Saturday, 26 April 2014

How to do an authoritative restore in Windows Server 2008 - Restore after deletions have replicated

Understanding the concept

An authoritative restore is most commonly used when you want to revert changes that were made within the directory; consider the scenario where you have deleted an organizational unit or some other object by mistake and want to get it back. This process restores the DC from the backup and then overwrites all other domain controllers in the network to match the restored DC (through replication). Even if the authoritatively restored replica set is older than the current replicas, the older data is replicated to all of its replication partners. The especially valuable thing about this is that you can choose to make only certain objects within the directory authoritative. For example, if you delete an OU by mistake you can choose to make only that OU authoritative. This replicates the deleted OU back to all of the other DCs in the network, and all of the other information from those DCs is then used to bring the newly restored server back up to date.

You can perform an authoritative restore in one of two ways, depending on your network status:
A) Restore before deletions have Replicated.
B) Restore after deletions have Replicated.

If the deleted object and its status have not replicated to another DC, you can use another method as well. For more information please follow the below link,

In this article I will describe restoring the object after the replication has occurred. In this case you must first initiate the non-authoritative restore and, once it has completed successfully, you can start the authoritative restore.
Let us consider the scenario where I have accidentally deleted one user, named 'Livin', which is under the default container 'Users', and I want to restore this object to the domain. Note that my domain name is ''.

1. Reboot the server in Directory Services Restore Mode

You can reboot the server in Directory Services Restore Mode using one of three methods.

  i. If you can reboot the server manually, press F8 at boot time to get the advanced boot options, select Directory Services Restore Mode and press ENTER.

  ii. Edit the Boot Configuration Data (BCD). To edit the BCD, open a command prompt, type bcdedit /set safeboot dsrepair and press ENTER. Now restart the server and wait for it to come up.

  iii. Edit the boot option from System Configuration. Type msconfig in Run and press ENTER -> under the Boot tab tick the Safe boot check box and select Active Directory repair -> Apply -> OK, and when prompted to restart select Restart.

You can select any one of the above options to reboot the server in Directory Services Restore Mode. (If the server is in a remote location, option ii or iii is preferable.)

2. Wait a few minutes for the DC to reboot. You can log on locally or remotely, but remember that you will need to supply the DSRM password that you set when promoting the server to a DC. The username for DSRM is Administrator, and you may have a different DSRM password for each DC.
3. Once you have logged on you can use the utility Wbadmin to manage backup and restore operations. It enables you to back up and restore your operating system, volumes, files, folders, and applications from a command prompt. Each backup that you have created using Windows Server Backup has its own unique version identifier, generally named after the date and time at which the backup completed. You will restore the data based on the version identifier of one of these backups.
Consider that I have to recover my secondary DC (second server) and I already have the latest backup of this server on my first server (shared location: \\server-1\backup of second server); alternatively you may have the backup on the same server itself. If your backup is on a remote share, make sure there is no chance of a network failure, or copy the backup to a local drive and perform the recovery from there, because connection issues during this process can leave the server unusable.

At the command prompt type wbadmin get versions and press ENTER.

I have only one backup of the server. From the list, note down the version identifier of the latest backup that you want to restore. In my case the version identifier is 04/22/2014-15:40.
4. Now start the system state recovery with the command below:
wbadmin start systemstaterecovery -version:<backup version that you would like to restore> and press ENTER.
So in my case the command is wbadmin start systemstaterecovery -version:04/22/2014-15:40, followed by ENTER.
This will prompt you to confirm that you want to start the restore; type Y and press ENTER.

Important: Never try to interrupt the system state recovery until it completes.
5. Wait for this process to complete. You will see the status in the same command prompt. Do not reboot the server, since we still need to perform the authoritative restore.

6. Open a command prompt; from here the command-line tool ntdsutil will take you further. Type ntdsutil and press ENTER.
7. Now you are at the ntdsutil prompt; type activate instance ntds and press ENTER.
8. At the ntdsutil prompt type authoritative restore and press ENTER.

Generally we use two commands here: restore object and restore subtree. The restore object command is used when you want to restore a single deleted object (user, computer, etc.), and restore subtree is used when you want to restore an entire OU or container.
The syntax is restore object <distinguished name of the object> (e.g. restore object CN=deleted object name,CN=deleted objects OU,DC=your domain name,DC=your DC extension).
The syntax is restore subtree <distinguished name of the object> (e.g. restore subtree CN=deleted OU,DC=your domain name,DC=domainroot).

9. As discussed earlier I want to recover my deleted user 'Livin' under the container 'Users'.
So type restore object CN=Livin,CN=Users,DC=serverlabs,DC=com and press ENTER.
10. Click Yes on the authoritative restore confirmation dialogue to start the process.

11. Once the process is completed you will see the success message, and the window will look as follows. The log files that indicate the restored object will be available in the current working directory shown in the command prompt.

This operation increments the update sequence number (USN) of this object so that all other DCs consider it the most recent change.
12. If you booted the server into Directory Services Restore Mode (DSRM) using step 1 option ii or iii, the server will boot into DSRM again. To boot the server normally, log in with the DSRM username and password after the initial reboot. You will see the prompt below; press ENTER to close the window.

Now change the boot option of your server back to normal.
If you used the option described in step 1 ii:
Open a command prompt, type bcdedit /deletevalue safeboot and press ENTER. You will see a success message as below, and you can reboot the server once again. It will now boot in normal mode.

If you used the option described in step 1 iii:
Type msconfig in Run and press ENTER -> under the Boot tab untick the Safe boot check box -> Apply -> OK, and when prompted to restart select Restart.

13. Now we need to run the LDIF file to recover back-links in this domain. (This file is automatically generated when the deleted object is marked authoritative, which we did in step 8; it will be available in the current working directory of the command prompt.) So, to restore group memberships, at the command prompt type ldifde -i -k -f <file name> and press ENTER, where <file name> is the LDIF file that was generated in your network (More help:

Note: Remember to change the command prompt's directory to the one where your LDIF file is located, and you must specify the LDIF file with its extension (.ldf).

Now you can check whether the object has been restored in your network.
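The whole sequence above as one added PowerShell script (my example, not the post's own commands): the Restore phase runs while the DC is booted into DSRM and refuses to run otherwise, and the Links phase runs the ldifde import after the normal reboot. The object DN, the MM/dd/yyyy-HH:mm version format and the ar_*_links_*.ldf file name pattern are assumptions; serverlabs.com is the post's example domain.

```powershell
# Added example, not from the original post. Run as .\Administrator in DSRM with -Phase Restore,
# reboot normally, then run again with -Phase Links from the same working directory.
param(
    [ValidateSet('Restore','Links')][string]$Phase = 'Restore',
    [string]$ObjectDN = 'CN=Livin,CN=Users,DC=serverlabs,DC=com',   # placeholder: object to make authoritative
    [string]$Version  = ''      # wbadmin version identifier; blank picks the newest backup
)
$ErrorActionPreference = 'Stop'
$culture = [Globalization.CultureInfo]::InvariantCulture

function Get-LatestBackupVersion {
    # Parse the "Version identifier: 04/22/2014-15:40" lines printed by "wbadmin get versions".
    $ids = wbadmin get versions | Select-String 'Version identifier:' |
           ForEach-Object { ($_.Line -split ':\s*', 2)[1].Trim() }
    if (-not $ids) { throw 'wbadmin found no backups.' }
    # Assumed format MM/dd/yyyy-HH:mm; sort chronologically and take the newest.
    $ids | Sort-Object { [datetime]::ParseExact($_, 'MM/dd/yyyy-HH:mm', $culture) } | Select-Object -Last 1
}

if ($Phase -eq 'Restore') {
    # Steps 1-2 safeguard: only continue when the BCD says we booted with safeboot = DsRepair.
    if ((bcdedit /enum '{current}' | Out-String) -notmatch 'safeboot\s+DsRepair') {
        throw 'Not in DSRM. Run "bcdedit /set safeboot dsrepair", reboot and log on with the DSRM account.'
    }
    if (-not $Version) { $Version = Get-LatestBackupVersion }
    # Steps 3-5: non-authoritative system state recovery; -quiet answers the Y/N prompt. Do not reboot yet.
    wbadmin start systemstaterecovery "-version:$Version" -quiet
    if ($LASTEXITCODE -ne 0) { throw "wbadmin exited with code $LASTEXITCODE" }
    # Steps 6-10: ntdsutil accepts its interactive commands as arguments; the Yes/No dialog still appears.
    # If the DN contains spaces, wrap it in embedded double quotes inside the restore object command.
    ntdsutil 'activate instance ntds' 'authoritative restore' "restore object $ObjectDN" quit quit
    if ($LASTEXITCODE -ne 0) { throw "ntdsutil exited with code $LASTEXITCODE" }
    # Step 12 (bcdedit variant): clear the DSRM flag so the next reboot is a normal one.
    bcdedit /deletevalue safeboot
    Write-Host "Reboot normally, then rerun with -Phase Links from $(Get-Location)."
}
else {
    # Step 13, after the normal reboot: import the back-link LDIF files ntdsutil wrote to the working dir.
    $files = Get-ChildItem -Path (Get-Location) -Filter 'ar_*_links_*.ldf'
    if (-not $files) { throw 'No ar_*_links_*.ldf file in the current directory.' }
    foreach ($f in $files) {
        ldifde -i -k -f $f.FullName
        if ($LASTEXITCODE -ne 0) { throw "ldifde failed on $($f.Name)" }
    }
    # Show the object's replication metadata: the authoritative restore raised its version and USN.
    repadmin /showobjmeta localhost $ObjectDN
}
```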
