Active Directory: copy and restore. How to restore Active Desktop? Recovery active

What to do, and what dances with or without a tambourine are called for, if you see the message “Restore Active Desktop” on your desktop? Although fewer and fewer users run into this problem, since the main platform for this error is the Windows XP operating system, it is still relevant. After all, that system is still in use, although...

Why does desktop recovery fail?

The problem is this: due to some error, the desktop as we know it stops working, and along with our favorite background image we see the inscription “Restore Active Desktop”, which, you must agree, is unpleasant. It doesn’t seem all that scary, since a restore desktop button is right there. But I am seriously curious: has that button ever helped anyone? Even once?

The reasons why the desktop breaks are unknown to me; I didn't comb through the FAQs looking for an explanation. But I know how to solve the problem, and I think that is what you came here for, not for boring theory.

Methods to restore your desktop

The easiest way to restore Active Desktop is to log in as a local administrator and delete the problematic user's profile folder. If you are the administrator, you can create a new administrator account and, again, delete the folder of the problematic user. This folder is stored in c:\users. Then log in again with the problematic account. The profile folder will be recreated, and since it is created by copying the Default folder, there will be nothing wrong with it. The Default folder is the template from which all new user profiles are created, so it contains nothing from the user: no settings, no documents, no saved passwords, nothing that accumulates during the life of an account. That is why this is the easiest way to solve the problem. The flip side of that ease is that all your settings are wiped. If that suits you, go ahead.

There is also a more laborious solution, but it lets you not only restore the desktop but also keep all your settings. To do this, open the Registry Editor and go to the branch
hkey_current_user\software\microsoft\internet explorer\desktop\scheme
There we find the Display parameter; its value will be savemode. This parameter tells the system that there is an error related to the desktop and that this very safe mode needs to be turned on, which is exactly the screen with the error. We don't need that screen, so we clear this parameter.

After that, go to the folder
c:\documents and settings\%user%\appdata\microsoft\internet explorer\
and delete the file desktop.htt. It may happen that the file is not visible there. In that case, remove all restrictions on showing hidden and system files in this folder; this can be done from the command line using a command or, for example, with a program such as Total Commander. Once we find the file, we delete it. Incidentally, the file can be deleted directly from the command line, since we know the full path to it; use the del command for that.

After all this, update the desktop. If the actions are performed correctly, the error screen about the need to restore the Active Desktop will disappear. Good luck!

UPDATE: The solution to the problem is for the laziest: try simply selecting any image as your desktop background. Sometimes such a simple action gives the very desired result.

Active Directory in Windows Server 2008

There should be more than one domain controller; this is the golden rule that must be followed in all medium and large organizations. With several controllers the recovery principle changes significantly; let's try to understand why. Imagine you have two domain controllers named DC1 and DC2 (controllers of the same domain). Both have an identical Active Directory database, and if you change it on one, the change automatically appears on the other: this is the replication process.

Now let's decide on the backup schedule:

Sunday - full backup of the system partition (described in the first part of the article)

Monday - Saturday - system state (systemstate) backup (described in the first part of the article)

Everything was fine, but on Thursday the DC1 domain controller stopped working because of a problem. You have several ways to restore the controller; let's look at them.

  • The first way: restore the systemstate backup made on Wednesday. To do this you need to start the controller in DSRM (Directory Services Restore Mode) and use Windows Server Backup to restore the state. But for this the controller must be able to boot into DSRM, and that may not be possible.
  • The second way: if the controller will not boot into DSRM, recovery begins by restoring the system partition from the archive created on Sunday. After you restore DC1 from this archive, the computer boots normally again.

In both cases we end up with two controllers whose Active Directory databases are not synchronized: DC1 has the database as it was on the day of the backup, and DC2 has the current, newest version.

Which version will take precedence?

If you carry out the recovery the way I described in the first part of the article, priority goes to the controller that kept working, in our case DC2. Everything in Active Directory on DC1 after the recovery will be updated to the state of DC2. This method is called a non-forced (non-authoritative) restore.

Or maybe we can do without Windows Server Backup?

Recently I came across the position of a Microsoft employee who, when asked how to restore a domain controller, answered “Why?” At first I wondered whether he was joking, but then his arguments became clear to me. The idea goes like this. In medium-sized organizations there are usually 3, 4, 5 or more domain controllers, and the chance of losing them all at once is close to zero. To cover that chance, we back up only two of them: the controller or controllers that own the FSMO roles and are of particular value. All the others just live their lives, and if one fails we simply install a new OS and promote a new domain controller; it should be noted that in terms of time the two procedures are equivalent.

There may be a desire to stop making copies altogether: maybe we won’t lose everything, and the FSMO roles can be seized if needed. That desire is thoroughly harmful, and here's why. Loss of Active Directory objects is not only the accidental deletion of a user. You can accidentally wipe out an organizational unit with all its contents with a script, and you will not be able to simply bring it back from the Deleted Objects container in its original form. The change has already been replicated, and every controller knows about the deletion. In this situation you will need a backup copy.

Follow the rule - “There are no extra backups”

Replication priority

Since a standard restore replicates Active Directory from the working controllers to the “repaired” controller, this method will not work for us. We need to force the replication priority to change and replicate information from the restored controller to the rest. This is called a forced (authoritative) restore.

In Windows Server 2003 we could perform a forced restore in three ways:

    forced restore of the entire database;

    forced restore of an organizational unit with its contents;

    forced restore of a single object.

This was done using the ntdsutil utility. In Windows Server 2008 the ntdsutil utility remains, but we can no longer forcibly restore the entire database. Only an organizational unit with its contents, or a single object, can be restored forcibly.

Therefore we must always know which objects have been deleted. Naturally, you can't keep such information in your head. For this purpose the Active Directory database mounting tool was created in Windows 2008.

The Active Directory database mounting tool is designed to improve, and specifically to simplify, the directory service recovery process. In Windows 2003, if we had many archives and did not know which one contained the information needed for recovery, we had to play roulette, restoring one archive after another and checking its contents.

In Windows 2008 the situation changes. Using the database mounting tool we can view the contents of the database at a particular point in time.

Unfortunately, we cannot view the contents of AD for any moment of interest, only for the moments when a snapshot was created. I'll say right away that this snapshot is not the kind of snapshot we are used to in VMware. It contains information about which objects were present in the database, but it takes no part in restoring those objects.

From the above we can conclude:

In order to have an accurate picture of the contents of a backup, a snapshot must be created before it. The text of the batch file that is run before creating a backup should be as follows:

ntdsutil.exe "activate instance NTDS" snapshot create quit quit

The finished batch file can be downloaded “here”. Make sure the snapshot has finished before starting the backup.
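As an added example (not the article's batch file), the same step in PowerShell: it refuses to start the backup unless ntdsutil actually reports the snapshot as generated, and records the snapshot GUID. The backup target drive is an assumption.

```powershell
# Added example, not the article's batch file. Creates an Active Directory
# snapshot, confirms ntdsutil reported success, and only then starts the
# system state backup with wbadmin (Windows Server 2008+, run elevated on the DC).
param(
    [string]$BackupTarget = 'E:'   # assumption: the volume that holds backups
)

function New-AdSnapshot {
    # On success ntdsutil prints "Snapshot set {GUID} generated successfully."
    $output = & ntdsutil.exe 'activate instance ntds' snapshot create quit quit 2>&1 | Out-String
    if ($LASTEXITCODE -ne 0 -or $output -notmatch 'generated successfully') {
        throw "Snapshot creation failed:`n$output"
    }
    # Return the snapshot set GUID so it can be logged alongside the backup.
    if ($output -match '\{[0-9a-fA-F-]{36}\}') { return $Matches[0] }
    throw "ntdsutil reported success but printed no snapshot GUID:`n$output"
}

function Start-SystemStateBackup {
    param([string]$Target)
    # -quiet suppresses the interactive confirmation; wbadmin blocks until it finishes.
    & wbadmin.exe start systemstatebackup "-backupTarget:$Target" -quiet
    if ($LASTEXITCODE -ne 0) { throw "wbadmin exited with code $LASTEXITCODE" }
}

# Order matters: the snapshot must exist before the backup it describes.
$snapshotId = New-AdSnapshot
Write-Host "Snapshot $snapshotId created at $(Get-Date -Format s); starting system state backup"
Start-SystemStateBackup -Target $BackupTarget
```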

Fig. 1. Creating an Active Directory snapshot

The process of forced domain controller recovery using the system state (systemstate)

The background: one of the administrators deleted the “BetaTesters” organizational unit, which contained one or more accounts; we don't know this for sure. The deletion has already been replicated to all domain controllers. We have several systemstate archives from previous days, and we do not know exactly when the organizational unit was deleted.

    First, we need to choose which system state to restore. We do not know the date of the deletion, so we will use the snapshots that are created shortly before each backup. Having launched the ntdsutil utility, we look at the list of snapshots of our AD.

    Fig. 2. Viewing available Active Directory snapshots

    To do this, on the command line we type ntdsutil -> snapshot -> Activate Instance NTDS -> list all. As a result we get the list of created Active Directory snapshots. The first snapshot was taken on April 13th; that's where I'll start.

    There I mount the first Active Directory snapshot with the mount command, substituting its identifier. An example is in Figure 3. After this operation you will have a directory on drive C: called $SNAP_date. Going into it, you will see the structure of your system disk at the time the copy was created.

    Fig. 3. Mounting an Active Directory snapshot

    The snapshot is mounted. I open a second command line window and run the dsamain utility. We execute a clever command that exposes the snapshot as an LDAP server. In the command, specify the path to the ntds.dit file in the mounted snapshot and the LDAP server port (I recommend 50001).

    Fig. 4. Using dsamain

    Without closing the window, launch the “Active Directory Users and Computers” snap-in and choose to connect to another domain controller.

    Fig. 5. Changing the domain controller

    In the dialog that appears, enter the connection as “Server name:port specified in dsamain”; in my situation it is “DC:50001”.

    Fig. 6. Selecting the LDAP server

    Clicking “OK” takes us to the “Active Directory Users and Computers” snap-in, which now shows read-only data as of the time the Active Directory snapshot was created. I find the organizational unit “BetaTesters” and the user “Rud Ilya” in it. The conclusion: since the snapshot created on April 13 still contains the deleted organizational unit, we need to restore the system state from April 13.

    Fig. 7. Viewing AD snapshot information

    Before you reboot into Directory Services Restore Mode, be sure to unmount the snapshot. This is done with the unmount command and the snapshot identifier.

    Fig. 8. Unmounting a snapshot
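The search in the steps above, done by hand for one snapshot, as an added PowerShell example (not the article's code) that generalizes it: every snapshot is mounted, exposed with dsamain on the recommended port, queried over LDAP for the deleted OU, then unmounted. The OU's distinguished name, the default NTDS file location inside the snapshot and the 15-second startup wait are assumptions.

```powershell
# Added example, not from the article. Walks every AD snapshot, newest first,
# mounts it, starts dsamain on an alternate LDAP port, checks whether the
# deleted OU still exists there, then stops dsamain and unmounts. Run elevated
# on the domain controller (Windows Server 2008+).
param(
    [string]$OuDn  = 'OU=BetaTesters,DC=domain,DC=local',  # assumption: the deleted OU
    [int]$LdapPort = 50001                                  # port the article recommends
)

function Invoke-Ntdsutil {
    # Runs ntdsutil non-interactively; each argument is one ntdsutil command.
    param([string[]]$Commands)
    & ntdsutil.exe @Commands 2>&1 | Out-String
}

function Get-AdSnapshots {
    # "list all" prints "1: 2010/04/13:12:00 {set-GUID}" for a snapshot set and
    # "2: C: {GUID}" for each volume in it; only the dated set lines are wanted.
    $text = Invoke-Ntdsutil @('snapshot', 'activate instance ntds', 'list all', 'quit', 'quit')
    $pattern = '^\s*\d+: (\d{4}/\d{2}/\d{2}:\d{2}:\d{2}) (\{[0-9a-fA-F-]{36}\})'
    [regex]::Matches($text, $pattern, 'Multiline') |
        ForEach-Object { [pscustomobject]@{ Taken = $_.Groups[1].Value; Id = $_.Groups[2].Value } }
}

function Test-OuInSnapshot {
    param([string]$SnapshotId, [string]$Dn, [int]$Port)
    # Mount prints "Snapshot {GUID} mounted as C:\$SNAP_..._VOLUMEC$\".
    $mountOut = Invoke-Ntdsutil @('snapshot', 'activate instance ntds', "mount $SnapshotId", 'quit', 'quit')
    if ($mountOut -match 'mounted as (\S+)') { $root = $Matches[1].TrimEnd('\') }
    else { throw "Mount failed:`n$mountOut" }
    # Assumes the default NTDS location inside the mounted system volume.
    $dit = Join-Path $root 'Windows\NTDS\ntds.dit'
    # dsamain stays in the foreground, so run it as a separate process.
    $dsamain = Start-Process dsamain.exe -ArgumentList "-dbpath `"$dit`" -ldapport $Port" -PassThru
    try {
        Start-Sleep -Seconds 15   # assumption: enough time for the LDAP listener to come up
        $entry = [adsi]"LDAP://$($env:COMPUTERNAME):$Port/$Dn"
        try   { $null = $entry.NativeObject; return $true }   # bind succeeded: OU present
        catch { return $false }                               # no such object in this snapshot
    }
    finally {
        Stop-Process -Id $dsamain.Id -Force -ErrorAction SilentlyContinue
        $null = Invoke-Ntdsutil @('snapshot', 'activate instance ntds', "unmount $SnapshotId", 'quit', 'quit')
    }
}

# The newest snapshot that still holds the OU is the system state to restore from.
foreach ($snap in Get-AdSnapshots | Sort-Object Taken -Descending) {
    $present = Test-OuInSnapshot -SnapshotId $snap.Id -Dn $OuDn -Port $LdapPort
    Write-Host ("{0}  {1}  OU present: {2}" -f $snap.Taken, $snap.Id, $present)
    if ($present) { break }
}
```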

    Now we are ready to reboot one of the domain controllers into Directory Services Restore Mode. I wrote about how to do this in the first part of the article. Note that when logging in to DSRM you must use the DSRM administrator account, not a domain administrator.

    Fig. 9. Logging in to DSRM. Specify Computer_Name\Administrator

    Fig. 10. List of system states (SystemStates)

    We need to restore the system state from April 13th, so the command will be: wbadmin start systemstaterecovery -version:archive_creation_time

    Fig. 12. The system state restore in progress

    Each Active Directory object has a version number, and if two controllers hold different version numbers for the same object, the correct (newer) object is the one with the higher version. After the recovery process completes, you need to run the ntdsutil utility and raise the version number for the deleted Active Directory branch, that is, for our container.

    This is done as follows: ntdsutil -> Activate Instance NTDS -> Authoritative restore -> restore subtree “what should be restored forcibly”. An example is in Figure 13.

    Fig. 13. Selecting what will be restored forcibly

Result: We forcibly restored the organizational unit with all its contents using system state and Active Directory snapshots. In Windows Server 2008, we can force restore either organizational units with all content or specific objects. The “restore database” command from ntdsutil has been removed, so we will not be able to forcefully restore the entire Active Directory database.

If you are restoring a domain controller from an archive of its system disk and want to achieve a forced restore of some part of AD, then immediately after the restore, without letting the controller boot in normal mode, enter Directory Services Restore Mode and use ntdsutil to indicate which part of AD is to be restored forcibly.

Material provided by resource

It is assumed that you have a backup of the domain controller.

Backup is done with the ntbackup utility (for Windows 2000/2003) or with the backup utility in Windows 2008/2008 R2. For the restore to be possible, the System State option must have been checked when archiving.

If archiving was done by third-party utilities, you need to refer to the help of these utilities for recovery.

Performing a traditional (non-authoritative) Active Directory restore

This restore returns all objects to their state at the time of the AD backup.

  1. Reboot the computer and press F8 to enter Directory Services Restore Mode.
  2. Run the NTDSUtil utility. At the ntdsutil prompt, type files and press Enter.
  3. At the file maintenance prompt, run the Header command and read information about the most recently created backups. Information about your backup should be contained in the Previous Full Backup paragraph.
  4. Issue the Quit command twice to exit the NTDSUtil utility.
  5. Run the ntbackup utility. Follow the Advanced Mode link and in the Backup Utility window, go to the Restore and Manage Media tab.
  6. On the Restore and Manage Media tab, expand the node of the backup you created and check the box next to the System State line, and then click on the Start Restore button. Click OK on the warning window. In the Confirm Restore window, click on the Advanced button and review the options in the Advanced Restore Options window. Close the Advanced Restore Options window and click OK in the Confirm Restore window.
  7. After the restore process is complete, restart the computer normally.

Restore that lets you recover individually deleted Active Directory objects

1. Reboot the domain controller, press F8 to enter Directory Services Restore Mode, and perform a complete restore of the domain controller in the same way as in the previous case, but do not reboot after the restore completes.

2. Run the NTDSUtil utility and enter authoritative restore at the ntdsutil prompt. Press Enter.

3. At the authoritative restore prompt, type a question mark and press Enter. Read the list of available commands for this mode.

4. At the authoritative restore prompt, enter the command

restore subtree OU=User_OU,DC=Domain,DC=local

where OU=User_OU is the name of the container to be restored and DC=Domain,DC=local is your domain name.

5. Click Yes in the confirmation window.

6. Run the quit command twice to exit NTDSUtil, and then restart your computer normally.

7. Force replication with other domain controllers and ensure that the User_OU organizational unit with all sub-objects is restored on both domain controllers.
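Both procedures above (the Windows Server 2008 system state restore and the seven ntbackup-era steps) end with the same ntdsutil authoritative restore. As an added PowerShell example (not from the article) for Windows Server 2008, this runs that tail in DSRM: it refuses to run if AD is still started, restores only a version that wbadmin actually lists, marks the subtree authoritative and checks the record count. The version string and the OU distinguished name are assumptions.

```powershell
# Added example, not from the article. Runs the DSRM part of the forced restore
# on Windows Server 2008+: restore a system state version, then mark one OU
# subtree authoritative so its objects win replication over the deletion.
# Log on with the DSRM administrator and run elevated.
param(
    [string]$Version   = '04/13/2010-01:00',                  # assumption; see "wbadmin get versions"
    [string]$SubtreeDn = 'OU=BetaTesters,DC=domain,DC=local'  # assumption: the deleted OU
)

function Assert-DsrmBoot {
    # In DSRM the NTDS service is stopped; refuse to continue in normal mode.
    $ntds = Get-Service -Name NTDS -ErrorAction SilentlyContinue
    if ($ntds -and $ntds.Status -eq 'Running') {
        throw 'Active Directory is running: reboot into Directory Services Restore Mode first.'
    }
}

function Restore-SystemStateVersion {
    param([string]$Id)
    # Only restore a version identifier wbadmin itself lists (MM/DD/YYYY-HH:MM).
    $known = & wbadmin.exe get versions 2>&1 | Out-String
    if ($known -notmatch [regex]::Escape($Id)) { throw "Version $Id not found:`n$known" }
    & wbadmin.exe start systemstaterecovery "-version:$Id" -quiet
    if ($LASTEXITCODE -ne 0) { throw "System state recovery failed with code $LASTEXITCODE" }
}

function Set-SubtreeAuthoritative {
    param([string]$Dn)
    # Raises the version numbers of every object under $Dn. ntdsutil still shows
    # its Yes/No confirmation dialog; on success it prints "Successfully updated N records."
    $out = & ntdsutil.exe 'activate instance ntds' 'authoritative restore' `
        "restore subtree $Dn" quit quit 2>&1 | Out-String
    if ($out -match 'Successfully updated (\d+) records') { return [int]$Matches[1] }
    throw "Authoritative restore failed:`n$out"
}

Assert-DsrmBoot
Restore-SystemStateVersion -Id $Version
$count = Set-SubtreeAuthoritative -Dn $SubtreeDn
Write-Host "$count objects marked authoritative. Reboot normally, then run: repadmin /syncall /AdeP"
```

After the normal reboot, repadmin /syncall pushes the raised version numbers to the other controllers so the restored OU overwrites the deletion everywhere.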


  • Active Directory database and transaction logs;
  • system and startup files protected by Windows;
  • domain controller system registry;
  • all DNS zone information integrated with Active Directory;
  • Sysvol folder;
  • COM+ class registration database;
  • certificate service database (if domain controller is also a certificate service server);
  • cluster service information;
  • Microsoft Internet Information Services (IIS) metabase (if IIS is installed on the computer).

All of these components must be backed up and restored together because of their tight integration. For example, if a certificate was issued by the Certificate Services server to an Active Directory object, then both the Certificate Services database (which records that the certificate was created) and the Active Directory object (which records that the certificate was assigned to it) must be saved together.

Backup programs can make different types of backups: normal, incremental, differential and so on. A backup of a domain controller's system state is always a normal backup, in which all files belonging to the System State are copied and marked as copied.

The general practice is that all domain controllers should take part in a regular backup cycle. One exception can be made if you have multiple domain controllers in the same office. In that case you can use a domain controller recovery procedure in which a new domain controller is first installed and its directory is then populated by replication. Even in this scenario, however, you should back up at least some of your domain controllers in case a disaster takes out all the domain controllers in the office. In either case, you must back up the operations master.

Another issue to consider with domain controller backup is its frequency. Active Directory requires that a backup be no older than the tombstone lifetime. By default the tombstone lifetime is 60 days. The reason for this limit lies in the way Active Directory uses tombstones. When an object is deleted, it is not actually removed from the directory until the tombstone lifetime expires. Instead, the object is marked as a tombstone and most of its attributes are stripped. The tombstone is then replicated to all other domain controllers. Once the tombstone lifetime has expired, the object is finally removed from the directory on each domain controller. If you restore a domain controller from a backup older than the tombstone lifetime, you may end up with directory information that is inconsistent between domain controllers. Say a user was deleted from the directory one day after the backup was created, and the corresponding tombstone remained in the directory for 60 days. If the backup were restored to a domain controller more than 60 days after the object became a tombstone, the restored domain controller would have that user object, and since the tombstone no longer exists, the domain controller would not delete it. In that scenario the restored domain controller would hold a copy of an object that exists in no other directory replica. For this reason the backup and restore software refuses attempts to restore a directory from a backup kept longer than the tombstone lifetime.

Although the tombstone lifetime places a hard upper limit on the backup interval, it is clear that domain controllers should be backed up much more often than every 60 days. There will be many problems if you restore a domain controller from a backup older than a couple of days. Because Active Directory recovery involves restoring all system state information, all of it is returned to its earlier state. If the server is also a Certificate Services server, any certificates issued after the backup was created will be missing from the Certificate Services database. If drivers have been updated or new applications installed, they will not work because the system registry is rolled back to its previous state. Almost all companies have a backup schedule in which some servers are backed up every night; domain controllers must be included in that schedule.

Recovery process

There are two reasons why you may need to restore Active Directory [13].

  • The first reason arises when the database becomes unusable because one of the domain controllers has suffered a hard drive failure or the database has become so corrupted that it can no longer be loaded.
  • The second reason arises when, by mistake, someone deletes an organizational unit containing several hundred user and group accounts. In this case it is better to restore the information than to re-enter it.

If you plan to restore Active Directory because the database on one of the domain controllers is no longer usable, then the following two process options are available [13].

  • The first option is not to restore Active Directory on the failed server at all, but to create another domain controller by promoting another server running Windows Server 2003 to a domain controller. This restores the functionality of a domain controller rather than the Active Directory service on the specific domain controller.
  • The second option is to recover the failed server and then restore the Active Directory database on it. In this case the restore is non-authoritative: the Active Directory database is restored to the domain controller, and then any changes made to Active Directory since the backup was created are replicated to the restored domain controller.

If you plan to restore Active Directory because someone has deleted a large number of objects from the directory, then you must restore the Active Directory database on one of the domain controllers using a backup that contains the deleted objects. You then need to do an authoritative restore, which marks all recovered data so that it is replicated to all other domain controllers, overwriting the deleted information.

To restore Active Directory, you must back up the system state data [4], [6]: the registry, the COM+ registration database, system boot files, and the certificate services database (if the server is a certificate services server). When you restart the computer in Directory Services Restore Mode, you must log on as an administrator using the correct Security Accounts Manager (SAM) account name and password. You cannot use an Active Directory administrator account, since Active Directory services are not running and cannot be used to authenticate the account; authentication is done against the local SAM account database.
