Disaster Recovery

Lesson 6: Restore Active Directory
Objective: Restore a damaged Active Directory database and perform an authoritative restore.

Restore Active Directory

Backing up and restoring Active Directory is one of the most important functions you as a System Administrator will need to perform. The Active Directory for your organization can easily contain tens of thousands to millions of objects. You do not want to have to re-enter this information manually. You must make it a priority to back up Active Directory on a regular basis, and know how to restore it should the need arise.
You can restore Active Directory during the process of replacing a failed domain controller. You can also restore it to repair a damaged Active Directory database or to recover one or more objects that were accidentally deleted from Active Directory.

Restoring Active Directory on a failed domain controller

If a domain controller fails completely, you must first restart the computer and make sure Windows 2000 is running. Then you use the Backup utility to restore the latest version of the System State data, which includes Active Directory.
After you have restored Active Directory, Windows 2000 automatically:
  1. Performs a consistency check on and re-indexes the Active Directory database
  2. Updates Active Directory and File Replication Service with data from their replication partners
Restoring the System State from Backup

Restoring a damaged Active Directory database

If the operating system on a domain controller is functioning normally, but the Active Directory database is damaged, you must restart the computer, select the Directory Services Restore Mode advanced startup option, and then use the Backup utility to restore the latest System State data.
After you have restored the Active Directory database, restart the computer. Windows 2000 will re-index the Active Directory database and update Active Directory and the File Replication Service from their replication partners.

Performing an authoritative restore

Restoring deleted objects in a distributed environment presents a challenge. If you restore the most recent copy of the Active Directory database that contains the deleted objects, those objects will be deleted when replication occurs because the objects are marked for deletion in the replicas (replica is just another word for copy) of the database.
To prevent this from occurring, you perform an authoritative restore. When you restore an object authoritatively, it persists after replication even though it is marked for deletion in the replicas of the database.

Authoritative restore

In the Backup utility, distributed services such as Active Directory are contained in a collection known as the System State data. When you back up the System State data on a domain controller, you are backing up all Active Directory data that exists on that server (along with other system components such as the Sysvol directory and the registry). In order to restore these distributed services to that server, you must restore the System State data. However, if you have more than one domain controller in your organization and your Active Directory is replicated to any of these other servers, you will need to perform what is called an authoritative restore in order to ensure that your restored data gets replicated to all of your servers. During a normal restore operation, the Backup utility operates in nonauthoritative restore mode. That is, any data that you restore, including Active Directory objects, will have their original update sequence number (USN). The Active Directory replication system uses this number to detect and propagate Active Directory changes among the servers in your organization. Because of this, any data that is restored nonauthoritatively will appear to the Active Directory replication system as though it is "old," which means the data will never be replicated to your other servers. Instead, the Active Directory replication system will actually update the restored data with newer data from your other servers. Authoritative restore solves this problem.
To authoritatively restore Active Directory data, you need to run the Ntdsutil utility after you have restored the System State data but before you restart the server. The Ntdsutil utility lets you mark Active Directory objects for authoritative restore. When an object is marked for authoritative restore, its update sequence number is changed so that it is higher than any other update sequence number in the Active Directory replication system. This will ensure that any replicated or distributed data that you restore is properly replicated or distributed throughout your organization.

The following simulation walks you through an authoritative restore procedure.

Performing an authoritative restore

  1. To perform an authoritative restore, you must first select the Directory Services Restore Mode (Windows 2000 domain controller only) option in the Windows 2000 Advanced Options menu. In the actual environment, you would press Enter to move to the next screen. In this simulation, press anywhere to continue the process.
  2. You are returned to the boot menu. Note the additional information on the bottom of the screen. Microsoft Windows 2000 Advanced Server has been selected for you. In the actual environment, you would press Enter to move to the next screen. Press anywhere to continue the process.
  3. As the system boots, it informs you that it is entering an authoritative restore. Click Next to move to the next screen.
  4. In the actual environment, you would press Ctrl-Alt-Delete to log on. Click Next to move to the next screen.
  5. The Password dialog box appears. Type password in the Password field. The characters will appear as asterisks. Click OK when you are finished.
  6. After logging on, you will receive a message informing you that you are in safe mode. Click OK to continue the logon process.
  7. We have opened the Command Prompt for you. At the Command Prompt, type ntdsutil and press Enter.
  8. At the ntdsutil command prompt, type authoritative restore. Then press Enter.
  9. At the authoritative restore Command Prompt, type Restore database and press Enter.
  10. After pressing Enter, a confirmation dialog box appears. Click Yes to begin the authoritative restore.
  11. After the restore process completes, you will see some statistics printed to the screen. Type quit to exit the ntdsutil utility.
  12. This completes the simulation. Click the Exit button.
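The following Python model is an added illustration written for this lesson; it is not Microsoft code and not the simulator described above. It follows the lesson's own description of replication: every object carries an update sequence number (USN), replication propagates the copy with the highest USN, and marking objects with ntdsutil's authoritative restore gives them USNs above every USN in the replication system. It shows why a plain restore of a deleted user is undone by the next replication cycle, why the authoritatively restored copy survives, and what the `restore database` command used in step 9 does to a legitimate change made after the backup, compared with ntdsutil's `restore subtree` command (not covered in the lesson). The domain controllers, distinguished names and USN values are constructed, and real Active Directory conflict resolution uses per-attribute version numbers and timestamps rather than raw USNs, so this is a deliberately simplified model.

```python
import copy
from dataclasses import dataclass


@dataclass
class Entry:
    dn: str
    usn: int
    description: str = ""
    deleted: bool = False   # True = tombstone: the object is marked for deletion


class Forest:
    """Hands out USNs; highest_usn is the highest USN in the replication system."""
    def __init__(self):
        self.highest_usn = 0

    def next_usn(self):
        self.highest_usn += 1
        return self.highest_usn


class DomainController:
    def __init__(self, name, forest):
        self.name = name
        self.forest = forest
        self.db = {}            # DN -> Entry

    def create(self, dn, description=""):
        self.db[dn] = Entry(dn, self.forest.next_usn(), description)

    def modify(self, dn, description):
        e = self.db[dn]
        e.description = description
        e.usn = self.forest.next_usn()

    def delete(self, dn):
        e = self.db[dn]
        e.deleted = True
        e.usn = self.forest.next_usn()

    def backup_system_state(self):
        return copy.deepcopy(self.db)

    def restore_system_state(self, backup):
        # Nonauthoritative restore (the Backup utility's default): objects come
        # back with the USNs they had when the backup was taken.
        self.db = copy.deepcopy(backup)

    def mark_authoritative(self, subtree_dn=None):
        # ntdsutil 'authoritative restore': 'restore database' (subtree_dn=None)
        # marks every object; 'restore subtree <DN>' marks only that DN and the
        # objects beneath it. Each marked object gets a USN above every USN
        # currently in the replication system.
        for e in self.db.values():
            in_scope = (subtree_dn is None or e.dn == subtree_dn
                        or e.dn.endswith("," + subtree_dn))
            if in_scope:
                e.usn = self.forest.next_usn()


def replicate(a, b):
    """Two-way replication: for each DN the copy with the higher USN wins."""
    for dn in set(a.db) | set(b.db):
        ea, eb = a.db.get(dn), b.db.get(dn)
        if ea is None or (eb is not None and eb.usn > ea.usn):
            a.db[dn] = copy.deepcopy(eb)
        elif eb is None or ea.usn > eb.usn:
            b.db[dn] = copy.deepcopy(ea)


def is_alive(dc, dn):
    e = dc.db.get(dn)
    return e is not None and not e.deleted


def run_scenario(mode):
    """mode: 'nonauthoritative', 'subtree' (restore subtree OU=Sales,...) or
    'database' (restore database). Returns whether the accidentally deleted
    user is back on both DCs and whether a legitimate change made on DC2
    after the backup survives. All names and values are constructed."""
    forest = Forest()
    dc1, dc2 = DomainController("DC1", forest), DomainController("DC2", forest)
    ou = "OU=Sales,DC=example,DC=com"
    user = "CN=Alice,OU=Sales,DC=example,DC=com"
    other = "CN=Server01,OU=Servers,DC=example,DC=com"
    dc1.create(ou)
    dc1.create(user)
    dc1.create(other, "old description")
    replicate(dc1, dc2)
    backup = dc1.backup_system_state()           # taken while everything is intact

    dc2.delete(user)                              # accidental deletion on DC2 ...
    dc2.modify(other, "new description")          # ... plus a change that must survive
    replicate(dc1, dc2)                           # tombstone and change reach DC1

    dc1.restore_system_state(backup)              # restore in Directory Services Restore Mode
    if mode == "subtree":
        dc1.mark_authoritative(ou)
    elif mode == "database":
        dc1.mark_authoritative(None)
    replicate(dc1, dc2)                           # DC1 restarted; replication resumes

    return {
        "user_restored": is_alive(dc1, user) and is_alive(dc2, user),
        "later_change_kept": dc1.db[other].description == "new description"
                             and dc2.db[other].description == "new description",
    }


if __name__ == "__main__":
    for mode in ("nonauthoritative", "subtree", "database"):
        print(mode, run_scenario(mode))
```

In the nonauthoritative run the restored user still carries its old USN, so the partner's tombstone wins and the user stays deleted. Marking the OU subtree brings the user back and leaves the unrelated change on DC2 intact, whereas marking the whole database also brings the user back but rolls the Server01 description back to its backed-up value on every domain controller. Prefer the narrowest authoritative restore that covers the lost objects, and take a fresh System State backup once replication has settled.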

View the results of an Authoritative Restore

You can view the results of the authoritative restore by opening the Active Directory Users and Computers applet and checking for the restoration of the lost objects. Remember that you must log on with the appropriate permission, usually administrative permissions, to work with the Active Directory Users and Computers applet.
The next lesson wraps up this module.