Recovering Active Directory Objects with Veeam Explorer for AD
Active Directory recovery is the scenario that ends careers when it goes wrong and earns enormous goodwill when it goes right. A deleted user account, a misconfigured group, a bulk OU wipe from a runaway script. Veeam Explorer for Microsoft Active Directory handles all of these without requiring a full DC restore or a forest recovery. This guide walks through object restore, container restore, password recovery, and the Compare with Production feature that makes AD recovery significantly less stressful than it would otherwise be.
How Veeam Explorer for AD Works
When you launch an AD restore, Veeam mounts the backup and locates the ntds.dit file (the Active Directory database) along with its associated transaction logs, typically found in %SystemRoot%\NTDS on the backed-up DC. Veeam Explorer uses the esent.dll library installed with Active Directory Domain Services to read the mounted database. It then uses native LDAP to restore selected objects back to the live domain controller. Data transfer goes over LDAP to the target DC. No NTDS-level manipulation of the production database is involved.
This is a non-authoritative restore by nature: restored objects are written to the DC with the current timestamp and replicate normally across the domain. If you need an authoritative restore (forcing replication to override newer versions on other DCs), do that at the AD level after Veeam's restore using ntdsutil.
Veeam Explorer does not restore objectSID and objectGUID from the backup directly. When restoring a deleted object, Explorer looks for an existing tombstone in the target AD or for the object in the AD Recycle Bin. If a tombstone exists, the original objectSID and objectGUID are recovered from it, which is the correct outcome for security principals. If no tombstone exists, Active Directory assigns new values to the restored object. This distinction matters for objects that other systems reference by SID or GUID, so always try to use backups newer than the tombstone lifetime interval.
AD marks deleted objects as tombstones and retains them for the tombstone lifetime (default 180 days in modern forests). Veeam Explorer can only recover an object's original identity (SID and GUID) while its tombstone still exists, and an object deleted more than the tombstone lifetime ago cannot be restored at all unless you have a backup taken before the deletion. Check your forest's value with:
dsquery * "CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=yourdomain" -attr tombstoneLifetime
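The three facts above (tombstone lifetime, whether a tombstone for the object still exists, and whether the restore point is newer than that window) decide whether a Veeam Explorer restore will bring the object back with its original SID. The following pre-restore check is an added example, not code from the article or from Veeam; it uses the RSAT ActiveDirectory module and assumes the account running it can read the configuration partition and deleted objects. The function name, its parameters and the sample account name are assumptions.

```powershell
# Added example (not Veeam's code): pre-restore feasibility check with the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

function Test-ADRestoreFeasibility {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,    # account you intend to restore
        [Parameter(Mandatory)][datetime]$RestorePointTime # CreationTime of the Veeam restore point you selected
    )

    # tombstoneLifetime lives on the Directory Service object in the configuration partition.
    $rootDse  = Get-ADRootDSE
    $dsConfig = Get-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$($rootDse.configurationNamingContext)" `
                             -Properties tombstoneLifetime
    # If the attribute is unset (forests created before Windows Server 2003 SP1) AD uses 60 days.
    $tsl = if ($dsConfig.tombstoneLifetime) { [int]$dsConfig.tombstoneLifetime } else { 60 }

    # With the AD Recycle Bin enabled the object keeps all attributes while "deleted", which is the best case.
    $recycleBin        = Get-ADOptionalFeature -Filter 'Name -eq "Recycle Bin Feature"'
    $recycleBinEnabled = ($null -ne $recycleBin -and $recycleBin.EnabledScopes.Count -gt 0)

    # Tombstones and recycled objects are only returned when -IncludeDeletedObjects is set.
    # sAMAccountName and objectSid are among the attributes AD preserves on a tombstone.
    $tombstone = Get-ADObject -LDAPFilter "(&(sAMAccountName=$SamAccountName)(isDeleted=TRUE))" `
                              -IncludeDeletedObjects -Properties objectSid, lastKnownParent, whenChanged |
                 Sort-Object whenChanged -Descending | Select-Object -First 1

    $ageDays = ((Get-Date) - $RestorePointTime).TotalDays

    [pscustomobject]@{
        SamAccountName          = $SamAccountName
        TombstoneLifetimeDays   = $tsl
        RecycleBinEnabled       = $recycleBinEnabled
        RestorePointAgeDays     = [math]::Round($ageDays, 1)
        WithinTombstoneLifetime = ($ageDays -lt $tsl)
        TombstoneFound          = [bool]$tombstone
        # Keep this SID: after the restore, compare it with the live object's objectSid.
        OriginalSid             = if ($tombstone) { $tombstone.objectSid.Value } else { $null }
        LastKnownParent         = if ($tombstone) { $tombstone.lastKnownParent } else { $null }
        # Original SID/GUID survive only when a tombstone exists; otherwise AD assigns new ones.
        SidWillBePreserved      = [bool]$tombstone
    }
}

# Usage (sample account name and age are constructed):
# Test-ADRestoreFeasibility -SamAccountName 'john.smith' -RestorePointTime (Get-Date).AddDays(-3)
```

If the result shows `TombstoneFound = False` for a security principal that other systems reference by SID (file ACLs, SQL logins, application role mappings), plan on re-granting those references after the restore rather than expecting them to resolve on their own.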
Prerequisites
Application-aware backup of the DC. The DC backup must have been taken with application-aware processing enabled and VSS success confirmed.
Domain administrator credentials. Explorer needs credentials to connect to the target DC via LDAP and write restored objects. Domain Administrator is the simplest option, though you can use a delegated account with specific AD object creation permissions.
esent.dll version match. The esent.dll on the machine running Veeam Explorer must be the same version as the esent.dll on the DC that was backed up. Veeam Explorer for AD must therefore be installed on a Windows machine running the same OS version as the domain controller, or a later one. Running Explorer on an older OS version will cause the database to fail to open.
Explorer must stay open. Veeam Explorer for Microsoft Active Directory must remain open for the entire restore operation.
Original domain only. Cross-domain restore is not supported. Objects can only be restored to the domain they came from.
Launching Veeam Explorer for AD
- In the VBR console, go to Home > Backups and find the backup job covering the Domain Controller VM.
- Right-click the restore point and select Restore application items > Microsoft Active Directory objects.
- The AD Object Restore wizard opens. Select the restore point and click Next.
- Veeam Explorer launches and mounts the ntds.dit from the backup. The domain tree populates in the left pane.
Compare with Production First
Before restoring anything, use the Compare with Production feature. It compares the objects in the backup against the current state of production AD and shows you exactly what has changed: what has been deleted, what has been modified, and what is new since the backup was taken. This gives you a clear picture of what actually needs to be restored. It is easy to overlook and it is genuinely worth running before you start selecting objects.
Click Compare with Production on the toolbar and let it run. Filter by "Show deleted objects only" or "Show changed objects only" to narrow your focus. Then proceed with the restore.
Restoring Objects
- In the Explorer tree, browse to the OU or container containing the objects to restore. You can select individual objects or an entire container.
- Right-click the selection and choose Restore to domain.
- On the Connection parameters page, specify the target DC and provide domain administrator credentials. Click Connect to verify the LDAP connection.
- On the Restore location page, choose whether to restore to the original OU or to a different container.
- On the Password restore options page, choose whether to restore the object's password from the backup or reset it. For accounts that were disabled or had a known-compromised password, use "Set to a random password and disable the account" and re-enable manually after confirming the restore.
- On the Account state page, specify whether to restore the account in its original state (enabled or disabled as it was in the backup) or force it to a specific state.
- On the Attributes page, choose which attributes to restore. The default is all attributes from the backup. If you only need to roll back specific attributes, select just those here.
- Review the summary and click Restore. The restored object will appear in the target OU and replicate to other DCs within the normal replication interval.
PowerShell
# Get-VBR* cmdlets come from the VBR module; the *-VEAD* cmdlets are provided by the
# PowerShell module that ships with Veeam Explorer for Microsoft Active Directory,
# which must also be loaded in this session.
Import-Module Veeam.Backup.PowerShell

# Locate the most recent restore point for the DC inside the backup job
$backup = Get-VBRBackup -Name "DC-Backup"
$restorePoint = Get-VBRRestorePoint -Backup $backup -Name "dc01-hostname" |
    Sort-Object CreationTime -Descending | Select-Object -First 1

# Mount ntds.dit from the restore point and open the domain it contains
$session = Start-VEADRestoreSession -RestorePoint $restorePoint
$domain = Get-VEADDomain -Session $session

# Find the object to restore by display name
$item = Get-VEADItem -Domain $domain -Name "john.smith"

# Restore to original location, restoring password and enabling the account
Restore-VEADItem `
    -ADItem $item `
    -TargetDomain $domain `
    -RestorePassword `
    -EnableAccount

# Unmount the database; the Explorer session must stay open until the restore finishes
Stop-VEADRestoreSession -Session $session
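Whichever route you take, the GUI wizard or the cmdlets above, the restore is non-authoritative and writes the object to one DC over LDAP, so the things worth confirming afterwards are that the object came back with the identity you expected, in the account state you chose on the password and account-state pages, and that it has replicated to the other DCs. The following post-restore check is an added example, not code from the article or from Veeam; it uses the RSAT ActiveDirectory module. The function name, its parameters and the idea of passing in the SID captured from the tombstone beforehand are assumptions.

```powershell
# Added example (not Veeam's code): post-restore verification with the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

function Confirm-ADObjectRestore {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [string]$ExpectedSid,                    # objectSid captured from the tombstone before the restore; omit if none existed
        [Parameter(Mandatory)][string]$TargetDC  # the DC you pointed Veeam Explorer at
    )

    $props = 'objectSid', 'memberOf', 'PasswordLastSet', 'Enabled', 'whenCreated', 'DistinguishedName'
    $user  = Get-ADUser -Server $TargetDC -Identity $SamAccountName -Properties $props

    # If a tombstone existed, the live SID must equal the tombstone's SID; a different value means
    # AD minted a new identity and every ACL or external mapping that used the old SID is now stale.
    $sidMatches = if ($ExpectedSid) { $user.objectSid.Value -eq $ExpectedSid } else { $null }

    # Convergence check: query every DC directly instead of trusting the one you restored to.
    $replication = foreach ($dc in Get-ADDomainController -Filter *) {
        try {
            $null = Get-ADUser -Server $dc.HostName -Identity $SamAccountName -ErrorAction Stop
            [pscustomobject]@{ DC = $dc.HostName; Present = $true }
        } catch {
            [pscustomobject]@{ DC = $dc.HostName; Present = $false }
        }
    }

    [pscustomobject]@{
        SamAccountName      = $user.SamAccountName
        DistinguishedName   = $user.DistinguishedName   # confirms original vs. alternate restore location
        Sid                 = $user.objectSid.Value
        SidMatchesTombstone = $sidMatches
        # If you chose "Set to a random password and disable the account", expect Enabled = False
        # and a fresh PasswordLastSet; re-enable only after this output looks right.
        Enabled             = $user.Enabled
        PasswordLastSet     = $user.PasswordLastSet
        GroupCount          = @($user.memberOf).Count
        DCsMissingObject    = @($replication | Where-Object { -not $_.Present } | Select-Object -ExpandProperty DC)
    }
}

# Usage (sample values are constructed; the SID would come from the pre-restore tombstone check):
# Confirm-ADObjectRestore -SamAccountName 'john.smith' -TargetDC 'dc01.yourdomain.local' `
#     -ExpectedSid 'S-1-5-21-0000000000-0000000000-0000000000-1234'
```

A non-empty `DCsMissingObject` immediately after the restore is normal and should clear within the replication interval; if it persists, treat it as a replication problem to investigate before doing anything else with the account.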
Important Limitations
No cross-domain restore. Objects can only be restored to the original domain. If an object was moved between domains using Movetree.exe or a third-party tool, no tombstone remains in the source domain and the object cannot be restored there.
Domain Controllers container and System container. Veeam Explorer does not support restore of the contents of the Domain Controllers container or most of the System container. Restoring these could cause serious domain stability issues. If you need to recover something in those containers, you are looking at a full DC restore.
Custom objects. Objects created by third-party applications that extend the AD schema with custom classes or attributes may not restore correctly. For custom objects, restore the full machine.
Password restore requires the System registry hive. When restoring from a VBR backup, the hive is located automatically. When restoring from an imported standalone database, the System hive and the ntds.dit file must be in the same directory.
AD LDS not supported. Veeam Explorer for AD does not support Active Directory Lightweight Directory Services.
What You've Completed
- Understood how Veeam Explorer reads ntds.dit via esent.dll and writes restored objects back to the live DC over LDAP. objectSID and objectGUID are recovered from tombstones when available, not from the backup directly.
- Used Compare with Production to identify exactly what changed before restoring anything.
- Restored AD objects with control over password behavior, account state, and which attributes to restore.
- Used the equivalent PowerShell cmdlets: Start-VEADRestoreSession, Get-VEADItem, and Restore-VEADItem.
- Understood the key limitations: original domain only, no DC or System container restore, tombstone requirement for original SID/GUID recovery, custom objects, and esent.dll version matching.