Windows Server 2003 for Interview
Authoritative restore of Active Directory
An authoritative restore is an extension of the non-authoritative restore process. You must perform the steps of a non-authoritative restore before you can perform an authoritative restore. The main difference is that an authoritative restore has the ability to increment the version number of the attributes of all objects in an entire directory, all objects in a subtree, or an individual object (provided that it is a leaf object) to make it authoritative in the directory. Restore the smallest unit necessary; for example, do not restore the entire directory in order to restore a single subtree.
An authoritative restore is most commonly used in cases in which a change was made within the directory that must be reversed, such as deleting an organizational unit by mistake. This process restores the DC from the backup and then replicates to and overwrites all other domain controllers in the network to match the restored DC. What makes this especially valuable is that you can choose to make only certain objects within the directory authoritative. For example, if you delete an OU by mistake, you can choose to make just that OU authoritative. This replicates the deleted OU back to all of the other DCs in the network, and the newly restored server is then brought back up to date with all of the other information from those DCs.
Performing an authoritative restore
After the data has been restored, use Ntdsutil.exe to perform the authoritative restore. To do this, follow these steps:
1. At a command prompt, type ntdsutil, and then press ENTER.
2. Type authoritative restore, and then press ENTER.
3. Type restore database, press ENTER, click OK, and then click Yes.
Restoring a subtree
Frequently, you may not want to restore the whole database because of the replication impact this would have on your domain or forest. To authoritatively restore a subtree within a forest, follow these steps:
1. Restart the domain controller.
2. When the Windows 2000 Startup menu is displayed, select Directory Services Restore Mode, and then press ENTER.
3. Restore the data from backup media for an authoritative restore. To do this, follow these steps:
a. In Directory Services Restore mode, click Start, point to Programs, point to Accessories, point to System Tools, and then click Backup to start the Windows 2000 Server Backup utility.
b. Click Restore Wizard, and then click Next.
c. Select the appropriate backup location, and then make sure that at least the System disk and System State containers are selected.
d. Click Advanced, and then make sure that you restore junction points. If you do not use the Advanced menu, the restore process will not be successful.
e. In the Restore Files to list, click Original Location.
f. Click OK, and then complete the restore process. A visual progress indicator is displayed.
g. When you are prompted to restart the computer, do not restart.
4. At a command prompt, type ntdsutil, and then press ENTER.
5. Type authoritative restore, and then press ENTER.
6. Type the following command, and then press ENTER:
restore subtree ou=OU_Name,dc=Domain_Name,dc=xxx
Note In this command, OU_Name is the name of the organizational unit that you want to restore, Domain_Name is the domain name that the OU resides in, and xxx is the top-level domain name of the domain controller, such as "com," "org," or "net."
7. Type quit, press ENTER, type quit, and then press ENTER.
8. Type exit, and then press ENTER.
9. Restart the domain controller.
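The following PowerShell script is an added example, not part of the original notes, that wraps steps 4 to 8 above in a single non-interactive ntdsutil call (ntdsutil accepts each menu command as a separate command-line argument). It assumes the DC is already booted into Directory Services Restore Mode with the System State restored (steps 1 to 3), that PowerShell is installed on the 2003 server, and that the parameter names and the ntds.dit default path are hypothetical choices for this example.

```powershell
# Added example: non-interactive authoritative restore of one OU subtree.
# Assumes DSRM is active and the System State has already been restored.
param(
    [Parameter(Mandatory = $true)] [string] $OuName,      # e.g. "Sales"
    [Parameter(Mandatory = $true)] [string] $DomainName,  # e.g. "contoso"
    [Parameter(Mandatory = $true)] [string] $Tld,         # e.g. "com"
    [string] $NtdsDit = "$env:SystemRoot\NTDS\ntds.dit"   # assumed default location
)

# Build the distinguished name in the form the notes use for "restore subtree".
$dn = "ou=$OuName,dc=$DomainName,dc=$Tld"

# Safety check: if the directory service still holds ntds.dit open we are not
# in DSRM, and ntdsutil cannot mark anything authoritative. An exclusive open
# succeeds only when the database is offline.
try {
    $fs = [System.IO.File]::Open($NtdsDit, 'Open', 'Read', 'None')
    $fs.Close()
} catch {
    throw "Cannot open $NtdsDit exclusively; boot into Directory Services Restore Mode first."
}

# Each argument is one ntdsutil command, in the order typed interactively:
# enter the "authoritative restore" menu, restore the subtree, quit twice.
# ntdsutil still displays its confirmation dialog; answer Yes to proceed.
Write-Host "Marking $dn authoritative (attribute version numbers in the subtree will be incremented)"
& "$env:SystemRoot\system32\ntdsutil.exe" "authoritative restore" "restore subtree $dn" quit quit

# Treat a non-zero exit code as failure and stop before the reboot in step 9.
if ($LASTEXITCODE -ne 0) {
    throw "ntdsutil exited with code $LASTEXITCODE; do not restart until the cause is fixed."
}
Write-Host "Done. Restart the domain controller normally so the restored subtree replicates outward."
```

Only the named subtree is marked authoritative; everything else on the DC is brought up to date from its replication partners after the restart, as described in the overview above.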
How to Recover the Active Directory Database
To recover the database, follow these steps:
1. Click Start, click Run, type ntdsutil in the Open box, and then press ENTER.
2. At the Ntdsutil command prompt, type files, and then press ENTER.
3. At the file maintenance command prompt, type recover, and then press ENTER.
4. Type quit, and then press ENTER.
5. Restart the computer.
NOTE: You can also use Esentutl.exe to perform database recovery when the procedure described earlier in this article fails (for example, the procedure may fail when the database is inconsistent). To use Esentutl.exe to perform database recovery, follow these steps:
1. Click Start, click Run, type cmd in the Open box, and then press ENTER.
2. Type esentutl /r path\ntds.dit, and then press ENTER, where path is the current location of the Ntds.dit file.
3. Delete the database log files (.log) from the WINDOWS\Ntds folder.
4. Restart the computer.
NTDSUTIL.EXE is a command-line tool that is used to manage Active Directory. This utility is used to perform the following tasks:
Performing database maintenance of Active Directory.
Managing and controlling operations master roles.
Removing metadata left behind by domain controllers.
To perform offline defragmentation of the Active Directory database:
1. Back up Active Directory. Windows 2000 Backup natively supports backing up Active Directory while online. This occurs automatically when you select the option to back up everything on the computer in the Backup Wizard, or independently by selecting to back up the "System State" in the wizard.
2. Reboot the domain controller, select the appropriate installation from the boot menu, and press F8 to display the Windows 2000 Advanced Options menu. Choose Directory Services Restore Mode and press ENTER. Press ENTER again to start the boot process.
3. Click Start, point to Programs, point to Accessories, and then click Command Prompt. At the command prompt, type ntdsutil, and then press ENTER.
4. Type files, and then press ENTER.
5. Type info, and then press ENTER. This displays current information about the path and size of the Active Directory database and its log files. Note the path.
6. Establish a location that has enough drive space for the compacted database to be stored.
7. Type compact to drive:\directory, and then press ENTER, where drive:\directory is the path to the location you established in the previous step, for example:
compact to "c:\new folder"
8. A new database named Ntds.dit is created in the path you specified.
9. Type quit, and then press ENTER. Type quit again to return to the command prompt.
10. If defragmentation succeeds without errors, follow the Ntdsutil.exe on-screen instructions. Delete all the log files in the log directory by typing the following command:
del drive:\pathToLogFiles\*.log
Copy the new Ntds.dit file over the old Ntds.dit file in the current Active Directory database path that you noted in step 6.
Note You do not have to delete the Edb.chk file.
11. Restart the computer normally.
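This PowerShell script is an added example, not part of the original notes, that performs steps 3 to 10 of the offline defragmentation with the checks an administrator would want before overwriting the live database: a free-space check for the compaction target (step 6) and a backup copy of the old Ntds.dit before the swap (not in the notes, added here as a safeguard). It assumes the DC is in Directory Services Restore Mode (step 2), that PowerShell is installed, and the default Windows Server 2003 NTDS paths; the parameter names and the C:\NtdsCompact folder are hypothetical.

```powershell
# Added example: offline compaction of ntds.dit with pre-flight checks.
# Assumes DSRM is active (the directory service is not running).
param(
    [string] $Target = "C:\NtdsCompact",                  # step 6: destination folder (hypothetical)
    [string] $DbPath = "$env:SystemRoot\NTDS\ntds.dit",   # current database (path shown by "info")
    [string] $LogDir = "$env:SystemRoot\NTDS"             # log directory (same folder by default)
)
$ntdsutil = "$env:SystemRoot\system32\ntdsutil.exe"

# Step 5: show the current path and size information before touching anything.
& $ntdsutil files info quit quit

# Step 6: the compacted copy needs roughly as much free space as the current
# file; refuse to continue if the target drive is short.
if (-not (Test-Path $Target)) { New-Item -ItemType Directory -Path $Target | Out-Null }
$dbSize = (Get-Item $DbPath).Length
$drive  = (Get-Item $Target).PSDrive.Name
$free   = (Get-WmiObject Win32_LogicalDisk -Filter "DeviceID='${drive}:'").FreeSpace
if ($free -lt $dbSize) { throw "Only $free bytes free on ${drive}:, need at least $dbSize" }

# Step 7: compact. Each argument is one ntdsutil menu command, so the
# "compact to" command is passed as a single string.
& $ntdsutil files "compact to $Target" quit quit

# Step 8: the new database is written as ntds.dit in the target folder.
$newDb = Join-Path $Target 'ntds.dit'
if ($LASTEXITCODE -ne 0 -or -not (Test-Path $newDb)) {
    throw "Compaction failed; the original database at $DbPath is untouched."
}

# Step 10: keep a copy of the old file so the swap can be reversed, then
# replace it with the compacted one and delete the stale log files.
Copy-Item $DbPath "$DbPath.bak"
Copy-Item $newDb $DbPath -Force
Remove-Item (Join-Path $LogDir '*.log')
Write-Host "Compacted database installed; restart the domain controller normally (step 11)."
```

Run it only after completing step 1 (a System State backup); if ntdsutil prints additional on-screen instructions after the compaction, follow them before performing the file swap.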