Restore a Domain Controller from a Snapshot


Reverting a snapshot of an active Domain Controller can be risky and problematic.

If you are considering using this procedure it should be your very LAST option.  This is not a supported Microsoft procedure and use of it could cause fatal issues to Active Directory.
Reassess your environment and take the proper steps to ensure this recovery model doesn’t have to be used again.

Use at your own risk!

1)      Revert to your last known good snapshot

2)      Disable your network card so that it is unable to talk to the network

3)      Note the value of your Invocation Id

  • From a command prompt run the following command:
  • Repadmin /showrepl

4)      Reboot your Domain Controller and make sure you boot into Directory Services Restore Mode

5)      Stop the NTFRS service

6)      From a command prompt start Regedit

  • Drill down to HKLM – System – CurrentControlSet – Services – NTDS – Parameters
  • Set the RegKey “Database restored from backup” to 1
  • If this RegKey doesn’t exist, create it as a DWORD and set it to 1
  • If the RegKey DSA Previous Restore Count exists in the same path, note its value. Upon reboot it should increment by one. If it didn’t exist, it should be created and set to a value of 1.
  • Drill down to HKLM – SYSTEM – CurrentControlSet – Services – NtFrs – Parameters – Backup – Restore – Process
  • Modify the RegKey BurFlags to D2

7)      Reboot the server

8)      Log back in to the Domain Controller

  • Verify that the Invocation Id has changed
  • In the Event Log look for the Event Id 1109 (AD restored from backup)

9)      If both events in step 8 have occurred, enable the network card again
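
One way to script the checks in step 8 before re-enabling the network card, as an added example that is not part of the original procedure. It assumes Windows PowerShell with Get-WinEvent available and that Event Id 1109 is written to the "Directory Service" log; the parameter names and the function name are hypothetical.

```powershell
# Added example. Run in an elevated Windows PowerShell session on the restored
# DC after step 8, while the network card is still disabled.
param(
    [Parameter(Mandatory = $true)][guid]$OldInvocationId,  # value noted in step 3
    [int]$OldRestoreCount = 0                              # value noted in step 6 (0 if absent)
)

# repadmin /showrepl prints a line of the form "DSA invocationID: <GUID>"
function Get-InvocationId([string[]]$ShowReplOutput) {
    foreach ($line in $ShowReplOutput) {
        if ($line -match 'DSA invocationID:\s*([0-9a-fA-F-]{36})') { return [guid]$Matches[1] }
    }
    return $null
}

$newId     = Get-InvocationId (& repadmin /showrepl)
$idChanged = ($null -ne $newId) -and ($newId -ne $OldInvocationId)

# Only accept an Event Id 1109 written since the last boot, not one left over
# from an earlier restore. Log name is an assumption (see lead-in).
$os   = Get-WmiObject -Class Win32_OperatingSystem
$boot = [Management.ManagementDateTimeConverter]::ToDateTime($os.LastBootUpTime)
$evt  = Get-WinEvent -FilterHashtable @{ LogName = 'Directory Service'; Id = 1109; StartTime = $boot } `
            -MaxEvents 1 -ErrorAction SilentlyContinue
$eventSeen = $null -ne $evt

# "DSA Previous Restore Count" should be one higher than the value noted in step 6
$ntds    = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$count   = $ntds.'DSA Previous Restore Count'
$countOk = $count -eq ($OldRestoreCount + 1)

"Invocation Id changed : $idChanged (old $OldInvocationId, new $newId)"
"Event 1109 since boot : $eventSeen"
"Restore count         : $count (expected $($OldRestoreCount + 1)) -> $countOk"

# Step 9 depends on the two checks from step 8; the restore count is reported only.
if ($idChanged -and $eventSeen) {
    'Both step 8 checks passed; the network card can be re-enabled (step 9).'
    exit 0
}
'Step 8 checks FAILED: leave the network card disabled.'
exit 1
```

A non-zero exit code means at least one of the two step 8 checks did not pass, so the Domain Controller should stay off the network.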