Restoring all domain controllers in a Windows domain (on vmware)

In a smaller environment (35 workstations), with not a lot of new activity, what causes a trust relationship to get lost - are they renewed every few days or something?  Or would the only ones lost be those of any new PCs added to the domain?

I did this recently mid day in a HUGE environment after someone blew it up. 100’s of VM’s and file servers were not accessible and critical infrastructure was all down.(stressful)

1. YES make hosts files. Have EVERY Veeam server or other server you will need in it, Proxies, storage, Veeam server, SQL server, ESXI host, vCenter, file shares etc. I now have an updated copy in multiple spots if it happens again. Also keep a list of all your Veeam IP’s on hand so if you ever lose DNS.
2. Consider separating your DC’s and DNS servers. They don’t need to stay together. this makes life much easier going forward.  (Still keep a host file available if you need it)
3. Call Veeam support for help if you need. 

4. The easiest way for me would be to power down ALL of the DC’s and restore the master as authoritative. I’d then restore the other/rest and let them sync. Having the roles on on DC going forward lets you know that that is your master and you should always use it for restores. 
5. There is a procedure for this, Call Veeam and see what they say if your app aware processing doesn’t work.  You will be ok, but i don’t know if the procedure changes. 

Morning!

Veeam would be terrible backup software if you couldn’t recover your AD environment, so the answer is a definite YES!

Lets go over a few basic parts to this and build a strategy for you:

Firstly, you’ve quite rightly highlighted your DNS will be impacted. We need to consider the impact from a few perspectives:

• vSphere: Does vCenter manage the ESXi hosts via FQDN entries or IP addresses? If it’s via FQDN, you’ll be best avoiding using vCenter within Veeam for your recovery as you’d have to mess with your VCSA to avoid the DNS issues. We can just target an ESXi host via IP address within Veeam
• Veeam: Veeam needs to be able to talk to its components, is your Veeam server an “all in one” box? If not, are your components/servers being targeted via FQDN or DNS? If FQDN I would just edit the hosts file to ensure this continues to work.
• AD: What DNS configuration are you using here? Are all the domain controllers aiming at themselves (relying on DNS replication) within their DNS client/network config, are they all pointing to a central DNS server, or are they all aiming at each other. This could impact how you want to recover.

Secondly, what OS are your domain controllers? Windows Server 2012 R2 added some virtualisation safeguards for AD to help if you restored a DC out of sequence.

Thirdly, check your retention policy, make sure the backups you’ll need aren’t going to be deleted due to retention this week, if in doubt you could also export the backups you need for an extra layer of confidence.
 

Finally, are your DCs backed up at the same time or at different times? I’d want to use the latest backup available as my primary and reattach my older DC backups to that.

Once we’ve got some information here to play with, we can put together a more tailored plan.

I’d also suggest using virtual labs to test this in an isolated network prior to carrying out in production, so you can be confident you’ve hit any & all snags prior to doing it “for real”, and as you can do this with the same backups you’ll actually want to recover from (as you said you could be going back a few weeks), so it will be an identical process.

I had to do it once; after a ransomware hit.

we restored the backup of the primary dc, it was only 12 hours before (old) backup, but we faced some issues in trust and Kerberos authentication, but just making the gpupdate / force in most pcs with the problem it was fine, just one of them (they were 200 clients) needed to be kicked out of the domain and adopted back in.

after restoration ok, we deployed a new secondary domain controller, not restoring the backup, to avoid authoritative or sync issues.

hopefully helps you.

cheers.

Those articles look great for restoring a single object - but I might have to restore the entire AD database (for reasons too deep to go into here).  I wonder if I just restore the entire vm image?

Also, I have another potential problem: one of the 3 DCs did not have application aware processing turned on so it does not even show up in the restore wizard - turning that on tonight!  I think there was initially problems with that DC and somehow then it never got fixed or at least turned on.

Albert

Recently I restored a single AD on my homelab without any problems.

However, it was not a production environment like yours.

Take a look on this article:

https://www.veeam.com/blog/active-directory-domain-controller-backup-recovery.html