Understanding the concept
An authoritative restore is most commonly used when you want to revert changes that were made within the directory. Consider the scenario where you have deleted an organizational unit or some other object by mistake and you want to get it back. This process restores the DC from the backup and then overwrites all other domain controllers in the network to match the restored DC (through replication). Even if the authoritatively restored replica set is older than the current replicas, the older data is replicated to all of its replication partners. The especially valuable thing about this is that you can choose to make only certain objects within the directory authoritative. For example, if you delete an OU by mistake you can choose to make it authoritative. This will replicate the deleted OU back to all other DCs in the network and then use all other information from the other DCs to update the newly restored server.
You can perform an authoritative restore in one of two ways, depending on your network status:
A) Restore Before Deletions Have Replicated
B) Restore After Deletions Have Replicated
If the deleted object and its status have already replicated to another DC, you need to perform a slightly different method: from the most recent backup you need to perform a non-authoritative restore and then mark the deleted object authoritative. For more information please follow the link below:
http://serverlabs.blogspot.in/2014/04/how-to-do-authoritative-restore-in.html
In this article I will describe restoring the object before replication has occurred across the domain. In this case you do not need to initiate a non-authoritative restore; instead you need to turn off inbound replication and mark the deleted object as authoritative.
Let us consider the scenario in which I have accidentally deleted one user, named 'Livin', which is under the default container 'Users', and I want to restore this object to the domain. Note that my domain name is 'serverlabs.com'.
1. Make sure that replication has not occurred since the deletion. Use the command repadmin /showrepl in cmd to determine the date and time of the latest inbound replication of the domain directory partition where the deletion occurred. (By default, intersite replication across each site link occurs every 180 minutes (3 hours). You can adjust this frequency to match your specific needs.) After confirming that replication has not occurred, we need to stop inbound replication. This can be achieved with the command repadmin /options <ServerName> +DISABLE_INBOUND_REPL, where <ServerName> is the NetBIOS name of the domain controller.
2. Reboot the server in Directory Services Restore Mode.
You can reboot the server in Directory Services Restore Mode using one of three methods:
i. If you can manually reboot the server, press F8 at boot time to get the advanced boot options, select Directory Services Restore Mode and press ENTER.
ii. Edit the Boot Configuration Data (BCD). To edit the BCD, open a command prompt, type bcdedit /set safeboot dsrepair and press ENTER. Now restart the server and wait for it to come up.
iii. Edit the boot option from System Configuration. Type msconfig in Run and press ENTER -> under the Boot tab tick the Safe boot check box and select Active Directory repair -> Apply -> OK, and when prompted to restart select Restart.
You can select any one of the above options to reboot the server in Directory Services Restore Mode. (If the server is in a remote location you may prefer option ii or iii.) Remember that you will need to supply the DSRM password that you set when promoting the server to a DC. The username for DSRM is Administrator, and you may have a different DSRM password on each DC.
3. Once you are logged on, you need to mark the deleted object as authoritative. Perform the steps below to achieve this.
Open a command prompt; here the command line tool ntdsutil will help you go further. Type ntdsutil and press ENTER.
4. Now you are at the ntdsutil prompt. Type activate instance ntds and press ENTER.
5. At the ntdsutil prompt type authoritative restore and press ENTER.
Generally we will use two commands here: restore object and restore subtree. restore object is used when you want to restore a single object that was deleted (user, computer, etc.), and restore subtree when you want to restore an entire OU or container.
The syntax is restore object <distinguished name of the object> (e.g. restore object CN=deleted object name,CN=deleted objects OU,DC=your domain name,DC=your DC extension). If the distinguished name contains spaces, enclose it in double quotes.
The syntax is restore subtree <distinguished name of the object> (e.g. restore subtree CN=deleted OU,DC=your domain name,DC=domainroot).
6. As discussed earlier I want to recover my deleted user 'Livin' in the default 'Users' container. So type restore object CN=Livin,CN=Users,DC=serverlabs,DC=com and press ENTER.
7. Click YES on the authoritative restore confirmation dialogue to start the process.
8. Once the process is completed you will see the success message. The log files that list the restored object will be available in the current working directory of the command prompt.
This operation increments the update sequence number (USN) of this object so that all other DCs consider it the most recent change.
9. If you rebooted the server into Directory Services Restore Mode (DSRM) using option ii or iii in step 2, the server will boot into DSRM again. In order to boot the server normally, log in with the DSRM username and password after the initial reboot. You will see the prompt below; press ENTER to close the window.
Now change the boot option of your server back to normal.
If you used option ii in step 2: open a command prompt, type bcdedit /deletevalue safeboot and press ENTER. You will see a success message and you can reboot the server once again. It will now boot in normal mode.
If you used option iii in step 2: type msconfig in Run and press ENTER -> under the Boot tab untick the Safe boot check box -> Apply -> OK, and when prompted to restart select Restart.
10. Once the server has rebooted in normal mode you can synchronize this DC with its replication partners. Open a command prompt, type repadmin /syncall <DCName> /e /d /A /P /q and press ENTER, where <DCName> is the name of the domain controller whose replication you want to synchronize with all partners. Make sure that the synchronization completes successfully. (You can get more help at http://technet.microsoft.com/en-us/library/cc778969(v=ws.10).aspx.)
11. Now we need to run the LDIF file to recover back-links in this domain. (This file is automatically generated when the deleted object is marked authoritative, which we did in step 8. It will be available in the current working directory of the command prompt.) So, in order to restore group membership, at the command prompt type ldifde -i -k -f <file name> and press ENTER, where <file name> is the LDIF file that was generated in your network. (More help: http://technet.microsoft.com/en-us/library/cc786564(v=ws.10).aspx)
Note: Remember to change the command prompt's directory to the one where your LDIF file is located, and you must specify the LDIF file with its extension (.ldf).
12. As we initially disabled inbound replication, we need to enable it again. At the command prompt type repadmin /options <ServerName> -DISABLE_INBOUND_REPL and press ENTER, where <ServerName> is your current domain controller name.
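As an added example (not code from the original post), here is a PowerShell version of the repadmin and ldifde parts of this procedure, step 1 and steps 10 to 12, with every exit code checked before the next command runs. The function names are my own; it assumes an elevated PowerShell session on the DC with repadmin.exe and ldifde.exe on the path, and that repadmin /showrepl /csv returns its usual 'Naming Context', 'Source DSA' and 'Last Success Time' columns.

```powershell
# Added example, not from the original post. Function names are my own; assumes
# an elevated session on the DC with repadmin.exe and ldifde.exe on the path.

function Test-SafeToRestoreBeforeReplication {
    param(
        [Parameter(Mandatory)][string]$DcName,           # NetBIOS name of the DC
        [Parameter(Mandatory)][datetime]$DeletedAt,      # when the object was deleted
        [string]$NamingContext = 'DC=serverlabs,DC=com'  # domain partition from the post
    )
    # Step 1: repadmin /showrepl /csv lists every inbound partner per partition
    # with its 'Last Success Time'; any success after the deletion means the
    # deletion has already replicated in, so the other method is required.
    $rows = repadmin /showrepl $DcName /csv | ConvertFrom-Csv
    if ($LASTEXITCODE -ne 0) { throw "repadmin /showrepl failed ($LASTEXITCODE)" }
    $late = foreach ($r in $rows | Where-Object { $_.'Naming Context' -eq $NamingContext }) {
        $t = [datetime]::MinValue
        if ([datetime]::TryParse($r.'Last Success Time', [ref]$t) -and $t -gt $DeletedAt) { $r }
    }
    foreach ($r in $late) {
        Write-Warning "Inbound replication from $($r.'Source DSA') succeeded at $($r.'Last Success Time'), after the deletion"
    }
    return (-not $late)
}

function Disable-InboundReplication {
    param([Parameter(Mandatory)][string]$DcName)
    repadmin /options $DcName +DISABLE_INBOUND_REPL     # second half of step 1
    if ($LASTEXITCODE -ne 0) { throw "could not disable inbound replication" }
}

function Complete-AuthoritativeRestore {
    param(
        [Parameter(Mandatory)][string]$DcName,
        [string]$LdfDirectory = (Get-Location).Path      # where ntdsutil wrote its files
    )
    # Step 10: sync with all partners; the restored object wins as the newest change.
    repadmin /syncall $DcName /e /d /A /P /q
    if ($LASTEXITCODE -ne 0) { throw "repadmin /syncall failed ($LASTEXITCODE)" }
    # Step 11: import every back-link LDIF file ntdsutil generated.
    Get-ChildItem -Path $LdfDirectory -Filter '*.ldf' | ForEach-Object {
        ldifde -i -k -f $_.FullName
        if ($LASTEXITCODE -ne 0) { throw "ldifde failed on $($_.Name) ($LASTEXITCODE)" }
    }
    # Step 12: turn inbound replication back on.
    repadmin /options $DcName -DISABLE_INBOUND_REPL
    if ($LASTEXITCODE -ne 0) { throw "could not re-enable inbound replication" }
}
```

Run Test-SafeToRestoreBeforeReplication with the DC name and the deletion time before step 1 and only call Disable-InboundReplication when it returns True; after the DSRM work in steps 2 to 9, run Complete-AuthoritativeRestore from the directory where ntdsutil wrote its .ldf file.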