Pre- and post-configuration runbook steps are executed on domain controllers and in Active Directory before and after a DC is recovered.
The steps are listed in runbook order.
| Step | Description | Mandatory, recommended, or skippable | Links to the Active Directory forest recovery guide and other Microsoft content |
|---|---|---|---|
| Install latest Commvault Cloud updates | This step checks whether the latest Commvault Cloud software is installed on the recovered server, and if not, installs the updates. | Skippable, if you are confident that the backup used to restore the domain controller contains the latest Commvault Cloud software | None |
| Disable Windows Update service | Disables the Windows Update Service on recovered domain controllers. Forest recovery is intensive on the servers that are recovered and must be completed quickly. Disabling the Windows Update Service prevents the DCs from installing updates during the recovery, reducing load and preventing reboots. | Skippable, if you are confident that the backup used to restore the domain controller contains the latest Windows updates | None |
| Mark SYSVOL as authoritative for the first DC in the domain | An authoritative restore of SYSVOL is necessary on the first domain controller that is restored. All other recovered domain controllers resynchronize their copy of SYSVOL from the authoritative copy. | Mandatory | |
| Suspend initial replication synchronization | A DC with a Flexible Single Master Operations (FSMO) role must complete inbound and outbound replication with its replica partners before providing services. This step enables DCs that had an FSMO role when the backup was created to provide services during forest recovery, when replica partners are unavailable. This step configures the following registry key: | Mandatory | |
| Seize FSMO roles | FSMO roles provide critical AD services. The first DC restored in the forest must seize all FSMO roles. | Mandatory | |
| Raise RID pool | New AD objects require unique IDs. Recovering AD reverts the RID pool; raising it by 100,000 prevents duplication and security risks. | Mandatory | |
| Invalidate RID pool | Invalidates the current RID pool to ensure the restored DC does not reuse old RIDs. | Mandatory | |
| Reset computer account password | Resets the recovered domain controller’s computer account password twice to ensure communication succeeds. | Mandatory | |
| Remove global catalog | Removes the global catalog role from DCs to prevent lingering objects during recovery. | Mandatory | |
| Configure Windows Time service on PDC emulator | Configures the PDC Emulator to synchronize time from an external source. Executed after FSMO seizure. | Mandatory | |
| Reset the krbtgt service account password | Resets the krbtgt account password twice to invalidate Kerberos tickets. | Recommended, if you suspect the cause of failure involves intrusion | |
| Redistribute domain FSMO roles | FSMO roles may be redistributed so they match pre-recovery placement. | Not mandatory | |
| Configure DNS - post first DCs | Reconfigures DNS server and client settings to align with IP changes in the restored environment. | Mandatory if using AD-integrated DNS; external DNS may require extra steps. | |
| Clean up DNS for stale entries - post first DCs | Removes DNS records for non-existent DCs. | Mandatory if using AD-integrated DNS | |
| Rebuild global catalog | Restores the GC role to DCs so they can provide directory lookup services. | Mandatory | |
| Force replication | Ensures all DCs replicate successfully after recovery. | Mandatory | None |
| Verify global catalog is advertising | Verifies that GC-enabled DCs successfully advertise their services. | Mandatory | |
| Verify AD operational health | Runs health checks on DNS and AD replication. | Recommended | |
| Clean up metadata of all DCs not restored | Deletes metadata of DCs not present in the recovered forest. | Mandatory | |
| Resuming initial replication synchronization | Reverts earlier configuration that allowed FSMO-role DCs to advertise before completing replication. | Mandatory | |
| Re-enable Windows Update service | Re-enables Windows Update on DCs so they can download and install updates. | Not mandatory | None |
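The "Raise RID pool" step, worked through offline as an added example (not Commvault's code or part of the runbook). It assumes the pool is stored in the AD attribute `rIDAvailablePool` as one 64-bit integer whose upper 32 bits are the pool ceiling and whose lower 32 bits are the next RID to issue; the function names, the sample value, and the `covers` check are constructed for illustration.

```python
"""Added illustration: computing a raised rIDAvailablePool value."""
from __future__ import annotations

RID_RAISE = 100_000  # increment stated in the runbook table

# Constructed sample value: ceiling 2**30 - 1, next RID 2100.
SAMPLE_POOL = 4611686014132422708


def split_pool(value: int) -> tuple[int, int]:
    """Return (ceiling, next_rid) from the 64-bit attribute value."""
    if not 0 <= value < 2**63:
        raise ValueError("expected a non-negative signed 64-bit integer")
    return value >> 32, value & 0xFFFFFFFF


def raise_pool(value: int, increment: int = RID_RAISE) -> int:
    """Return the attribute value with the next-RID part raised."""
    if increment <= 0:
        raise ValueError("the pool is only ever raised, never lowered")
    ceiling, next_rid = split_pool(value)
    new_next = next_rid + increment
    # Adding to the raw integer would silently corrupt the ceiling
    # if the low half overflowed, so check against it explicitly.
    if new_next > ceiling:
        raise ValueError(f"next RID {new_next} exceeds ceiling {ceiling}")
    return (ceiling << 32) | new_next


def covers(value: int, highest_known_rid: int) -> bool:
    """True if every RID issued from this pool is above highest_known_rid.

    highest_known_rid is the largest RID known to have been issued
    before the failure (for example, seen in a SID created after the
    backup was taken). If this returns False, a new principal could
    receive a SID that already appears in existing ACLs.
    """
    _, next_rid = split_pool(value)
    return next_rid > highest_known_rid


if __name__ == "__main__":
    raised = raise_pool(SAMPLE_POOL)
    print("before:", split_pool(SAMPLE_POOL))
    print("after: ", split_pool(raised), "value", raised)
    print("covers RID 50000:", covers(raised, 50_000))
```

If `covers` returns False for the highest RID observed after the backup was taken, the increment needs to be larger than 100,000 for that environment.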