
Determining which backups to use

Back up at least two writeable DCs for each domain regularly so you have several backups to choose from.

The Administrator account is a member of the built-in Administrators group by default, as are the Domain Admins and Enterprise Admins groups. This group has full control of all DCs in the domain.

You can also synchronize the DSRM password with a domain user account in order to make it easier to remember. For more information, see KB article 961320. Synchronizing the DSRM account must be done in advance of the forest recovery, as part of preparation.

In general, it's a good practice to archive the Administrator account and DSRM password history in a safe place for as long as the backups are valid, that is, within the tombstone lifetime period or within the deleted object lifetime period if Active Directory Recycle Bin is enabled.

For each domain in the forest, the password of a Domain Admin account must be known. Preferably, this is the password of the built-in Administrator account. You must also know the DSRM password to perform a system state restore of a DC.

Applies to: Windows Server 2022, Windows Server 2019, Windows Server 2016, Windows Server 20 R2, Windows Server 20 R2

Recovering an entire Active Directory forest involves either restoring it from backup or reinstalling Active Directory Domain Services (AD DS) on every domain controller (DC) in the forest. Recovering the forest restores each domain in the forest to its state at the time of the last trusted backup. Consequently, the restore operation will result in the loss of at least the following Active Directory data:

All objects (such as users and computers) that were added after the last trusted backup.
All updates that were made to existing objects since the last trusted backup.
All changes that were made to either the configuration partition or the schema partition in AD DS (such as schema changes) since the last trusted backup.
