The Windows System State

What is a System State?

A System State is basically a backup of the Windows operating system that can be used to fully recover the system in a disaster. This is usually the first stage in system recovery. Once Windows is back you can then start to recover the applications.

The System State includes:

The Registry (contains configuration information, such as user profiles, installed programs and their properties, property settings for folders and icons, and hardware and port configuration) - Always included.

The COM+ Class Registration database - Always included.

Boot files (used by Windows to load, configure and run the operating system) - Always included.

Certificate Services database - Included if this is a Certificate Services server.

Active Directory (stores information about objects on a network, so administrators can access those objects from a single logon) - Included if this server is a domain controller.

SYSVOL (typically contains host logon scripts, user logon scripts for administrators who use active directory, policy objects for network client computers, and folders and files that must be available and synchronized between domain controllers) - Only included if this server is a domain controller.

Cluster service (controls and manages server cluster operation, including the cluster database) - Included if this server is within a cluster.

IIS (Internet Information Services, looks after Web site creation, configuration, and management, including the various transport protocols needed to support internet services) - Included if it is installed.

System files (various files used at initial startup, and configuration files used by Windows to run the operating system) - Always included.


System State Backups

You have lots of options for taking a System State. With Windows utilities you can use the Backup Schedule Wizard, the Backup Once Wizard, the Wbadmin start systemstatebackup command, the Wbadmin enable backup command, or the Windows PowerShell cmdlets for Windows Server Backup. You can also use third-party tools like TSM or NetBackup.
Windows utilities require you to save a system state backup to a locally attached disk, either internal or external, or a remote shared folder. They do not allow you to save it to a DVD, optical media, or other removable storage media. Third-party products do support tape backups.
Two Windows options are shown below, one to take a manual backup and one to schedule a regular backup. The TSM section describes how to take a system state using TSM.

Running a one-off manual backup

This example uses the Wbadmin start systemstatebackup command

Open a command prompt with elevated privileges by clicking Start, right-clicking Command Prompt, and then clicking Run as administrator.
The command to run a system state backup is shown below; substitute your own volume name. The optional -quiet tag suppresses prompting.

wbadmin start systemstatebackup -backupTarget:VolumeName [-quiet]

For example, to create a system state backup with no prompts to the user and save it to volume G, type:

wbadmin start systemstatebackup -backupTarget:G: -quiet

To view the complete syntax for this command type:

Wbadmin start systemstatebackup /?

Scheduling regular backups

This example creates a scheduled system state backup by using Wbadmin enable backup

Open a command prompt with elevated privileges by clicking Start, right-clicking Command Prompt, and then clicking Run as administrator.
The command to schedule a system state backup is shown below; substitute your own time and volume name.

wbadmin enable backup -addtarget:BackupTarget -schedule:TimeToRunBackup -systemState [-quiet]

For example, to create a system state backup, daily at 22:00, with no prompts to the user, and save it to volume G, type:

wbadmin enable backup -addtarget:G: -schedule:22:00 -systemState -quiet

To view the complete syntax for this command type:

Wbadmin enable backup /?


System State Restores

Using the Recovery Wizard GUI

Recovering the system state by using the Windows Server Backup user interface.
From the Start menu, click Administrative Tools, and then click Windows Server Backup.
Open the Recovery Wizard by clicking 'Recover' in the Actions pane of the snap-in default page, under Windows Server Backup.
You now have 2 options for your restore: select either 'This Server' or 'Another Server', then click Next.

Now you need to select the backup that you want to recover from, which can be held on either a local volume or a remote shared folder.
To restore from a backup on a local volume, on the Select Backup Location page, select the volume or drive that contains the backup from the drop-down list then select the server whose data you want to recover.
For a backup on a remote shared folder, on the Specify Remote Folder page, type the path to the folder that contains the backup. The path to the backup is normally \\RemoteSharedFolder\WindowsImageBackup\ComputerName\Backup_name.
On the Select Backup Date page, select the date from the calendar and the time that you want, from the drop-down list of available backups, then click Next.

On the Select Recovery Type page, click System state, and then click Next.
On the Select Location for System State Recovery page, do one of the following, and then click Next:
- Click Original location.
- Click Alternate location. Then, type the path to the location, or click Browse to select it.
On the Confirmation page, review the details, and then click Recover to restore the listed items.
On the Recovery Progress page, you can view the status of the recovery operation and whether or not it was successfully completed. After the operation completes, you will be prompted to restart your computer.

Command line Recovery

You can use the Wbadmin start systemstaterecovery command to recover the system state for a computer. To recover the system state by using a command line:
To open a command prompt with elevated privileges, click Start, right-click Command Prompt, and then click Run as administrator.
The command to run a system state recovery is shown below; substitute your own version identifier and destination name.

wbadmin start systemstaterecovery -version:VersionIdentifier -backupTarget:BackupDestinationVolume

For example, to run a system state recovery of the backup from 04/12/2015 at 11:00 A.M. that is stored on the remote shared folder \\servername\share for server01, type:

wbadmin start systemstaterecovery -version:04/12/2015-11:00 -backupTarget:\\servername\share -machine:server01
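
The recovery command needs a version identifier, which Wbadmin get versions lists for each backup on a target. The following is an added example, not part of the original page: it parses that listing, keeps only backups that can recover a System State, and builds the recovery command for the newest one without running it. The function names are hypothetical, and the sample output is constructed with an assumed field layout.

```powershell
# Constructed sample of 'wbadmin get versions' output (field layout assumed).
# For live data: $lines = & wbadmin.exe get versions '-backupTarget:G:'
$lines = @'
Backup time: 4/11/2015 10:00 PM
Backup target: Fixed Disk labeled Backup(G:)
Version identifier: 04/11/2015-22:00
Can recover: Volume(s), File(s)

Backup time: 4/12/2015 11:00 AM
Backup target: Fixed Disk labeled Backup(G:)
Version identifier: 04/12/2015-11:00
Can recover: Volume(s), File(s), Application(s), System State
'@ -split '\r?\n'

# Hypothetical helper: returns backups that contain a system state, newest first.
function Get-SystemStateVersion {
    param([string[]]$Lines)
    $entry = @{}
    $all = foreach ($line in @($Lines) + '') {   # trailing '' flushes the last entry
        if ($line -match '^\s*(Version identifier|Can recover):\s*(.+)$') {
            $entry[$Matches[1]] = $Matches[2].Trim()
        } elseif (-not $line.Trim() -and $entry.Count) {
            [pscustomobject]@{
                Version    = $entry['Version identifier']
                CanRecover = $entry['Can recover']
            }
            $entry = @{}
        }
    }
    $all | Where-Object { $_.Version -and $_.CanRecover -match 'System State' } |
        Sort-Object { [datetime]::ParseExact($_.Version, 'MM/dd/yyyy-HH:mm',
                      [cultureinfo]::InvariantCulture) } -Descending
}

# Hypothetical helper: builds (does not run) the recovery command shown above.
function New-SystemStateRecoveryCommand {
    param([string]$Version, [string]$BackupTarget, [string]$Machine)
    "wbadmin start systemstaterecovery -version:$Version " +
        "-backupTarget:$BackupTarget -machine:$Machine"
}

$latest = Get-SystemStateVersion -Lines $lines | Select-Object -First 1
New-SystemStateRecoveryCommand $latest.Version '\\servername\share' 'server01'
```

The first sample entry is skipped because it lists no System State, so an ordinary volume backup is never offered for a system state recovery.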


Active Directory and Authoritative Restores

Why do you need an authoritative restore? The Active Directory replication system uses an update sequence number to decide which versions of the same object get replicated. The object with the highest update sequence number is replicated over the others. When you restore an older object, it will have a lower update sequence number and it will never get replicated or distributed to your other servers because it will appear to be older than the objects currently on your other servers. The Ntdsutil utility increments the update sequence number by several hundred, to make it the highest in the system, and ensure it gets replicated over the others. In fact, if you do not use an authoritative restore, your restore will probably be backed out by replication from other domain controllers.

Take the following steps to run an authoritative restore

  • Start your server in Directory Services Restore Mode.
  • Restore the system state either using Microsoft's Backup utility, or another backup utility. The TSM Restore page details how to do this with TSM. When the recovery is finished, you will be asked to reply 'YES' to restart your computer.
  • Stop at this point and open an administrator command prompt, then type 'ntdsutil' and press Enter. This will bring up an ntdsutil: prompt. Type in 'activate instance ntds' and then press Enter.
  • Now type 'authoritative restore' and press Enter. You can now use the Ntdsutil utility to mark the Active Directory objects you wish to restore. You can get full details of the command parameters by typing ntdsutil /? at the command prompt.
  • Once you mark the objects you can now go back to the system state restore prompt and reply 'Yes' for the reboot. This will replicate out the changes to the other Domain Servers.

For example, once you have the authoritative restore prompt, type in:

restore object "cn=Allan Brown,OU=Service Management,DC=thiscompany,DC=com"
restore subtree "OU=IT,OU=HeadOffice,DC=msserverpro,DC=com"

Then click Yes in the message box to confirm the Authoritative Restore. You should then see a message Authoritative Restore completed successfully and also a message stating that NTDSUTIL is increasing attribute version numbers by 100,000.
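
The ntdsutil steps above can also be passed as arguments in a single call. The following is an added example, not part of the original page: the function name and its -Execute switch are hypothetical, while 'popups off' (an ntdsutil command) and the SAFEBOOT_OPTION environment variable are standard Windows features the page does not mention. Without -Execute it only returns the steps it would run.

```powershell
# Run elevated on the restored domain controller, after the system state
# restore has finished and before the restart.
function Invoke-AuthoritativeSubtreeRestore {
    param(
        [Parameter(Mandatory)][string]$SubtreeDn,
        [switch]$Execute   # without this switch the steps are only returned
    )

    # Assumption: the DN has no spaces or quotes, so it needs no inner quoting
    # (embedded quotes reach native programs differently across PowerShell
    # versions). Mark such objects at the interactive ntdsutil prompt instead.
    if ($SubtreeDn -match '[\s"]') {
        throw 'DN contains spaces or quotes; use the interactive ntdsutil prompt.'
    }

    # Each argument is one line that would be typed at the ntdsutil prompt.
    # 'popups off' suppresses the confirmation message box.
    $steps = @(
        'popups off'
        'activate instance ntds'
        'authoritative restore'
        "restore subtree $SubtreeDn"
        'quit'
        'quit'
    )
    if (-not $Execute) { return $steps }

    # Directory Services Restore Mode sets SAFEBOOT_OPTION to DSREPAIR.
    if ($env:SAFEBOOT_OPTION -ne 'DSREPAIR') {
        throw 'Server is not running in Directory Services Restore Mode.'
    }

    $output = & ntdsutil.exe @steps 2>&1 | Out-String
    # Success message as quoted in the text above.
    if ($output -notmatch 'Authoritative Restore completed successfully') {
        throw "ntdsutil did not report success:`n$output"
    }
    $output
}

# Dry run with the subtree from the example above: lists the ntdsutil steps.
Invoke-AuthoritativeSubtreeRestore -SubtreeDn 'OU=IT,OU=HeadOffice,DC=msserverpro,DC=com'
```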


Automated System Recovery

Restoring a system state backup requires an initial working Windows system, so what do you do if all you have is an empty server? This is called a bare metal restore and it requires Automated System Recovery (ASR). ASR was introduced in Windows 2003 and it simplifies the 'bare metal' recovery that is needed if a server is totally trashed. ASR is integrated with VSS on Windows 2012 servers.

In a disaster situation, you have to start with an empty disk. You need to partition that disk into the correct number of volumes with the correct sizes, and then install the registry, system files, and active directory if required. This information is known as the Windows System State as described above.

ASR consists of a supplied CD and a CD that you must create. ASR does not completely automate the bare metal recovery process, as it is up to you to take regular copies of the system state, though ASR does help you through the copy process. Go into the Accessories - System Tools - Backup window, and select the Automated System Recovery wizard.
The wizard will take a backup of all the system files first, and by default will want to put this onto the A drive. As the file size will be almost 2 GB, you should change this to a more suitable location, ideally on a remote server. Once ASR has finished the system backup, it will prompt you for a CD or DVD to store the ASR recovery data. After you finish taking the copy, remember not to leave the CD on top of the server; it needs to be kept off-site. This process is fine for a PC user, but if you want to take regular system state backups of several servers, you will want a more automated method.

If you need to recover the server, you use the backup set on the CD along with the ASR restore CD to recover all the system state. ASR can also restore to different (but not too different) hardware.