I'm curious about restoring a domain controller (DC), especially when it comes to Flexible Single Master Operations (FSMO) roles and Primary Domain Controllers (PDC). If I restore a non-PDC or non-FSMO DC from a backup, will that backup have the authority to overwrite its old information in the domain? What if it's a PDC or FSMO role holder? Could restoring it lead to users having to revert to old passwords or other issues? Just trying to understand the implications of this process in a multi-DC environment and if it's ever a bad idea to restore one that isn't critical.
2 Answers
When it comes to restoring a DC that's not a PDC, the best practice is to avoid restoring from backup altogether. Instead, you can set up a new DC in about 30 minutes, which is generally safer. If your backups are application-aware, the DC will recognize it’s been restored and initiate an Initial Synchronization to update its information before functioning as a DC. If not, it's usually best to just skip the restore to avoid potential issues.
It's essential to understand the difference between authoritative and non-authoritative restores for domain controllers. That can impact what happens to all devices and users in your network.
So if we have at least one DC operational, we can rebuild others. But if the last DC fails and I only have an old backup, can I restore it without losing trust relationships? What's the time frame for that to be okay, as I'm working in disaster recovery?
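As an added example that is not part of this thread, a PowerShell pre-restore check covering the points raised above: whether the DC to be restored holds any FSMO role, whether the backup is younger than the forest's tombstone lifetime (a backup older than that must not be restored into a live forest), and whether the surviving DCs are replicating cleanly so a non-authoritative restore or a fresh DC can pull current data. It assumes the RSAT ActiveDirectory module; the DC name and backup date are hypothetical placeholders.

```powershell
# Added example (not from the thread). Assumes the ActiveDirectory module.
param(
    [string]$DcToRestore = 'DC02',                   # hypothetical DC name
    [datetime]$BackupDate = (Get-Date).AddDays(-20)  # hypothetical backup date
)
Import-Module ActiveDirectory

$domain = Get-ADDomain
$forest = Get-ADForest

# 1. Does this DC hold any FSMO role? A role holder is the tricky case;
#    a plain replica DC can simply be rebuilt or restored non-authoritatively.
$roles = @{
    'PDCEmulator'          = $domain.PDCEmulator
    'RIDMaster'            = $domain.RIDMaster
    'InfrastructureMaster' = $domain.InfrastructureMaster
    'SchemaMaster'         = $forest.SchemaMaster
    'DomainNamingMaster'   = $forest.DomainNamingMaster
}
$held = $roles.GetEnumerator() |
    Where-Object { $_.Value -eq $DcToRestore -or $_.Value -like "$DcToRestore.*" }
if ($held) {
    Write-Warning "$DcToRestore holds FSMO role(s): $($held.Key -join ', '). Transfer or seize them first."
} else {
    Write-Host "$DcToRestore holds no FSMO roles; rebuilding it as a new DC is the simplest option."
}

# 2. Is the backup younger than the forest tombstone lifetime? An unset
#    tombstoneLifetime attribute means the forest uses the old 60-day default.
$cfg = (Get-ADRootDSE).configurationNamingContext
$ds  = Get-ADObject "CN=Directory Service,CN=Windows NT,CN=Services,$cfg" -Properties tombstoneLifetime
$tsl = if ($ds.tombstoneLifetime) { $ds.tombstoneLifetime } else { 60 }
$age = ((Get-Date) - $BackupDate).Days
if ($age -ge $tsl) {
    Write-Warning "Backup is $age days old; tombstone lifetime is $tsl days. Do not restore it."
} else {
    Write-Host "Backup age of $age days is within the $tsl-day tombstone lifetime."
}

# 3. Are the surviving DCs replicating cleanly? If so, a restored or freshly
#    promoted DC will pull current directory data from them.
$others = (Get-ADDomainController -Filter *).HostName |
    Where-Object { $_ -notlike "$DcToRestore*" }
foreach ($dc in $others) {
    $fail = Get-ADReplicationFailure -Target $dc -ErrorAction SilentlyContinue
    if ($fail) { Write-Warning "$dc reports $(@($fail).Count) replication failure(s); fix these before restoring." }
    else       { Write-Host "$dc reports no replication failures." }
}
```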

Totally agree! For PDC restorations, though, it gets trickier. I'd prefer to hear from someone with more experience before jumping in.