- Techblog - Tim Wanierke - http://techblog.wanierke.de -

Authoritative Restore of Active Directory Objects

This entry was posted by Tim Wanierke on 25.8.2011 @ 09:40 in Windows 2008, Microsoft | No comments

A) Back Up Active Directory

1. Open a command prompt: click Start, type “cmd”, and press Enter.
2. At the command prompt, type “wbadmin start systemstatebackup -backuptarget:e:” and press Enter.

Note: You can use a different backup target of your choosing.

B) Authoritative Restore of Active Directory Objects

1. Boot into DSRM (Directory Services Restore Mode): either restart the server and press F8 during the restart, or run “bcdedit /set safeboot dsrepair” so that the next boot goes into DSRM.
2. Choose Directory Services Restore Mode from the Advanced Boot menu.
3. Log in to the server with the DSRM password you created during the Active Directory installation.

Note: If you do not know the DSRM password, you can reset it. The procedure is described at the following link. ( [1] http://support.microsoft.com/kb/322672/en-us )

4. Once you are logged in to the server in DSRM safe mode, open a command prompt: click Start, type “cmd”, and press Enter.
5. To make sure you restore the correct backup, run “wbadmin get versions” and write down the version you need to use.
6. Now perform a non-authoritative restore of Active Directory by typing
“wbadmin start systemstaterecovery -version:07/08/2011-02:39”.

Note: The backup version will vary depending on your situation. Type “y” and press Enter to start the non-authoritative restore.

7. Reboot the server into DSRM safe mode again to apply the system state backup.
8. To restore a specific Active Directory object, use the ever-familiar ntdsutil. For this example we are going to restore a user account with a distinguished name of CN=Test User,CN=Users,DC=home,DC=local.

So the commands would be:
ntdsutil
activate instance ntds
authoritative restore
restore object "CN=Test User,CN=Users,DC=home,DC=local"

Note: The quotes are required.

9. Reboot your server into normal mode and you’re finished. To disable booting into DSRM, run “bcdedit /deletevalue safeboot”.
The object will be marked as authoritative and replicate to the rest of your domain.
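
For steps 5 and 6, the following added example (not part of the original post) parses “wbadmin get versions” output and prints the matching recovery command only for versions that actually contain System State. The function name Get-SystemStateVersion is hypothetical, the sample output is constructed, and the field labels are assumed to be those printed by an English-language wbadmin.

```powershell
# Added example: list backup versions that can be used for a system state recovery.
function Get-SystemStateVersion {
    param([string[]]$Lines)

    $current = $null
    foreach ($line in $Lines) {
        if ($line -match '^\s*Backup time:\s*(.+?)\s*$') {
            # A "Backup time" line starts a new version block.
            $current = New-Object PSObject -Property @{
                BackupTime = $Matches[1]; Version = $null; SystemState = $false
            }
        }
        elseif ($current -and $line -match '^\s*Version identifier:\s*(\S+)') {
            $current.Version = $Matches[1]
        }
        elseif ($current -and $line -match '^\s*Can recover:\s*(.+)$') {
            # The "Can recover" line closes the block; keep it only if it lists System State.
            $current.SystemState = ($Matches[1] -match 'System State')
            if ($current.SystemState -and $current.Version) { $current }
            $current = $null
        }
    }
}

# Constructed sample output (assumed layout). On the domain controller, use instead:
#   $lines = wbadmin get versions
$lines = @'
Backup time: 7/7/2011 9:00 PM
Backup target: Fixed Disk labeled E:
Version identifier: 07/08/2011-01:00
Can recover: Volume(s), File(s)

Backup time: 7/7/2011 10:39 PM
Backup target: Fixed Disk labeled E:
Version identifier: 07/08/2011-02:39
Can recover: Application(s), System State
'@ -split "`r?`n"

# Print one candidate command per usable version; the administrator picks the one
# taken before the object was deleted or changed.
foreach ($v in @(Get-SystemStateVersion -Lines $lines)) {
    "{0}  ->  wbadmin start systemstaterecovery -version:{1}" -f $v.BackupTime, $v.Version
}
```

With the constructed sample, only the 07/08/2011-02:39 version is printed, because the other backup does not include System State.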

Note: You might have to perform the Windows Activation again.
=> You will need the Activation key!

If the computer account password of the domain controller has been changed in the meantime, you have to reset the password of the computer account.

( Event ID : 4 / Event Source : Security-Kerberos )
=> Solution Link : [2] http://support.microsoft.com/kb/325850/en-us 


URL to article: http://techblog.wanierke.de/2011/08/25/authoritative-restore-of-active-directory-objects/

URLs in this post:
[1] http://support.microsoft.com/kb/322672/en-us
[2] http://support.microsoft.com/kb/325850/en-us
