Learn about Windows 2000 Server's Active Directory authoritative restore

Restoring, not simply backing up, Active Directory in Windows 2000 Server can be a bit complicated -- but it doesn't have to be. Learn about AD authoritative restore and be prepared.

Restoring Active Directory (AD) can be a bit more complicated in some cases than backing it up. The reason is the multi-master nature of AD replication. Every domain controller (DC) in a Windows 2000 Server domain holds a writable copy of the directory database. When you make a change on one DC, that change is replicated to every other DC through its replication partners.

Let's say you delete an Organizational Unit (OU) full of users, and you notice only after the deletion has replicated to all other DCs. At first you might think that restoring from your backup would repair the damage, but by itself it won't. If you restore a backup and bring the OU back on one DC, the OU will be deleted again at the next replication cycle. This is because the other DCs "remember" that the last operation performed on the OU was a deletion (they keep the deleted object as a tombstone, carrying a higher version number than the copy in your backup), and because your backup copy of the database is unaware of that deletion, the other DCs will replicate the deletion back to the restored DC and remove the OU again.

The mechanism that lets you tell the other DCs, "I want to bring that OU back no matter what information you have," is called authoritative restore. It raises the version numbers on the restored objects so high that, during replication, every other DC accepts your restored copy as the newest information about the OU. One caveat applies to either kind of restore: the backup must be younger than the tombstone lifetime (60 days by default in Windows 2000), because once the other DCs have purged their tombstones a restored copy can no longer be reconciled with them.
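The following toy model, added for this article and not code from Microsoft or from the original column, shows why the plain restore loses and the authoritative restore wins. It keeps the per-attribute replication metadata AD uses for conflict resolution (version, originating time, originating DC) on a single attribute, isDeleted, and replays the scenario above: the OU is created and backed up on day 1, deleted by mistake on day 2, and restored on day 3 either with or without the authoritative version bump. The DN, the DC names and the day numbers are constructed sample data, and a full DC-to-DC sync is modelled as one step.

```python
"""Toy model of AD's per-attribute conflict resolution, showing why a plain
restore of a deleted OU loses and an authoritative restore wins.
Added example, not Microsoft code; the replication rules are simplified
(one attribute per object, whole-DC sync in one step)."""
from dataclasses import dataclass

# ntdsutil's default: it raises the version of every restored attribute by
# 100,000 for each day that has elapsed since the backup was taken.
VERSION_INCREMENT_PER_DAY = 100_000


@dataclass(frozen=True)
class Stamp:
    """Replication metadata AD keeps per attribute (simplified)."""
    version: int     # incremented on every originating write
    day: int         # originating write time, here a day number
    dsa: str         # originating DC (stands in for the invocation ID)

    def beats(self, other: "Stamp") -> bool:
        """AD's ordering: higher version wins, then later time, then the
        higher originating DSA id breaks the tie."""
        return (self.version, self.day, self.dsa) > (other.version, other.day, other.dsa)


class DC:
    """A domain controller holding one replicated attribute per DN: isDeleted."""

    def __init__(self, name: str):
        self.name = name
        self.objects: dict[str, tuple[bool, Stamp]] = {}

    def write(self, dn: str, deleted: bool, day: int) -> None:
        """An originating write on this DC; a delete just flips isDeleted
        (the object lives on as a tombstone with a higher version)."""
        old = self.objects.get(dn)
        version = old[1].version + 1 if old else 1
        self.objects[dn] = (deleted, Stamp(version, day, self.name))

    def replicate_from(self, partner: "DC") -> None:
        """Inbound replication: take the partner's value only if its stamp wins."""
        for dn, (deleted, stamp) in partner.objects.items():
            local = self.objects.get(dn)
            if local is None or stamp.beats(local[1]):
                self.objects[dn] = (deleted, stamp)

    def snapshot(self) -> dict:
        return dict(self.objects)            # System State backup (stamps are immutable)

    def restore(self, backup: dict) -> None:
        self.objects = dict(backup)          # non-authoritative: old stamps come back as-is

    def mark_authoritative(self, dn: str, backup_day: int, restore_day: int) -> None:
        """What 'restore subtree' does: bump the version far above anything the
        other DCs can hold, so the restored value wins every conflict."""
        deleted, stamp = self.objects[dn]
        bump = VERSION_INCREMENT_PER_DAY * max(restore_day - backup_day, 1)
        self.objects[dn] = (deleted, Stamp(stamp.version + bump, restore_day, self.name))

    def is_deleted(self, dn: str) -> bool:
        return self.objects[dn][0]

    def version(self, dn: str) -> int:
        return self.objects[dn][1].version


def scenario(authoritative: bool) -> dict:
    """Day 1: OU created and backed up. Day 2: OU deleted by mistake and the
    deletion replicates. Day 3: DC1 restores the day-1 backup, optionally
    marks the OU authoritative, then replicates in both directions."""
    ou = "OU=TestOU,DC=domain,DC=com"      # constructed sample DN
    dc1, dc2 = DC("dc1"), DC("dc2")
    dc1.write(ou, deleted=False, day=1)
    dc2.replicate_from(dc1)
    backup = dc1.snapshot()
    dc1.write(ou, deleted=True, day=2)      # the accidental deletion
    dc2.replicate_from(dc1)                 # ...and it has already replicated
    dc1.restore(backup)
    if authoritative:
        dc1.mark_authoritative(ou, backup_day=1, restore_day=3)
    dc1.replicate_from(dc2)
    dc2.replicate_from(dc1)
    return {"dc1_deleted": dc1.is_deleted(ou),
            "dc2_deleted": dc2.is_deleted(ou),
            "version": dc1.version(ou)}


if __name__ == "__main__":
    print("plain restore:        ", scenario(authoritative=False))
    print("authoritative restore:", scenario(authoritative=True))
```

Without the bump, the restored stamp (version 1) loses to the tombstone (version 2) and the OU is deleted on both DCs again; with the bump, the restored stamp carries version 200,001 and the OU comes back on both.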

To actually perform an authoritative restore, you need the Backup utility and a special tool called ntdsutil.exe. You will use ntdsutil to mark the restored objects as authoritative. The first part of the restore is the same as a normal, non-authoritative restore.

You have to reboot your DC into Directory Services Restore Mode (press F8 during startup and log on with the Directory Services Restore Mode administrator password you set when you ran dcpromo), then use Backup to restore the System State data as you normally would for a non-authoritative restore. When Backup offers to restart the computer, decline: ntdsutil must run while the DC is still in Directory Services Restore Mode, before the restored database can be overwritten by replication. The second part of the process is to run ntdsutil.exe, the tool that actually makes the restore authoritative. To do this, follow these steps:

  1. Run ntdsutil.exe.
  2. At the ntdsutil prompt, type authoritative restore.
  3. Type restore subtree DN_of_the_object, where "DN_of_the_object" represents the distinguished name (DN), or path, of the object you want to restore, and confirm when ntdsutil asks whether you are sure. For example, to restore a deleted OU named "TestOU" that was in a domain called "domain.com," you'd type restore subtree OU=TestOU,DC=domain,DC=com (enclose the DN in double quotes if any part of it contains a space).
  4. Type quit and press [Enter] twice: once to leave the authoritative restore menu and once to exit ntdsutil. Then restart the domain controller normally.

After you restart the domain controller normally, Windows 2000 Server performs a consistency check and re-indexes the AD database before bringing the directory back online; the restored OU then replicates out to the other DCs instead of being deleted by them.
