IT Employment

General discussion


reverting active directory ....

By tyya44 ·
hi guys this discussion is about reverting active directory to the version that was backed up the previous day.and one of the solution is runing Ntdsutil utility.what is this utility.thanx

This conversation is currently closed to new comments.

Thread display: Collapse - | Expand +

All Comments

Collapse -

Swiss Army Knife

by timwalsh In reply to reverting active director ...

I would consider ntdsutil (NT Directory Services Utility) as sort of a swiss army knife for fixing Active Directory. Actually it is indespensible when trying to fix AD.

Ntdsutil is a command line tool that usually must be run from Directory Services Restore mode.

While you would think that simply restoring the system state would allow you to revert to a previous version of AD, unless you are operating in a single-forest, single-domain, single-DC environment, this won't be the case.

Whenever ANY change is made to AD, the AD database gets a new version number (actually every AD object gets a "version number"). Whenever AD is replicated with other DCs within a domain (or within a forest), the entire AD database is not replicated, only those objects that have newer version numbers.

When you restore the system state to a previous version, all AD objects will have the version number they had at the time the system state was backed up. The next time replication occurs between DCs (approx. every 30 minutes within a site), the other DCs will see that they have newer version numbers of AD objects than the DC you just restored. They will automatically replicate thier versions of the AD objects to your just-restored DC and effectively "un-revert" it.

To prevent this from happening, you must do what is called an authoritative restore.
1. Restore System State from backup.
2. Reboot into DS Restore mode.
3. Run ntdsutil using the authoritative restore mode.

Authoritative restore essentially gives the AD objects you just restored a version number later than any other DCs have (it actually sets a flag). The next time replication takes place , other DCs will see that an authoritative restore has taken place and replicate objects FROM your just-restored DC.

Hope this helps.

Related Discussions

Related Forums