Windows Server 2003 for Interview
Authoritative restore of Active Directory
An authoritative restore is an extension of the non-authoritative restore process. You must perform the steps of a non-authoritative restore (restoring System State in Directory Services Restore Mode) before you can perform an authoritative restore. The main difference is that an authoritative restore increments the version number of the attributes of all objects in the entire directory, all objects in a subtree, or an individual object (provided that it is a leaf object), so that the restored copies are treated as newer than the copies held by every other domain controller. Restore the smallest unit necessary; for example, do not restore the entire directory in order to restore a single subtree.

An authoritative restore is most commonly used in cases in which a change was made within the directory that must be reversed, such as deleting an organizational unit by mistake. Restoring the DC from backup on its own is not enough: without the version increment, normal replication would simply reapply the deletion from the other domain controllers. Marking the OU authoritative makes its objects replicate from the restored DC back out to all of the other DCs in the network, while everything you did not mark authoritative is brought up to date on the restored server from those other DCs in the usual way.

Two things to check before you start: the backup must be younger than the forest's tombstone lifetime (60 days by default on Windows 2000 and Windows Server 2003; 180 days for forests created with Windows Server 2003 SP1 or later), otherwise restoring it can reintroduce objects the other DCs have already purged; and you need the Directory Services Restore Mode administrator password, which is separate from any domain account.
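The following is an added example (Python), not code from the original page or from Microsoft. It models the per-attribute replication stamp that Active Directory keeps (version, originating time, originating DSA invocation ID) and the "highest version wins" conflict rule, then shows why a plain restore loses to replication while an authoritative restore wins. The 100,000-per-day increment is ntdsutil's default verinc step; the rounding to whole days, the object, the values, the times and the invocation IDs are constructed for the illustration.

```python
"""Why an authoritative restore must raise version numbers (constructed model)."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from math import ceil
import uuid

VERINC_PER_DAY = 100_000  # ntdsutil default: 100,000 per day since the backup


@dataclass(frozen=True)
class Stamp:
    """Replication metadata AD keeps for one attribute value."""
    value: str
    version: int
    originating_time: datetime
    originating_dsa: uuid.UUID  # invocation ID of the DC that wrote the value

    def order(self):
        # Conflict resolution: higher version wins; ties are broken by the
        # later originating time, then by the larger invocation ID.
        return (self.version, self.originating_time, self.originating_dsa.bytes)


def resolve(local: Stamp, inbound: Stamp) -> Stamp:
    """Return the stamp a DC keeps when an inbound replicated value conflicts
    with the value it already holds."""
    return inbound if inbound.order() > local.order() else local


def write(old: Stamp, value: str, when: datetime, dsa: uuid.UUID) -> Stamp:
    """An ordinary originating write: the version goes up by one."""
    return Stamp(value, old.version + 1, when, dsa)


def mark_authoritative(restored: Stamp, backup_time: datetime,
                       restore_time: datetime, dsa: uuid.UUID) -> Stamp:
    """What ntdsutil 'restore subtree/object' does to each attribute of the
    restored objects: bump the version by 100,000 for every day since the
    backup (whole days rounded up, minimum one; an assumed simplification of
    the tool's arithmetic) and re-stamp the value as written by this DC now."""
    days = max(1, ceil((restore_time - backup_time) / timedelta(days=1)))
    return Stamp(restored.value, restored.version + days * VERINC_PER_DAY,
                 restore_time, dsa)


def simulate(days_since_backup: int, authoritative: bool) -> Stamp:
    """The backup holds the good value; after the backup an admin on DC2
    writes a bad value that replicates everywhere. DC1 is then restored from
    the backup, non-authoritatively or authoritatively. Returns the stamp the
    two DCs converge on."""
    dc1, dc2 = uuid.UUID(int=1), uuid.UUID(int=2)   # constructed invocation IDs
    t_backup = datetime(2004, 3, 1, 2, 0)
    good = Stamp("description=Sales OU", 3, t_backup - timedelta(days=30), dc1)

    # Bad change on DC2 one day after the backup; DC1 accepts it too.
    bad = write(good, "description=DELETED BY MISTAKE",
                t_backup + timedelta(days=1), dc2)
    assert resolve(good, bad) is bad
    dc2_live = bad

    # Restore DC1 from the backup: its copy is the old stamp (version 3).
    t_restore = t_backup + timedelta(days=days_since_backup)
    dc1_restored = good
    if authoritative:
        dc1_restored = mark_authoritative(good, t_backup, t_restore, dc1)

    # Replication in both directions; both DCs end with the same stamp.
    on_dc2 = resolve(dc2_live, dc1_restored)
    on_dc1 = resolve(dc1_restored, dc2_live)
    assert on_dc1 == on_dc2
    return on_dc1


if __name__ == "__main__":
    for auth in (False, True):
        s = simulate(2, auth)
        print(f"authoritative={auth!s:5} -> version {s.version:>7}: {s.value}")
```

Run it and the non-authoritative case converges on the mistaken value at version 4, while the authoritative case converges on the backup value at version 200003, which is the whole point of the version increment.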
Performing an authoritative restore
After the data has been restored, use Ntdsutil.exe to perform the authoritative restore. To do this, follow these steps:
1. At a command prompt, type ntdsutil, and then press ENTER.
2. Type authoritative restore, and then press ENTER.
3. Type restore database, press ENTER, click OK, and then click Yes. This marks every object in the database on this domain controller as authoritative; to roll back a single OU or object, use restore subtree or restore object instead (see Restoring a subtree).
Restoring a subtree
Frequently, you may not want to restore the whole database because of the replication impact this would have on your domain or forest. To authoritatively restore a subtree within a forest, follow these steps:
1. Restart the domain controller.
2. When the startup menu is displayed, press F8, select Directory Services Restore Mode, and then press ENTER. Log on with the Directory Services Restore Mode administrator password that was set when the DC was promoted; domain accounts are not available in this mode.
3. Restore the data from backup media for an authoritative restore. To do this, follow these steps:
a. In Directory Services Restore mode, click Start, point to Programs, point to Accessories, point to System Tools, and then click Backup to start the Backup utility (Ntbackup.exe).
b. Click Restore Wizard, and then click Next.
c. Select the appropriate backup location, and then make sure that at least the System disk and System State containers are selected.
d. Click Advanced, and then make sure that you restore junction points. If you do not use the Advanced menu, the restore process will not be successful.
e. In the Restore Files to list, click Original Location.
f. Click OK, and then complete the restore process. A visual progress indicator is displayed.
g. When you are prompted to restart the computer, do not restart. Restarting at this point leaves you with a plain non-authoritative restore, and normal replication would overwrite the restored objects again.
4. At a command prompt, type ntdsutil, and then press ENTER.
5. Type authoritative restore, and then press ENTER.
6. Type the following command, and then press ENTER:
restore subtree ou=OU_Name,dc=Domain_Name,dc=...
Note In this command, OU_Name is the name of the organizational unit that you want to restore, Domain_Name is the domain name that the OU resides in, and ... is the top-level domain name of the domain controller, such as "com," "org," or "net." To restore a single leaf object instead of a whole OU, use restore object with the object's full distinguished name.
7. Type quit, press ENTER, type quit, and then press ENTER.
8. Type exit, and then press ENTER.
9. Restart the domain controller. After it is back online, confirm that the restored OU appears on its replication partners and that inbound replication succeeds (for example, with repadmin /showreps) before you consider the restore complete.
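The following is an added example (Python), not code from the original page or from Microsoft, that prepares the ntdsutil invocation for steps 4 to 7 above. It sanity-checks the distinguished name, refuses a backup older than the tombstone lifetime, and assembles the commands in the form ntdsutil accepts as command-line arguments (each command, spaces included, as one quoted argument). The restore subtree/restore object syntax, the optional verinc keyword and the 60-day default tombstone lifetime are Windows Server 2003 behaviour; the DN, dates and the script name are constructed. ntdsutil still shows its confirmation dialog, so this launches the restore in Directory Services Restore Mode rather than replacing the interactive steps.

```python
"""Build and (optionally) run the ntdsutil command line for an authoritative
subtree or object restore on Windows Server 2003."""
import re
import subprocess
import sys
from datetime import datetime
from typing import List, Optional, Union

DEFAULT_TOMBSTONE_DAYS = 60   # forests created before Windows Server 2003 SP1

# One or more ou=/cn= components followed by one or more dc= components.
# Escaped commas in values are not handled: this is a sanity check, not a
# full RFC 4514 parser.
DN_RE = re.compile(r"^(?:(?:ou|cn)=[^,=]+,)+(?:dc=[^,=]+,)*dc=[^,=]+$", re.IGNORECASE)


def validate_dn(dn: str) -> str:
    dn = dn.strip()
    if not DN_RE.match(dn):
        raise ValueError(f"not a usable OU/object DN: {dn!r}")
    return dn


def check_backup_age(backup_time: Union[datetime, str], now: Union[datetime, str],
                     tombstone_days: int = DEFAULT_TOMBSTONE_DAYS) -> int:
    """Days since the backup; raise if the backup is at or past the tombstone
    lifetime, because restoring it would bring back objects the other DCs
    have already purged (lingering objects)."""
    if isinstance(backup_time, str):
        backup_time = datetime.fromisoformat(backup_time)
    if isinstance(now, str):
        now = datetime.fromisoformat(now)
    age = (now - backup_time).days
    if age < 0:
        raise ValueError("backup time is in the future")
    if age >= tombstone_days:
        raise ValueError(f"backup is {age} days old, tombstone lifetime is "
                         f"{tombstone_days} days: do not restore it")
    return age


def ntdsutil_args(dn: str, scope: str = "subtree",
                  verinc: Optional[int] = None) -> List[str]:
    """Argument list for ntdsutil. scope is 'subtree' (the OU and everything
    below it) or 'object' (one leaf object). verinc overrides the default
    version increment; leave it None unless you have a reason."""
    if scope not in ("subtree", "object"):
        raise ValueError("scope must be 'subtree' or 'object'")
    cmd = f"restore {scope} {validate_dn(dn)}"
    if verinc is not None:
        if verinc <= 0:
            raise ValueError("verinc must be positive")
        cmd += f" verinc {verinc}"
    return ["ntdsutil", "authoritative restore", cmd, "quit", "quit"]


def main(argv: List[str]) -> int:
    if len(argv) < 3:
        print("usage: auth_restore.py <dn> <backup-time YYYY-MM-DDTHH:MM> [--run]")
        return 2
    age = check_backup_age(argv[2], datetime.now())
    args = ntdsutil_args(argv[1])
    print(f"backup is {age} day(s) old; ntdsutil will raise each version by "
          f"about {max(age, 1)} x 100,000")
    print("command:", subprocess.list2cmdline(args))
    if "--run" in argv:
        # Only meaningful on the DC, booted into Directory Services Restore
        # Mode, after the non-authoritative System State restore (step 3).
        return subprocess.call(args)
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Without --run the script only prints the exact command line, which is a useful thing to paste into a change record before touching the DC.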
How
to Recover the Active Directory Database
To recover the database, follow these steps. Ntdsutil needs exclusive access to Ntds.dit, so boot the domain controller into Directory Services Restore Mode first, and copy the WINDOWS\Ntds folder to a safe location before you run any recovery tool.
1. Click Start, click Run, type ntdsutil in the Open box, and then press ENTER.
2. At the Ntdsutil command prompt, type files, and then press ENTER.
3. At the file maintenance command prompt, type recover, and then press ENTER.
4. Type quit, press ENTER, type quit again, and then press ENTER.
5. Restart the computer.
NOTE: You can also use Esentutl.exe to perform database recovery when the procedure described earlier in this article fails (for example, the procedure may fail when the database is inconsistent). To use Esentutl.exe to perform database recovery, follow these steps:
1. Click Start, click Run, type cmd in the Open box, and then press ENTER.
2. Change to the folder that holds the Active Directory log files and checkpoint file (by default WINDOWS\Ntds), type esentutl /r edb, and then press ENTER. The /r mode takes the three-character log base name, which is edb for Active Directory, not the path of Ntds.dit; it looks for the logs and the checkpoint file in the current directory unless /l and /s point elsewhere.
3. Delete the database log files (.log) from the WINDOWS\Ntds folder.
4. Restart the computer.
NTDSUTIL.EXE is a command-line tool that is used to manage Active Directory. This utility is used to perform the following tasks:
Performing database maintenance of Active Directory.
Managing and controlling operations master roles.
Removing metadata left behind by domain controllers.
To perform offline defragmentation of the Active Directory database (online defragmentation, which runs as part of garbage collection, reorganizes the file but never shrinks it; only an offline compaction returns space after large deletions):
1. Back up Active Directory. Windows Backup (Ntbackup.exe) natively supports backing up Active Directory while online. This occurs automatically when you select the option to back up everything on the computer in the Backup Wizard, or independently by selecting to back up the "System State" in the wizard.
2. Reboot the domain controller, select the appropriate installation from the boot menu, and press F8 to display the Windows Advanced Options menu. Choose Directory Services Restore Mode and press ENTER. Press ENTER again to start the boot process.
3. Click Start, point to Programs, point to Accessories, and then click Command Prompt. At the command prompt, type ntdsutil, and then press ENTER.
4. Type files, and then press ENTER.
5. Type info, and then press ENTER. This displays current information about the path and size of the Active Directory database and its log files. Note the path.
6. Establish a location that has enough drive space for the compacted database to be stored. The compaction writes a complete new copy, so allow at least the current size of Ntds.dit.
7. Type compact to drive:\directory, and then press ENTER, where drive and directory is the path to the location you established in the previous step. Enclose the path in quotation marks if it contains spaces, for example:
compact to "c:\new folder"
8. A new database named Ntds.dit is created in the path you specified.
9. Type quit, and then press ENTER. Type quit again to return to the command prompt.
10. If defragmentation succeeds without errors, follow the Ntdsutil.exe on-screen instructions. Delete all the log files in the log directory by typing the following command:
del drive:\pathToLogFiles\*.log
Rename the old Ntds.dit (for example, to Ntds.dit.old) rather than deleting it, and then copy the new Ntds.dit file into the current Active Directory database path that you noted in step 5. Check the copied database with ntdsutil files integrity before you leave Directory Services Restore Mode; if the check fails, put the original file back.
Note You do not have to delete the Edb.chk file.
11. Restart the computer normally.
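The following is an added example (Python), not code from the original page or from Microsoft, for steps 5 to 10 above. It parses the drive and path section that ntdsutil files info prints, confirms that the destination drive has room for a second copy of the database, and produces the compact command together with the follow-up commands (rename the old file, copy the new one, delete the logs, run the integrity check) in the form they would be typed at a command prompt in Directory Services Restore Mode. The sample report is constructed to match the layout of the Windows Server 2003 files info output; the paths, sizes and the 10% headroom rule are invented for the example.

```python
"""Check 'ntdsutil files info' output and plan an offline compaction."""
import re
import subprocess
from typing import Dict, List

# Constructed sample in the layout of 'ntdsutil files info' (not real data).
SAMPLE_INFO = r"""
Drive Information:

        C:\ NTFS (Fixed Drive  ) free(350.2 Mb) total(9.9 Gb)
        D:\ NTFS (Fixed Drive  ) free(20.3 Gb) total(40.0 Gb)

DS Path Information:

        Database   : C:\WINDOWS\NTDS\ntds.dit - 412.5 Mb
        Backup dir : C:\WINDOWS\NTDS\dsadata.bak
        Working dir: C:\WINDOWS\NTDS
        Log dir    : C:\WINDOWS\NTDS - 30.0 Mb total
                        res2.log - 10.0 Mb
                        res1.log - 10.0 Mb
                        edb.log - 10.0 Mb
"""

UNIT_MB = {"Kb": 1 / 1024, "Mb": 1.0, "Gb": 1024.0}
DRIVE_RE = re.compile(r"^\s*([A-Z]):\\ .*?free\(([\d.]+) (Kb|Mb|Gb)\)", re.M)
DB_RE = re.compile(r"^\s*Database\s*:\s*(\S.*?) - ([\d.]+) (Kb|Mb|Gb)\s*$", re.M)
LOG_RE = re.compile(r"^\s*Log dir\s*:\s*(\S.*?) - ", re.M)


def parse_files_info(text: str) -> Dict:
    """Database path and size, log directory, and free space per drive (MB)."""
    db = DB_RE.search(text)
    log = LOG_RE.search(text)
    if not (db and log):
        raise ValueError("could not find the Database/Log dir lines in the output")
    return {
        "db_path": db.group(1),
        "db_mb": float(db.group(2)) * UNIT_MB[db.group(3)],
        "log_dir": log.group(1),
        "free_mb": {d: float(n) * UNIT_MB[u] for d, n, u in DRIVE_RE.findall(text)},
    }


def check_target(info: Dict, target_dir: str) -> float:
    """Free MB on the target drive; raise if it cannot hold a full copy of the
    database, since compaction writes a complete new Ntds.dit."""
    drive = target_dir[0].upper()
    free = info["free_mb"].get(drive)
    if free is None:
        raise ValueError(f"drive {drive}: not reported by ntdsutil")
    if free < info["db_mb"] * 1.1:   # 10% headroom is this example's choice
        raise ValueError(f"drive {drive}: only {free:.0f} MB free, "
                         f"database is {info['db_mb']:.0f} MB")
    return free


def compact_plan(info: Dict, target_dir: str) -> List[str]:
    """Command lines to run, in order, in Directory Services Restore Mode.
    list2cmdline handles the nested quoting ntdsutil needs for paths with spaces."""
    target_dir = target_dir.rstrip("\\")
    check_target(info, target_dir)
    inner = f'compact to "{target_dir}"' if " " in target_dir else f"compact to {target_dir}"
    new_dit = target_dir + r"\ntds.dit"
    old_dit = info["db_path"]
    return [
        subprocess.list2cmdline(["ntdsutil", "files", inner, "quit", "quit"]),
        f'ren "{old_dit}" ntds.dit.old',        # keep the original, do not overwrite it
        f'copy "{new_dit}" "{old_dit}"',
        f'del "{info["log_dir"]}\\*.log"',
        subprocess.list2cmdline(["ntdsutil", "files", "integrity", "quit", "quit"]),
    ]


def live_info() -> str:
    """Run 'ntdsutil files info' on the DC itself (DSRM only) and return its output."""
    return subprocess.run(["ntdsutil", "files", "info", "quit", "quit"],
                          capture_output=True, text=True).stdout


if __name__ == "__main__":
    info = parse_files_info(SAMPLE_INFO)    # swap in live_info() on the DC
    for line in compact_plan(info, r"D:\Compact"):
        print(line)
```

The integrity check is the last line of the plan on purpose: run it on the copied-in database while still in Directory Services Restore Mode, and put Ntds.dit.old back if it reports errors.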