HOWTO: Restore Active Directory to a different server

This HOWTO is a proof of concept to demonstrate a way to take an Active Directory environment on one server and restore it to a different server on an entirely different network.  The scenario in this example is we have a domain controller which has a number of other third party applications installed and we wish to migrate just the AD portion to a new dedicated Active Directory server in a separate environment.  Once completed, the old server will be permanently powered off.

We will have two systems, one called PRODDC1.  This is our production system hosting Active Directory and all of our other applications.  The second system is called initially NEWDC1.  This is a fresh copy of Windows 2012 R2 with no configuration of any kind, not even a hostname or IP assigned.  Crucially, these two systems are on isolated networks and cannot see each other.

On PRODDC1

• From Server Manager, installed the Windows Server Backup Feature
• Once installed, run Windows Server Backup and from the left menu choose Backup Once
• Choose Custom and select only System State

• The backups cannot be written to the local drive so write the backup either to a second drive (such as a E: drive) or to a network share

• Once completed, copy the backup files to a second network drive or network share accessible by the target system.  (Note the files will be likely at a minimum at least 15GB)

On NEWDC1

• In order to complete the restore, we have to boot the new system in Directory Services Restore Mode.  It turns out we can do this even if Active Directory Domain Services is not installed.  Open an administrative command prompt and type:

bcdedit /set safeboot dsrepair

shutdown –r –t 0

• Once booted, Install the Windows Server Backup feature from Server Manager, open and it choose Recover from the the menu
• Browse to wherever you saved the backup to and select it and restore only the System State

• Choose Perform an authoritative restore of Active Directory Files

• You will get a warning that restoring to different hardware is not supported.  We’ll give it a try anyway

• Once completed, the system will reboot automatically.  When it comes back up log in as a local user.  You’ll see a message that the backup was completed

• You will still be in Directory Services Restore Mode.  To end it, open an administrative command prompt and type:

bcdedit /deletevalue safeboot
shutdown –t -0 -r

• Once the system comes back up, log in with your domain admin account using the production password from your production system
• If you try to open any Active Directory components such as Users and Computers you’ll get this error message

• You’ll also find that the SYSVOL and NETLOGON folders are not shared.  To resolve, open regedit and browse to:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters

• You should find the SysvolReady entry is set to 0.  Modify this and change it to 1

• Open an administrative command prompt and type:

net stop netlogon

net start netlogon

• Try opening your Active Directory components now.  Everything should now work as expected.

Congratulations, you have successfully restored your Active Directory environment to a new server.