Veeam 8: restoring Active Directory after DC failure


With Veeam 8, restoring Active Directory functionality after a Domain Controller failure is a matter of a few clicks, provided a working backup is available.

One of the most undervalued components of Veeam is the VBK Extract utility, which helps recover in scenarios where no disaster recovery plan is in place and the backup strategy is poor.



During network maintenance, all Domain Controllers failed due to a bad update, causing a complete Active Directory failure.

After a quick check, the network was found to be working with very limited services:

  • No Domain Controllers available - AD authentication not working
  • No DNS service - most services not working, vCenter and Veeam servers as well
  • No replica available and no DR plan in place
  • All network servers are running except DCs
  • Backups available and backup storage accessible



The only way to recover Active Directory functionality is to restore at least the primary Domain Controller. Since the Veeam Server and its components rely on DNS availability, the VBK Extract utility was the first solution that came to my mind to quickly restore the environment.

The files required to run the tool are located on the Veeam Server under C:\Program Files\Veeam\Backup. Copy them to the Veeam Proxy to which the backup repository is connected (via iSCSI in this example). Remember that both DNS and authentication services are unavailable.

The files to copy are the following:

  • Veeam.Backup.Extractor.exe
  • Extract.exe


Double-click Veeam.Backup.Extractor.exe to run the tool. Click Browse in the VBK file field and specify the full backup file that contains the primary Domain Controller (the extractor can recover VMs from full backups only). Click Open.


Click Browse and select an Extract folder with enough free space to store the VM.


Select the VM to restore (e.g. w2k8r2-dc01) and click Extract.



Copy extracted VM to the storage

Once the VM has been extracted, it must be copied to the shared storage to which ESXi is connected.


From the computer where vSphere Client is installed, map the disk of the machine where the VM has been extracted using the correct credentials.


Since users cannot be authenticated against Active Directory (no DCs are available), the local Administrator account should be used instead.


The VM is now accessible from the computer with vSphere Client.
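The mapping step can also be scripted. The following PowerShell is an added example, not part of the original walkthrough. It maps the drive by IP address (DNS is down) with the proxy's local Administrator account (AD is down), then checks that the extracted VM folder contains a .vmx file before the upload. The address, computer name, share and folder path are constructed placeholders.

```powershell
# Added example. All values below are constructed placeholders; replace them.
$ProxyAddress = '192.0.2.10'            # IP of the machine holding the extracted VM (no DNS, so no hostnames)
$ProxyName    = 'VEEAM-PROXY01'         # hypothetical computer name, used only to qualify the local account
$ShareName    = 'E$'                    # share exposing the volume with the Extract folder
$ExtractDir   = 'Extract\w2k8r2-dc01'   # hypothetical path of the extracted VM on that share
$DriveLetter  = 'Z'

# "<computer>\Administrator" pins the logon to the proxy's local account database,
# so no Domain Controller is contacted for authentication.
$cred = Get-Credential -UserName "$ProxyName\Administrator" `
                       -Message 'Password of the local Administrator on the proxy'

# -Persist creates a real mapped network drive, so it is also visible in the
# file dialogs of other applications running under the same user.
New-PSDrive -Name $DriveLetter -PSProvider FileSystem `
            -Root "\\$ProxyAddress\$ShareName" `
            -Credential $cred -Persist -Scope Global -ErrorAction Stop | Out-Null

# Sanity check before uploading: the folder must exist and contain the .vmx
# file that is later used to add the VM to the inventory.
$vmPath = "${DriveLetter}:\$ExtractDir"
if (-not (Test-Path -Path $vmPath -PathType Container)) {
    throw "Folder $vmPath not found on the mapped drive."
}

$files = Get-ChildItem -Path $vmPath -File
if (-not ($files | Where-Object { $_.Extension -eq '.vmx' })) {
    throw "No .vmx file in $vmPath; check that the extraction completed."
}

# List what will be uploaded, with sizes, to confirm the datastore has room.
$files | Sort-Object Length -Descending |
    Select-Object Name, @{ Name = 'SizeGB'; Expression = { [math]::Round($_.Length / 1GB, 2) } }
```

When the recovery is finished, remove the mapping with Remove-PSDrive so the local Administrator session to the proxy does not stay connected.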


Select the storage to use and click the upload icon. Select the Upload Folder option.


Browse the folders, select the VM to upload, then click OK.


Click Yes to continue.


The VM is being uploaded to the selected storage.



Add VM to Inventory

To make the VM visible to the ESXi host, the VM must be added to the inventory. When the upload is complete, select the VM folder and right-click the .vmx file. Select the Add to Inventory option.


Enter a name for the virtual machine and click Next.


Select the resource pool in which to run the VM and click Next.


Click Finish to register the VM.


The virtual machine is now visible from the ESXi host.


Right-click the VM and select Power > Power On.


The VM (Domain Controller) is now up and running, restoring Active Directory authentication functionality.


Since the Extractor doesn't need to be installed, the tool can be stored anywhere and easily used in case the Veeam Server is unavailable.