Tag: Disaster Recovery

Backup and Restore Group Policy Objects (GPOs)

GPOs can be deleted in two clicks; AD replicates the deletion to every DC, SYSVOL files vanish, and clients drop the policy at next refresh. AD Recycle Bin restores the container in AD but not the SYSVOL GPT files where the actual policy settings live - so per-GPO backup is its own discipline. The article walks the full GPMC lifecycle: Back Up All... for a fleet snapshot, Back Up... for one GPO before a risky edit, Manage Backups... for preview-then-restore (View Settings opens an HTML report, Restore overwrites the live GPO), and the manual re-link step that the backup does NOT capture. Plus the PowerShell-only equivalent (Backup-GPO -All / Restore-GPO -Name) for scheduled / scripted use. Includes the four pitfalls (no description = uninformative Manage Backups list, backup-on-the-DC-fails-with-the-DC trap, untested-backup wishful thinking, View-Settings-first habit) and the link-map documentation gotcha.

Change the Retention Period in AD Recycle Bin

AD Recycle Bin defaults to a 180-day recovery window - long enough that 'please restore the user my predecessor deleted last quarter' lands on day 181. Two attributes on CN=Directory Service control end-to-end retention: msDS-DeletedObjectLifetime (Recycle Bin window, fully recoverable with Restore-ADObject) and tombstoneLifetime (permanent-death horizon, garbage collection cutoff). The article walks the change in ADSI Edit: connect to the Configuration partition, navigate CN=Configuration / CN=Services / CN=Windows NT / CN=Directory Service, raise both attributes from 180 to 365 (always tombstoneLifetime first - the directory enforces DOL

Backup and Restore AD-Integrated DNS Zones

AD-integrated DNS zones live in the directory database, not in flat .dns files - which means a Windows Server system-state backup catches them but only restores via a full authoritative restore in DSRM. For per-zone recovery (accidental delete, single-zone corruption), the right tool is dnscmd /zoneexport (or Export-DnsServerZone) for backup and the New Zone Wizard + zone-type conversion for restore. This article walks the full round trip: export fortesting.local and _msdcs.fortesting.local to .dns.backup files, simulate the disaster by deleting both zones, restore each as a standard Primary zone via the New Zone Wizard (with the rename-the-backup-file trick the wizard requires), then convert back to AD-integrated and tighten dynamic updates to Secure only. Includes the forest-wide replication-scope gotcha for _msdcs (default is domain-wide after conversion - has to be manually widened to forest), the off-server-copy requirement (the export drops files on the DC's own disk), and the verification commands.

Reset the Directory Services Restore Mode (DSRM) Password

The DSRM password is the local-Administrator credential a domain controller uses when AD is offline - the only account that works during authoritative restores, ntds.dit corruption recovery, or last-DC rebuilds. Forgetting it means none of those recoveries work when you actually need them. This article walks the full reset + verify cycle on a real DC: rotate the password with ntdsutil (set dsrm password / reset password on server null - takes one minute, no reboot, no downtime), then prove the new credential works by rebooting into DSRM via F8 or 'bcdedit /set safeboot dsrepair', signing in as .\\administrator with the new password, observing the directory is offline (NTDS / Intersite Messaging / DFSR / KDC stopped, dsa.msc red-crossed), then rebooting back to normal with 'bcdedit /deletevalue safeboot'. Includes the multi-DC rotation pattern, the local-admin-vs-DSRM-vs-domain-admin distinction, and why storing the DSRM password in an AD-integrated vault is a circular dependency.