Recovery Procedure
· Slow system? = Ctrl/Alt/Del and/or Perfmon
· Problems? = Msconfig (disable services, boot.ini, system restore). Disabling services this way is a temp/test measure; do it properly via Services.
· Need to recover AD? = Via backup (System State), or multiple DCs' replication. Recovering AD is a complex procedure; see “Restoring and Reconciling Server Services” below for detailed information.
F8 Options:
· Safe Mode = Use this to fix network problems if you cannot get onto the network.
· Safe Mode with Network Support = Use this to fix problems if you know the network is NOT the problem, and you need network services.
· Safe Mode with Command Prompt = Cmd shell, but can still invoke GUI apps.
· Enable VGA Mode = Can help sort out display problems that prevent Windows from loading.
· Last Known Good Config = Do this FIRST! Any logon after the problem has manifested itself will LOSE the setup data needed for a successful boot, unless you create more than one hardware profile. LKGC will use the drivers etc. used in the last successful logon/alternative profile.
Emergency Repair Disk
· ERD is made via Backup. It includes the option Repair Installation, which can be run from the Setup/boot floppies or the installation CD. You can use Backup to create an Emergency Repair Disk (ERD) to help repair problems with your system files (if they are accidentally erased or become corrupt), your startup environment (if you have a dual-boot or multiple-boot system), or the partition boot sector on your boot volume.
· ERD contains a copy of setup data, services, drivers, ntldr, etc. These can be replaced (repaired) when ERD mode is chosen.
ERD Modes/Choices:
Manual Repair ----- allows more control, i.e. you choose:
1. Inspect start-up environment (corrupted Windows files?)
2. Verify Windows system files.
3. Inspect boot sector.
Fast Repair ----- an inexperienced admin doesn’t need all these. However, you can only fix the REGISTRY with fast repair, not manual repair.
Recovery Console
· RC can be run from the Setup/boot floppies or the installation CD, or installed on the PC (via \i386\winnt32 /cmdcons typed into Start – Run; it is then available as a boot option).
· Can’t access non-system partitions! But can do stuff if you’re familiar with it. Need to log in as local admin.
· Can replace missing system files, can FIXMBR, FIXBOOT (but check for viruses first). Do boot first, THEN mbr.
For detailed information about using Recovery Console, see “Recovery Console” below.
Boot Floppies
Made via an app on the CD, which can be run on ANY W2K machine = drive:\bootdisk\makeboot on the install CD. It will produce 4 floppies, which have the same initial process as installing W2K from CD but, rather than installing, lead you to repair W2K via:
· Recovery Console
· ERD
Therefore good when the PC won’t boot at all, either from hard disk or CD.
Windows 2000 Server Disaster Recovery Guidelines
Here are some guidelines for developing an effective backup strategy. Again, you should adapt and expand these suggestions to suit your organization’s requirements and goals.
· Develop backup and restore strategies with appropriate resources and personnel, and test them. A good plan ensures that you can quickly recover your data if it is lost.
· Give the responsibilities of backup and restore to an administrator.
· Back up an entire volume to prepare for the unlikely event of a disk failure—this lets you restore the entire volume in one operation.
· Back up the directory services database (Active Directory) to prevent the loss of user account and security information. This must be done locally.
· Each time the Backup utility completes a backup, it creates a log of the backed-up files. Print this backup log each time you perform a backup. Keep a book of logs to make it easier to locate specific files. The backup log is helpful when restoring data; you can print it or read it from any text editor. In addition, if the tape containing the backup set catalogue is corrupted, the printed log can help you locate a file.
· If, while a backup is taking place, a file is being used (opened exclusively) by another application, that file will not be backed up. Any file that is not backed up for this reason appears in the log. It is extremely important to understand which files are not being backed up and why—you use the logs to determine this.
· Keep three copies of the backup media. Keep at least one copy offsite in a properly controlled environment.
· Perform a trial restoration periodically to verify that your files were properly backed up. A trial restoration can uncover hardware problems that do not show up with software verifications.
· Secure both the storage device and the backup media to prevent an administrator for another server from restoring stolen data onto your server.
· The updated Backup utility is integrated with the core Windows 2000 Server distributed services, which include Active Directory, File Replication Service (FRS), and Certificate Services. Active Directory and FRS can exist only on a Windows 2000 domain controller, not on a member server. This integration means that—when run locally on a domain controller—Backup lets you back up or restore these services by checking the
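The log review described in the guidelines above can be automated. The following is an added example, not part of the original guidelines: it pulls every skipped file and its reason out of a backup log. The log layout (a `Warning: Unable to open "..." - skipped.` line followed by a `Reason:` line) is an assumption about the Backup log format, and the sample log is constructed.

```python
import re
from collections import defaultdict

# Constructed sample log. The layout is an assumption about the Backup log
# format: a 'Warning: Unable to open "<path>" - skipped.' line, then 'Reason:'.
SAMPLE_LOG = r'''Backup Status
Operation: Backup
Backup of "C: "
Backup started on 3/5/2003 at 10:00 PM.
Warning: Unable to open "C:\Data\ledger.mdb" - skipped.
Reason: The process cannot access the file because it is being used by another process.
Warning: Unable to open "C:\Data\hr\payroll.xls" - skipped.
Reason: The process cannot access the file because it is being used by another process.
Warning: Unable to open "C:\Data\old\archive.zip" - skipped.
Reason: Access is denied.
Backup completed on 3/5/2003 at 10:20 PM.
Files: 2000
Backup of "D: "
Backup started on 3/5/2003 at 10:21 PM.
Backup completed on 3/5/2003 at 10:40 PM.
Files: 512
'''

SET_RE = re.compile(r'^Backup of "(?P<volume>[^"]*?)\s*"')
SKIP_RE = re.compile(r'^Warning: Unable to open "(?P<path>[^"]+)" - skipped\.')
REASON_RE = re.compile(r'^Reason:\s*(?P<reason>.+)$')
IN_USE_MARKER = "being used by another process"


def parse_skipped(log_text):
    """Return one dict per skipped file: volume, path, reason, in_use."""
    skipped = []
    volume = None    # backup set (volume) currently being read
    pending = None   # last skipped entry still waiting for its Reason line
    for raw in log_text.splitlines():
        line = raw.strip()
        m = SET_RE.match(line)
        if m:
            volume, pending = m.group("volume"), None
            continue
        m = SKIP_RE.match(line)
        if m:
            # Record the file even if the log never gives a reason for it.
            pending = {"volume": volume, "path": m.group("path"),
                       "reason": "(no reason recorded)", "in_use": False}
            skipped.append(pending)
            continue
        m = REASON_RE.match(line)
        if m and pending is not None:
            pending["reason"] = m.group("reason")
            pending["in_use"] = IN_USE_MARKER in pending["reason"]
            pending = None
    return skipped


def summarize(skipped):
    """Group skipped paths by reason so the 'why' is visible at a glance."""
    by_reason = defaultdict(list)
    for entry in skipped:
        by_reason[entry["reason"]].append(entry["path"])
    return dict(by_reason)


if __name__ == "__main__":
    for reason, paths in summarize(parse_skipped(SAMPLE_LOG)).items():
        print(f"{len(paths)} file(s) skipped: {reason}")
        for p in paths:
            print(f"    {p}")
```

Files skipped because they were in use need a different fix (close the application or schedule the backup differently) than files skipped for access-denied reasons, which point at the rights of the account running the backup.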
Windows 2000 Backup offers three wizards:
· Backup Wizard. Helps you create a backup of your programs and files to help prevent data loss and damage caused by disk failures, power outages, virus infections, and other potentially damaging events.
· Restore Wizard. Helps you restore your previously backed-up data in the event of a hardware failure, accidental erasure, or other data loss or damage.
· Emergency Repair Disk. Helps you create an Emergency Repair Disk (ERD) that you can use to repair and restart Windows if it is damaged. This option does not back up your files or programs, and it is not a replacement for regularly backing up your system.
Backup Issues:
As soon as you successfully install Windows 2000, back up the
Never delete Boot.ini, Ntldr, Bootsect.dos, Ntdetect.com, or Ntbootdd.sys (if Windows is installed on a SCSI disk) in the root directory of the system volume. If these hidden system files are deleted, Windows will not start.
When you choose to back up (or restore) the System State, all of your computer’s System State data is backed up or restored together as a set. You cannot choose to back up (or restore) individual components of the
When restoring System State, your recovery plan should take into account the fact that the age of the backup tape should not exceed the Active Directory Tombstone Lifetime (this is the length of time that deleted objects are maintained in Active Directory before the system permanently removes them; the default is 60 days). If a tape older than the tombstone is restored, the restore APIs will reject all of the data as out of date. Backups must be done on a regular basis.
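The tombstone rule above can be checked routinely against a backup inventory. The following is an added example, not part of the original guidelines: for each domain controller it picks the newest backup that includes System State and classifies it against the 60-day default. The inventory, the DC names, and the 14-day warning margin are constructed assumptions.

```python
from datetime import date

TOMBSTONE_LIFETIME_DAYS = 60  # default tombstone lifetime stated on this page

# Constructed inventory of backup sets; DC names and dates are hypothetical.
BACKUP_SETS = [
    {"dc": "DC1", "taken": date(2003, 3, 1), "system_state": True},
    {"dc": "DC1", "taken": date(2003, 4, 20), "system_state": False},  # data only
    {"dc": "DC2", "taken": date(2003, 1, 5), "system_state": True},
    {"dc": "DC3", "taken": date(2003, 4, 25), "system_state": True},
    {"dc": "DC4", "taken": date(2003, 4, 28), "system_state": False},  # data only
]


def system_state_restore_status(sets, today,
                                tombstone_days=TOMBSTONE_LIFETIME_DAYS,
                                warn_days=14):
    """Classify each DC's newest System State backup against the tombstone lifetime.

    Status values:
      ok        - backup is comfortably inside the tombstone lifetime
      expiring  - still restorable, but within warn_days of the limit
      expired   - older than the tombstone lifetime; a restore would be rejected
      no-system-state-backup - only data backups exist for this DC
    """
    newest = {}      # dc -> date of newest System State backup
    known = set()    # every DC that appears in the inventory
    for s in sets:
        known.add(s["dc"])
        if not s["system_state"]:
            continue  # data-only sets cannot restore Active Directory
        if s["dc"] not in newest or s["taken"] > newest[s["dc"]]:
            newest[s["dc"]] = s["taken"]

    report = {}
    for dc in sorted(known):
        taken = newest.get(dc)
        if taken is None:
            report[dc] = {"taken": None, "age_days": None,
                          "status": "no-system-state-backup"}
            continue
        age = (today - taken).days
        if age > tombstone_days:
            status = "expired"
        elif age > tombstone_days - warn_days:
            status = "expiring"
        else:
            status = "ok"
        report[dc] = {"taken": taken, "age_days": age, "status": status}
    return report


if __name__ == "__main__":
    for dc, r in system_state_restore_status(BACKUP_SETS, date(2003, 4, 30)).items():
        print(dc, r["status"], r["age_days"])
```

If the tombstone lifetime has been changed from the default in a given forest, pass the configured value as `tombstone_days`.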
Backup and restore operations are performed by the following types of users:
· Data. Members of the Backup Operators group can back up and restore data. The Backup Operators group is one of the built-in groups provided by Windows 2000. Any domain user or group granted the user rights Back up files and directories and Restore files and directories can also back up and restore data. To grant a user (or, more typically, a group) these backup and restore rights, use the Group Policy snap-in, which is accessed through the Active Directory Users and Computers tool.
· By default, backup files have the extension .bkf. However, you can use any extension you like.
You
can use Backup to back up and restore data on either FAT or NTFS volumes. If
you back up data from an NTFS 5 (Windows 2000 NTFS) volume, you should in most
cases restore the data to an NTFS 5 volume. If you restore the data to a FAT or
Windows NT 4.0 or earlier NTFS volume, you will lose certain file and folder
features and you could lose data as well. For example, file permissions, EFS
settings, disk quota information, mounted drive information, and Remote Storage
information will be lost.
Note: File permissions should be restored only if the
files are restored to a computer in the same domain as that of the original
owner’s account.
Administrators and backup
operators can back up (and restore) encrypted files and folders without
decrypting them.
Restoring and Reconciling Server Services
If you have to perform a restore, several server services require special
attention to make them operational. The following lists the services that
require additional effort. The subsections that follow the table provide additional
information about restoring each service. The final subsection tells you how to
verify the successful restoration of distributed services.
| Component | Issue |
|---|---|
| WINS | The WINS database is restored to the state it was in at the time of the backup. This may not represent the current state. (See WINS subsection below.) |
| DHCP | DHCP leases are restored to the state at the time of the backup. You must perform several steps to reconcile the state of this database to the current state of the network. (See DHCP subsection below.) |
| Remote Storage | During a restore operation, the Remote Storage database is recalled from tape media upon restarting the service—but only if the tapes are available. (See Remote Storage subsection below.) |
| Certificate Services server | After a restore operation, the Certificate Services server may have outstanding certificates that are now unknown. You can revoke and reissue these certificates or leave the old certificates orphaned. (See Certificate Services Server subsection below.) |
| Windows Media Services server | After a restore operation, you may have to reinstall the Windows Media Services server because the database containing setup information may be lost. (See Windows Media Services Server subsection below.) |
| Internet Information Services server (IIS) | If you perform a complete restore, no problems with IIS should arise. If you perform a partial restore, you must follow the backup/restore procedures specific to the IIS service. (See IIS subsection below.) |
| Active Directory | In a network with more than one domain controller, the default restore method (non-authoritative) is generally the preferred method to restore a failed server. Use the authoritative restore process outlined later in this paper only if you want to get the system back to the state at the time the backup was made (which you would want to do in the case when you erroneously deleted Active Directory objects from the database and you would find it difficult to re-create them). (See Active Directory subsection below.) |
| Sysvol | If the machine being restored is the only domain controller on the network, you must select a primary restore under the advanced restore options in Backup. Otherwise, use the default (non-authoritative) restore. (See Sysvol subsection below.) |
WINS
On a TCP/IP network,
the Windows Internet Naming Service (WINS) dynamically maps IP addresses to
computer names (NetBIOS names). Because of this, WINS lets users access
resources by name, instead of requiring them to use IP addresses that are
difficult to recognize and remember. WINS servers support clients running
Windows NT 4.0 and earlier versions of Microsoft operating systems.
When a
server receives a request from a client machine asking for a mapping from a
friendly name to an IP address, WINS responds. When a restore is completed, the
WINS database is restored, but this database may be out-of-date because the
information on the network is dynamic. The database updates itself over time
and within a day or two should be consistent. During this time, some name requests
may go unanswered or contain incorrect mappings. If the WINS database is
replicated among several WINS servers (the recommended procedure), you should
initiate replication, which synchronizes the database with the up-to-date
server. If no other server is available, it is best to let the database
synchronize on its own.
DHCP
The Dynamic Host Configuration Protocol (DHCP) is a networking protocol that offers dynamic
configuration of Internet Protocol (IP) addresses for computers. DHCP ensures
that address conflicts do not occur and helps conserve the use of IP addresses
through centralized management of address allocation.
The DHCP
server allocates IP addresses and other network configuration information to
DHCP-aware network clients. Using DHCP is the most common way to distribute IP
addresses in a modern network. The DHCP database is restored by the recovery
process. However, the database will be out of date back to the date the backup
was performed, and this can result in the issuing of duplicate IP addresses.
Having
duplicate addresses causes those machines to cease all network operations. To
avoid this, DHCP has a “safe mode of operations.” In this mode, DHCP broadcasts
on the network to verify that the IP address it is about to issue is not already
in use. After a restore, the database should be reconciled and safe mode should
be entered for a period of one-half of the IP lease duration. Because this mode
significantly reduces network and server performance and because entering safe
mode for this period of time is sufficient to ensure that DHCP functions
properly, Microsoft recommends that you quit this mode as soon as the one-half
lease duration is met.
To reconcile
the DHCP database, choose the Action menu from the DHCP snap-in and select Reconcile
while the scope is highlighted. Then, choose Conflict Detection in the scope
properties under Advanced and set the number of attempts to 1.
Remote Storage
The Remote Storage service (the Windows 2000 version of Hierarchical Storage Management) frees
up disk space by moving data from the local hard disk to a remote storage
device (such as tape) from which it can be recalled whenever needed. Users
still see and access the data without knowing that it has been archived.
The Remote
Storage service cannot recall its database from the Remote Storage tape during
the restore operation unless the Remote Storage tape is in the correct drive,
that is, the drive configured to be the Remote Storage device or in the robotic
library. If any issues with the service exist, the tapes will restore by using
the database copy that it stores on the tape. This is an automatic process that
requires no user intervention.
Certificate Services Server
Certificate Services is the Windows 2000 service that issues certificates for a particular
Certificate Authority. It provides customizable services for issuing and
managing certificates for the enterprise.
After
performing a restore operation, you do not have to take any special steps for
the Certificate Server service. However, on the network, certificates may exist
that were issued prior to the restore operation. Although the Certificate
Server service is now unaware of these certificates, they are valid and will
continue to function.
IIS
Internet Information Services (IIS) is a set of software services that support Web site
creation, configuration, and management, along with other Internet functions.
If you
perform a complete system restore, you do not need to take additional steps to
restore IIS. If you perform a partial restore of a file only, you may need to
use the IIS MMC snap-in to restore the IIS database. You can find instructions
about how to do this in the IIS help pages.
Active Directory
The two methods to restore Active Directory are a non-authoritative restore (the
default) and an authoritative restore. The authoritative restore can be done
only following a regular (non-authoritative) restore and you must use the
Ntdsutil utility to accomplish it. Therefore, the default (non-authoritative)
restore process is the only option that Ntbackup provides for restore.
Note: In order to restore Active Directory while in Directory Services
Restore Mode (described next), you must have Local Administrator credentials.
Use these steps to perform a non-authoritative restore of Active Directory:
· Boot into Directory Services Restore Mode. This ensures that the directory is offline. In order to do this, during the normal boot menu (Please select the operating system to start) while restarting the computer, notice the message at the bottom of the screen: For troubleshooting and advanced startup options for Windows 2000, press F8. Do so, and then select Directory Services Restore Mode from the Safe Mode and Other Startup Options list.
· Select the Windows 2000 operating system and log on with the standalone server's local administrator account.
· When a dialog box warns you that you are in Safe Mode, click OK.
· When the computer starts (you should see "Safe Mode" on all four corners of the desktop), start the Backup utility (click Start, then Programs, Accessories, System Tools, and Backup).
· Click the Restore Wizard button to start the restoration process. Click Next.
· At the Restore Wizard screen, called "What to Restore," expand File, expand the appropriate Media created <date> at <time> entry (probably the most recent one), and then checkmark the System State entry (if you had backed up individual files or folders at the same time you backed up System State, you should also check the drive those files are on). Click Next.
· Click the Advanced button and select any other options you wish.
· Click Finish.
· When you are prompted to restart the computer, click No if you wish to perform an Authoritative Restore of Active Directory objects (see next subsection).
· Close the Backup utility.
To
authoritatively restore Active Directory data, you need to run the Ntdsutil
utility after you have non-authoritatively restored the
You can find
help for how to use the Ntdsutil utility by typing ntdsutil /? at the command
prompt. For additional information about Ntdsutil, refer to Windows 2000 online
Help.
When reading
the steps described in the example below, assume that the administrator has
inadvertently deleted an organizational unit (OU) called Marketing in a domain
called Antipodes.com. Both “
When
restoring a domain controller's System State in Safe (Active Directory Restore)
Mode in the last subsection, the last step was to click No (if you want to
perform an Authoritative Restore) when prompted to re-start the computer.
Continuing from that point, here are the steps to authoritatively restore
Active Directory objects:
· From the Start menu, point to Programs, point to Accessories, and click Command Prompt.
· At the command prompt, type ntdsutil.
· At the NTDSUTIL prompt, type authoritative restore.
· At the authoritative restore prompt, type restore subtree OU=Marketing,DC=
· To exit the authoritative restore prompt, type quit. To exit the Ntdsutil prompt, type quit. To exit the command prompt, type exit.
· If you wish to perform advanced Active Directory verification, you must remain in Safe Mode while you do so (see the section called “Performing Advanced Verification (Optional),” later in this document, for instructions). However, typically you would just reboot and log on normally at this point.
Note: While authoritatively restoring an object using Ntdsutil, the leaf
objects are also authoritatively restored.
Caution: Many applications depend on Active Directory as a source of data, such
as user account information and distributed file system (Dfs) references. If
the database is rolled back, it can result in loss of this data. Some of this
data, such as user accounts, cannot be restored once lost. Therefore, an
authoritative restore should be performed only by an experienced administrator.
Sysvol
The Sysvol is a replicated data set that contains the policies and scripts that are used
by Active Directory. Sysvol uses Windows 2000 file replication for distribution
throughout the network. The three options for Sysvol restore are identical to
the options for file replication: the primary, non-authoritative (the default),
and authoritative restores.
Note: Although typically you restore Sysvol and Active Directory together, this paper explains them separately in order to clarify the issues involved for each process.
Perform a
primary restore when all domain controllers in the domain are lost and you want
to rebuild the domain from backup (do not perform a primary restore if any
other working domain controller in this domain is available). Use primary
restore for the first domain controller, and then, later, select
non-authoritative restore (described next) for all other domain controllers.
A primary restore
builds a new FRS database by loading the data present under Sysvol onto the
local domain controller.
To perform a
primary restore, use the Backup utility to restore the System State (described
above), select the Advanced option to access the Advanced Restore Options
dialog box, and then select the checkbox When restoring replicated data sets,
mark the restored data as the primary data for all replicas.
Select this
option to select Sysvol primary restore mode.
Important: If this domain controller is a member of FRS replica sets other than
the Sysvol replica set, those other replica sets will also be restored as
primary. If you want to restore only the Sysvol replica set, select the option
as shown in Figure 4, and then, after the restore is complete, delete the other
replica sets.
Perform a
non-authoritative (normal) restore when at least one other domain controller in
the domain is available and working (do not perform a non-authoritative restore
when this domain controller is the only domain controller in the domain). You
use a non-authoritative restore when you want this domain controller to receive
the Sysvol data from a non-failed domain controller.
A
non-authoritative restore ignores all the Sysvol data that is restored locally.
After reboot, FRS receives all the Sysvol data from its inbound partner domain
controllers. After the non-authoritative restore completes, the Sysvol tree on
the local machine is the mirror image of the Sysvol tree on the inbound
partners.
To perform a
non-authoritative restore, use the Backup utility to restore the
Perform an
authoritative restore when you have accidentally deleted critical Sysvol data from
the local domain controller and the delete has propagated out to other domain
controllers (do not perform an authoritative restore if the local domain
controller is not a working domain controller or if it is the only domain
controller in the domain). You can perform an authoritative restore of Sysvol
only on a working domain controller (that is, changes to Sysvol are replicating
from this domain controller to other domain controllers).
An
authoritative restore replicates any changes made to the current Sysvol tree to
its outbound replication partners.
Use these steps to perform an authoritative restore of the Sysvol:
· Use Ntbackup to restore the
· Use Ntdsutil to authoritatively restore Active Directory (described earlier). This step is required because it is always advisable to restore Active Directory along with Sysvol, so that they are not out of sync.
· Reboot the system to normal mode and allow the Sysvol to be published (this may take several minutes).
· Copy the old Sysvol (from the alternative location) over the existing one.
Important: You should always authoritatively restore the Sysvol whenever you authoritatively restore Active Directory, and vice-versa. This ensures that the Sysvol and Active Directory are in sync.
Verifying Distributed Services Restoration
Two methods
to verify Active Directory restoration exist, called basic verification and
advanced verification. Basic verification also includes verifying that FRS and
Certificate Service restoration completed successfully. Advanced verification
is optional and can usually be omitted. However, if you wish to perform
advanced verification, you must do it first.
Performing Advanced Verification (Optional)
Advanced
verification is not usually required for normal recovery operations. Incorrect
usage of the utility described in this subsection may corrupt the Active
Directory database, which means you will have to restore the database from
backup again.
Whether you
did or did not perform an authoritative restore, follow these steps to perform
an advanced verification:
Note: Before you perform these steps, ensure that you are in Directory
Services Restore Mode.
· Click Start, click Run, type regedit, and then click OK.
· Select the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS. Check that there is a subkey called Restore In Progress. This key, automatically generated by Backup, indicates to Active Directory that the database files have been restored and that it should perform a consistency check and re-index the next time the directory is started. This key is automatically removed upon completion of this check—DO NOT ADD or DELETE this key manually.
· Close regedit.
· To check for the recovered Active Directory database files using the utility Ntdsutil, click Start, then click Programs, and then click Command Prompt. At the command prompt, type ntdsutil.
· At the Ntdsutil prompt, type files. At the file maintenance prompt, type info.
· DO NOT SELECT ANY OTHER OPTIONS.
· To exit the file maintenance prompt, type quit. To exit the Ntdsutil prompt, type quit. To exit the DOS prompt, type exit.
· Restart the server in normal mode, log on to the system normally, and perform basic verification (described next).
Basic
verification consists of initiating automatic steps by rebooting and logging on
normally and then confirming that the restored distributed services are in a
state consistent with a successful restoration.
Restart the
computer. After you complete the restore operation and restart the computer
normally, Active Directory will automatically detect that it has been recovered
from a backup, will perform an integrity check, and will re-index its database.
Both Active Directory and FRS will be brought up-to-date from their replication
partners using the standard replication protocols for each of those services.
Confirm
distributed services successfully restored. You should be able to browse the
directory and confirm that all the user and group objects that were present in
the directory prior to backup were restored. Similarly, confirm that files that
were members of an FRS replica set and certificates that were issued by the
Certificate Service are present.
Most of the above is from: http://www.globalcontinuity.com/thought_leadership/windows_2000_server_disaster_recovery_guidelines
Recovery Console
The Recovery
Console is a feature of the Windows 2000, Windows XP and Windows Server 2003
operating systems. It provides the means for administrators to perform a
limited range of tasks using a command line interface. Its primary function is
to enable administrators to recover from situations where Windows does not boot
as far as presenting its graphical user interface.
How to invoke the Recovery Console:
The recovery
console may be entered in one of two ways:
· From the operating system installation CD-ROM
· Via the boot-time menu presented by NTLDR
Invoking the Recovery Console from the Installation CD-ROM
The recovery
console is always available from the operating system installation CD-ROM. To
invoke it, an administrator simply boots the computer from the CD-ROM. From the
operating system setup utility, Windows 2000 users have to select two menu
options ("To repair a Windows 2000 installation, press R." and then
"To repair a Windows 2000 installation by using the recovery console,
press C.") whereas Windows XP users have to select just one ("To
repair a Windows XP installation using recovery console, press R.")
Invoking the Recovery Console from the NTLDR Menu
The recovery
console can also be configured as an option on the boot-time menu that is
presented by NTLDR. This is not included by default when the operating system
is first installed. Instead,
With Windows running, insert the Setup CD into your CD-ROM drive. Go to Start, Run and type X:\i386\winnt32.exe /cmdcons, where X is the CD-ROM drive letter. Follow the instructions on the screen. Administrators have to run the winnt32 utility with the /cmdcons switch, which adds the recovery console to the NTLDR menu, ready for when the machine is next bootstrapped.
This
requires that the system is not damaged to the extent that the Windows NT
Startup Process cannot even reach the point of running NTLDR.
Tasks that can be Performed via the Recovery Console
The recovery
console has a simple command line interpreter. Many of the available commands
closely resemble the command line commands that are normally available on
Windows, namely attrib, copy,
From the
recovery console an administrator can:
· create and remove directories, and copy, erase, display, and rename files
· enable and disable services (which modifies the service control database in the registry, to take effect when the system is next bootstrapped)
· write a new Master Boot Record to a disc, using the fixmbr command
· write a new Volume Boot Record to a volume, using the fixboot command
· format volumes
· expand files from the compressed format in which they are stored on the installation CD-ROM
· perform a full CHKDSK scan to repair corrupted disks and files, especially if the computer cannot be started properly
Filesystem access on the recovery console is by default severely limited. An administrator using the recovery console has only read-only access to all volumes except for the boot volume, and even on the boot volume only access to the root directory and to the Windows system directory (e.g. \WINNT). This can be changed by changing Security Policies.
Most of the Recovery Console section is from: http://en.wikipedia.org/wiki/Recovery_Console