Saturday, May 8, 2010

Active Directory Authoritative Restore

Active Directory is located in the directory Winnt\Ntds.


The steps below are taken from a Microsoft white paper or manual. I apologize, but I have lost the link to the document; it is not my own but a Microsoft doc. This is here more for my reference.

An authoritative restore occurs after a nonauthoritative restore has been performed. During an authoritative restore, the entire directory, a subtree, or individual objects can be designated to take precedence over any other instances of those objects on other domain controllers. Through normal replication, the restored domain controller then becomes authoritative in relation to its replication partners. Authoritative restore is typically used to return the directory to a previously known state, for example the state before Active Directory objects were erroneously deleted. The

To restore system state data

1. Start Backup.
2. Click the Restore tab, and then select the check box for any drive, folder, or file that you want to restore.
3. Click the box next to System State to restore the system state data along with any other data you have selected for the current restore operation.
Caution: If you restore the system state data and do not designate an alternate location for the restored data, Backup erases the system state data currently on the computer and replaces it with the system state data you are restoring.

When you back up the system state data, a copy of your registry files is also saved in %SystemRoot%\Repair\Regback.

The Ntdsutil command-line tool allows you to authoritatively restore the entire directory, a subtree, or individual objects, provided they are leaf objects.

Performing an Authoritative Restore

When a domain contains more than one domain controller, Active Directory replicates directory objects, such as users, groups, organizational units, and computers, to all the domain controllers in that domain.

When you restore a domain controller using backup and restore programs such as Ntbackup or third-party tools, the default restore mode is nonauthoritative. This means the restored server is brought up to date with its replicas through the normal replication mechanism. For example, if a domain controller is restored from a backup tape that is two weeks old, normal replication brings it up to date with respect to its replication partners when it restarts.

Authoritative restore allows the administrator to recover a domain controller, restore it to a specific point in time, and mark objects in Active Directory as authoritative with respect to their replication partners. For example, you might need an authoritative restore if an administrator inadvertently deletes an organizational unit containing a large number of users. If you simply restore the server from tape, the normal replication process would not bring back the deleted organizational unit; the other domain controllers would replicate the deletion to the restored server. Authoritative restore lets you mark the organizational unit as authoritative and force replication to restore it to all the other domain controllers in the domain.

Authoritative Restore Commands

Restore database

Marks the entire Ntds.dit (both the domain and configuration naming contexts held by the domain controller) as authoritative. The schema cannot be authoritatively restored.

Restore database verinc %d

Marks the entire Ntds.dit (both the domain and configuration naming contexts held by the domain controller) as authoritative and increments the version number by %d. Use this option only to authoritatively restore over a previous, incorrect, authoritative restore, such as an authoritative restore from a backup that contains the problem you want to restore over.

Restore subtree %s

Marks the subtree (and all children of the subtree) as authoritative. The subtree is identified by the fully qualified distinguished name of its top object.

Restore subtree %s verinc %d

Marks the subtree (and all children of the subtree) as authoritative and increments the version number by %d. The subtree is identified by the fully qualified distinguished name of its top object. Use this option only to authoritatively restore over a previous, incorrect authoritative restore, such as one made from a backup that contains the problem you want to restore over.
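As an added example (my own, not part of the Microsoft document quoted above), here are the restore commands assembled into the session you would run in Directory Services Restore Mode after the nonauthoritative system state restore and before restarting, using the quoted-argument form that ntdsutil accepts instead of typing each command at its prompt. The OU name, domain and domain controller names are made up; the "activate instance ntds" step applies to Windows Server 2008 and later, not to the Windows 2000/2003 era this page describes.

```powershell
# Constructed example: authoritatively restore one deleted OU.
# Assumes: the DC is booted into Directory Services Restore Mode, the
# system state has already been restored (nonauthoritative) with Backup,
# and the server has NOT been restarted since that restore.
# "OU=Sales,DC=contoso,DC=com" is a made-up distinguished name.

$subtree = "OU=Sales,DC=contoso,DC=com"

# Windows 2000 / Server 2003: go straight into "authoritative restore".
ntdsutil "authoritative restore" "restore subtree $subtree" quit quit

# Windows Server 2008 and later: select the NTDS instance first.
# ntdsutil "activate instance ntds" "authoritative restore" "restore subtree $subtree" quit quit

# Only when redoing a restore over an earlier, incorrect authoritative
# restore: add verinc so the new copy outranks the previously raised versions.
# ntdsutil "authoritative restore" "restore subtree $subtree verinc 100000" quit quit

# Restart normally afterwards; replication then pushes the marked objects to
# the other DCs. To confirm the restored DC won, compare version numbers of
# an object's attributes across DCs (DC names are made up):
# repadmin /showobjmeta dc1.contoso.com "CN=Jane Doe,$subtree"
# repadmin /showobjmeta dc2.contoso.com "CN=Jane Doe,$subtree"
```

The "restore database" form from the list above is used the same way, with "restore database" (optionally followed by "verinc %d") in place of the "restore subtree" argument; the schema naming context is never marked authoritative, as the page notes.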

Originally Published: 11/30/2008 8:29 PM