
How to restore a Windows 2003 DC using ASR and VMWare

The following procedure should work for any type of hardware, but I’ve used VMWare (so this procedure is also valid if you want to convert a physical Domain Controller to VMWare). Additionally, the procedure works for Windows 2003 server, but also for Windows XP (Professional).

Prerequisites :

  • ASR backup .bkf file and the ASR floppy that corresponds with the ASR backup file. If you want to re-create the ASR floppy, have a look at http://support.microsoft.com/kb/325854/en-us
  • Converted ASR floppy (use a tool such as winimage to convert the floppy into a .ima or .img file, and then rename the .ima/.img file to .flp, or have a look at http://www.vmware.com/community/thread.jspa;jsessionid=9977DD123ECD2AA3C2E131C02E35998E?messageID=210767 or http://www.vmware.com/community/thread.jspa?threadID=18046 )
  • You will need to be able to have access to the .bkf file during the Windows setup in ASR mode. This is somewhat tricky. The only 2 ways I know of that work (read : that I have tested myself) are either to back up to tape, and have the tape drive and tape available during the ASR restore; or to back up to disk and put the bkf on a server in the vmware environment. Share the folder containing the bkf. Just don’t put the bkf file on the disks that will contain the Windows server afterwards, because all data will be removed during the ASR setup. According to some people, you should be able to put the bkf file on one of the disks in the server where ASR will run on. As long as it does not sit on the partition that has system files on it, and as long as the partition that will hold the bkf file is also available in the real DC, it should work. (But I tend not to believe this statement, because one of the first steps in the process is actually clearing the partitions and volumes on the disks… so the disk containing the bkf file would be emptied as well… right ?)
  • Disk configuration of the physical server (size of each disk)
  • Windows 2003 server CD
  • Make sure the vmware machine does not have access to the production machine, if you are trying this for simulation/testing purposes. Set the virtual machine to use a vmware internal network, without connection to the rest of the network.
  • Other backup sets (recent System State, Sysvol contents, …)

Before you start : Do not EVER EVER put the same machine twice on the same network. This will create havoc and, in case of a DC, possibly ruin your entire AD. Make sure to put the "to be restored" DC in an isolated network segment, without access to the real DC.

First of all, create a VMWare virtual machine, and make sure to create virtual disks that have at least the same size as the disks in the server. (Note : I’m referring to disks, not partitions.) If your DC has 3 partitions of 12Gb, and the total disk is 36Gb, make sure to create 1 virtual disk of at least 36Gb.

Boot the vmware machine (boot from the Windows 2003 server CD.) When prompted, press F2 to enter ASR mode.

When you are prompted to insert the ASR Disk, mount the .flp file containing the ASR floppy. (Or just mount the physical floppy).


Windows setup will continue "loading files…", just wait until the following screen appears :


Press "C" to continue the setup. This step will remove everything that is on the disks listed in this view.

Next, the disks will be formatted and checked…


… and Windows setup will continue copying files :


Wait until this process has completed.


The system will reboot into the graphical mode of the ASR process. Make sure to change the BIOS not to boot from CD or floppy (or press ESC at boot time to show the boot menu). You’ll end up at the ASR Welcome screen. Click next to continue (or just wait 90 seconds).


Select the path that contains the ASR .bkf file. If you have put the file on a fileserver in your vmware environment, you should be able to put in the UNC path to the folder (\\ip\sharename) and continue the restore process over the network. If you are doing this on a physical server and you have put the ASR backup on tape, the server should be able to detect the tape and find the ASR backup automatically. Of course, you can also browse to the bkf file over the network when you are performing a bare metal restore onto a physical server.

One more quick note on accessing a file server on the network. The network driver will be loaded in ASR mode, but you will need to make sure there’s a DHCP server in the network. If you are doing this in an isolated environment, you can put another 2003 server in the same isolated vmware environment, and install DHCP on that machine. The DHCP server should be up and running at the time the "to be restored" server boots into ASR graphical mode. If DHCP doesn’t work, you can also rely on APIPA. Use a sniffer (wireshark) on the file server to see the APIPA address of the "to be restored" server :


Give the file server an APIPA address in the same network range, and the two should be able to talk to each other. In my example, the file server (it actually is a Windows XP) has IP 169.254.145.192, the server has 169.254.145.191 (I got that address from the sniffer).


Go back to the ASR process. When you are at the dialog window to select your backup file, click "browse", and enter the UNC path to the share on the server. In my example, that is \\169.254.145.192\data. Provide a user/password to connect, when asked.


Select the bkf file that is stored on the server and click "open".

Click "next" to continue the process.

Click "finish" to start restoring.


Wait until the process has completed. The ntbackup application will close and the server will reboot automatically.

When the machine reboots, a couple of things might happen :

  1. The server boots and works fine. Congratulations. Even if you need to install display drivers or some other drivers after the boot, you still made it successfully. And if you planned for these types of scenarios, you could restore your DC in half an hour or so…
  2. The server doesn’t boot. Try to repair the installation by booting with the 2003 server CD and go into repair mode. (You can choose to repair the Windows installation after the setup process has detected an existing Windows installation). If that doesn’t work, have a look at the following Microsoft KB articles :
    1. http://support.microsoft.com/kb/325375/en-us
    2. http://support.microsoft.com/kb/842009/en-us
    3. http://support.microsoft.com/kb/811944/en-us
    4. http://support.microsoft.com/kb/836421/en-us


If you get your DC to work, just check the Network Interface properties. If you do an ASR restore, odds are that the Firewall will be turned on again. Make sure to turn it off if that is what you need. You might need to reboot to get AD to run properly.


Event log : MSDTC errors/warnings

Finally, check the event log. There’s a pretty good chance that you will see MSDTC errors/warnings in the event log. You can clean these up using the following procedures :

Error EventID 53258

If the Event Log Application contains :

Source: MSDTC
Type: Warning
Category: SVC
Event ID: 53258
Description: MS DTC could not correctly process a DC Promotion/Demotion event. MS DTC will continue to function and will use the existing security settings. Error Specifics: %1

Start Component Services (Start – Programs – Administrative Tools).
Expand Component Services.
Expand section Computers.
Right click on My Computer, select Properties, MSDTC tab.
Select Security Configuration, then OK.
Select OK again.
Right click on My Computer, and select Stop MS DTC. This will stop the Distributed Transaction Coordinator.
Right click again on My Computer, and select Start MS DTC.

Also, make sure "Network Service" has full control on HKLM\Software\Microsoft\MSDTC and everything below. Then restart the server.

Error EventID 4404

Source: MSDTC
Type: Error
Category: Tracing Infrastructure
Event ID: 4404
Description: MS DTC Tracing infrastructure: the initialization of the tracing infrastructure failed. Internal Information: msdtc_trace: File: d:\srvrtm\com\complus\dtc\dtc\trace\src\tracelib.cpp, Line: 1107, StartTrace Failed, hr=0x80070070

Start Component Services (Start – Programs – Administrative Tools).
Expand Component Services.
Right click on My Computer, select Properties, MSDTC tab.
Choose Tracing Options.
Select Stop Session, New Session, Flush Data, and OK twice.
Right click on My Computer, and select Stop MS DTC. This will stop the Distributed Transaction Coordinator.
Right click again on My Computer, and select Start MS DTC.


Errors EventID 1058, 1030

Source: Userenv
Type: Error
Event ID: 1058
Description: Windows cannot access the file gpt.ini for GPO CN = {31B2F340-016D-11D2-945F-00C04FB984F9}, CN=Policies, CN=System, DC=test, DC=net. The file must be present at the location <\\ test.net \sysvol \test.net \Policies \ {31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini>. (The network location cannot be reached. For information about network troubleshooting, see Windows Help.). Group Policy processing aborted.

or also

Source: Userenv
Type: Error
Event ID: 1030
Description: Windows cannot query for the list of Group Policy objects. Check the event log for possible messages previously logged by the policy engine that describes the reason for this.

A full description of the solution is contained in Microsoft article #842804 at http://support.microsoft.com/?id=842804 . Be sure that:
The Netlogon and DFS services are started.
The domain controller correctly reads and applies the settings from the Domain Controllers Policy.
The NTFS permissions on the Sysvol share are configured correctly.
The DNS records on the DNS server are correct.

Other problems

If you try to open AD Users & Computers (AD U&C), and you’re getting the following error : "Naming information cannot be located because the specified domain either does not exist or cannot be contacted. Contact your system administrator to verify that your domain is properly configured and is currently online.", check the Windows Time service and make sure it is running. Check DNS and make sure it does not contain any references to DCs that are not available. Clean up AD (remove dead DCs) using ntdsutil (see http://support.microsoft.com/kb/216498) and by removing entries in DNS. Reboot and wait for a little while.

Next, check if sysvol and netlogon shares are available. If not, check http://www.jsifaq.com/SF/Tips/Tip.aspx?id=7979, http://support.microsoft.com/kb/316790, http://support.microsoft.com/kb/836421 and http://support.microsoft.com/kb/315457/.
Reboot and see what happens. If it works, fill up the sysvol folder with the sysvol backup (so you’ll have your scripts and GPOs back).

Finally, watch out for events in the Directory Service event log that say that the Net Logon service was paused. (NTDS Event ID 2103 : The Active Directory database has been restored using an unsupported restoration procedure. Active Directory will be unable to log on users while this condition persists. As a result, the Net Logon service has paused.) If you start the Netlogon service manually, you should have a working DC (but you won’t have solved the underlying problem; that’s ok for now). If you really want to solve this USN Rollback issue as well, check http://blogs.dirteam.com/blogs/jorge/archive/2006/03/08/597.aspx, http://blogs.technet.com/petergal/archive/2006/02/04/418779.aspx, http://support.microsoft.com/kb/885875, http://www.ureader.com/message/1270504.aspx, http://www.mcse.ms/message1743890.html. Good luck.

Now run a dcdiag and look for errors and warnings.
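The post-restore checks above (Windows Time and Netlogon running, SYSVOL/NETLOGON shares present, NTDS 2103 / MSDTC / Userenv events, dcdiag) can be collected in one batch file. This is an added example, not a script from the original post; it assumes a Windows Server 2003 DC with the Support Tools installed (for dcdiag and netdom) and the built-in eventquery.vbs.

```batch
@echo off
rem Post-restore DC health check (added example, not part of the original post).
rem Assumes: Windows Server 2003, Support Tools installed (dcdiag, netdom),
rem eventquery.vbs present in %SystemRoot%\system32. Run from an admin cmd prompt.
setlocal

echo === Services that must be running after the restore ===
for %%S in (w32time netlogon dfs) do (
    sc query %%S | find "RUNNING" >nul && (
        echo [OK]   %%S is running
    ) || (
        echo [WARN] %%S is NOT running - start it and check the Directory Service log
    )
)

echo === SYSVOL and NETLOGON shares ===
for %%N in (SYSVOL NETLOGON) do (
    net share | find /I "%%N" >nul && (
        echo [OK]   %%N share is present
    ) || (
        echo [WARN] %%N share is missing - see KB 316790 / KB 315457
    )
)

echo === NTDS 2103: unsupported restore, Netlogon paused (USN rollback) ===
cscript //nologo %SystemRoot%\system32\eventquery.vbs /L "Directory Service" /FI "ID eq 2103"

echo === MSDTC warnings/errors (53258, 4404) in the Application log ===
cscript //nologo %SystemRoot%\system32\eventquery.vbs /L Application /FI "Source eq MSDTC"

echo === Group Policy errors (Userenv 1058 / 1030) in the Application log ===
cscript //nologo %SystemRoot%\system32\eventquery.vbs /L Application /FI "Source eq Userenv"

echo === FSMO role holders (verify they point at a DC that still exists) ===
netdom query fsmo

echo === dcdiag (quiet mode only prints errors) ===
dcdiag /q

endlocal
```

Save it as dc-postrestore-check.cmd on the restored DC and run it after each reboot until every section reports clean.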


2 more quick notes :

  1. The ASR Backup/Restore is based on an ASR backup. Odds are that the ASR backup is a bit older than the last System State backup, so it might be a good idea to take the last ntds.dit file, and perform an Authoritative Restore on this DC.
  2. If you had to restore one of the DCs because all of the other ones died in a Disaster, and the DC you are restoring was not the primary DC, then you need to seize the FSMO roles to this DC. (Depending on your environment, if this is the only DC in the forest left for example, you’ll need to seize ALL of the FSMO roles to this DC. You can do this using ntdsutil.) http://support.microsoft.com/kb/255504 :

ntdsutil
ntdsutil: roles
fsmo maintenance: connections
server connections: connect to server yourservername
Binding to yourservername …
Connected to yourservername using credentials of
locally logged on user.
server connections: q
fsmo maintenance: seize domain naming master
fsmo maintenance: seize infrastructure master
fsmo maintenance: seize PDC
fsmo maintenance: seize RID master
fsmo maintenance: seize schema master
fsmo maintenance: q
ntdsutil: q
Disconnecting from yourservername…

Additionally, if this is the only DC that will be left over, you will have to clean up all of the other ones (if any) before promoting new servers into the domain. Otherwise, you’ll end up with a lot of errors and warnings, timeouts, … when this restored DC tries to contact other DCs that aren’t there anymore. Look at Microsoft KB 216498 to remove the dead DCs.


Links :

How to move a Windows installation to different hardware : http://support.microsoft.com/kb/249694
How to perform a disaster recovery restoration of Active Directory on a computer with a different hardware configuration : http://support.microsoft.com/?id=263532
How to rebuild the SYSVOL tree and its content in a domain : http://support.microsoft.com/kb/315457/
The Sysvol and Netlogon Shares Are Missing After You Restore a Domain Controller from Backup : http://support.microsoft.com/kb/316790
A domain controller is not functioning correctly? : http://www.jsifaq.com/SF/Tips/Tip.aspx?id=8320
windows_bare_metal_recovery:ntbackup : http://wiki.bacula.org/doku.php?id=windows_bare_metal_recovery:ntbackup
Recover from a system failure using Automated System Recovery : http://technet2.microsoft.com/windowsserver/en/library/e96185f5-50b7-4b14-a2fd-0155d6b174f91033.mspx?mfr=true
How ASR Works : http://technet2.microsoft.com/windowsserver/en/library/7b4f0436-cc90-4b52-b6ab-064f9db8d2721033.mspx?mfr=true
Restoring a Domain Controller Through Reinstallation : http://technet2.microsoft.com/WindowsServer/en/Library/2f44ad0e-f84d-47a2-956b-df3f8554ea541033.mspx
Performing an Authoritative Restore of Active Directory Objects : http://technet2.microsoft.com/WindowsServer/en/library/690730c7-83ce-4475-b9b4-46f76c9c7c901033.mspx
How backup works : http://technet2.microsoft.com/windowsserver/en/library/9143ba85-587e-409d-b612-617e6617fece1033.mspx?mfr=true

3rd party tools :
http://www.stratesave.com/html/htmlhelp/meba2d89.htm

© 2007 – 2021, Peter Van Eeckhoutte (corelanc0d3r). All rights reserved.
