Restore Domain Controller Backup: How to Reset Computers

Restoring from an older domain controller backup creates a "time travel" scenario that breaks trust relationships with domain-joined computers. When you restore a DC backup, the restored DC has older password information and USN (Update Sequence Number) values, while your computers have moved forward in time. This guide shows you how to reset computers and make them work with the restored domain controller.

Why Restored DC Backups Break Trust

When you restore a domain controller from backup, several things happen:

• Password mismatch: Computer account passwords change every 30 days. The restored DC has an older password version
• USN rollback: Update Sequence Numbers go backwards, causing replication conflicts
• Time drift: The restored DC may have incorrect time, causing Kerberos authentication failures
• Outdated information: User accounts, groups, and permissions may be outdated

Before You Start: Check for USN Rollback

USN (Update Sequence Number) rollback is a critical issue that can cause permanent replication problems. Check if your restored DC will cause USN rollback:

dsquery * "CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=domain,DC=com" -scope base -attr dSHeuristics

If the output shows the 10th character as "1", USN rollback protection is enabled. If it's "0" or missing, you need to enable it before restoring:

dsmod partition "CN=Configuration,DC=domain,DC=com" -dSHeuristics 0000000001

Warning: If you've already restored without USN rollback protection, you may need to rebuild the DC from scratch.

Solution 1: Reset Computer Account Password (Recommended)

The fastest way to fix trust relationships is to reset the computer account password. This works when the computer can still communicate with the domain controller.

From the Computer (Local Administrator Required)

Run this command on the affected computer:

netdom resetpwd /s:DOMAINCONTROLLER /ud:DOMAIN\Administrator /pd:Password

Replace:

• DOMAINCONTROLLER with your restored DC's hostname or IP
• DOMAIN\Administrator with your domain admin credentials
• Password with the admin password (or omit /pd: to be prompted)

Example:

netdom resetpwd /s:DC01.domain.com /ud:CONTOSO\admin /pd:MyP@ssw0rd

From the Domain Controller

You can also reset the computer account password from the DC:

netdom reset ComputerName /d:DOMAIN /uo:Administrator /po:Password

Restart After Reset

After resetting the password, restart the computer:

shutdown /r /t 0

Solution 2: Remove and Rejoin Domain

If resetting the password doesn't work, remove the computer from the domain and rejoin it. This is more disruptive but guaranteed to work.

Step 1: Remove from Domain

Run PowerShell as Administrator on the affected computer:

$cred = Get-Credential
Remove-Computer -UnjoinDomaincredential $cred -Restart -Force

Or use the GUI:

1. Right-click "This PC" → Properties
2. Click "Change settings"
3. Click "Change" under Computer Name
4. Select "Workgroup" and enter a workgroup name
5. Click OK and restart

Step 2: Rejoin Domain

After the computer restarts and is in a workgroup:

$cred = Get-Credential
Add-Computer -DomainName "domain.com" -Credential $cred -Restart

Or use the GUI:

1. Right-click "This PC" → Properties
2. Click "Change settings"
3. Click "Change" under Computer Name
4. Select "Domain" and enter your domain name
5. Enter domain admin credentials
6. Click OK and restart

Solution 3: PowerShell Reset (Windows 10/11, Server 2016+)

On newer systems, you can use PowerShell's built-in cmdlet:

Reset-ComputerMachinePassword -Server DC01.domain.com -Credential (Get-Credential)

This will prompt for domain admin credentials and reset the computer account password immediately.

Solution 4: Reset from Active Directory Users and Computers

You can reset computer accounts from ADUC:

1. Open "Active Directory Users and Computers"
2. Navigate to the Computers container (or OU where computer accounts are stored)
3. Right-click the computer account → Reset Account
4. Click Yes to confirm
5. On the computer, restart it or run: gpupdate /force

Bulk Reset: Reset Multiple Computers at Once

If you have many computers to fix, use this PowerShell script:

# List of computers to reset
$computers = @("COMPUTER1", "COMPUTER2", "COMPUTER3")
$domainController = "DC01.domain.com"
$domainAdmin = "DOMAIN\Administrator"
$domainPassword = ConvertTo-SecureString "Password" -AsPlainText -Force
$credential = New-Object System.Management.Automation.PSCredential($domainAdmin, $domainPassword)

foreach ($computer in $computers) {
    Write-Host "Resetting $computer..." -ForegroundColor Yellow
    try {
        Reset-ComputerMachinePassword -Server $domainController -Credential $credential
        Write-Host "$computer reset successfully" -ForegroundColor Green
    }
    catch {
        Write-Host "Failed to reset $computer : $_" -ForegroundColor Red
    }
}

Save this as a `.ps1` file and run it from a domain-joined computer with domain admin credentials.

Verify the Fix

After resetting, verify the computer can authenticate:

Check Domain Membership

systeminfo | findstr /C:"Domain"

Should show your domain name.

Test Domain Authentication

nltest /sc_query:DOMAIN

Should return "0x0" (success).

Test Group Policy

gpupdate /force

Should complete without errors.

Check Trust Relationship

Test-ComputerSecureChannel -Verbose

Should return "True".

Fix Time Synchronization

After restoring a DC backup, time is often incorrect. Fix time sync on the restored DC first:

w32tm /config /manualpeerlist:"time.windows.com,0x1" /syncfromflags:manual /reliable:yes /update
net stop w32time && net start w32time

Then force time sync on all computers:

w32tm /resync /force

Preventing This Problem in the Future

• Regular backups: Take frequent DC backups to minimize time travel
• Multiple DCs: Never have just one domain controller
• USN rollback protection: Always enable before restoring
• Test restores: Practice restoring in a lab environment
• Documentation: Document your restore procedures
• Monitor replication: Watch for replication issues after restore

When to Rebuild vs Reset

Sometimes it's better to rebuild the domain controller than to restore from backup:

• Rebuild if: The backup is more than 180 days old (tombstone lifetime)
• Rebuild if: USN rollback occurred without protection
• Rebuild if: Many schema changes happened since backup
• Reset if: Recent backup (within 30 days) and minimal schema changes

Common Errors and Solutions

"The trust relationship between this workstation and the primary domain failed"

This is the most common error. Use Solution 1 (reset computer account password).

"Access Denied" when resetting

Ensure you're using domain admin credentials. Run PowerShell/Command Prompt as Administrator.

"The RPC server is unavailable"

Check firewall rules. Ensure ports 135, 389, 445, and 636 are open between computer and DC.

Computer can't find domain

Check DNS settings. Ensure the computer's DNS points to the restored DC.

Conclusion

Restoring from an older domain controller backup requires resetting computer trust relationships. The fastest method is using netdom resetpwd or Reset-ComputerMachinePassword, but removing and rejoining the domain is also effective. Always ensure USN rollback protection is enabled before restoring, and consider rebuilding instead of restoring if the backup is too old. Having multiple domain controllers and regular backups prevents most of these issues.