Authoritative Restore

Restore from DSRM


For this to work Windows Backup must have taken backups for the ntds.dit file.


Browsing the Backups and the NTDS.dit file


Manual Snapshots of the drive can be done from

ntdsutil: act inst ntds

snapshot create

list all


Select the GUID of the backup and Mount it as follows:


Mount {GUID}


You can then browse the snapshot in the c:\


You can then mount the ntds.dit file inside the mounted backup as follows:


Exit ntdsutil and run:


dsamain -dbpath c:\$SNAP_65168161358_VOLUMEC$\Windows\ntds\ntds.dit -ldapport 5000


This will be mounted and then can be accesses from dsa.msc. You need to change domain controller to dc1.contoso.local:5000 to browse the NTDS.dit file.


Performing an Authorative Restore

If an OU or user or whatever needed to be restored authorativly do the following.


Restart DC in DSRM (Directory Services Restore Mode)


Open CMD


bcdedit /set safeboot dsrepair

shutdown /r /t 0

PKI Setup (Offline Root CA)

Place CAPolicy.inf in the c:\Windows folder on the CA

Install the Root CA

Configure the Root CA:

Remove ALL CRL Locations BEFORE issuing any certificates

On the root CA run  

certutil -setreg ca\ValidityPeriod "Years"

certutil -setreg ca\ValidityPeriodUnits "20"

 Copy files from Root CA from c:\windows\system32\certserv\ to the Sub-CA or Web server in c:\CertEnroll

Make CertEnroll Modify permissions for Cert Publishers and read for everyone.

Install the Sub-CA - Place the CAPolicy.inf file in the C:\Windows folder on the Sub-CA

Import the Request into the Root and Issue cert. The Save it to file and Install on the Sub-CA.

Start the CA Service on the SUB-CA - Errors will occur for the Sub CA in the PKI Hierarchy.

Go to the Webserver

Run Cmd:

C:\windows\system32\inetsrv\Appcmd set config "Default Web Site" /section:system.webserver/Security/requestFiltering -allowDoubleEscaping:True



Cd \CertEnroll

certutil -f -DSPublish CA-Root.contoso.com_CAROOT.crt RootCA

Finally configure DNS

if domain ends in .local an A record will need to be created to point to the websever.

Test SMTP Email with Telnet

In this example I'll email from [email protected] to [email protected]


First ID the SMTP server via it's MX record:


Nslookup -q=mx


From a Telnet client run:


Telnet 25


At this point you should get a 220 response which means everything is OK up to this point.


Helo    <  just type the domain after helo - (not important)


Mail from: [email protected]


250 OK


Rcpt to: [email protected]



This is a test - Ignore


    < Hit Enter then  <Period Key> then enter to submit.


250 OK