In
the same way that System State components can be backed up only as a
single logical group, individual components of the System State cannot
be restored individually. As such, an administrator cannot choose to
restore Active Directory without also restoring the registry, COM+
Class Registration database, system boot files, and so forth.
Different methods can be used to restore Active Directory on a domain controller. These include:
Each
of these methods is associated with a specific set of circumstances
surrounding the need to restore Active Directory System State data. The
following sections look at each restore method in more detail.
Normal Restore
During a normal restore operation (sometimes referred to as a nonauthoritative restore),
the data and distributed services on a domain controller are restored
from backup media, and then updated through normal replication. Each
restored directory partition is updated via normal domain controller
replication after you perform the restore process. For example, if the
last backup was performed a week ago, and the System State is restored
using a normal restore, any changes that were made after this backup
was created will be replicated from the other domain controllers. So,
if a restored backup in this situation includes a user object named Mark, and the Mark user object was deleted from Active Directory at some point after the backup was created, the Mark
user object will also be deleted on the restored domain controller via
the replication process. This occurs because the deletion of the Mark user object is considered more recent data in this case. If your specific goal was to restore the deleted Mark
user object, an authoritative restore would need to be performed. To
perform a normal restore of System State data, a domain controller must
be started in Directory Services Restore Mode.
The primary reasons for performing a normal restore of System State data on a domain controller include:
Restoring a single domain controller in an environment that includes multiple domain controllers
Attempting to restore Sysvol or File Replication service (FRS) data on domain controllers other than the first in a replica set
Authoritative Restore
Another method that can be used to restore System State data is known as an authoritative restore.
The main purpose of an authoritative restore is to undo or roll back
changes that have been made to Active Directory, or to reset data
stored in a distributed directory such as Sysvol. As you learned in the
previous section, when System State data is restored using the normal
restore method, the domain controller replication process will
overwrite any changes that have occurred since the restored backup was
taken. If your goal is to restore an object that was deleted or
changed, an authoritative restore allows you to mark restored objects
as being authoritative, thus disallowing the restored object to be
deleted or updated according to the information currently stored on
other domain controllers.
To
perform an authoritative restore of System State data, a domain
controller must be started in Directory Services Restore Mode. To
authoritatively restore Active Directory data, you must run the Ntdsutil.exe
utility after you have performed a normal restore of the System State
data, but before you restart the server. The Ntdsutil utility allows
you to mark Active Directory objects as authoritative. Marking objects
as authoritative ultimately changes the update sequence number of an
object, such that it is higher than any other update sequence number in
the Active Directory replication system. This ensures that any
replicated or distributed data that you have restored is properly
replicated or distributed throughout your organization according to
your intentions.
For example, suppose you back up the system on Monday, and then create a new user object named Ben Smith
on Tuesday. This object will be replicated to all other domain
controllers in the domain. On Wednesday, another user object named Nancy Anderson is accidentally deleted, a change which is replicated to other domain controllers as well. To authoritatively restore the Nancy Anderson
object, you can start a domain controller in Directory Services Restore
Mode and restore the backup created on Monday. Then, using Ntdsutil,
you can mark the Nancy Anderson object as authoritative. After restarting the server normally, the Nancy Anderson object will be restored and replicated, without any impact on the Ben Smith object.
The primary reasons for performing an authoritative restore of System State data on a domain controller include:
Primary Restore
A
primary restore is used to rebuild a domain from a backup when all
domain controllers (or the only domain controller) in a domain have
failed. If a domain is lost, the first domain controller should be
restored using a primary restore, and any subsequent domain controller
should be restored using a normal restore. Like the other restore
methods listed in this lesson, a server must be started in Directory
Services Restore Mode to perform a primary restore. The primary reasons
for performing a primary restore of System State data on a domain
controller include:
Restoring the only domain controller in an Active Directory environment
Restoring the first of several domain controllers
Restoring the first domain controller in a replica set
Tip
Know when to use a primary, normal, or authoritative restore for System State data. |
Preliminary Restore Tasks
In
a manner similar to the backup process, restoring System State data
involves performing preliminary tasks to ensure that your restore
device and media will function correctly. Common preliminary tasks
associated with restoring System State data include:
Ensuring
that the appropriate device for the storage medium containing the data
is attached to the computer on which the restore will be performed
Ensuring that the medium containing the data to be restored is loaded in the device
Note
You
can restore System State data only on a local computer when using the
Windows Server 2003 Backup Utility. This program does not support
restoring System State data to remote computers. |
Performing a Normal Restore
To
restore the System State data on a domain controller, you must first
start the server in Directory Services Restore Mode. This mode allows
you to restore the Sysvol folder and the Active Directory database
without causing conflicts with other domain controllers. Remember that
you can restore System State data only on a local computer when using
the Windows Server 2003 Backup Utility.
While
you cannot restore System State data to a remote computer, you can
restore System State data to an alternate location—in other words, a
destination folder of your choice. By restoring to an alternate
location, you preserve the file and folder structure of the backed-up
data, meaning that all folders and subfolders appear in the alternate
folder you specify.
Note
If
you restore System State data without designating an alternate
location, the Windows Server 2003 Backup Utility will erase existing
System State data and replace it with the data you are restoring. Also,
if you restore the System State data to an alternate location, only the
registry files, Sysvol folder files, Cluster database information files
(if applicable), and system boot files are restored to the alternate
location. The Active Directory database, Certificate Services database
(if applicable), and COM+ Class Registration database are not restored
if you designate an alternate location. |
To perform a normal restore of System State data on a domain controller, complete the following steps:
1. | Restart the computer.
|
2. | During the phase of startup where the operating system is normally selected, press F8.
|
3. | At the Windows Advanced Options Menu, select Directory Services Restore Mode (Windows domain controllers only) and press ENTER. This ensures that Active Directory on this domain controller is offline.
|
4. | At
the Please Select The Operating System To Start menu, select the
appropriate Microsoft Windows Server 2003 operating system and press ENTER.
|
5. | Log on using the local Administrator account.
Note When
you restart the computer in directory services restore mode, you must
log on as an Administrator by using the valid Security Accounts Manager
(SAM) account name and password, not
the Active Directory Administrator’s name and password. The password to
be used when logging on is the Directory Services Restore Mode password
that was supplied when the server was promoted to the role of a domain
controller using the Active Directory Installation Wizard. |
|
6. | In the Desktop message box that warns you that Windows is running in safe mode, click OK.
|
7. | Click Start, select All Programs, select Accessories, select System Tools, and then click Backup.
|
8. | At the Welcome To The Backup Or Restore Wizard page, click Next.
|
9. | At the Backup Or Restore page, select Restore Files And Settings. Click Next.
|
10. | At the What To Restore page shown in Figure 1,
expand the media type that contains the data that you want to restore
in the Items To Restore box or click Browse. The media can be either
tape or file. Expand the appropriate media set until the data that you
want to restore is visible. Select the data you want to restore, such
as System State, and then click Next.
|
11. | Ensure that the media containing the backup file is in the correct location.
|
12. | At the Completing The Backup Or Restore Wizard page, do one of the following:
Click
Finish to start the restore process. The Backup Or Restore Wizard
requests verification for the source of the restore data and then
performs the restore. During the restore, the Backup Or Restore Wizard
displays status information about the restore. Click
Advanced to specify advanced restore options. The advanced restore
options for a normal restore are discussed later in the section “Specifying Advanced Restore Settings for a Normal Restore.”
|
13. | In the Warning message box that warns you that restoring System State will always overwrite current System State, click OK.
|
14. | The
Restore Progress dialog box displays status information about the
restore process. As with the backup process, when the restore is
complete, you can choose to view the report of the restore. The report
contains information about the restore, such as the number of files
that have been restored and the duration of the restore process.
|
15. | Close the report when you have finished viewing it, and then click Close.
|
16. | When prompted to restart the computer, click Yes.
|
You’ve
probably noticed that Windows 2003 Server includes a new feature that
requires you to provide a reason each time you shut down or restart the
server. This feature is known as the Shutdown Event Tracker. If you are
working in a test environment, you might choose to disable this feature
to avoid the hassle of typing in a reason each time you restart. To
disable this feature, you can perform the following steps:
1. | Click Start, click Run, type gpedit.msc, and press ENTER.
| 2. | Expand
the Computer Configuration and Administrative Templates objects. Click
the System object. In the right-most pane, you’ll see several settings.
| 3. | Locate and double-click the Display Shutdown Event Tracker. The Display Shutdown Event Tracker Properties dialog box opens.
| 4. | Click the Disabled option to disable the Shutdown Event Tracker. Click OK. Close the Group Policy Editor console.
|
Now when you shut down this server, you won’t be asked to enter a reason. |
|
Specifying Advanced Restore Settings for a Normal Restore
The advanced settings in the Backup Or Restore Wizard vary depending on the type of backup media from which you are restoring.
To specify advanced restore settings for a normal System State restore, complete the following steps:
1. | At
the Where To Restore page, select the target location for the data that
you are restoring in the Restore Files To list. The choices in the list
are:
- Original location Replaces corrupted or lost data. This is the default option, and it must be selected to restore Active Directory.
- Alternate location Restores an earlier version of a file to a folder you designate.
- Single folder
Consolidates the files from a tree structure into a single folder. For
example, use this option if you want copies of specific files but do
not want to restore the hierarchical structure of the files.
Note If you select either the Alternate Location or Single Folder option, you must also provide a path to the location or folder. |
|
2. | Click Next.
|
3. | At the How To Restore page, select how you want to restore the System State data. The options include:
- Leave existing files (recommended) Prevents accidental overwriting of existing data. This is the default option.
- Replace existing files if they are older than the backup files Verifies that the most recent copy exists on the computer.
- Replace existing files
Ensures that the Backup Utility does not provide a confirmation message
if it encounters a duplicate file name during the restore operation.
|
4. | Click Next.
|
5. | At the Advanced Restore Options page, select whether or not to restore security or special system files. The options include:
- Restore security settings
Applies the original permissions to files that you are restoring to a
Windows NTFS volume. Security settings include access permissions,
audit entries, and ownership information. This option is available only
if you have backed up data from an NFTS volume and are restoring to an
NTFS volume.
- Restore junction points, but not the folders and file data they reference
Restores junction points on your hard disk, but not the data to which
the junction points refer. If you have any mounted drives and you want
to restore the data that mounted drives point to, you should not select this check box.
- Preserve existing volume mount points
Prevents the restore operation from writing over any volume mount
points on the destination volume. If you are restoring data to a
replacement drive, and you have partitioned and formatted the drive and
restored volume mount points, you should select this option so your
volume mount points are not restored. If you are restoring data to a
partition or drive that you have just reformatted, and you want to
restore the old volume mount points, you should not select this option.
- Restore the Cluster Registry to the quorum disk and all other nodes
Makes certain that the cluster quorum database is restored and
replicated on all nodes in a server cluster. If selected, the Backup Or
Restore Wizard will stop the Cluster service on all other nodes of the
server cluster after the node that was restored reboots.
- When restoring replicated data sets, mark the restored data as the primary data for all replicas Ensures
that restored File Replication service (FRS) data is replicated to your
other servers. If you are restoring FRS data, you should choose this
option. If you do not choose this option, the FRS data that you are
restoring might not be replicated to other servers because the restored
data will appear to be older than the data already on the servers. This
will cause the other servers to overwrite the restored data, preventing
you from restoring the FRS data.
|
6. | Click Next.
|
7. | On
the Completing The Backup Or Restore Wizard page, click Finish to start
the restore process. The Backup Or Restore Wizard requests verification
for the source of the restore data and then performs the restore.
During the restore, the Backup Or Restore Wizard displays status
information about the restore.
|
Performing an Authoritative Restore
An
authoritative restore occurs after a normal restore and is used to
designate that the entire directory, a distinct portion of the
directory, or individual objects should be marked as authoritative. An
authoritative restore is most commonly used to restore accidentally
deleted objects or roll back any unwanted changes to Active Directory
data.
To authoritatively restore a portion or all of Active Directory, complete the following steps:
1. | Perform a normal restore as described previously, but do not restart the server once complete.
|
2. | Click Start, and then click Command Prompt.
|
3. | At the command line, type ntdsutil and press ENTER.
|
4. | At the Ntdsutil prompt, type authoritative restore and press ENTER.
|
5. | At the authoritative restore prompt
To authoritatively restore the entire directory, type restore database and press ENTER. To authoritatively restore a portion or subtree of the directory, such as an OU, type restore subtree
subtree_distinguished_name and press ENTER. For example, to restore the Marketing OU in the contoso.com domain, the commands would be: ntdsutil authoritative restore restore subtree OU=Marketing,DC=Contoso,DC=Com
Similarly, to restore a user account named Mark stored in the Users container in the contoso.com domain, the commands would be: ntdsutil authoritative restore restore subtree CN=Mark, CN=Users,DC=Contoso,DC=Com
To authoritatively restore the entire directory and override the version increase, type restore database verinc version_increase and press ENTER. To authoritatively restore a subtree of the directory and override the version increase, type restore subtree subtree_distinguished_name verinc version_increase and press ENTER.
After the Restore Subtree command is issued with correct parameters,
the Authoritative Restore Confirmation Dialog window shown in Figure 2 will prompt you to confirm your decision.
The authoritative restore opens the Ntds.dit file, increases version
numbers, counts the records that need updating, verifies the number of
records updated, and reports completion. If a version number increase
is not specified, then one is automatically calculated.
|
6. | Type quit, and press ENTER twice to exit the Ntdsutil utility. Then close the Command Prompt window.
|
7. | Restart
the domain controller normally. When the restored domain controller is
online and connected to the network, normal replication brings the
restored domain controller up to date with any changes from other
domain controllers that were not overridden by the authoritative
restore. Replication also propagates the authoritatively restored
objects, such as any previously deleted objects, to other domain
controllers. Because the objects that are restored have the same object
globally unique identifier (GUID) and SID (if applicable), security
remains intact, and object dependencies are maintained. |