Recipe 15.7. Restoring Active Directory

Problem

You want to perform a nonauthoritative or authoritative restore of a domain controller. A nonauthoritative restore can be useful if you want to quickly restore a domain controller that failed due to a hardware problem. An authoritative restore is needed if data was deleted from Active Directory that you want to bring back.

Solution

To restore a domain controller without restoring any objects (i.e., nonauthoritative restore), do the following:

  1. First, boot the domain controller into Directory Services Restore Mode.

  2. Open the NT Backup utility: go to Start → All Programs → Accessories → System Tools → Backup (Start → Programs → Accessories → System Tools → Backup on Windows 2000), or run ntbackup.exe from a command prompt. If the Backup or Restore Wizard opens, click the Advanced Mode link.

  3. Under the Welcome tab, click the Restore Wizard button and click Next.

  4. Check the box beside System State and any other drives you want to restore and click Next.

  5. Click the Advanced button.

  6. Select Original location for Restore files to.

  7. For the How to Restore option, select Replace existing files and click Next.

  8. For the Advanced Restore Options, be sure that the following are checked: Restore Security Settings, Restore junction points, and Preserve existing mount volume points. Then click Next.

  9. Click Finish.

  10. Restart the computer.

When the system starts up, any changes that have occurred in the domain since the backup was taken will be replicated to it.

If you want to restore a single object (i.e., authoritative restore), run the following command after the restore completes but before you restart (step 10), while the domain controller is still in Directory Services Restore Mode. The two trailing q commands leave the authoritative restore prompt and then exit ntdsutil:

> ntdsutil "auth restore" "restore object <ObjectDN>" q q

Here is an example:

> ntdsutil "auth restore" "restore object cn=jsmith,ou=Sales,dc=rallencorp,dc=com" q q

To restore an entire subtree (again, an authoritative restore) run the following:

> ntdsutil "auth restore" "restore subtree ou=Sales,dc=rallencorp,dc=com" q q

Note the only difference is that I specified subtree instead of object and I included the distinguished name (DN) of an organizational unit (OU) instead of a user account. If a DN contains spaces, enclose it in double quotes (this is easiest to type at the interactive ntdsutil prompt). Restart the computer after you are done. Marking the object or subtree authoritative causes it to replicate out to all domain controllers, overriding the deletion; any other changes that have taken place in the domain since the backup replicate in to this server as usual.

There are some issues related to restoring user, group, computer, and trust objects that you should be aware of. See MS KB 216243 and MS KB 280079 for more information. On Windows Server 2003 SP1 and later, ntdsutil also writes the back-links of the restored objects (for example, group memberships) to an ar_*.ldf file in the current directory; import it with ldifde after the reboot so that membership is consistent across domain controllers.


If you want to restore all of the objects in an Active Directory domain (i.e., a complete authoritative restore), do the following before step 10:

Run the following command to restore the entire database:

> ntdsutil "auth restore" "restore database" q q

Then restart the computer.
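The ntdsutil commands above, wrapped in a script so that the scope, the DN and the optional version increment are checked before anything is marked authoritative. This is an added example, not code from the Cookbook; it assumes you run it in Directory Services Restore Mode on the restored domain controller, after the system state restore and before the reboot. The parameter names (Scope, DistinguishedName, VersionIncrement) are mine; the verinc option and the ar_*.ldf back-link files it looks for are ntdsutil's own (the back-link files exist from Windows Server 2003 SP1 on), and the "Successfully updated" check on the output is an assumption about ntdsutil's wording.

```powershell
# Added example (not from the Cookbook): run the ntdsutil authoritative-restore
# commands non-interactively from DSRM, after the system state restore and
# BEFORE rebooting. Assumes an elevated session as the DSRM administrator.
param(
    [Parameter(Mandatory)]
    [ValidateSet('object', 'subtree', 'database')]
    [string]$Scope,

    # DN of the object or OU to mark authoritative; ignored for 'database'.
    [string]$DistinguishedName,

    # Optional "verinc" value. ntdsutil's default is 100000 per day elapsed
    # since the backup; raise it only if that would not win the conflict.
    [int]$VersionIncrement,

    # Print the ntdsutil command line without running it.
    [switch]$WhatIf
)

# Sanity check: a DN must be at least "rdn=value,rdn=value" (escaped commas
# are not handled; quote such DNs at the interactive ntdsutil prompt instead).
if ($Scope -ne 'database' -and
    $DistinguishedName -notmatch '^\s*\w+=[^,]+(,\w+=[^,]+)+\s*$') {
    throw "'$DistinguishedName' does not look like a distinguished name"
}
if ($DistinguishedName -match '\s') {
    throw 'DNs containing spaces need nested quoting; run ntdsutil interactively for those'
}

# Build the "restore ..." command exactly as typed at the authoritative restore prompt.
$restore = switch ($Scope) {
    'object'   { "restore object $DistinguishedName" }
    'subtree'  { "restore subtree $DistinguishedName" }
    'database' { 'restore database' }
}
if ($VersionIncrement) { $restore += " verinc $VersionIncrement" }

# ntdsutil takes each prompt command as a separate argument; the two trailing
# "q" leave the authoritative restore prompt and then exit ntdsutil.
$ntdsArgs = @('authoritative restore', $restore, 'q', 'q')

$cmdLine = 'ntdsutil ' + (($ntdsArgs | ForEach-Object { '"{0}"' -f $_ }) -join ' ')
Write-Host "Command: $cmdLine"
if ($WhatIf) { return }

$out = & ntdsutil.exe @ntdsArgs 2>&1
$out | Write-Host

# Assumption: ntdsutil reports "Successfully updated N records." on success.
if (-not ($out -match 'Successfully updated')) {
    Write-Warning 'ntdsutil did not report "Successfully updated"; read its output before rebooting.'
}

# Windows Server 2003 SP1+ writes the restored objects' back-links (group
# memberships etc.) to ar_*.ldf; import each after the reboot with
#   ldifde -i -k -f <file>
Get-ChildItem -Filter 'ar_*_links_*.ldf' -ErrorAction SilentlyContinue |
    ForEach-Object { Write-Host "Back-link LDIF to import after reboot: $($_.FullName)" }
```

Usage from DSRM, matching the examples above: `.\Restore-ADAuthoritative.ps1 -Scope subtree -DistinguishedName ou=Sales,dc=rallencorp,dc=com -WhatIf` prints the command line; drop -WhatIf to run it, then reboot the domain controller normally.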

Discussion

If you encounter a failed domain controller that you cannot bring back up (e.g., multiple hard disks fail), you have two options for restoring it. One option is to remove the domain controller completely from Active Directory (as outlined in Recipe 15.3) and then repromote it back in. This is known as the restore from replication method, because you are essentially bringing up a brand new domain controller and will let replication restore all the data on the server. On Windows Server 2003 domain controllers, you can also use the install from media option described in Recipe 15.2 to expedite this process.

The other option, nonauthoritative restore, is described in the first part of the Solution section; you can restore the domain controller from a good backup. This method involves booting into Directory Services Restore Mode, restoring the system state and any necessary system drives, and then rebooting. As long as the domain controller comes up clean, it should start participating in Active Directory replication once again and sync any changes that have occurred since the last backup.

In some cases, you may not want to restore an entire domain controller, but only certain objects in Active Directory. If an administrator or user accidentally deletes an important object or entire subtree from Active Directory, you can restore that particular object or set of objects. Fortunately, the process isn't very painful. The key is having a good backup that contains the objects you want to restore. If you don't have a backup that has the objects in it, you are out of luck.

Well, that is not completely true with Windows Server 2003, since you can reanimate deleted objects (tombstones) without a restore, but that is beyond the scope of this recipe.


To restore one or more objects, you need to follow the same steps as performing a nonauthoritative restore. The only difference is that after you do the restore, you need to use the ntdsutil command to mark the objects in question as authoritative on the restored domain controller. After you reboot the domain controller, it will replicate in any objects that have been added or modified since the last backup, except for the objects or subtrees that were marked as authoritative. For those objects, ntdsutil increments the version number of every attribute (by default 100,000 for each day that has elapsed since the backup) so that they win replication conflicts and replicate out to the other domain controllers.

You can also use ntdsutil without first doing a restore in situations where an object has been deleted accidentally, but the change has not yet replicated to all domain controllers. The trick here is that you need to find a domain controller that has not had the deletion replicated yet and either stop it from replicating or make the object authoritative before it receives the replication update.
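One way to find such a domain controller, as an added example that is not from the Cookbook: the script below asks every DC in the current domain, over LDAP, whether it still holds the deleted object's DN, and prints (or, with a switch, runs) the repadmin command that blocks inbound replication on a DC that still has it, so the deletion cannot reach it before you boot that DC into DSRM and mark the object authoritative. It assumes Domain Admin rights, repadmin from the Support Tools installed, and that the authoritative restore on that DC is done afterwards; the parameter and variable names are mine.

```powershell
# Added example (not from the Cookbook): locate DCs that have not yet received
# a deletion and optionally stop their inbound replication with repadmin.
param(
    [Parameter(Mandatory)][string]$DistinguishedName,
    [switch]$DisableInboundReplication   # run repadmin instead of only printing it
)

Add-Type -AssemblyName System.DirectoryServices

$domain    = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$survivors = @()

foreach ($dc in $domain.DomainControllers) {
    # Bind to this specific DC so the answer reflects its own replica.
    $path = "LDAP://$($dc.Name)/$DistinguishedName"
    try {
        # Exists returns $false once the object has become a tombstone on that DC,
        # because tombstones live under the Deleted Objects container with a new DN.
        $exists = [System.DirectoryServices.DirectoryEntry]::Exists($path)
    } catch {
        Write-Warning "$($dc.Name): query failed ($($_.Exception.Message))"
        continue
    }
    '{0,-30} {1}' -f $dc.Name, $(if ($exists) { 'still has object' } else { 'deletion replicated' })
    if ($exists) { $survivors += $dc.Name }
}

if (-not $survivors) {
    Write-Warning 'The deletion has reached every DC; restore from backup instead (or reanimate the tombstone on Windows Server 2003).'
    return
}

foreach ($name in $survivors) {
    # +DISABLE_INBOUND_REPL keeps the deletion out of this DC. Clear it with
    # -DISABLE_INBOUND_REPL once the authoritative restore has replicated out.
    if ($DisableInboundReplication) {
        & repadmin /options $name +DISABLE_INBOUND_REPL
    } else {
        "Run: repadmin /options $name +DISABLE_INBOUND_REPL"
    }
}
```

Run it as soon as the deletion is noticed; once the object is gone from every DC, the first part of the Solution (restore from backup, then ntdsutil) is the only path short of tombstone reanimation.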

The last restore method I describe is a complete authoritative restore. In a production environment, you should never have to perform this type of restore. It is a drastic measure and you will inevitably lose data as a result. Before you even attempt such a restore, you may want to contact Microsoft Support to make sure all options have been exhausted. That said, you should test the authoritative restore process in a lab environment, and make sure you have the steps properly documented in case you ever need to use it. Microsoft created a really good whitepaper on performing forest recoveries called Best Practices: Active Directory Forest Recovery, which you can download from http://download.microsoft.com.

For a detailed discussion of the advantages and disadvantages of each option, see Chapter 13 in Active Directory (O'Reilly).

See Also

MS KB 216243 (Authoritative Restore of Active Directory and Impact on Trusts and Computer Accounts), MS KB 240363 (HOW TO: Use the Backup Program to Back Up and Restore the System State in Windows 2000), MS KB 241594 (HOW TO: Perform an Authoritative Restore to a Domain Controller in Windows 2000), and MS KB 280079 (Authoritative Restore of Groups Can Result in Inconsistent Membership Information Across Domain Controllers)



Windows Server Cookbook
Windows Server Cookbook for Windows Server 2003 and Windows 2000
ISBN: 0596006330
Year: 2006
Pages: 380
Authors: Robbie Allen