Platform SDK: Active Directory, ADSI, and Directory Services

Restoring Active Directory

Active Directory must be restored offline. The system must be rebooted in Directory Services Restore mode. In this mode, the operating system is running without Active Directory and all user validation occurs through the Security Accounts Manager (SAM) in the registry. To restore Active Directory, you must be a local administrator on the DC being restored.

The caller of the restore functions must have the SE_RESTORE_NAME privilege. You can use the DsSetAuthIdentity function to set the security context under which the directory backup/restore functions are called.

Note that when you restore Active Directory, you must also restore the other system state components.

To restore Active Directory from backups

  1. Call the DsIsNTDSOnline function to determine if Active Directory is running. If Active Directory is running, the application must fail the restore attempt.
  2. Call the DsRestorePrepare function to get a backup context handle.
  3. Call the DsRestoreGetDatabaseLocations function to determine the directories where the files are to be restored. If this function fails, restore the data to the original backup source directory, that is, the directory from which the data was backed up.
  4. Once the restore is complete, call the DsRestoreRegister function to specify which database and which log files were restored.
  5. Use standard Win32 functions to restore the files. First, delete all files in the destination directory; then copy the backup files to the destination directory.
  6. Call the DsRestoreRegisterComplete function to indicate that the restore has been completed.
  7. Call the DsRestoreEnd function to release any resources associated with the context.

After a restore in Directory Services Restore mode, the domain controller should be rebooted in normal mode. When the directory service starts, the domain controller will perform the normal consistency check and the restored directory will then be online.

Note that "restoring" an Active Directory is always a two-part operation. Part one is to restore the database up to the point in time when the backup was taken and not beyond. Part two is to replicate the directory, where the newly restored DSA replicates post-backup updates from other DSAs in the domain/enterprise.

Any Windows 2000® server that contains a replica of the Windows 2000® directory service is a domain controller (DC).

The DsRestoreRegister function adds a "Restore In Progress" key to the registry. If you commit the system hive of the registry after calling DsRestoreRegister, you need to move this key from the running hive to the restored hive. You can avoid this step by committing the system hive just before calling the DsRestore functions.