Active Directory Authoritative Restore
When Active Directory
has been modified and needs to be restored to a previous state, and
this rollback needs to be replicated to all domain controllers in the
domain and possibly the forest, an authoritative restore of Active
Directory is required. An authoritative restore of Active Directory can
include the entire Active Directory database, a single object, or a
container, such as an organizational unit including all objects
previously stored within the container. To perform an authoritative
restore of Active Directory, perform the System State restore of a
domain controller, but when you are finished, reboot as directed and
when the reboot completes follow these additional steps:
1. Open a command prompt on the domain controller that is running in DSRM and has just completed a System State recovery and a reboot.
2. In the Command Prompt window, type NTDSUTIL and press Enter.
3. Type Activate Instance NTDS and press Enter.
4. Type Authoritative Restore and press Enter.
5. To restore a single object, type Restore Object followed by the distinguished name of the previously deleted object. For example, to restore an object named Khalil Droubi in the Users container of the companyabc.com domain, type Restore Object "cn=Khalil Droubi,cn=users,dc=companyabc,dc=com".
6. To restore a container or organizational unit and all objects beneath it, replace "restore object" with "restore subtree" followed by the appropriate distinguished name.
7. After the appropriate command is typed in, press Enter. A window opens, asking for confirmation of the authoritative restore; click the Yes button to complete the authoritative restore of the object or subtree.
8. The NTDSUTIL tool displays the name of the text file(s) that may contain backlinks for the objects just restored. Note the name of the file(s) and whether any backlinks were contained in the restored objects.
9. Type quit and press Enter; type quit again to close out of the NTDSUTIL tool.
10. Click the Restart button in the Windows Server Backup dialog box and reboot. Make sure to set the boot option back to normal boot if it was not changed previously.
11. After the domain controller reboots into normal boot mode, log on to verify that the authoritatively restored objects are replicating to the other domain controllers. If things are working properly, run a full backup of the domain controller and log off.
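The verification in step 11 can be scripted. The following is an added example, not part of the original text: it checks every domain controller in the domain for the restored object and reads the replication version of its name attribute, which an authoritative restore raises by 100,000 per day since the backup was taken. It assumes the RSAT ActiveDirectory module (Get-ADReplicationAttributeMetadata needs the Windows Server 2012 or later module; on 2008 R2 repadmin /showobjmeta gives the same information) and uses the distinguished name from step 5.

```powershell
# Added example: confirm that an authoritatively restored object has replicated
# to all domain controllers. Run after the DC has rebooted into normal mode.
Import-Module ActiveDirectory

# DN from the page's example; substitute the object or subtree root you restored.
$RestoredDN = 'cn=Khalil Droubi,cn=users,dc=companyabc,dc=com'

$dcs = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName

$results = foreach ($dc in $dcs) {
    try {
        # Query each DC directly rather than letting the module pick one for us.
        $obj  = Get-ADObject -Identity $RestoredDN -Server $dc -Properties uSNChanged, whenChanged
        # Attribute version of 'name': a plain edit adds 1, an authoritative
        # restore adds 100,000 per day since the backup, so it stands out.
        $meta = Get-ADReplicationAttributeMetadata -Object $RestoredDN -Server $dc -Properties name
        [pscustomobject]@{
            DC          = $dc
            Present     = $true
            NameVersion = $meta.Version
            USNChanged  = $obj.uSNChanged
            WhenChanged = $obj.whenChanged
        }
    } catch {
        # Get-ADObject throws when the object is absent (or still a tombstone) on this DC.
        [pscustomobject]@{ DC = $dc; Present = $false; NameVersion = $null; USNChanged = $null; WhenChanged = $null }
    }
}

$results | Format-Table -AutoSize

# Any DC that still lacks the object indicates replication lag or a replication failure.
$missing = $results | Where-Object { -not $_.Present }
if ($missing) {
    Write-Warning "Restored object not yet present on: $($missing.DC -join ', '). Check repadmin /showrepl on those DCs before taking the full backup."
} else {
    Write-Host "Restored object is present on all $($results.Count) domain controllers."
}
```

A low NameVersion on every DC (a few dozen rather than hundreds of thousands) means the restore was not marked authoritative and the object may be overwritten by replication again.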
Authoritative Restore Backlinks
When
an object is authoritatively restored to Active Directory and if the
object was previously a member of groups in other domains in an Active
Directory forest, a file will be created that defines the restored
object backlinks. A backlink is a reference to a cross-domain group
membership. When an object that was previously deleted is
authoritatively restored, the file can be used to update that object’s
group membership in the other domains that contain the groups in
question. The NTDSUTIL, upon completion of the authoritative restore,
will list the name of the file that contains the backlink information.
This file can be copied to a domain controller in each of the other domains and processed there by running the command ldifde -i -k -f FileName, where FileName represents the text file created by the NTDSUTIL authoritative restore.
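The ldifde import above has to be repeated in every other domain of the forest. The following is an added example, not part of the original text: it walks the forest's domains, locates a writable domain controller in each one other than the local domain, and runs the page's ldifde command against it with the -s option so the file does not have to be copied around by hand. The file path is a constructed placeholder; use the name NTDSUTIL printed.

```powershell
# Added example: import the NTDSUTIL backlink file into every other domain in the forest.
Import-Module ActiveDirectory

# Constructed placeholder; replace with the file name reported by NTDSUTIL in step 8.
$BacklinkFile = 'C:\Restore\backlinks.ldf'
if (-not (Test-Path $BacklinkFile)) { throw "Backlink file $BacklinkFile not found" }

$localDomain  = (Get-ADDomain).DNSRoot
$otherDomains = (Get-ADForest).Domains | Where-Object { $_ -ne $localDomain }

foreach ($domain in $otherDomains) {
    # Locate a writable DC in the target domain to import against.
    $dc = [string](Get-ADDomainController -DomainName $domain -Discover -Writable).HostName
    Write-Host "Importing backlinks into $domain via $dc"

    # -i import, -k continue past 'already exists'/constraint errors, -f input file, -s target DC
    & ldifde.exe -i -k -f $BacklinkFile -s $dc
    if ($LASTEXITCODE -ne 0) {
        # ldifde writes details of failed entries to ldif.err in the current directory.
        Write-Warning "ldifde returned $LASTEXITCODE for $domain; review ldif.err before moving on."
    }
}
```

Afterwards, confirm the restored object's group membership in each domain (for example with Get-ADPrincipalGroupMembership against a DC in that domain) rather than trusting the exit code alone.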
Restoring the Sysvol Folder
When a domain controller
System State is restored, the SYSVOL is also restored to the point in
time the backup was taken. If the SYSVOL that has replicated across the
domain needs to be rolled back, an authoritative restore of the SYSVOL,
known previously as a primary restore of SYSVOL, must be performed. To
perform an authoritative restore of the SYSVOL, restore the System
State of a domain controller using Windows Server Backup, as outlined
in the previous section, “System State Recovery for Domain Controllers,”
but on the Select Location for System State Recovery page, check the
Perform an Authoritative Restore of Active Directory Files check box.
Follow the steps to recover the System State of the domain controller,
and then boot the domain controller normally. Once the domain
controller is returned to operation, the Active Directory database will
sync with other domain controllers, but the SYSVOL of this particular
domain controller will be pushed out to all other domain controllers in
the domain as the authoritative copy and will overwrite the other
copies. No other steps are required.
Restoring Group Policies
When group policies need to be
restored, performing a restore of the SYSVOL as well as the Active
Directory database is required. Group Policy Object information is
stored in a container in the domain-naming context partition called the
Group Policy Objects container, and the files are stored in the sysvol
folder on each domain controller. The most effective way to back up and
restore group policies is to use the backup and restore features built
in to the Group Policy Management Console included with Windows Server
2008 R2 Group Policy Management tools.
DHCP
In situations when DHCP
services fail and need to be restored, the fastest recovery option is
to restore the System State of the DHCP system. In many cases, however,
DHCP services are not hosted on systems dedicated only to the DHCP
service and the DHCP service will need to be recovered independently.
The DHCP service itself when in a failed state will need to be
investigated and repaired just like any other application or service.
If only the configuration details of the DHCP server need to be restored and a previous backup was made, perform the following steps:
1. Log on to the Windows Server 2008 R2 DHCP server system with an account with administrator privileges.
2. Click Start, click All Programs, click Administrative Tools, and select DHCP.
3. Double-click on the DHCP server to initiate the connection in the console.
4. Right-click on the DHCP server in the tree pane, and select Restore.
5. When the Browse for Folder window opens, it defaults to the systemroot\System32\DHCP\Backup folder; click OK to accept this location and start the restore. If more recent backups have been created, they might be located in subfolders of the Backup folder.
6. A window opens, requiring confirmation to restart the DHCP service; click Yes to stop the DHCP service, restore the data, and restart the DHCP service.
7. After the restore completes, click OK on the window and then verify that the DHCP scopes and other data have been restored to the state when the backup was performed.
8. Log off of the DHCP server system.
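The same configuration restore can be done without the console. The following is an added example, not part of the original text: it uses the netsh dhcp server restore command that the Windows Server 2008 R2 DHCP service supports, restarts the service so the restored database is loaded, and lists the scopes for the verification in step 7. It assumes the default backup folder from step 5.

```powershell
# Added example: restore the DHCP server configuration from the command line.
# Must run elevated on the DHCP server itself.
$BackupPath = Join-Path $env:SystemRoot 'System32\dhcp\backup'   # default location from step 5
if (-not (Test-Path $BackupPath)) { throw "Backup folder $BackupPath not found" }

# netsh talks to the running DHCP service over RPC, so the service must be up
# when the restore is requested; the restored data is loaded on the next start.
if ((Get-Service DHCPServer).Status -ne 'Running') { Start-Service DHCPServer }

& netsh.exe dhcp server restore $BackupPath
if ($LASTEXITCODE -ne 0) { throw "netsh dhcp server restore failed with exit code $LASTEXITCODE" }

# Equivalent of the console's stop/restore/restart confirmation in step 6.
Restart-Service -Name DHCPServer
Write-Host "DHCP service restarted; scopes now configured:"

# Verification for step 7: confirm the expected scopes and their state are back.
& netsh.exe dhcp server show scope
if ($LASTEXITCODE -ne 0) { Write-Warning "Could not enumerate scopes; check the DHCP event log (Event Viewer, System log, source DhcpServer)." }
```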