How to perform a manual disaster recovery in Backup Exec.

How to perform a manual disaster recovery in Backup Exec.

Article: 100011192
Last Published: 2025-01-07
Ratings: 1 2
Product(s): Backup Exec


Manual disaster recovery is needed in the following situations:

  • The Windows operating system has become corrupted and cannot be repaired using the Emergency Repair Disks.
  • The hard drive containing the Windows operating system has encountered an unrecoverable error that requires reformatting the disk.
  • The hard drive that contains the Windows operating system needs to be replaced.
  • The server has been hit by ransomware or any other virus attacks and it is better to recover the server from a good recent backup.

This document includes the following 2 manual disaster recovery procedures for Windows servers:

  • Manual disaster recovery of a local Backup Exec server. This can be a workgroup, member server or a domain controller.
  • Manual disaster recovery of a remote Backup Exec server or a server on which a remote agent has been installed to recover it. This can be a workgroup, member server or a domain controller.


Manual disaster recovery of a local Backup Exec server on a Windows computer

For the automated disaster recovery process, please review - Step by step guide for Simplified Disaster Recovery (SDR) with Backup Exec

This procedure restores the computer's operating system to a pre-disaster state. It also restores the data files, except for those that a Backup Exec agent protects, such as the Agent for Microsoft Exchange Server, Agent for SQL or Hyper V etc. If Backup Exec agents protect any of the data, refer to the section in the Backup Exec Administrator's Guide on how to restore the data that is protected by the agent before beginning disaster recovery.

The agent-protected data should be restored after the system recovery is complete. This procedure also includes a non-authoritative and authoritative restore of a Domain Controller.

Use a separate procedure for manual disaster recovery of a remote Windows computer. See Manual disaster recovery of a remote Backup Exec server or remote agent on a Windows computer.

These steps are intended for manual disaster recovery only. If Simplified Disaster Recovery (SDR) is enabled for the computer, you should use SDR for disaster recovery.

The following items are required for manual disaster recovery of a local system:

  • Latest full backup of the critical components of the server to be recovered and any subsequent incremental and differential backups to ensure server is recovered to its latest backup set state.
  • The Windows installation media to install the same version of the operating system as it existed at the time of the backup.
  • The Backup Exec installation media to install Backup Exec for reading from the backed-up media and perform the recovery.
  • For Backup Exec 15 and later, one must have the database encryption key that was used to encrypt the Backup Exec Database. You should have exported the key to a secure location. You must retrieve it from that location to complete the recovery process.
  • A storage device such as a tape drive, disk storage device, or a robotic library must be attached to the computer that you want to recover.  
  • If you are recovering a domain controller irrespective of whether an authoritative restore or non-authoritative restore is being performed, DSRM credentials is needed as the recovery will be performed by booting the freshly installed server into Directory Service Restore Mode. If recovery is performed in normal mode, then the domain controller may not boot post the recovery. The Active Directory Domain services should be installed from add roles and features wizard (server roles section). Promote this server to a domain controller is not required.

Note: If you recover a Windows computer that has BitLocker encryption enabled, you must enable BitLocker encryption again after the restore.

See Microsoft's documentation for more information on BitLocker drive encryption.

Always log on to Windows using the Administrator account or its equivalent during this procedure.

To run a manual disaster recovery of a local Backup Exec server on a Windows computer

  1. Install the original version of Windows which existed at the time of backup. The same Service Pack and patches need to be applied after Windows is installed.

Note the following scenarios:

If you recover from an entire hard disk failure, use Windows setup to partition and format the new disk during installation. This Windows installation is necessary to provide Backup Exec with a target to which it can restore the system. The computer name, Windows directory, and the file system (such as NTFS) must be the same as the previous Windows installation. This basic installation is overwritten by the backed-up version, which restores your system configuration, application settings, and security settings.

If the system was a domain controller, in a specific domain or workgroup, do not join the domain or workgroup. Use the More... option on the Computer Name Change dialog box to manually add a domain suffix to the computer name that matches the system's original domain or workgroup suffix.

Change the new system name to match the original system name by performing the following steps in the order listed:

  • Note: If you are recovering a domain controller irrespective of whether an authoritative restore or non-authoritative restore is being performed, DSRM credentials is needed as the recovery will be performed by booting the freshly installed server into Directory Service Restore Mode. If recovery is performed in normal mode, then the domain controller may not boot post the recovery. The Active Directory Domain services should be installed from add roles and features wizard (server roles section). Promote this server to a domain controller is not required.
  • From System Properties, on the Computer Name tab, click Change.
  • In the Computer Name/Domain Changes dialog box, click More.  
  • If necessary, select change primary DNS suffix when domain membership changes, and then click OK.  
  • Restart the system.  
  1. Install Backup Exec to a directory other than where it was originally installed (a temporary installation). Always log on to Windows using the Administrator account or its equivalent during this procedure.

Note: After recovery is complete, this temporary installation of Backup Exec can be renamed as a registry, service and installation directory is recovered from the backup set.

  1. Start Backup Exec, and then add the required Storage device by selecting the Storage tab and then Configure Storage.

This storage device will be the tape where your backup set resides or the disk path where your disk storage device backup files are located.

Note: If you are using a disk storage device to recover the local Backup Exec server, do not include the original disk storage device. If you cannot avoid restoring it, you will need to ensure that the disk storage device being used for the recovery does not conflict with the original disk storage device location.

  1. On the Storage tab, click Inventory and Catalog to both inventory and catalog the media that contains the latest full, incremental, and differential backups of the computer that you want to recover. 
  2.  Select the Backup and Restore tab, and then click Restore.  
  3. Do one of the following:  
If the restore method Complete online restore of a computer, or restore system component is available

Do the following in the order listed:

  • Click Complete online restore of a computer, or restore system component, and then click Next.
  • Click A Microsoft Windows computer that was fully selected for backup, and then click Next.  
  • Select the backup sets that you want to restore, and then click Next.  
  • Make sure you deselect the location for restore where your disk storage device backup files were located, or else they will be overwritten while restoring. Applications and data drives can be restored later once the server recovery is completed.  
  • Ensure that the option, Restore over existing files is selected, and then accept the default selections on the How do you want to maintain file integrity, hierarchy, and security for restore data panel.  
  • Click Next.  
  • On the How do you want to restore operating system features panel, click Next.
  • For an authoritative restore of a domain controller, select the Mark this server as the primary arbitrator for replication when restoring SYSVOL in the System State option on the How do you want to restore System State data? panel.    
  • On the What additional tasks do you want to perform before and/or after a restore panel, select any additional tasks that you want to run before or after a restore, and then click Next.  
  • Schedule the job to run, and then click Next.  
  • On the Restore summary panel, click Finish.
  • Do not restart the computer after the restore job finishes.
If the restore method Complete online restore of a computer, or restore system component is not available Create a restore job and manually select individual system components for recovery. Do not restart the computer after the restore job finishes.
  1. Your computer's operating system is now restored to a pre-disaster state, but you should not restart your system yet. Your data files have been restored if they were included in a restore job, except those protected by Backup Exec database agents.

Continue with one of the following:

For an authoritative restore of a domain controller Proceed to step 8.
If you are restoring a standalone server or a non-authoritative restore of a domain controller

The recovery is complete.

Restart the computer after the restore job successfully completes.

Also, if you have copied disk storage device files to another location for the purpose of a restore, you can remove them.

Proceed to step 9 to complete this procedure.

  1. For an authoritative restore of a domain controller, do the following:

Important: Make sure that the system is booted into Directory Services Restore Mode for the first restart after the restore. Failing to do so may replicate the Active Directory once the Active Directory services are online. To prevent this, you can isolate the system from the network temporarily.

  • Press F8 during startup. A menu appears that lets you diagnose and fix system startup problems.
  • Select Directory Services Restore Mode.  
  • Log in using your DSRM credentials.  

See Microsoft's documentation for running NTDSUTIL for Windows Server.

  • Open a command prompt.
  • Type NTDSUTIL, and then press Enter.
  • Type Activate Instance NTDS, and then press Enter.
  • Type Authoritative Restore, and then press Enter.
  • Type the following command, and then press Enter:

restore subtree ou=OU_Name,dc=Domain_Name,dc=xxx

<ou_name> is the name of the organizational unit that you want to restore, <domain_name> is the domain name that the OU resides in, and <xxx> is the top-level domain name of the domain controller, such as com, org, or net.

  • Repeat these steps as many times as necessary for the specific objects that you need to restore. 
  • After you have finished restoring Active Directory information, exit NTDSUITIL.  
  • Restart the computer.

    Note: If you have copied disk storage device files to some other location to restore them, they can be removed.

  1. If you are recovering a server that runs Backup Exec 15 or later, Backup Exec prompts you for the database encryption key file when you launch it. Complete the following steps to import the database encryption key file:
  • Locate the database encryption key from the secure location to which you backed it up. Backup Exec indicates the name of the key that needs to be restored.
  • Copy the file and then paste it in the Data folder in the directory in which you installed Backup Exec.  
  1. Log in to Backup Exec.

Manual disaster recovery of a remote Backup Exec server or remote agent on a Windows computer

This procedure restores the computer's operating system to a pre-disaster state. It also restores the data files, except for those that a Backup Exec agent protects, such as the Agent for Microsoft Exchange Server, agent for SQL or Hyper V etc. If Backup Exec agents protect any of the data, refer to the section in the Backup Exec Administrator's Guide on how to restore the data that is protected by the agent before beginning disaster recovery.

The agent-protected data should be restored after the system recovery is complete. This procedure also includes a non-authoritative and authoritative restore of a Domain Controller.

Use a separate procedure for manual disaster recovery of a local Backup Exec server. See Manual disaster recovery of a local Backup Exec server on a Windows computer.

These steps are intended for manual disaster recovery only. If Simplified Disaster Recovery (SDR) is enabled for the computer, you should use SDR for disaster recovery.

The following items are required for manual disaster recovery of a remote system:

  • Latest full backup of the critical components of the server to be recovered and any subsequent incremental and differential backups to ensure server is recovered to its latest backup set state.
  • The Windows installation media to install same version of operating system as it existed at the time of the backup.
  • The Backup Exec installation media to install Backup Exec for reading from the backed-up media and perform the recovery.
  • For Backup Exec 15 and later, one must have the database encryption key that was used to encrypt the Backup Exec Database. You should have exported the key to a secure location. You must retrieve it from that location to complete the recovery process.
  • A storage device such as a tape drive, disk storage device, or a robotic library must be attached to the computer that you want to recover.  
  • If you are recovering a domain controller irrespective of whether an authoritative restore or non-authoritative restore is being performed, DSRM credentials is needed as the recovery will be performed by booting the freshly installed server into Directory Service Restore Mode. If recovery is performed in normal mode, then the domain controller may not boot post the recovery. The Active Directory Domain services should be installed from add roles and features wizard (server roles section). Promote this server to a domain controller is not required.

Note: If you recover a Windows computer that has BitLocker encryption enabled, you must enable BitLocker encryption again following the restore.

See Microsoft's documentation for more information on BitLocker drive encryption.

Always log on to Window using the Administrator account or its equivalent during this procedure.

To run a manual disaster recovery of a remote Backup Exec server or remote agent on a Windows computer

  1. At the remote computer, install the original version of Windows which existed at the time of backup. The same Service Pack and patches need to be applied after Windows is installed.

Note the following scenarios:

If you recover from an entire hard disk failure, use Windows setup to partition and format the new disk during installation. This Windows installation is necessary to provide Backup Exec with a target to which it can restore the system. The computer name, Windows directory, and the file system (such as NTFS) must be the same as the previous Windows installation. This basic installation is overwritten by the backed-up version, which restores your system configuration, application settings, and security settings.

If the system was a domain controller, in a specific domain or workgroup, do not join the domain or workgroup. Use the More... option on the Computer Name Change dialog box to manually add a domain suffix to the computer name that matches the system's original domain or workgroup suffix.

Change the new system name to match the original system name by performing the following steps in the order listed:

  • Note: If you are recovering a domain controller irrespective of whether an authoritative restore or non-authoritative restore is being performed, DSRM credentials is needed as the recovery will be performed by booting the freshly installed server into Directory Service Restore Mode. If recovery is performed in normal mode, then the domain controller may not boot post the recovery. The Active Directory Domain services should be installed from add roles and features wizard (server roles section). Promote this server to a domain controller is not required.
  • From System Properties, on the Computer Name tab, click Change.
  • On the Computer Name/Domain Changes dialog box, click More.
  • If necessary, select Change primary DNS suffix when domain membership changes, and then click OK.  
  • Restart the system.
  1.  Perform a local install of Backup Exec Remote Agent for Windows on the remote computer. Choose a different drive or folder other than where agent was installed earlier. Normally it is the default path C:\Program Files\Veritas\Backup Exec\RAWS\

Note: After recovery, the Backup Exec logon account will need to be updated, and the Backup Exec trust will need to be reestablished for the recovered remote server.

  1. On the Backup and Restore tab, select the computer name, and then click Restore.
  2. Do one of the following:    
If the restore method Complete online restore of a computer, or restore system component is available

Do the following in the order listed:

  • Click Complete online restore of a computer, or restore system component, and then click Next.  
  • Click A Microsoft Windows computer that was fully selected for a backup, and then click Next.  
  • Select the point in time, ensuring that only the critical set is selected, and then click Next.  
  • Select To the original location, and then click Next.
  •  Ensure that the option, Restore over existing files is selected, and then accept the default selections on the How do you want to maintain file integrity, hierarchy, and security for restore data panel.  
  • Click Next.
  • For an authoritative restore of a domain controller, select Mark this server as the primary arbitrator for replication when restoring SYSVOL in the System State option on the How do you want to restore System State data? panel.  
  • On the What additional tasks do you want to perform before and/or after a restore? panel, select any additional tasks that you want to run before or after a restore, and then click Next.
  • Schedule the job to run and then click Next.  
  • On the Restore summary panel, click Finish.
  • Do not restart the computer.
If the restore method Complete online restore of a computer, or restore system component is not available

Create a restore job and manually select individual system components for recovery.

Do not restart the computer.

  1.  Your computer's operating system is now restored to a pre-disaster state, but you should not restart your system yet. Your data files have been restored if they were included in a restore job, except those protected by Backup Exec database agents.

Continue with one of the following:

For an authoritative restore of a domain controller Proceed to step 6.
If you are restoring a standalone server or a non-authoritative restore of a domain controller

The recovery is complete.

Restart the computer after the restore job successfully completes.

Proceed to step 7 to complete this procedure.

  1. For an authoritative restore of a domain controller, do the following:

    Important: Make sure that the system is booted into Directory Services Restore Mode for the first restart after the restore. Failing to do so may replicate the Active Directory once the Active Directory services are online. To prevent this, you can isolate the system from the network temporarily.

    • Press F8 during startup. A menu appears that lets you diagnose and fix system startup problems.
    • Select Directory Services Restore Mode.
    • Log in using your DSRM credentials.

See Microsoft's documentation for running NTDSUTIL for Windows Server.

  • Open a command prompt.
  • Type NTDSUTIL, and then press Enter.
  • Type Activate Instance NTDS, and then press Enter.
  • Type Authoritative Restore, and then press Enter.
  • Type the following command, and then press Enter:

restore subtree ou=OU_Name,dc=Domain_Name,dc=xxx

<ou_name> is the name of the organizational unit that you want to restore, <domain_name> is the domain name that the OU resides in, and <xxx> is the top-level domain name of the domain controller, such as com, org, or net.

  • Repeat these steps as many times as necessary for the specific objects that you need to restore. 
  • After you have finished restoring Active Directory information, exit NTDSUITIL.  
  • Restart the computer.
  1. If you are recovering a server that runs Backup Exec 15 or later, Backup Exec prompts you for the database encryption key file when you launch it. Complete the following steps to import the database encryption key file:
  • Locate the database encryption key from the secure location to which you backed it up. Backup Exec indicates the name of the key that needs to be restored.
  • Copy the file and then paste it in the Data folder in the directory in which you installed Backup Exec.
  1. Log in to Backup Exec.


UMI : V-79-1000-13321 UMI : V-290-706 Etrack : 4149762

Was this content helpful?