
  • Type bcdedit /deletevalue safeboot and press Enter to remove the DSRM setting from the boot.ini file.
  • Type shutdown -t 0 -r and press Enter to restart the system and boot back to an operational domain controller.
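
The version-selection step in the procedure above (list the backups with wbadmin get versions, then note the version identifier), as an added PowerShell example that is not part of the original article: it parses the listing, keeps only backups that can recover System State, and prints the recovery command for the newest one instead of running it. The function name, the $Before cutoff parameter and the sample listing are assumptions made for illustration.

```powershell
# Added example, not from the original article. Field labels assume English wbadmin output.
function Get-SystemStateBackupVersion {
    param([string[]] $WbadminOutput,
          [datetime] $Before = [datetime]::MaxValue)  # $Before: hypothetical cutoff
    $entries = @()
    $entry   = @{ VersionId = $null; CanRecover = '' }
    foreach ($line in $WbadminOutput) {
        if ($line -match '^\s*Backup time:') {
            # New backup record: store the previous one, if any.
            if ($entry.VersionId) { $entries += [pscustomobject]$entry }
            $entry = @{ VersionId = $null; CanRecover = '' }
        } elseif ($line -match '^\s*Version identifier:\s*(\S+)') {
            $entry.VersionId = $Matches[1]
        } elseif ($line -match '^\s*Can recover:\s*(.+)$') {
            $entry.CanRecover = $Matches[1]
        }
    }
    if ($entry.VersionId) { $entries += [pscustomobject]$entry }

    $entries |
        Where-Object { $_.CanRecover -match 'System State' } |
        ForEach-Object {
            # Identifier format: MM/DD/YYYY-HH:MM, e.g. 12/23/2013-10:40.
            $taken = [datetime]::ParseExact($_.VersionId, 'MM/dd/yyyy-HH:mm',
                                            [cultureinfo]::InvariantCulture)
            $_ | Add-Member -NotePropertyName Taken -NotePropertyValue $taken -PassThru
        } |
        Where-Object { $_.Taken -lt $Before } |
        Sort-Object Taken |
        Select-Object -Last 1
}

# Constructed sample; on the DC use:  $out = wbadmin get versions
$out = @'
Backup time: 12/21/2013 10:40 AM
Version identifier: 12/21/2013-10:40
Can recover: Volume(s), File(s), Application(s), Bare Metal Recovery, System State

Backup time: 12/23/2013 10:40 AM
Version identifier: 12/23/2013-10:40
Can recover: Volume(s), File(s), Application(s), Bare Metal Recovery, System State

Backup time: 12/24/2013 9:15 AM
Version identifier: 12/24/2013-09:15
Can recover: Volume(s), File(s)
'@ -split "`r?`n"

$pick = Get-SystemStateBackupVersion -WbadminOutput $out
if ($pick) { "wbadmin start systemstaterecovery -version:$($pick.VersionId)" } else { Write-Warning 'No backup that can recover System State was found.' }
```

With the constructed listing, the newest entry is skipped because it cannot recover System State, so the printed command uses 12/23/2013-10:40.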