Operational Defect Database

BugZero found this defect 2977 days ago.

Veeam | kb2119

Restoring Domain Controller from an Application-Aware backup

Last update date:

10/10/2022

Affected products:

Veeam Backup & Replication

Veeam Agent for Microsoft Windows

Affected releases:

ALL

Fixed releases:

No fixed releases provided.

Description:

Challenge

This article documents Domain Controller restore scenarios and the steps required for a proper DC recovery. Depending on the scenario, additional steps may be required to complete a DC restore.

Note regarding restore of a DC VM backed up with Veeam Backup & Replication: All scenarios below assume that, if the DC was a VM backed up using Veeam Backup & Replication, application-aware processing was enabled during backup. When application-aware processing is enabled for a DC VM backed up by Veeam Backup & Replication, the post-restore boot procedure is modified so that the DC restores into a non-authoritative state.

For restores of a Domain Controller backed up using Veeam Agent for Microsoft Windows: Veeam Agent for Microsoft Windows modifies the post-restore boot procedure regardless of the application-aware setting. This means that restoring a DC backed up using Veeam Agent for Microsoft Windows always results in the restored DC booting into a non-authoritative state.

Solution

Whenever you’re about to restore a DC, first determine whether a non-authoritative restore is sufficient or if you need to perform additional steps for an authoritative restore. The difference between the two restore types is that when performing a non-authoritative restore, the DC understands that it was out for a while and allows the other DCs in the domain to update its database with the changes that occurred while it was down. With an authoritative restore, the DC claims itself as the only one with correct information and a valid database, and it authoritatively updates other DCs with its data.

More Information

Restoring from very old Domain Controller restore points can have side effects due to Kerberos certificate updates and related trusts (check the event logs of the restored server). See also: KB2226.

In situations where data from very old restore points is needed, it is advisable to use Veeam Explorer for Active Directory for granular item-level AD restore methods. Check out the "compare" feature in the Active Directory Explorer.


Status

Solved
