external help file | Module Name | online version | schema
---|---|---|---
DSInternals.PowerShell.dll-Help.xml | DSInternals | | 2.0.0
Generates a PowerShell script that can be used to restore a domain controller from an IFM-equivalent backup (i.e. ntds.dit + SYSVOL).
```powershell
New-ADDBRestoreFromMediaScript [-BootKey <Byte[]>] [-SysvolPath <String>]
 -SafeModeAdministratorPassword <SecureString> -DatabasePath <String> [-LogPath <String>] [<CommonParameters>]
```
The New-ADDBRestoreFromMediaScript cmdlet was created to save the day under specific circumstances. Imagine a company that has been hit by ransomware to the extent that all of its domain controllers have been wiped. Moreover, no proper System State backups of the DCs exist, only file-level ones. As a consequence, Active Directory cannot be restored by the supported means, the clock is ticking, and the only remaining option appears to be reinstalling the entire AD forest from scratch. It might be hard to believe that someone would violate all the best practices and neglect disaster recovery planning, but such situations did occur in large enterprises during the 2017 NotPetya outbreak. I have therefore come up with a domain controller recovery method that I call Restore from Media (RFM). As already hinted, this method restores domain controllers from file-level backups.

Unlike the Install from Media (IFM) method, Restore from Media does not require network connectivity to a live writable domain controller. The same installation source (an IFM backup including SYSVOL) can nevertheless be used with both methods of DC installation.
To perform the Restore from Media operation, you need to have the following:

- A full Install from Media (IFM) backup of a domain controller, or an equivalent file-level backup. The backup must contain these files:
  - Domain database file (ntds.dit)
  - SYSTEM registry hive, or the corresponding Boot Key / SysKey
  - SYSVOL directory
- A freshly installed Windows Server of the same version as the domain controller that originally ran the database to be restored. The original OS version can be read from the ntds.dit file with the Get-ADDBDomainController cmdlet.
- An isolated VLAN / virtual network, because connectivity to any existing production domain controllers would have unforeseen consequences.
Follow these steps on the target server to restore the domain controller:

- On Windows Server 2008 (R2), run `$PSVersionTable.PSVersion` to verify that at least PowerShell 3 is installed. Upgrade if necessary.
- Verify that the PowerShell script execution policy is set to RemoteSigned, Unrestricted or Bypass in the LocalMachine scope.
- Install the DSInternals PowerShell module for all users.
- Copy the backup data to a local drive, e.g. C:\Backup.
- Run `New-ADDBRestoreFromMediaScript -DatabasePath 'C:\Backup\Active Directory\ntds.dit' > C:\Backup\Restore-ADDomainController.ps1`. You will be prompted for the DSRM password unless -SafeModeAdministratorPassword is supplied.
- Review the freshly generated PowerShell script, then execute it from an elevated PowerShell session. The script renames the server and replaces its AD database, so run it only on the freshly installed target and treat the file as sensitive.
- Sit back and watch the magic happen. Up to 3 reboots will follow and the entire process may take up to 20 minutes. You should then end up with a fully functional domain controller.
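As an added example (written for this page, not part of DSInternals), the following PowerShell script performs the checks from the steps above on the target server and then generates the restore script. It assumes the IFM folder layout (Active Directory\ntds.dit, registry\SYSTEM, SYSVOL) under C:\Backup, and that the object returned by Get-ADDBDomainController exposes DNSHostName, DomainName, OSName and OSVersion properties; those property names are assumptions.

```powershell
#Requires -Version 3
# Pre-flight checks for Restore from Media, followed by generation of the restore script.
# Example code written for this page, not part of DSInternals. Assumes the IFM folder
# layout under $BackupRoot and that Get-ADDBDomainController returns an object with
# DNSHostName, DomainName, OSName and OSVersion properties (property names are assumptions).
param(
    [string] $BackupRoot = 'C:\Backup',
    [string] $ScriptPath = 'C:\Backup\Restore-ADDomainController.ps1'
)
$ErrorActionPreference = 'Stop'

$dbPath     = Join-Path $BackupRoot 'Active Directory\ntds.dit'
$systemHive = Join-Path $BackupRoot 'registry\SYSTEM'
$sysvolPath = Join-Path $BackupRoot 'SYSVOL'

# 1. Elevation: DC promotion and service reconfiguration need an administrative session.
#    (#Requires -RunAsAdministrator needs PowerShell 4, so the check is done by hand.)
$identity = [Security.Principal.WindowsIdentity]::GetCurrent()
if (-not ([Security.Principal.WindowsPrincipal] $identity).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this script from an elevated PowerShell session.'
}

# 2. Script execution must be allowed in the LocalMachine scope.
$policy = "$(Get-ExecutionPolicy -Scope LocalMachine)"
if (@('RemoteSigned', 'Unrestricted', 'Bypass') -notcontains $policy) {
    throw "LocalMachine execution policy is '$policy'. Run: Set-ExecutionPolicy RemoteSigned -Scope LocalMachine"
}

# 3. DSInternals must be installed for all users, because the generated script keeps running across reboots.
$module = Get-Module -Name DSInternals -ListAvailable | Select-Object -First 1
if (-not $module) {
    throw 'DSInternals is not installed. Install it for all users (e.g. Install-Module DSInternals -Scope AllUsers).'
}
if ($module.ModuleBase -like "$env:USERPROFILE*") {
    Write-Warning "DSInternals is installed under the current user profile ($($module.ModuleBase)); install it for all users instead."
}
Import-Module DSInternals

# 4. The backup must be on a local drive (the cmdlet takes non-UNC paths only) and complete.
if ($BackupRoot -like '\\*') { throw 'Copy the backup to a local drive first; UNC paths are not accepted.' }
foreach ($item in $dbPath, $systemHive, $sysvolPath) {
    if (-not (Test-Path -LiteralPath $item)) { throw "Missing backup item: $item" }
}

# 5. The target server must run the same Windows version as the DC that produced the database.
$dc      = Get-ADDBDomainController -DatabasePath $dbPath
$localOs = Get-CimInstance -ClassName Win32_OperatingSystem
# Compare major.minor.build regardless of formatting, e.g. "10.0 (14393)" vs "10.0.14393".
$wanted = @([regex]::Matches([string] $dc.OSVersion, '\d+') | Select-Object -First 3 | ForEach-Object { $_.Value }) -join '.'
$have   = @([regex]::Matches($localOs.Version,          '\d+') | Select-Object -First 3 | ForEach-Object { $_.Value }) -join '.'
if ($wanted -ne $have) {
    throw "The database was produced by $($dc.OSName) ($($dc.OSVersion)); this server runs $($localOs.Caption) ($($localOs.Version))."
}

# 6. The network must be isolated: if the restored domain's name still resolves from here,
#    a production DC is probably reachable and the restore must not proceed.
$domain   = [string] $dc.DomainName
$resolves = $true
try { $null = [System.Net.Dns]::GetHostEntry($domain) } catch { $resolves = $false }
if ($resolves) {
    throw "'$domain' resolves from this host. Move the server to an isolated network before continuing."
}

# 7. Generate the script. The DSRM password is read as a SecureString rather than typed on the command line.
$dsrm = Read-Host -Prompt 'DSRM (Safe Mode) administrator password' -AsSecureString
New-ADDBRestoreFromMediaScript -DatabasePath $dbPath -SysvolPath $sysvolPath -SafeModeAdministratorPassword $dsrm |
    Out-File -FilePath $ScriptPath -Encoding UTF8
Write-Host "Restore script for $($dc.DNSHostName) written to $ScriptPath. Review it before running it."
```

Each check throws rather than warns, so the restore script is only produced on a server that satisfies every prerequisite listed above; the OS comparison uses the build number because all of Windows Server 2016, 2019 and 2022 report version 10.0.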
The script generated by the New-ADDBRestoreFromMediaScript cmdlet performs the following actions:

- Renames the server to match the original domain controller.
- Installs a new forest by promoting the server to a domain controller.
- Replaces the newly generated database file (ntds.dit) and SYSVOL directory with the original ones.
- Re-encrypts the restored database with the local Boot Key (its secrets were encrypted with the boot key of the original domain controller).
- Updates the LSA policy to match the SID and GUID of the domain being restored.
- Resets the Invocation ID of the domain controller.
- Reconfigures SYSVOL replication in case it has been restored to a different path.
A sample PowerShell script generated by the New-ADDBRestoreFromMediaScript cmdlet is in the New-ADDBRestoreFromMediaScript.Sample.ps1 file.
```powershell
PS C:\> New-ADDBRestoreFromMediaScript -DatabasePath 'C:\IFM\Active Directory\ntds.dit' > C:\IFM\Restore.ps1
```

Generates a domain controller restoration script from a previously created IFM backup. The script can then be reviewed, modified if necessary, and executed manually.

```powershell
PS C:\> New-ADDBRestoreFromMediaScript -DatabasePath 'C:\IFM\Active Directory\ntds.dit' -BootKey 610bc29e6f62ca7004e9872cd51a0116 -SysvolPath 'C:\IFM\SYSVOL' > C:\IFM\Restore.ps1
```

Same as the previous example, but with an explicitly provided SYSVOL directory path and boot key.

```powershell
ntdsutil.exe "activate instance ntds" ifm "create sysvol full C:\IFM" quit quit
icacls.exe C:\Windows\Sysvol\domain\Policies\* /save C:\IFM\SYSVOL\PolicyPermissions.txt
```

Creates an Install From Media (IFM) backup of a running domain controller and exports the Group Policy ACLs. This backup can later be used by the New-ADDBRestoreFromMediaScript cmdlet.
-BootKey

Specifies the system key (Boot Key / SysKey) that encrypts the secrets stored in the database specified by the -DatabasePath parameter. If none is specified, it is extracted automatically from a backup of the SYSTEM registry hive, provided that it is present in the ..\registry\SYSTEM path relative to the -DatabasePath parameter (the layout produced by the ntdsutil IFM export). The key can also be given as a hex string, as in the second example above.
Type: Byte[]
Parameter Sets: (All)
Aliases: key, SysKey, SystemKey
Required: False
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
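Added example (written for this page, not DSInternals' own code) covering the IFM backup example and the -BootKey fallback described above: when the backup is a plain file copy of the old DC rather than an IFM folder, the ..\registry\SYSTEM and ..\SYSVOL defaults relative to -DatabasePath find nothing, so the boot key is read from the offline SYSTEM hive with Get-BootKey and every location is passed explicitly. All backup paths below are hypothetical.

```powershell
#Requires -Version 3
# Restore script generation from a plain file-level backup rather than an IFM folder.
# Example code written for this page, not DSInternals' own. All backup paths are hypothetical.
Import-Module DSInternals
$ErrorActionPreference = 'Stop'

$backup     = 'D:\FileBackup\LON-DC1'                     # hypothetical file copy of the old DC's system drive
$dbPath     = Join-Path $backup 'Windows\NTDS\ntds.dit'
$logPath    = Join-Path $backup 'Windows\NTDS'            # the edb*.log transaction logs sit next to the database
$systemHive = Join-Path $backup 'Windows\System32\config\SYSTEM'
$sysvolPath = Join-Path $backup 'Windows\SYSVOL\domain'   # hypothetical; point it at the backed-up SYSVOL tree

# With this layout the cmdlet's defaults (..\registry\SYSTEM and ..\SYSVOL relative to ntds.dit)
# find nothing, so every location has to be supplied explicitly.
foreach ($item in $dbPath, $logPath, $systemHive, $sysvolPath) {
    if (-not (Test-Path -LiteralPath $item)) { throw "Missing backup item: $item" }
}

# Read the boot key of the original DC from its offline SYSTEM hive. The database secrets are
# encrypted under this key, so the key of any other machine (including the new server) would not do.
$bootKey = Get-BootKey -SystemHiveFilePath $systemHive
Write-Host ('Boot key from backup: ' + ([BitConverter]::ToString($bootKey) -replace '-'))

# Generate the restore script with the explicit log, boot key and SYSVOL locations.
$dsrm = Read-Host -Prompt 'DSRM (Safe Mode) administrator password' -AsSecureString
New-ADDBRestoreFromMediaScript -DatabasePath $dbPath -LogPath $logPath -BootKey $bootKey `
    -SysvolPath $sysvolPath -SafeModeAdministratorPassword $dsrm |
    Out-File -FilePath 'D:\Restore-LON-DC1.ps1' -Encoding UTF8
```

The hex string printed for the boot key is the same form accepted on the command line in the second example, so it can be recorded and reused if the script has to be regenerated later.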
-DatabasePath

Specifies a non-UNC (local) path to the backup of the domain database (ntds.dit file) that will be used to restore the domain controller.
Type: String
Parameter Sets: (All)
Aliases: Database, DBPath, DatabaseFilePath, DBFilePath
Required: True
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
-LogPath

Specifies a non-UNC path to the directory that contains the backup of the domain database transaction logs (edb*.log). If not specified, the directory of the file given by -DatabasePath is used.
Type: String
Parameter Sets: (All)
Aliases: Log, TransactionLogPath
Required: False
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
-SafeModeAdministratorPassword

Supplies the password for the administrator account used when the computer is started in Safe Mode or a variant of Safe Mode, such as Directory Services Restore Mode (DSRM). If no value is specified, the cmdlet prompts you to enter and confirm a masked password. If specified, the value must be a SecureString.
Type: SecureString
Parameter Sets: (All)
Aliases: SafeModeAdminPassword, AdminPassword, DSRMPassword
Required: True
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
-SysvolPath

Specifies a non-UNC path to the directory that contains the backup of the SYSVOL data. If none is specified, the ..\SYSVOL\ path relative to the -DatabasePath parameter is used.
Type: String
Parameter Sets: (All)
Aliases: SysVol
Required: False
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see about_CommonParameters.
This recovery procedure is NOT SUPPORTED by Microsoft. Use it at your own risk, and only in situations where reinstalling the Active Directory forest is the only other option.