
How do I use Windows Server Backup to restore Active Directory domain controllers that I built on Amazon EC2 instances?


I want to restore the domain controllers in a Microsoft Active Directory domain that I built on Amazon Elastic Compute Cloud (Amazon EC2) instances.

Short description

To use Windows Server Backup to restore a single domain controller, at least one domain controller must work as expected.

To restore multiple domain controllers, use a backup of the domain controller that has the Flexible Single Master Operation (FSMO) roles. If you don't have a backup of the domain controller with the FSMO roles, then you must restore another backup. Then, move the FSMO roles to the restored domain controller.

Finally, delete the previous domain controller's server metadata, and then build a new domain controller instance to replace it.

After you restore your domain controller or controllers, perform a domain controller status health check on all domain controllers.

Resolution

Note: It's a best practice to use Windows Server Backup to back up your domain controllers. However, to restore a deleted EC2 instance, you must restore from an Amazon Machine Image (AMI) backup. For instructions, see How do I use an AMI to restore Active Directory domain controllers that I built on Amazon EC2 instances? It's a best practice to test the backup and restore process in a test environment first.

Restore one domain controller in a domain that has multiple domain controllers or a domain with a single domain controller

Complete the following steps:

  1. Use Remote Desktop Protocol (RDP) to connect to your instance.

  2. Configure the instance to boot into Directory Service Repair Mode (DSRM).
    Note: If your instance is offline and unreachable, then see To boot an offline instance into DSRM on Configure an instance to boot into DSRM.

  3. Restart your computer.

  4. Connect to the instance as the DSRM administrator.
    Note: To log in as an administrator, enter your username in the Hostname\Administrator format.

  5. Run the following command to check the version identifier of the backup:

    wbadmin get versions
  6. Run the following command to restore the system state:

    wbadmin start systemstaterecovery -version:version_identifier -quiet

    Note: Replace version_identifier with the backup's version identifier.

  7. After DSRM completes the restore, press Y at the following prompt to restart your computer:

    A computer restart is required to complete the system state recovery operation.
    Press [Y] to restart the computer now.
    [Y] Yes
  8. Connect to the instance as the DSRM administrator, and then confirm that the command line lists the recovery as successful. To proceed, press Enter.

  9. Choose the Start menu, and then enter Run.

  10. Choose Run, and then run the following command:

    msconfig
  11. Under Boot options, clear Safe boot, and then choose OK.

  12. To deactivate DSRM, choose Restart.

  13. Proceed to Perform domain controller health checks to confirm that the domain controller works as expected.

Restore from a backup of the domain controller with the FSMO roles

Note: In the following resolution steps, DC01 is the domain controller with the FSMO roles. DC02 is another domain controller in the domain that doesn't have the FSMO roles.

Complete the following steps:

  1. Use RDP to connect to DC01.

  2. Configure DC01 to boot into DSRM.
    Note: If your instance is offline and unreachable, then see To boot an offline instance into DSRM on Configure an instance to boot into DSRM.

  3. Restart your computer.

  4. Stop DC02.

  5. Connect to DC01 as the DSRM administrator.
    Note: To log in as an administrator, enter your username in the Hostname\Administrator format.

  6. Run the following command to check the version identifier of the backup:

    wbadmin get versions
  7. Run the following command to do an authoritative restore of the system state:

    wbadmin start systemstaterecovery -version:version_identifier -authsysvol -quiet

    Note: Replace version_identifier with the backup's version identifier. After you complete the resolution steps for DC01, you must repeat them for DC02. For DC02, remove -authsysvol from the preceding command to do a nonauthoritative restore of the system state.

  8. After DSRM completes the restore, press Y at the following prompt to restart your computer:

    A computer restart is required to complete the system state recovery operation.
    Press [Y] to restart the computer now.
    [Y] Yes
  9. Connect to DC01 as the DSRM administrator and confirm that the command line lists the recovery as successful. To proceed, press Enter.

  10. Choose the Start menu, and then enter Run.

  11. Choose Run, and then run the following command:

    msconfig
  12. Under Boot options, clear Safe boot, and then choose OK.

  13. To deactivate DSRM, choose Restart.

  14. Connect to DC01 as an administrator.

  15. Modify the security group that's attached to DC02 or attach a new security group to make sure that DC02 can't communicate with the restored DC01.

  16. Start DC02.

  17. Configure DC02 to boot into DSRM.

  18. Restart your computer.
    Note: After launch, it might take several minutes before you can log on to DC02.

  19. Update the security group that's attached to DC02 to allow communication between DC01 and DC02.

  20. Repeat steps 5-13 for DC02.

  21. Proceed to Perform domain controller health checks to confirm that the domain controller works as expected.

Restore when you don't have a backup of the domain controller with the FSMO roles

Note: In the following resolution steps, DC01 is the domain controller with the FSMO roles. DC02 is another domain controller in the domain that doesn't have the FSMO roles.

Move the FSMO roles to DC02

Complete the following steps:

  1. Use RDP to connect to DC02.

  2. Configure the instance to boot into DSRM.
    Note: If your instance is offline and unreachable, then see To boot an offline instance into DSRM on Configure an instance to boot into DSRM.

  3. Restart your computer.

  4. Stop DC01.

  5. Connect to DC02 as the DSRM administrator.
    Note: To log in as an administrator, enter your username in the Hostname\Administrator format.

  6. Run the following command to check the version identifier of the backup:

    wbadmin get versions
  7. Run the following command to do an authoritative restore of the system state:

    wbadmin start systemstaterecovery -version:version_identifier -authsysvol -quiet

    Note: Replace version_identifier with the backup's version identifier.

  8. After DSRM completes the restore, press Y at the following prompt to restart your computer:

    A computer restart is required to complete the system state recovery operation.
    Press [Y] to restart the computer now.
    [Y] Yes
  9. Connect to the instance as the DSRM administrator and confirm system state recovery is successful. To proceed, press Enter.

  10. Choose the Start menu, and then enter Run.

  11. Choose Run, and then run the following command:

    msconfig
  12. Under Boot options, clear Safe boot, and then choose OK.

  13. To deactivate DSRM, choose Restart.

  14. Connect to DC02 as the administrator.
    Note: To log in as an administrator, enter your username in the DOMAIN\Administrator format.

  15. Wait about five minutes, and then run the following command to confirm that SYSVOL and NETLOGON are shared on the domain controller:

    net share

    If the SYSVOL and NETLOGON shares are missing from the output, then proceed to Troubleshoot missing SYSVOL share.
    Example output:

    >net share
    
    Share name   Resource                        Remark
    
    -------------------------------------------------------------------------------
    C$           C:\                             Default share
    D$           D:\                             Default share
    IPC$                                         Remote IPC
    ADMIN$       C:\Windows                      Remote Admin
    The command completed successfully.
  16. Open Command Prompt as an administrator on DC02, and then run the following command:

    ntdsutil

    For each prompt, enter the following values:

    ntdsutil: roles
    fsmo maintenance: connections
    server connections: connect to server dc02

    Note: Replace dc02 with your server name. After you enter the preceding prompts, you receive the following message:
    "Binding to dc02 ...
    Connected to dc02 using credentials of locally logged on user."
    To proceed, press q.

  17. To move the FSMO roles to DC02, run the following commands:

    fsmo maintenance: seize schema master
    fsmo maintenance: seize naming master
    fsmo maintenance: seize pdc
    fsmo maintenance: seize rid master
    fsmo maintenance: seize infrastructure master

    Note: In the Role Seizure Confirmation Dialog box, choose Yes to seize the FSMO role.
    Example output:

    Attempting safe transfer of schema FSMO before seizure.
    ldap_modify_sW error 0x34(52 (Unavailable).
    Ldap extended error message is 000020AF: SvcErr: DSID-03210550, problem 5002 (UNAVAILABLE), data 1722
    
    Win32 error returned is 0x20af(The requested FSMO operation failed. The current FSMO holder could not be contacted.)
    )
    Depending on the error code this may indicate a connection,
    ldap, or role transfer error.
    Transfer of schema FSMO failed, proceeding with seizure ...
    Server "dc02" knows about 5 roles
    Schema - CN=NTDS Settings,CN=DC02,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=corp,DC=example,DC=com
    Naming Master - CN=NTDS Settings,CN=DC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=corp,DC=example,DC=com
    PDC - CN=NTDS Settings,CN=DC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=corp,DC=example,DC=com
    RID - CN=NTDS Settings,CN=DC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=corp,DC=example,DC=com
    Infrastructure - CN=NTDS Settings,CN=DC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=corp,DC=example,DC=com
  18. To confirm that DC02 has the FSMO roles, run the following command:

    netdom query fsmo

    Example output:

    > netdom query fsmo
    Schema master               DC02.corp.example.com
    Domain naming master        DC02.corp.example.com
    PDC                         DC02.corp.example.com
    RID pool manager            DC02.corp.example.com
    Infrastructure master       DC02.corp.example.com
    The command completed successfully.
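The netdom output above shows the roles one line at a time. The following script is an added example, not code from the AWS article: it queries the same five roles through the ActiveDirectory PowerShell module and reports any role that is not held by the domain controller you expect after the seizure. The expected holder name DC02.corp.example.com is an assumption; pass your own. It assumes the RSAT ActiveDirectory module is available on the domain controller you run it from, and it queries that local domain controller, because after a seizure each domain controller's view of the role holders is what matters until replication has converged.

```powershell
# Added example (not part of the AWS article): verify FSMO role holders after a seizure.
param(
    [string]$ExpectedHolder = "DC02.corp.example.com",   # assumed name; replace with yours
    [string]$QueryServer    = $env:COMPUTERNAME          # which DC's view of the roles to read
)
Import-Module ActiveDirectory -ErrorAction Stop

# Forest-wide roles (schema, domain naming) come from Get-ADForest;
# domain-wide roles (PDC, RID, infrastructure) come from Get-ADDomain.
$forest = Get-ADForest -Server $QueryServer
$domain = Get-ADDomain -Server $QueryServer

$roles = [ordered]@{
    "Schema master"         = $forest.SchemaMaster
    "Domain naming master"  = $forest.DomainNamingMaster
    "PDC"                   = $domain.PDCEmulator
    "RID pool manager"      = $domain.RIDMaster
    "Infrastructure master" = $domain.InfrastructureMaster
}

$mismatch = @()
foreach ($entry in $roles.GetEnumerator()) {
    $ok = $entry.Value -ieq $ExpectedHolder
    "{0,-22} {1,-35} {2}" -f $entry.Key, $entry.Value, $(if ($ok) { "OK" } else { "UNEXPECTED" })
    if (-not $ok) { $mismatch += $entry.Key }
}

if ($mismatch.Count -gt 0) {
    # A role still pointing at the old DC01 means the seizure did not take effect
    # on the DC you queried, or the change has not replicated to it yet.
    Write-Warning ("Roles not held by {0} as seen from {1}: {2}" -f $ExpectedHolder, $QueryServer, ($mismatch -join ", "))
    exit 1
}
"All five FSMO roles are held by $ExpectedHolder as seen from $QueryServer."
```

Run it once on DC02 right after the seizure, and again on the replacement DC01 after you promote it; a role that shows as UNEXPECTED only on the new domain controller usually just means replication has not finished.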

Delete domain controller server metadata

Complete the following steps:

  1. Delete the computer object. For instructions, see Clean up server metadata using Active Directory Users and Computers on the Microsoft website.

  2. Delete the connection objects of all the domain controllers that you forcibly removed. For instructions, see Clean up server metadata using Active Directory Sites and Services on the Microsoft website.
    Note: To delete a domain controller object, under Server, open the context (right-click) menu for NTDS Settings, and then choose All Tasks. Choose Check Replication Topology, and then choose OK. To validate that you deleted the object, open the context (right-click) menu for NTDS Settings, and then choose Refresh.

  3. Delete the DNS records. For instructions, see Delete DNS resource records on the Microsoft website.

  4. To open the Active Directory Service Interfaces (ADSI) editor, run the following command:

    adsiedit.msc 
  5. Open the context (right-click) menu for ADSI Edit, and then choose Connect to...

  6. In the Connection Settings dialog box, choose Select a well known Naming Context.

  7. Under Connection Point, choose Default naming context, and then choose OK.

  8. In the navigation pane, expand Default naming context - DomainName - CN=DFSR-GlobalSettings - CN=Domain System Volume - CN=Topology.

  9. Check for objects with the CN=DomainControllerToDelete naming convention. Open the context (right-click) menu of the object that belongs to the domain controller that you're removing, and then choose Delete.
    Note: Replace DomainControllerToDelete with the name of the domain controller that you want to delete.

  10. In the ADSIEdit dialog box, choose Yes to delete the object.

Build a new domain controller to replace DC01

After you clean up the metadata, terminate the original DC01 domain controller instance.

Then, complete the following steps to create a new domain controller to replace DC01:

  1. Launch a new instance with an AMI that uses the same Windows operating system (OS) version as the original DC01.
  2. (Optional) Attach Amazon Elastic Block Store (Amazon EBS) volumes to the new instance that are the same size as the volumes in DC01.
  3. To keep the same IP address as DC01, specify the IP address at launch or use the elastic network interface that you attached to DC01.
  4. Change the instance's hostname to the same name as the original DC01 instance, and then join the instance to the Active Directory domain.
  5. Promote DC01 to a domain controller.
  6. Proceed to Perform domain controller health checks to confirm that the domain controller works as expected.

Perform domain controller health checks

After you restore your domain controllers, run the following commands on your new domain controller or controllers to perform a domain controller health check. For more information about each command, see Net share, Repadmin, and DCDiag on the Microsoft website.

To validate that the NETLOGON and SYSVOL shares are in your system, run the following command:

net share

Example output:

>net share

Share name   Resource                        Remark

-------------------------------------------------------------------------------
C$           C:\                             Default share
IPC$                                         Remote IPC
ADMIN$       C:\Windows                      Remote Admin
NETLOGON     C:\Windows\SYSVOL\sysvol\corp.example.com\SCRIPTS
                                             Logon server share
SYSVOL       C:\Windows\SYSVOL\sysvol        Logon server share
The command completed successfully.

If the SYSVOL and NETLOGON shares are missing from the output, then proceed to Troubleshoot missing SYSVOL share.

To verify that replication between the domain controllers works as expected, run the following command:

repadmin /showrepl

Example output:

DC=ForestDnsZones,DC=corp,DC=example,DC=com
    Default-First-Site-Name\DC02 via RPC
        DSA object GUID: e721c73e-c6ed-420b-98d1-b7cc4f231f86
        Last attempt @ 2025-07-07 12:58:21 failed, result 1908 (0x774):
            Could not find the domain controller for this domain.
        1 consecutive failure(s).
        Last success @ 2025-07-06 14:48:34.
Source: Default-First-Site-Name\DC02
******* 1 CONSECUTIVE FAILURES since 2025-07-06 14:48:34
Last error: 1908 (0x774):
            Could not find the domain controller for this domain.

If the command output shows errors similar to the preceding example output, then wait several minutes and try again. These errors can occur while replication between the domain controllers is still in progress after the restore.

To check the domain controller's operating status, run the following command:

dcdiag /v

Note: The output might contain test failures for SystemLog or DFSREvent. This typically occurs because of errors that the event log recorded during the restore process. If the event log doesn't record more errors after the restore completed, then ignore the test failures.

Example output:

......................... DC01 failed test DFSREvent
...
......................... DC01 failed test SystemLog

Also, check Windows Event Logs such as System, Directory Service, DNS Server, and DFS Replication for errors that you must resolve.
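The three checks above are read by eye. The following script is an added example, not code from the AWS article: it runs the same checks from one place and fails closed on the conditions the article describes (a missing NETLOGON or SYSVOL share, inbound replication partners with a failure count, and dcdiag errors other than the SystemLog and DFSREvent failures the note above says to judge by hand). It uses the /csv output of repadmin so the failure counts can be parsed rather than eyeballed. It assumes it runs on the restored domain controller as an administrator, with repadmin.exe and dcdiag.exe present; the "[OK]" and "[FAIL]" line format is my own.

```powershell
# Added example (not part of the AWS article): post-restore health check in one pass.
$failed = $false

# 1. NETLOGON and SYSVOL must be advertised as SMB shares (same as 'net share').
$shareNames = Get-SmbShare | Select-Object -ExpandProperty Name
foreach ($name in "NETLOGON", "SYSVOL") {
    if ($shareNames -contains $name) { "[OK]   $name is shared" }
    else { "[FAIL] $name share is missing (see Troubleshoot missing SYSVOL share)"; $failed = $true }
}

# 2. Replication: '/csv' gives a parseable form of 'repadmin /showrepl'.
#    Each row is one inbound partner for one naming context on this DC.
$repl = repadmin /showrepl /csv | ConvertFrom-Csv
foreach ($row in $repl) {
    $failures = [int]$row."Number of Failures"
    if ($failures -gt 0) {
        "[FAIL] {0} from {1}: {2} failure(s), last status {3}, last success {4}" -f $row."Naming Context", $row."Source DSA", $failures, $row."Last Failure Status", $row."Last Success Time"
        $failed = $true
    } else {
        "[OK]   {0} from {1}: last success {2}" -f $row."Naming Context", $row."Source DSA", $row."Last Success Time"
    }
}

# 3. dcdiag: '/q' prints only errors, so an empty result means every test passed.
#    SystemLog and DFSREvent failures are reported separately because the article
#    notes they usually reflect events logged during the restore itself.
$dcdiagLines = dcdiag /q
$ignorable   = $dcdiagLines | Where-Object { $_ -match 'failed test (SystemLog|DFSREvent)$' }
$serious     = $dcdiagLines | Where-Object { $_ -match 'failed test ' -and $_ -notmatch 'failed test (SystemLog|DFSREvent)$' }
if ($ignorable) { "[INFO] dcdiag event-log tests failed; review the event logs by hand:"; $ignorable }
if ($serious)   { "[FAIL] dcdiag reported:"; $serious; $failed = $true }
elseif (-not $dcdiagLines) { "[OK]   dcdiag reported no errors" }

if ($failed) {
    Write-Warning "Health check found problems. Replication errors right after a restore are expected; wait several minutes and re-run before escalating."
    exit 1
}
"All checks passed."
```

Because the article says replication errors can persist for a few minutes after a restore, treat the first failing run as a signal to wait and re-run, and only act on results that stay failed.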

Troubleshoot missing SYSVOL share

Complete the following steps:

  1. To check the state of the initial domain controller replication, run the following command as an administrator:

    Get-CimInstance -Namespace "root\microsoftdfs" -ClassName "DfsrReplicatedFolderInfo"

    In the output, if the State isn't 4, then there are issues with the Distributed File System Replication. To troubleshoot this issue, open an AWS Support case.

  2. Open a Command Prompt as an administrator, and then run the following command to check whether SYSVOL is shared:

    reg query HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters | findstr SysvolReady
        SysvolReady    REG_DWORD    0x0 

    In the output, confirm that SysvolReady has the value of 0. If SysVolReady is 1 and SYSVOL isn't shared, then the issue is a corrupted Distributed File System database or Active Directory synchronization issues. For troubleshooting assistance, open an AWS Support case.

  3. To set SysvolReady to 1, run the following command:

    reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters /v SysvolReady /t REG_DWORD /d 1

    Note: Respond yes to the Value SysvolReady exists, overwrite(Yes/No)? prompt.

  4. To confirm your changes, run the following command:

    reg query HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters | findstr SysvolReady
        SysvolReady    REG_DWORD    0x1
  5. To restart the netlogon service, run the following commands:

    net stop netlogon
    net start netlogon
  6. To confirm that both SYSVOL and NETLOGON are shared, run the following command:

    net share

    Example output:

    > net share
    Share name   Resource                        Remark
    -------------------------------------------------------------------------------
    C$           C:\                             Default share
    D$           D:\                             Default share
    IPC$                                         Remote IPC
    ADMIN$       C:\Windows                      Remote Admin
    NETLOGON     C:\Windows\SYSVOL\sysvol\corp.example.com\SCRIPTS
                                                 Logon server share
    SYSVOL       C:\Windows\SYSVOL\sysvol        Logon server share
    The command completed successfully.

To confirm that SYSVOL replication between DC01 and DC02 is working as expected, complete the following steps:

  1. Connect to DC01, and then add a test file in C:\Windows\SYSVOL\sysvol\domain_dns_name\.
    Note: Replace domain_dns_name with your domain's DNS.
  2. Connect to DC02, and then check C:\Windows\SYSVOL\sysvol\domain_dns_name\ to confirm SYSVOL replicated the file.
    Note: Replace domain_dns_name with your domain's DNS name. Based on your replication interval settings, it might take several hours for SYSVOL to replicate the file.
  3. Repeat steps 1-2, but add the test file on DC02 and check DC01 for the replicated file.
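The following script is an added example, not code from the AWS article, and it covers both the missing-SYSVOL troubleshooting steps and the replication test above. It reads the DFSR state of the SYSVOL replicated folder and the SysvolReady value the way the steps do, applies the same SysvolReady=1 fix and Netlogon restart only when you pass -Fix, and then drops a uniquely named probe file into the local SYSVOL and polls the partner's SYSVOL share for it. The partner name DC02, the domain name corp.example.com, the 15-minute timeout and the probe file name are assumptions; the DFSR state labels are the documented values of the DfsrReplicatedFolderInfo State property. Run it on DC01 to test the DC01-to-DC02 direction, then on DC02 with -PartnerDC DC01 for the reverse.

```powershell
# Added example (not part of the AWS article): SYSVOL share diagnostics plus a replication probe.
param(
    [string]$PartnerDC      = "DC02",              # assumed partner DC name
    [string]$DomainDns      = "corp.example.com",  # assumed domain DNS name
    [switch]$Fix,                                  # set SysvolReady=1 and restart Netlogon, as in step 3
    [int]$TimeoutMinutes    = 15                   # assumed wait; intra-site DFSR is usually much faster
)

$netlogonKey = "HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters"

# Documented DfsrReplicatedFolderInfo.State values; 4 (Normal) is the healthy state the article checks for.
$stateNames = @{ 0 = "Uninitialized"; 1 = "Initialized"; 2 = "Initial Sync"; 3 = "Auto Recovery"; 4 = "Normal"; 5 = "In Error" }
$sysvolFolder = Get-CimInstance -Namespace "root\microsoftdfs" -ClassName "DfsrReplicatedFolderInfo" |
    Where-Object { $_.ReplicatedFolderName -eq "SYSVOL Share" }
if (-not $sysvolFolder) { throw "No DFSR replicated folder named 'SYSVOL Share' found; DFSR is not initialized on this DC." }
$state = [int]$sysvolFolder.State
"DFSR SYSVOL state: {0} ({1})" -f $state, $stateNames[$state]
if ($state -ne 4) { Write-Warning "DFSR is not in Normal state; setting SysvolReady will not help until it is." }

$ready  = (Get-ItemProperty -Path $netlogonKey -Name SysvolReady -ErrorAction SilentlyContinue).SysvolReady
$shared = [bool](Get-SmbShare -Name SYSVOL -ErrorAction SilentlyContinue)
"SysvolReady = $ready; SYSVOL shared = $shared"

if ($ready -eq 1 -and -not $shared) {
    Write-Warning "SysvolReady is already 1 but SYSVOL is not shared: DFSR database or AD sync problem, as the article describes."
} elseif ($ready -ne 1 -and $Fix) {
    # Same change as 'reg add ... /v SysvolReady /t REG_DWORD /d 1' followed by a Netlogon restart.
    Set-ItemProperty -Path $netlogonKey -Name SysvolReady -Type DWord -Value 1
    Restart-Service Netlogon
    Start-Sleep -Seconds 10
    $shared = [bool](Get-SmbShare -Name SYSVOL -ErrorAction SilentlyContinue)
    "After fix: SYSVOL shared = $shared"
}
if (-not $shared) { Write-Warning "SYSVOL is still not shared; the replication probe below cannot succeed."; exit 1 }

# Replication probe: a name unique to this host and time, so a stale file on the partner cannot give a false pass.
$localSysvol = "C:\Windows\SYSVOL\sysvol\$DomainDns"
$probeName   = "replprobe-$($env:COMPUTERNAME)-$(Get-Date -Format yyyyMMddHHmmss).txt"
$localProbe  = Join-Path $localSysvol $probeName
Set-Content -Path $localProbe -Value "sysvol replication probe"
$remoteProbe = "\\$PartnerDC\SYSVOL\$DomainDns\$probeName"   # SYSVOL share maps to C:\Windows\SYSVOL\sysvol

$started  = Get-Date
$deadline = $started.AddMinutes($TimeoutMinutes)
while ((Get-Date) -lt $deadline) {
    if (Test-Path $remoteProbe) {
        "Probe replicated to $PartnerDC after $([int]((Get-Date) - $started).TotalSeconds) s"
        Remove-Item $localProbe   # clean up; the deletion replicates the same way
        exit 0
    }
    Start-Sleep -Seconds 30
}
Write-Warning "Probe not seen on $PartnerDC within $TimeoutMinutes minutes; check the DFS Replication event log and repadmin /showrepl."
exit 1
```

The probe leaves nothing behind on success, and a timeout points you at the same two places the article sends you next: the DFS Replication event log and repadmin.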
AWS OFFICIAL. Updated 2 months ago.