The Windows System State

What is a System State?

The System State includes a number of parameter and system settings files, including those in the list below, but critically, it does not back up the entire operating system. If your Windows Server system is still running but is having problems, then a System State recovery might sort it out. However, if your server is totally dead and will not reboot, you need a Bare Metal recovery (BMR).

The System State includes:

The Registry (contains configuration information, such as user profiles, installed programs and their properties, property settings for folders and icons, and hardware and port configuration) - Always included.

The COM+ Class Registration database - Always included.

Boot files (used by Windows to load, configure and run the operating system) - Always included.

Certificate Services database - Included if this is a Certificate Services server.

Active Directory (stores information about objects on a network, so administrators can access those objects from a single logon) - Included if this server is a domain controller.

SYSVOL (typically contains host logon scripts, user logon scripts for administrators who use Active Directory, policy objects for network client computers, and folders and files that must be available and synchronized between domain controllers) - Only included if this server is a domain controller.

Cluster service (controls and manages server cluster operation, including the cluster database) - Included if this server is within a cluster.

IIS (Internet Information Services, looks after Web site creation, configuration, and management, including the various transport protocols needed to support internet services) - Included if it is installed.

Performance Monitor counter configuration data

Component Services class registration database

System files (various files used at initial startup, and configuration files used by Windows to run the operating system) - Always included.


System State Backups

You have lots of options for taking a System State backup. With Windows utilities you can use the Backup Schedule Wizard, the Backup Once Wizard, the Wbadmin start systemstatebackup command, the Wbadmin enable backup command, or the Windows PowerShell cmdlets for Windows Server Backup. You can also use third party tools like IBM Spectrum Protect (TSM) or NetBackup.
Windows utilities require you to save a system state backup to a locally attached disk, either internal or external, or a remote shared folder. They do not allow you to save it to a DVD, optical media, or other removable storage media. Third party products do support tape backups.
Four Windows options are shown below, three to take a manual backup and one to schedule a regular backup. The IBM Spectrum Protect (TSM) section describes how to take a system state using IBM Spectrum Protect.

Running a one-off manual backup

This example uses the Wbadmin start systemstatebackup command


Open a command prompt with elevated privileges: click Start, right-click Command Prompt, and then click Run as administrator. The command to run a system state backup is shown below; you need to substitute your own volume name. The optional -quiet parameter suppresses prompting.

wbadmin start systemstatebackup -backupTarget:VolumeName [-quiet]

For example, to create a system state backup with no prompts to the user and save it to volume G, type:

wbadmin start systemstatebackup -backupTarget:G: -quiet

To view the complete syntax for this command type:

wbadmin start systemstatebackup /?


To install the Windows Backup cmdlets, open up an elevated Windows PowerShell prompt and run the following command

Install-WindowsFeature -Name Windows-Server-Backup -IncludeAllSubfeature -IncludeManagementTools

You can see what the backup command options are by running

Get-Command -Module WindowsServerBackup

The following script will create a System State backup of the local server and save the backup to the e: volume. It is essential to comment scripts like this, as otherwise you will not understand them 6 months later.

#create a new backup policy
$policy = New-WBPolicy
#add the System State to this policy
Add-WBSystemState -Policy $policy
#create a backup volume variable that points to the E: volume
$bvol = New-WBBackupTarget -VolumePath "E:"
#point the backup to the target disk
Add-WBBackupTarget -Policy $policy -Target $bvol
#run the backup
Start-WBBackup -Policy $policy
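
A backup that silently failed is of no use at restore time, so it is worth checking the result of the job. The script below is an added example, not part of the original page: it runs the same System State backup and then verifies it with Get-WBJob and Get-WBBackupSet. It assumes the E: target used above and an elevated PowerShell prompt.

```powershell
# Added example (not from the original page). Run from an elevated prompt.
# Assumption: E: is the backup target, as in the script above.
Import-Module WindowsServerBackup -ErrorAction Stop

$volumePath = 'E:'

# Same one-off policy as above: System State only, one target volume
$policy = New-WBPolicy
Add-WBSystemState -Policy $policy
$target = New-WBBackupTarget -VolumePath $volumePath
Add-WBBackupTarget -Policy $policy -Target $target | Out-Null

# Without -Async, Start-WBBackup returns only when the job has ended
Start-WBBackup -Policy $policy

# The most recent job carries the result code; 0 means success
$job = Get-WBJob -Previous 1
if ($job.HResult -ne 0) {
    throw ("System State backup failed (HResult 0x{0:X8}): {1}" -f `
           $job.HResult, $job.ErrorDescription)
}

# Cross-check that the target really lists this version as a
# System State recovery point before trusting the job status
$set = Get-WBBackupSet -BackupTarget $target |
    Where-Object { $_.VersionId -eq $job.VersionId }
if (-not $set -or "$($set.RecoverableItems)" -notmatch 'SystemState') {
    throw "Job reported success, but no System State backup set $($job.VersionId) was found on $volumePath"
}

# Record what a later restore will need
[pscustomobject]@{
    VersionId  = $set.VersionId
    BackupTime = $set.BackupTime
    Target     = $volumePath
    Items      = "$($set.RecoverableItems)"
} | Format-List
```

Because the System State holds the Registry and, on a domain controller, Active Directory, keep access to the target volume limited to the accounts that run backups and restores.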


You can also use the Windows GUI, but first you need to install the Windows Backup feature with PowerShell as above. Once you do this, you can start the Windows Server Backup Microsoft Management Console and run through the options below.

In the Console pane, select 'Local Backup'
In the Actions pane, select 'Backup Once' which will start the Backup Once Wizard.
Select the 'Custom' backup option
Select the System State to back up
Point the backup to a local or remote volume

Scheduling regular backups

This example creates a scheduled system state backup by using Wbadmin enable backup

Open a command prompt with elevated privileges: click Start, right-click Command Prompt, and then click Run as administrator.
The command to schedule a system state backup is shown below; you need to substitute your own time and volume name.

wbadmin enable backup -addtarget:BackupTarget -schedule:TimeToRunBackup -systemState [-quiet]

For example, to create a system state backup, daily at 22:00, with no prompts to the user, and save it to volume G, type:

wbadmin enable backup -addtarget:G: -schedule:22:00 -systemState -quiet

To view the complete syntax for this command type:

Wbadmin enable backup /?


System State Restores

Using the Recovery Wizard GUI

Recovering the system state by using the Windows Server Backup user interface.
From the Start menu, click Administrative Tools, and then click Windows Server Backup.
Open the Recovery Wizard by clicking 'Recover' in the Actions pane of the snap-in default page, under Windows Server Backup.
You now have 2 options for your restore, select either 'This Server' or 'Another Server' then click Next:

Now you need to select the backup that you want to recover from, which can be held on either a local volume or a remote shared folder.
To restore from a backup on a local volume, on the Select Backup Location page, select the volume or drive that contains the backup from the drop-down list then select the server whose data you want to recover.
For a backup on a remote shared folder, on the Specify Remote Folder page, type the path to the folder that contains the backup. The path to the backup is normally \\RemoteSharedFolder\WindowsImageBackup\ComputerName\Backup_name.
On the Select Backup Date page, select the date from the calendar and the time that you want, from the drop-down list of available backups, then click Next.

On the Select Recovery Type page, click System state, and then click Next.
On the Select Location for System State Recovery page, do one of the following, and then click Next:
- Click Original location.
- Click Alternate location. Then, type the path to the location, or click Browse to select it.
On the Confirmation page, review the details, and then click Recover to restore the listed items.
On the Recovery Progress page, you can view the status of the recovery operation and whether or not it was successfully completed. After the operation completes, you will be prompted to restart your computer.

Command line Recovery

You can use the Wbadmin start systemstaterecovery command to recover the system state for a computer. To recover the system state by using a command line:
Open a command prompt with elevated privileges: click Start, right-click Command Prompt, and then click Run as administrator.
The command to run a system state recovery is shown below; you need to substitute your own version identifier and destination name.

wbadmin start systemstaterecovery -version:versionIdentifier -backupTarget:BackupDestinationVolume

For example, to run a system state recovery of the backup from 04/12/2015 at 11:00 A.M. that is stored on the remote shared folder \\servername\share for server01, type:

wbadmin start systemstaterecovery -version:04/12/2015-11:00 -backupTarget:\\servername\share -machine:server01
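
The recovery command needs a version identifier for the backup you want. One way to look it up with the Windows Server Backup cmdlets is sketched below as an added example, not part of the original page; it reuses the share and server name from the example above and only prints the recovery command, it does not run it.

```powershell
# Added example (not from the original page). Nothing is restored here:
# the script only lists versions and prints the command to run.
# Assumptions: share and server name are the ones used in the example above.
Import-Module WindowsServerBackup -ErrorAction Stop

$share   = '\\servername\share'
$machine = 'server01'

# Describe the remote shared folder as a backup target
# (add -Credential if the share needs a different account)
$target = New-WBBackupTarget -NetworkPath $share

# Keep only the backup sets that can be recovered as System State
$sets = @(Get-WBBackupSet -BackupTarget $target -MachineName $machine |
    Where-Object { "$($_.RecoverableItems)" -match 'SystemState' } |
    Sort-Object BackupTime)

if ($sets.Count -eq 0) {
    throw "No System State backups for $machine found under $share"
}

# Show every candidate so the operator picks the version deliberately
$sets | Format-Table VersionId, BackupTime, RecoverableItems -AutoSize

# VersionId is the exact string wbadmin expects; copy it verbatim rather
# than retyping the backup time, which is displayed in local time
$chosen = $sets[-1]   # newest; change the index to pick an older version
"wbadmin start systemstaterecovery -version:$($chosen.VersionId) -backupTarget:$share -machine:$machine"
```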


Active Directory and Authoritative Restores

Why do you need an authoritative restore? The Active Directory replication system uses an update sequence number to decide which versions of the same object get replicated. The object with the highest update sequence number is replicated over the others. When you restore an older object, it will have a lower update sequence number and it will never get replicated or distributed to your other servers because it will appear to be older than the objects currently on your other servers. The Ntdsutil utility increments the update sequence number by several hundred, to make it the highest in the system, and ensure it gets replicated over the others. In fact, if you do not use an authoritative restore, your restore will probably be backed out by replication from other domain controllers.

Take the following steps to run an authoritative restore

For example, once you have the authoritative restore prompt type in

restore object "cn=Allan Brown,OU=Service Management,DC=thiscompany,DC=com"
restore subtree "OU=IT,OU=HeadOffice,DC=msserverpro,DC=com"

Then click Yes in the message box to confirm the Authoritative Restore. You should then see a message Authoritative Restore completed successfully and also a message stating that NTDSUTIL is increasing attribute version numbers by 100,000.


Windows BMR

Restoring a system state backup requires an initial working Windows system, so what do you do if all you have is an empty server? This is called a bare metal restore. A Bare Metal backup will back up the operating system files and all system data (but not user data) on the critical system volumes. By definition a BMR backup includes a system state backup. Windows has its own native (and chargeable) product, the System Center Data Protection Manager (DPM). This product backs up system images and stores the backups on a DPM server, with the option to move older backups off to tape for long term retention.

The first stage is to install a DPM protection agent on your source server, then instruct DPM to create a replica of the source server data onto the DPM server. This replica is updated at regular intervals to keep it current. You configure settings to decide how often this synchronisation happens. The protection agent tracks changes to protected data and transfers the changes to the DPM server. The protection agent is also involved in the recovery process.
The backups are held in 'protection groups', which are collections of data sources that share the same protection configuration. You can schedule a daily consistency check to make sure that the data held in protection groups correctly matches the source servers.

An older option is Automated System Recovery (ASR). ASR was introduced in Windows 2003 and it simplifies the 'bare metal' recovery that is needed if a server is totally trashed. ASR is integrated with VSS on Windows 2012 servers.

In a disaster situation, you have to start with an empty disk. You need to partition that disk into the correct number of volumes with the correct sizes, and then install the registry, system files, and Active Directory if required. This information is known as the Windows System State as described above.

ASR consists of a supplied CD and a CD that you must create. ASR does not completely automate the bare metal recovery process, as it is up to you to take regular copies of the system state, though ASR does help you through the copy process. Go into the Accessories - System Tools - Backup window, and select the Automated System Recovery wizard.
The wizard will take a backup of all the system files first, and by default will want to put this onto the A drive. As the file size will be almost 2 GB, you should change this to a more suitable location, ideally on a remote server. Once ASR has finished the system backup, it will prompt you for a CD or DVD to store the ASR recovery data. After you finish taking the copy, remember not to leave the CD on top of the server; it needs to be kept off-site. This process is fine for a PC user, but if you want to take regular system state backups of several servers, you will want a more automated method.

If you need to recover the server, you use the backup set on the CD along with the ASR restore CD to recover all the system state. ASR can also restore to different (but not too different) hardware.
