Which Active Directory backup to Restore?


We know that backups are essential for Active Directory and need to be restored during a disaster. Before this article turns to which of the previous backups to restore, it is essential to understand that Active Directory recovery can be very easy or complex, depending on the size of your infrastructure and the way it is deployed, and that some restoration methods may fix one problem but create additional ones. Therefore, it is extremely important to plan Active Directory recovery well and to seek expert advice as necessary.

Some of the common Active Directory issues that can be resolved by restoring backups are:

  • User Deletion / Group deletion
  • Complete Domain or Forest breakdown
  • SYSVOL corruption

Now let us assume that a user object was modified or deleted, and you need to authoritatively restore it. There could be multiple backups, and restoring each one of them to see whether it contains the Active Directory object in the state you need takes a long time.

Therefore, mount the Active Directory backup using DSAMAIN, compare the current state with the backup state, and then restore the backup as needed.

In the screenshot below, I have created a new folder, AD_Backup, stopped the NTDS service and copied the NTDS.DIT file to the backup folder.


We now have a fully functional backup of Active Directory. Let us assume that some user objects have been deleted from Active Directory, and before we go ahead with restoring, let us mount the backup on another port.

dsamain.exe is the command-line utility for this. The command to mount a backup NTDS.DIT is:

dsamain /dbpath <path-of-NTDS.DIT-file> /ldapPort <TCP-Port-Number>


In the screenshot above, I have mounted the previously taken backup on TCP port 1234. Note that, for practical purposes, LDAP traffic can now also be sent to TCP 1234, which means you can run LDAP queries against this port. Let us now compare.

Launch the Active Directory Users and Computers snap-in, right-click the domain name and select “Change Domain Controller”.


In this example, localhost:1234 hosts the alternate LDAP service that we need to connect to.

We now see that the backup contains user objects that were deleted after the backup was taken. We can now authoritatively restore this backup.


The changes and the port number that ADUC is connected to are highlighted in yellow. This option can be very helpful in most scenarios.
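The same comparison can be scripted rather than done by eye in ADUC. The PowerShell below is an added example, not part of the original article: it queries the mounted backup on localhost:1234 (the port used above) and the live directory, assumed here to answer on localhost:389 on the same server, and lists users that exist only in the backup or whose distinguished name has changed. The function name Get-UserTable is hypothetical.

```powershell
# Added example. Assumptions: dsamain serves the backup on localhost:1234
# (port from this page); the live DC answers on localhost:389.
function Get-UserTable {
    param([Parameter(Mandatory)][string]$Server)    # "host:port"

    # RootDSE names the domain partition served by this LDAP instance.
    $rootDse = [ADSI]"LDAP://$Server/RootDSE"
    $baseDn  = [string]$rootDse.Properties['defaultNamingContext'][0]

    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]"LDAP://$Server/$baseDn"
    $searcher.Filter     = '(&(objectCategory=person)(objectClass=user))'
    $searcher.PageSize   = 500    # paged search, so large domains are not truncated
    $searcher.PropertiesToLoad.AddRange([string[]]@('objectGUID', 'distinguishedName', 'sAMAccountName'))

    $table   = @{}
    $results = $searcher.FindAll()
    try {
        foreach ($r in $results) {
            # objectGUID survives renames and moves, so it is the join key.
            $guid = ([guid]::new([byte[]]$r.Properties['objectguid'][0])).ToString()
            $table[$guid] = [pscustomobject]@{
                Guid = $guid
                Name = [string]$r.Properties['samaccountname'][0]
                DN   = [string]$r.Properties['distinguishedname'][0]
            }
        }
    } finally { $results.Dispose() }
    $table
}

$backup = Get-UserTable -Server 'localhost:1234'
$live   = Get-UserTable -Server 'localhost:389'

# In the backup but not returned by the live search: deleted since the backup.
$missing = $backup.Values | Where-Object { -not $live.ContainsKey($_.Guid) }
# In both, but under a different DN: renamed or moved since the backup.
$moved = $backup.Values |
    Where-Object { $live.ContainsKey($_.Guid) -and $live[$_.Guid].DN -ne $_.DN }

"Users only in backup: $(@($missing).Count)"
$missing | Sort-Object DN | Format-Table Name, DN -AutoSize
"Users renamed or moved: $(@($moved).Count)"
$moved | Sort-Object DN | Format-Table Name, DN -AutoSize
```

Running it against each candidate backup in turn shows which one still holds the objects you need before you commit to an authoritative restore.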

