Thursday, January 26, 2012

Active Directory Authoritative Restore

When Active Directory has been modified and needs to be restored to a previous state, and that rollback must be replicated to all domain controllers in the domain and possibly the forest, an authoritative restore of Active Directory is required. An authoritative restore can cover the entire Active Directory database, a single object, or a container such as an organizational unit together with all objects previously stored within it. To perform an authoritative restore, first perform the System State restore of a domain controller, reboot as directed, and when the reboot completes follow these additional steps:
1. Open a command prompt on the domain controller that is running in DSRM and has just completed a System State recovery and a reboot.

2. In the Command Prompt window, type NTDSUTIL and press Enter.

3. Type Activate Instance NTDS and press Enter.

4. Type Authoritative Restore and press Enter.

5. To restore a single object, type Restore Object followed by the distinguished name of the previously deleted object. For example, to restore an object named Khalil Droubi in the Users container of the domain, type Restore Object “cn=Khalil Droubi,cn=users,dc=companyabc,dc=com”.

6. To restore a container or organizational unit and all objects beneath it, replace the “restore object” with “restore subtree” followed by the appropriate distinguished name.

7. After the appropriate command is typed in, press Enter. A window opens, asking for confirmation of the authoritative restore; click the Yes button to complete the authoritative restore of the object or subtree.

8. The NTDSUTIL tool displays the name of the text file that may contain any backlinks for objects just restored. Note the name of the file(s) and whether any backlinks were contained in the restored objects.

9. Type quit and press Enter; type quit again to close out of the NTDSUTIL tool.

10. Click the Restart button in the Windows Server Backup dialog box and reboot. Make sure to set the boot option back to normal boot if not changed previously.

11. After the domain controller reboots into normal boot mode, log on to verify that the authoritatively restored objects are replicating to the other domain controllers. If things are working properly, run a full backup of the domain controller and log off.
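The steps above are typed interactively into NTDSUTIL; the following PowerShell script is an added example (not from the book or the original post) that drives the same commands as NTDSUTIL arguments and then performs the post-reboot replication check from step 11. It assumes the DC is already in DSRM with the System State restore completed, that "OU=Sales,DC=companyabc,DC=com" is a hypothetical subtree to recover, and that the RSAT ActiveDirectory module is available for the verification phase.

```powershell
# Added example, not the book's procedure. Phase 'Restore' runs in DSRM after the
# System State recovery (steps 2-9); phase 'Verify' runs after the normal-mode
# reboot (step 11). The OU below is hypothetical; replace it with the real DN.
param(
    [ValidateSet('Restore', 'Verify')] [string]$Phase = 'Restore',
    [string]$Dn = 'OU=Sales,DC=companyabc,DC=com'
)

if ($Phase -eq 'Restore') {
    # Each quoted argument is one NTDSUTIL command, in the same order as the
    # interactive steps: activate the instance, enter authoritative restore mode,
    # mark the subtree authoritative, then quit twice. Use "restore object <dn>"
    # for a single object. The confirmation dialog from step 7 still appears.
    $cmdLine = '"activate instance ntds" "authoritative restore" "restore subtree {0}" quit quit' -f $Dn
    $p = Start-Process -FilePath 'ntdsutil.exe' -ArgumentList $cmdLine -Wait -PassThru -NoNewWindow
    if ($p.ExitCode -ne 0) { throw "ntdsutil exited with code $($p.ExitCode)" }

    # Step 8: list the back-link files NTDSUTIL wrote to the current directory
    # (assumed to be named ar_*; use the names NTDSUTIL actually reported).
    # Any .ldf file is re-imported after the reboot with: ldifde -i -k -f <file>.ldf
    Get-ChildItem -Path (Get-Location) -Filter 'ar_*' | Select-Object Name, Length
}
else {
    # Step 11: confirm every DC in the domain holds the restored subtree. A DC
    # that still lacks it is reported so replication can be investigated rather
    # than assumed to have converged.
    Import-Module ActiveDirectory
    foreach ($dc in Get-ADDomainController -Filter *) {
        $obj = Get-ADObject -Identity $Dn -Server $dc.HostName -Properties whenChanged -ErrorAction SilentlyContinue
        if ($obj) { '{0,-30} present  whenChanged={1}' -f $dc.HostName, $obj.whenChanged }
        else      { '{0,-30} MISSING - replication not converged' -f $dc.HostName }
    }
}
```

Run the script with `-Phase Restore` while still in DSRM, reboot into normal mode as in step 10, then run it again with `-Phase Verify` before taking the full backup.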

Source of information: Sams, Windows Server 2008 R2 Unleashed
