Problem solve Get help with specific problems with your technologies, process and projects.

Recovering from a server disk failure: The shortcomings of NTBCKUP

Recovering a server from a system volume failure can still be tricky, even if you have a backup. In this tip, learn how to recover a Windows Server 2003 with a full system state backup from a server disk failure, and read about some shortcomings of the NTBCKUP tool and how to get around those issues.

There are countless articles on the Internet related to ways of recovering from a system volume failure, but most of these articles seem to be focused on situations in which no backup is present. Although I am thankful for the existence of these types of articles, it has been my experience that recovering a server from a system volume failure can still be tricky, even if you have a backup. In this article, I want to share some of my experiences with you.

Before I get started, I should mention that this article assumes you are working with Windows Server 2003 and have a full system state backup available. I am also assuming that the server you are trying to recover is not a domain controller. I will talk about domain controllers in Part 2.

Learn more about disaster recovery planning
Register now for the Storage Decisions Disaster Recovery Virtual Seminar, then be sure to join us on March 27th from 9:00 a.m. to 5:00 p.m. ET.

The recovery process

A lot of people assume that when a system volume failure occurs, you can simply replace the hard disk and restore your backup. My experience has been that if you're using NTBACKUP, things aren't that simple.

1. Install Windows

Before you can restore a backup, you actually have to install Windows from scratch. The reason for this is that NTBACKUP runs on top of Windows, and you have to be able to run NTBACKUP in order to restore your backup. Besides, as I will explain a bit later, there are some parts of the Windows operating system that NTBACKUP does not back up. Installing Windows ensures that these components are in place prior to the restoration.

Once you've installed Windows, you must bring it up to date. Ideally, you'd want to install the same patches that were on the server at the time the backup was created. My personal experience has been that it is absolutely critical you install the same Windows service pack that was in use at the time the backup was made. Other patches beyond the Windows service pack are nice to have but are not usually critical. In case you're wondering, it usually causes severe problems if you attempt to restore a backup to a Windows installation running a different service pack level.

I haven't been able to find any hard documentation on why these problems occur, but I tend to think it has to do with the fact that certain parts of Windows are not backed up. This means that if you restore a backup made with Windows running a newer service pack than was in use at the time of the restoration, you'll end up with some of your system files running older versions while the rest run a more current version.

Below is a list of the various components that NTBACKUP does not back up:

  • Open files
  • Temporary files
  • Registry files on remote systems
  • The active Backup file
  • Pagefile.sys
  • EA data.sf
  • $RestoredActiveFile*
  • Data*.log files contained in \Documents and Settings\All Users\Application Data\Microsoft\Windows NT\NTBackup\Data
  • Backup related files in \Documents and Settings\All Users\Application Data\Microsoft\Windows NT\NTBACKUP\Catalogs51
  • NTdll.dll (related to the NT Kernel)
  • Smss.exe (the Session Manager Subsystem)

These are the main files NTBACKUP skips. The user interface also maintains its own list of files to exclude. You can see this list by choosing the Options command from the Tools menu and then going to the Exclude Files tab on the Options properties sheet.

2. Install device drivers

Once you've installed Windows and applied the correct Windows service pack, I recommend installing the device drivers for the server's various hardware components. I've never seen any documentation that states this is a requirement, but I have performed restorations with and without installing the various device drivers ahead of time, and I've found that for some reason the process just goes more smoothly if you take the time to install the drivers before initiating the restore operation.

Another important thing that you need to know about preparing your machine for a restoration is that you should not join it to a domain. If you must join a domain in order to access your backup file, then you must use a computer name that is different from the machine's original name. This is critically important.

3. Use Restore Wizard to catalog backup

Now it's time to restore your backup. To do so, you will have to log in using an account that has local administrative privileges.

Now, open NTBACKUP and run the Restore Wizard. The first thing you will have to do is catalog your backup and choose the files that you want to restore. You'll want to make sure that you restore the entire volume, plus the system state. In case you're unfamiliar with the system state, it includes the following components:

  • The registry
  • COM+ Class Registration Database
  • Boot files (including the system files)
  • The Certificate Services Database (only on servers acting as a certificate authority)
  • Active Directory Services (only on domain controllers)
  • The SYSVOL directory (only on domain controllers)
  • Cluster Service Information (only if the machine is a part of a cluster)
  • IIS Metabase (only if IIS is installed)
  • System files that are under Windows File Protection

It is important to keep in mind that restoring the system state is an all-or-nothing proposition. You can't choose individual parts of the system state to restore because the various system state components are related to one another and need to be kept in sync.

4. Restore files to their original location

If you look in the lower left corner of Figure A, you will notice that the Restore Wizard will prompt you for a location to which to restore the files. As you probably have guessed, you must restore the files to their original location.

Figure A
restore files
You must restore files to their original location. (Click image to view larger.)

One thing that you must pay attention to is that NTBACKUP is configured by default not to replace files currently residing on your computer, as shown in Figure A, just to the right of the "Restore Files" drop-down list. In order for the restore to be performed correctly, you must choose the "Always Replace Files on my Computer" option. You can set this option by choosing the Options command from the Tools menu. When you do, NTBACKUP will open the Options dialog box. The settings used to change this behavior can be found on the properties sheet's Restore tab.

If you follow these general guidelines, the restore process should go fairly smoothly. If you are attempting to restore a domain controller, read on.

About the author:
Brien M. Posey, MCSE, is a Microsoft Most Valuable Professional for his work with Windows 2000 Server and IIS. He has served as CIO for a nationwide chain of hospitals and was once in charge of IT security for Fort Knox. As a freelance technical writer, Brien has written for Microsoft, CNET, ZDNet, TechTarget, MSD2D, Relevant Technologies and other technology companies. You can visit Brien's personal website at

This was last published in March 2008

Dig Deeper on Network management and monitoring

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.