This article discusses how to perform an authoritative restore of the Active Directory directory service to a Windows 2000-based domain controller.
During a typical file restore operation, Microsoft Windows Backup operates in nonauthoritative restore mode. In this mode, Windows Backup restores all files, including Active Directory objects, with their original Update Sequence Number (USN) or numbers. The Active Directory replication system uses the USN to detect and replicate changes to Active Directory to all the domain controllers on the network. All data that is restored nonauthoritatively appears to the Active Directory replication system as old data. Old data is never replicated to any other domain controllers. The Active Directory replication system updates the restored data with newer data from other domain controllers. Performing an authoritative restore resolves this issue.
Note Use an authoritative restore with extreme caution because of the effect it may have on Active Directory. An authoritative restore must be performed immediately after the computer has been restored from a previous backup, before restarting the domain controller in normal mode. An authoritative restore replicates all objects that are marked authoritative to every domain controller hosting the naming contexts that the objects are in. To perform an authoritative restore on the computer, you must use the Ntdsutil.exe tool to make the necessary USN changes to the Active Directory database.
There are certain parts of Active Directory that cannot or should not be restored in an authoritative manner:
You cannot authoritatively restore the schema.
The configuration naming context is also very sensitive, because changes will affect the whole forest. For example, it does not make sense to restore connection objects. Connection objects should be recreated by the Knowledge Consistency Checker (KCC) or manually. Restoring server and NTDS settings objects makes sense when no destructive troubleshooting was done before. If you are unsure, contact Microsoft Product Support Services for help:
In the domain context, do not restore any objects that deal with relativeidentifier (RID) pools. This includes the subobject "Rid Set" of domain controller computer accounts and the RidManager$ object in the SYSTEM container.
Another issue is that many distinguished name-type links may break when you restore. This may affect objects that are used by the File Replication Service (FRS). These exist underneath CN=File Replication Service,CN=System,DC=yourdomain and CN=NTFRS Subscriptions,CN=DC computer account.
Attempts to authoritatively restore a complete naming context will always include objects that can disrupt the proper functionality of crucial parts of Active Directory. You should always try to authoritatively restore a minimal set of objects.
Finally, similar issues might exist for objects created by other applications. These go beyond the scope of this article.
A system state restore replaces all new, deleted, or modified objects on the domain controller that is being restored.
A system state restore of a naming context that contains two or more replicas is an authoritative merge. In an authoritative merge, all objects that are deleted or modified are rolled back to when the backup was made. Objects that were created after the backup are replicated from naming context replicas. An authoritative merge represents a merge of the state that existed when the backup was made with new objects that were created after the backup.
When you nonauthoritatively restore a naming context that contains a single replica, you actually perform an authoritative restore.
Note After you perform an authoritative restore, you may delete user accounts and their group memberships in Active Directory. To resolve this problem, add the restored users back to their groups.For more information about how to add the restored users back to their groups, click the following article number to view the article in the Microsoft Knowledge Base:
840001 How to restore deleted user accounts and their group memberships in Active Directory
Frequently, you may not want to restore the whole database because of the replication impact this would have on your domain or forest. To authoritatively restore a subtree within a forest, follow these steps:
Restart the domain controller.
When the Windows 2000 Startup menu is displayed, select Directory Services Restore Mode, and then press ENTER.
Restore the data from backup media for an authoritative restore. To do this, follow these steps:
In Directory Services Restore mode, click Start, point to Programs, point to Accessories, point to System Tools, and then click Backup to start the Windows 2000 Server Backup utility.
Click Restore Wizard, and then click Next.
Select the appropriate backup location, and then make sure that at least the System disk and System State containers are selected.
Click Advanced, and then make sure that you restore junction points. If you do not use the Advanced menu, the restore process will not be successful.
In the Restore Files to list, click Original Location.
Click OK, and then complete the restore process. A visual progress indicator is displayed.
When you are prompted to restart the computer, do not restart.
At a command prompt, type ntdsutil, and then press ENTER.
Type authoritative restore, and then press ENTER.
Type the following command, and then press ENTER:
restore subtree ou=OU_Name,dc=Domain_Name,dc=xxx
Note In this command, OU_Name is the name of the organizational unit that you want to restore, Domain_Name is the domain name that the OU resides in, and xxx is the top-level domain name of the domain controller, such as "com," "org," or "net."
Type quit, press ENTER, type quit, and then press ENTER.