Bare Metal Restore: The Full Procedure

The disaster: someone deleted the entire VM. Or the OS volume corrupted. Or a ransomware event encrypted the host. The procedure now is to bare-metal restore from the backup we created in Part 3. We’ll build a fresh empty VM, attach the backup disk, boot from the OS ISO into the Windows Recovery Environment (WinRE), point System Image Recovery at the backup, and watch the machine come back.

This is Part 4 of the AD Backup & Disaster Recovery pathway. The previous post produced the backup artifact; this post consumes it. If you completed Part 3, you have everything you need.

Scenario setup

For the lab: delete the source VM that you backed up in Part 3. Keep the backup VHDX file safe on the host. We’re going to build a replacement VM with the same name and identical configuration, attach the backup disk, and let WinRE drive the restore.

In real life: the source VM is gone for whatever reason — ransomware, host hardware failure, accidental delete. The backup VHDX is on a different physical disk (hopefully off-host).

Step 1 — Build the replacement VM

The replacement must match the original on critical attributes:

VM generation — Gen 1 or Gen 2. Critical, because boot data is generation-specific.
OS version matched by the ISO — you cannot restore a Windows Server 2019 image from a 2022 ISO’s WinRE.
vSwitch — same external vSwitch so the NIC reaches the network on first boot.
OS disk size — equal to or larger than the original.

New Virtual Machine Wizard with VM name entered for the replacement VM that will receive the bare metal restore — New Virtual Machine Wizard. Name matches the destroyed VM. **Same name is important** — the restored OS inside the VM still believes it’s the original; mismatched VM name in Hyper-V causes monitoring/scripts that target by Hyper-V name to silently break.

New Virtual Machine. Name matches the original.

Specify Generation step with Generation 2 selected to match the original VM UEFI boot configuration — Generation: **Generation 2**. Must match the original. Gen 1 vs Gen 2 = MBR vs UEFI — the restored boot data will not boot on the wrong generation.

Generation: Generation 2 (matches the original; Gen 2 = UEFI). Gen 1 = MBR. Wrong generation = boot fails after restore.

Assign Memory step for the replacement VM with the same memory as the original — Memory: same as original. Less and the VM may OOM during boot; more is fine, but matching keeps the test honest.

Memory: same as the original. Not strictly required for restore to work, but matching is closer to real-world.

Configure Networking step with the same external vSwitch chosen as the original VM — Network: **same external vSwitch**. The restored OS will try to bring up its NIC with the same MAC-stored config — wrong vSwitch and the NIC won’t see the network.

Network: same external vSwitch used by the destroyed VM.

Connect Virtual Hard Disk step showing a new fresh OS VHDX created for the restore target — Virtual hard disk: **create a new empty VHDX** sized large enough for the restored OS. WinRE will write the system image volumes into this disk.

Create a fresh, empty OS VHDX. Don’t reuse the original’s disk — we want to prove the restore actually writes the OS from scratch.

Installation Options step with the Windows Server 2019 ISO attached to match the original OS version — Installation Options: attach the **Windows Server 2019 ISO** — we’re using it only to get into the Windows Recovery Environment, not to install anything. **OS version must match the backup** — 2019 backup needs the 2019 ISO to boot WinRE that can read the image.

Installation Options: attach the matching ISO. Original was Server 2019 → attach the 2019 ISO. We’re only using the ISO to boot into WinRE, not to install Windows.

Step 2 — Attach the backup disk

VM Settings dialog SCSI Controller selected with Hard Drive Add option to attach backup disk — After VM creation: VM Settings > **SCSI Controller > Hard Drive > Add**. We attach the existing backup VHDX from the destroyed VM.

Browse virtual hard disk dialog with file picker for the backup VHDX — Use **Browse** to navigate to the backup VHDX on the host filesystem — not create new.

File picker showing the backup VHDX selected from the host file system — Pick the backup VHDX file. Hyper-V mounts the existing disk in addition to the empty OS disk.

VM Settings dialog with the backup disk attached and Apply button visible — Apply > OK. Replacement VM now has: empty OS disk (target) + backup disk (source).

VM Settings > SCSI Controller > Hard Drive > Add > Browse (not New) > pick the backup VHDX from the host filesystem > Apply. The VM now has two disks: empty OS VHDX (target) + backup VHDX (source).

VM Settings dialog Processor pane showing CPU core count being set to match the original VM — Processor: set vCPU count to match the original. Restore is faster with more cores but matching is what we want for a realistic test.

Bump vCPU to match the original. Apply > OK.

Step 3 — Boot into WinRE

VM console boot prompt asking to press any key to boot from CD or DVD during ISO start — Connect to the VM > Start. **Press the spacebar repeatedly** when the boot prompt appears — that’s the cue to boot from the attached ISO. Miss the window and Hyper-V falls through to the empty OS disk and hangs.

Connect > Start. Watch for the boot prompt — press spacebar repeatedly to boot from the attached ISO. The window is short.

Windows Setup language and keyboard selection screen with default options retained — Windows Setup boots from ISO. Language + keyboard > Next.

Windows Setup boots from ISO. Language + keyboard > Next.

Windows Setup Install Now screen with Repair your computer link highlighted at bottom left — **Repair your computer** — not Install Now. This drops you into the Windows Recovery Environment instead of the OS installer.

Repair your computer link — bottom left, easy to miss. Click it. Don’t click Install Now (that’s a fresh install path).

WinRE Choose an option screen with Troubleshoot option highlighted — WinRE: **Troubleshoot**.

WinRE Choose an option screen > Troubleshoot.

WinRE Troubleshoot Advanced options screen with System Image Recovery tile highlighted — Advanced options: **System Image Recovery**. This is the WinRE entry point for bare-metal restore.

Troubleshoot > System Image Recovery. This is the WinRE entry point that reads WindowsImageBackup folders and replays them onto the empty disk.

Step 4 — Run System Image Recovery

Re image your computer wizard with the latest available system image auto detected from the attached backup disk — Re-image your computer wizard. **Auto-detects** the attached backup VHDX and lists the latest system image — you don’t have to type any path. If it doesn’t find your backup, the backup disk isn’t attached properly or contains no valid `WindowsImageBackup` folder.

Re-image Your Computer wizard. Auto-detects the backup VHDX and lists the latest system image. If your backup doesn’t appear:

Backup disk isn’t attached — check VM Settings.
Backup disk has no WindowsImageBackup folder — you pointed at the wrong VHDX.
WinRE on the ISO is too old — mismatched OS version. 2019 backup needs 2019 ISO.

Re image your computer additional options step showing default selections with Next button — Additional options page. Defaults are fine for most cases. **Format and repartition disks** is the destructive option — it wipes the target OS VHDX and creates partitions matching the source. Leave it ticked for bare-metal.

Additional options. Format and repartition disks stays ticked — bare-metal restore needs to lay down the partition layout from the backup. Other defaults are fine.

Re image your computer final confirmation summary showing the system image to be restored with Finish button — Confirmation summary > Finish. Last sanity check: timestamp matches the backup you expected to restore.

Final summary > Finish.

Confirmation dialog warning that existing data will be replaced with Yes button to begin restore — **Yes** — restore begins. Cannot be cancelled once started.

Confirmation: target disk will be wiped. Yes — restore begins. Cannot be cancelled.

Step 5 — Wait for restore

Restore in progress screen showing percentage complete as Windows is being restored from the system image — Restore writes the saved volumes into the new OS VHDX. Time: depends on backup size. A 40 GB lab VM is 5–10 min on local storage. **Don’t touch anything until it completes**.

Restore progress screen. WinRE writes the partition layout, then streams the volume data back from the backup VHDX. Time depends on backup size:

Lab VM (~40 GB): 5–10 minutes on local NVMe.
Production VM (~150 GB): 30–60 minutes on a typical RAID-10.
From network share over SMB: figure 1 GB/min on a saturated gigabit link.

Don’t touch the console. Don’t move the mouse. Wait.

Restore completed dialog with Restart Now button to boot into the restored Windows installation — Completed. **Restart Now** — don’t wait the 10-second auto-restart; just click. VM reboots into the restored Windows.

Completed. Restart Now — don’t wait the auto-restart timer.

Step 6 — Verify the restored DC

Login screen of the restored Windows Server showing the same credentials work as before the restore — Login screen. **Same credentials as before the disaster** — SAM database came back with the rest of system state. AD database is identical to the backup point-in-time.

Login screen. Same credentials as before the disaster — the SAM database was part of system state, so the local Administrator password survived. AD database is at backup point-in-time, so domain admin works the same way.

Active Directory Users and Computers console after restore confirming all objects intact and Network IP needs to be reassigned — Inside the restored DC: all OUs, users, groups, GPOs are exactly as they were at backup time. **Only thing to fix: the IP address** — the new VM may have a different MAC, so DHCP gave it a different lease, or your static IP needs reassigning. Set the same IP as the original VM and replication resumes.

Inside the restored DC:

Active Directory Users and Computers — all OUs, users, groups, GPOs are exactly as they were at backup time.
DNS service — running and resolving.
NTDS service — running.
NIC IP address — this is the one thing that may need fixing. Hyper-V may have generated a new MAC for the replacement VM, which means DHCP gave a different lease (or your static config is on the new MAC). Re-apply the same IP and DNS settings as the original VM.

Once IP is fixed, replication with the surviving DCs picks up on its own. The restored DC is back online and serving the domain.

Verification checklist before declaring success

dcdiag /v
repadmin /replsummary
ipconfig /all
Get-Service NTDS, DNS, KDC, Netlogon

Look for:

dcdiag reports no critical errors — some warnings about time skew and replication-just-resumed are normal.
repadmin /replsummary shows recent successful replication with surviving DCs.
Services all Running.
IP matches the original.

Things that bite people

Mismatched VM generation

Backed up a Gen 2 (UEFI) VM, restored to Gen 1 (BIOS) replacement. Restore completes, then the VM won’t boot — UEFI boot files in the image can’t be parsed by Gen 1’s BIOS firmware. Always match generation.

Wrong ISO version for WinRE

Backup from Server 2019, replacement booted with Server 2022 ISO. WinRE 2022 can sometimes read 2019 images but it’s flaky. Always boot from the same OS version’s ISO as the backup.

Missed the spacebar boot prompt

VM falls through to the empty OS disk and hangs. Power off, restart, try again with quicker spacebar mashing.

Backup disk too small for restore

If the replacement OS VHDX is smaller than the source, restore can fail mid-run with cryptic errors. Always size the replacement OS disk ≥ the original.

USN rollback after restore

If the restored DC was offline for < tombstone lifetime (60 days by default), replication resumes cleanly. If it was offline longer, AD treats the restored DC as a USN-rollback source — replication breaks, and the only fix is metadata cleanup + force-demote and re-promote. Always check the backup age before restoring — an old backup may be worse than a clean re-promote.

IP collision

If the destroyed VM’s IP is now leased to a different machine, the restored DC will fail to acquire it and may get a different IP from DHCP. Reserve the DC’s IP in DHCP, or just use static. Always.

Forgetting this only does non-authoritative

A normal bare-metal restore is a non-authoritative restore. When the DC comes back, it pulls newer data from surviving DCs and overwrites anything in the backup that’s out of date. That’s usually what you want — but if you needed to undo a forest-wide deletion, this won’t work. See Parts 5 and 6 for the authoritative restore path.

What’s next

You’ve completed the backup-test-restore cycle on a VM. Part 5 is the conceptual post in this pathway — non-authoritative vs authoritative restore — the distinction that decides whether your restored data overwrites the rest of the domain or gets overwritten by it. Part 6 drives the authoritative procedure with ntdsutil.

Aside: who actually uses native Windows backup in production?

Mostly nobody, for primary backups. Enterprise shops use Veeam, Commvault, DPM, Rubrik, Cohesity, or similar. But Windows Server Backup is the universal floor — it ships with the OS, no licensing, no install. Knowing the bare-metal restore procedure with the in-box tool is the difference between “backup tool down, we’re stuck” and “backup tool down, here’s the manual fallback.” Worth knowing even if it’s not your daily primary.

Tags: #Active Directory #Bare Metal Recovery #Disaster Recovery #Hyper-V #Windows Server #Winre