In Backing Up and Restoring AD, I wrote that Windows 2000 Backup is a significant improvement over Windows NT 4.0's version. While true, Win2K Backup has one limitation: you can't use it to perform a remote backup or a system state data restore on a domain controller (DC), which is a problem if you're trying to recover a DC at a remote site. Fortunately, you can use Win2K Server Terminal Services to overcome this limitation.

Terminal Services and Win2K Backup
Before you can use Win2K Backup remotely, enable Terminal Services in Remote Administration mode on the remote DC. From the Control Panel Add/Remove Software applet, click Add/Remove Windows, check the Terminal Services box, and click Next to launch the Terminal Services wizard, which walks you through the setup. With Terminal Services enabled, you can establish up to two terminal connections to the remote machine and perform almost any task as if you were logged on locally, including running Win2K Backup. Win2K Backup lets you back up to multiple media types and supports scheduling, so you have to connect to the remote DC only once to configure a regular backup.

Performing a Remote Recovery
Performing a remote recovery is trickier than running a backup because you have to boot the DC in Directory Service Restore Mode, which takes Active Directory (AD) offline so that the restore can overwrite the files it needs to replace. Usually, you boot a machine in Directory Service Restore Mode by pressing F8 and choosing the appropriate option from the Advanced Startup Options menu. You can force a system restart from a Terminal Services connection, but of course you'll lose your connection to the remote machine until it comes back up. To overcome this problem, you can add the /safeboot:dsrepair switch to the DC's boot.ini file to direct the remote system to boot into Directory Service Restore Mode. You can add the switch from a Terminal Services session and then force the DC to restart. After the DC restarts, you can reestablish your terminal connection even though the DC is in safe mode.

At this point, you can use a terminal connection to perform an authoritative or non-authoritative restore using Win2K Backup, just as if you were logged on locally. When the restore is complete, remember to remove the /safeboot:dsrepair switch from the boot.ini file so that the machine doesn't continue to boot in Directory Service Restore Mode.
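Editing boot.ini by hand over a terminal session is easy to get wrong, and forgetting to take the switch back out leaves the DC rebooting into Directory Service Restore Mode with AD offline. The following Python script is an added example (not from the original column and not a Microsoft tool) that adds or removes the /safeboot:dsrepair switch on the default entry under [operating systems] and reports whether a given boot.ini currently boots into Directory Service Restore Mode. The sample boot.ini it works on is constructed for the example; it assumes the standard layout of a `default=` line in [boot loader] and `ARC path="description" /switches` entries in [operating systems].

```python
"""Add, remove and check the /safeboot:dsrepair switch in a Windows 2000 boot.ini.

Added example for the remote-recovery procedure; not part of the original
column. Assumes the standard boot.ini layout: a [boot loader] section with a
`default=` line, and an [operating systems] section whose entries look like
`ARC path="description" /switches`.
"""
import re

DSREPAIR = "/safeboot:dsrepair"

# Constructed sample of a Windows 2000 Server boot.ini (not taken from a real DC).
SAMPLE_BOOT_INI = """[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\\WINNT
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\\WINNT="Microsoft Windows 2000 Server" /fastdetect
"""


def default_arc_path(text):
    """Return the ARC path named on the default= line of [boot loader]."""
    m = re.search(r"^default=(.+?)\s*$", text, re.MULTILINE)
    if not m:
        raise ValueError("boot.ini has no default= entry")
    return m.group(1).strip()


def _find_default_entry(lines, arc):
    """Index of the [operating systems] line that starts the default ARC path, or -1."""
    in_os = False
    for i, line in enumerate(lines):
        s = line.strip()
        if s.startswith("[") and s.endswith("]"):
            in_os = s.lower() == "[operating systems]"
            continue
        if in_os and s.lower().startswith(arc.lower() + "="):
            return i
    return -1


def _has_switch(line):
    # Match the switch as a whole token so e.g. /safeboot:dsrepairX is not mistaken for it.
    return re.search(r"(?<=\s)/safeboot:dsrepair(?=\s|$)", line, re.IGNORECASE) is not None


def _edit_default_entry(text, transform):
    """Apply transform() to the default OS entry, preserving the file's line endings."""
    eol = "\r\n" if "\r\n" in text else "\n"
    lines = text.splitlines()
    arc = default_arc_path(text)
    i = _find_default_entry(lines, arc)
    if i < 0:
        raise ValueError("default entry %r not found under [operating systems]" % arc)
    lines[i] = transform(lines[i])
    return eol.join(lines) + eol


def add_dsrepair(text):
    """Return boot.ini text whose default entry boots into Directory Service Restore Mode."""
    def transform(line):
        if _has_switch(line):
            return line  # already present; do not add it twice
        return line.rstrip() + " " + DSREPAIR
    return _edit_default_entry(text, transform)


def remove_dsrepair(text):
    """Return boot.ini text with the switch removed, so the DC boots normally again."""
    def transform(line):
        return re.sub(r"\s+/safeboot:dsrepair(?=\s|$)", "", line, flags=re.IGNORECASE)
    return _edit_default_entry(text, transform)


def boots_into_dsrm(text):
    """True if the default entry carries /safeboot:dsrepair (i.e. the switch was left behind)."""
    lines = text.splitlines()
    i = _find_default_entry(lines, default_arc_path(text))
    return i >= 0 and _has_switch(lines[i])


if __name__ == "__main__":
    # Round trip on the constructed sample: add the switch for the restore, then remove it.
    staged = add_dsrepair(SAMPLE_BOOT_INI)
    print("boots into DSRM after add:   ", boots_into_dsrm(staged))    # True
    restored = remove_dsrepair(staged)
    print("boots into DSRM after remove:", boots_into_dsrm(restored))  # False
```

On a real DC the file is C:\boot.ini and carries the read-only, hidden and system attributes, so clear them with `attrib -r -s -h c:\boot.ini` before writing and set them back afterwards. Running `boots_into_dsrm()` over the file as the last step of the recovery is the check that catches the forgotten switch before you disconnect from the terminal session.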

You can also run dcpromo from a Terminal Services session to demote and then promote a DC, which triggers a full AD replication from another DC in the domain. However, this technique isn't the best solution if you're restoring a site's only DC or if you're concerned about saturating your WAN link. In such cases, it's better to perform a non-authoritative restore, which uses the WAN connection only to replicate changes that occurred since the backup.

Because you can easily enable and disable Terminal Services, you can quickly close the remote-administration exposure when you no longer need to administer your DC remotely. The more time I spend with Win2K, the more I appreciate the inclusion of Terminal Services. If you've ever had to walk an inexperienced user through a restoration over the phone or travel to a remote location to perform the procedure yourself, I bet you agree.