Windows 2012 Authoritative Restore For Disaster Recovery


How to Perform Windows 2012 Authoritative Restore

This procedure is for performing an Authoritative Restore with multiple Domain Controllers. In a single Domain Controller environment you do not need to perform this procedure.

There are 2 types of restore modes for Microsoft Windows Domain Controllers.

  • Authoritative
  • Non-Authoritative

An Authoritative restore means you set 1 Domain Controller as the master replica for all other Domain Controllers. This Domain Controller will not try to replicate from another Domain Controller.

A Non-Authoritative restore means that this Domain Controller will attempt to replicate from any other Domain Controller.

In this article we are going to simulate bringing up 2 Domain Controllers in an isolated Disaster Recovery Site.

1. Boot the first and second Domain Controllers into Directory Services Restore Mode by pressing F8 during bootup.


2. You will need to log into both Domain Controllers with the Directory Services Restore password you set during the Windows OS install. Use the username .\Administrator


3. In the first Domain Controller, open up Regedt32 and browse to the following location:

HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters

4. Here we will add the following DWORD (32-bit) value: Repl Perform Initial Synchronizations (leave this value at 0).

This value allows the DNS zone to load without having to wait for replication partners.


5. Browse to this location: HKLM\SYSTEM\CurrentControlSet\Services\NtFrs\Parameters\Backup/Restore\Process at Startup

Change the value of BurFlags to d4 (hexadecimal). This sets this Domain Controller to be Authoritative.

6. Reboot Domain Controller 1.

7. Domain Controller 2 should still be logged in under Directory Services Restore Mode.

8. Within Domain Controller 2, repeat step 5 above, but set BurFlags to d2 instead of d4 (d2 makes this Domain Controller Non-Authoritative and forces it to sync from an Authoritative Domain Controller).

9. Once Domain Controller 1 is booted, you can then reboot Domain Controller 2.

10. Domain Controller 1 will not bring up Active Directory until it has successfully synced with at least 1 other Domain Controller. In this case it will sync with Domain Controller 2.

11. Open a CLI window and make sure the SYSVOL folder is being shared. You can do this by typing: net share

12. Open Active Directory Users and Computers and make sure you can see the domain.
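The registry changes from steps 3 to 8 and the SYSVOL check from step 11, as an added PowerShell example that is not part of the original tutorial. It assumes SYSVOL is replicated by FRS (NtFrs), which is what the tutorial's registry path implies (domains that already use DFS-R restore SYSVOL differently), that the script is run in an elevated PowerShell session while the Domain Controller is in Directory Services Restore Mode, and that Get-SmbShare is available (Windows Server 2012 and later). The function and parameter names are this example's own.

```powershell
# Added example, not code from the original tutorial.
# Assumes FRS-replicated SYSVOL (NtFrs) and an elevated session in Directory Services Restore Mode.

$ntdsParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$frsStartup = 'HKLM:\SYSTEM\CurrentControlSet\Services\NtFrs\Parameters\Backup/Restore\Process at Startup'

function Set-FrsRestoreMode {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)]
        [ValidateSet('Authoritative', 'NonAuthoritative')]
        [string]$Mode
    )

    # BurFlags: D4 = authoritative (this DC's SYSVOL copy wins),
    #           D2 = non-authoritative (this DC pulls SYSVOL from a partner)
    $burFlags = if ($Mode -eq 'Authoritative') { 0xD4 } else { 0xD2 }

    if ($Mode -eq 'Authoritative') {
        # Steps 3-4: let AD and the DNS zone start without waiting for an initial sync
        if ($PSCmdlet.ShouldProcess($ntdsParams, 'Set Repl Perform Initial Synchronizations = 0')) {
            New-ItemProperty -Path $ntdsParams -Name 'Repl Perform Initial Synchronizations' `
                -PropertyType DWord -Value 0 -Force | Out-Null
        }
    }

    # Steps 5 and 8: BurFlags tells NtFrs how to treat this replica on its next start
    if ($PSCmdlet.ShouldProcess($frsStartup, ('Set BurFlags = 0x{0:X}' -f $burFlags))) {
        Set-ItemProperty -Path $frsStartup -Name 'BurFlags' -Value $burFlags -Type DWord
    }

    # Read the value back so the operator can confirm it before rebooting
    $written = (Get-ItemProperty -Path $frsStartup -Name 'BurFlags').BurFlags
    Write-Host ('BurFlags on this DC is now 0x{0:X} ({1})' -f $written, $Mode)
}

function Test-SysvolShared {
    # Step 11: after the reboot, SYSVOL must be shared before the DC can be considered healthy.
    # Get-SmbShare is the PowerShell equivalent of the tutorial's "net share" check.
    $share = Get-SmbShare -Name 'SYSVOL' -ErrorAction SilentlyContinue
    if ($null -eq $share) {
        Write-Warning 'SYSVOL is not shared yet; FRS has not finished initialising this replica.'
        return $false
    }
    Write-Host ('SYSVOL is shared from {0}' -f $share.Path)
    return $true
}

# Usage (each command on the Domain Controller it applies to):
#   DC1, in DSRM:   Set-FrsRestoreMode -Mode Authoritative      # then reboot DC1 (step 6)
#   DC2, in DSRM:   Set-FrsRestoreMode -Mode NonAuthoritative   # reboot after DC1 is up (step 9)
#   After reboot:   Test-SysvolShared                           # step 11
```

Both functions support -WhatIf, so the registry writes can be previewed before they are applied; Test-SysvolShared returns $true or $false so it can be used in a loop that waits for FRS to finish initialising the replica.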

If you have any technical questions about this tutorial or any other tutorials on this site, please open a new thread in the forums and the community will be able to help you out.

All the tutorials included on this site are performed in a lab environment to simulate a real world production scenario. As everything is done to provide the most accurate steps to date, we take no responsibility if you implement any of these steps in a production environment.