Why are domain controllers tricky?
As most administrators know, domain controllers contain a copy of the Active Directory database. What makes things interesting is that there are typically multiple DCs in a domain, and Windows attempts to keep these domain controllers synchronized. It is this synchronization process that can be problematic.
Any time a change is made to the Active Directory database, that change is assigned a number. A change can include everything from creating a user account to deleting a group to changing an object's attributes. The numbers that are assigned when a change is made are sequential so that Windows can identify what order the changes were made in.
When you restore a domain controller, that domain controller's Active Directory database reverts to the state that it was in at the time the backup was made. After the restoration is complete, Windows looks at the number that is assigned to the most recent change made to that domain controller and compares it to the changes made to other DCs. Whatever changes have been made to the Active Directory since the time the backup was made are then replicated from one of the other domain controllers to the newly restored domain controller through a process called back filling. Eventually, the back-filling process will bring the newly restored domain controller's copy of the AD database up to date.
Back filling does have its share of drawbacks, however. For example, suppose you accidentally delete a bunch of user accounts. You could restore the backup of a domain controller to get those accounts back, but Windows will actually delete them again. The back-filling process acknowledges the deletion of those accounts as a change that has occurred since the backup was made. Therefore, Windows will delete the newly restored user accounts in an effort to bring the newly restored database up to a current state.
You can get around this problem by performing an authoritative restore. An authoritative restore works by assigning new sequence numbers to restored data. As such, Windows replicates the newly restored data to the other domain controllers rather than having the newly restored data be overwritten by data that is replicated from the other DCs.
Performing an authoritative restore
Performing an authoritative restore of a DC requires a special procedure. The first thing you will have to do is boot the server into Directory Services Restore Mode. To do so, simply reboot the server and press F8 during the earliest phases of the boot process to access the Windows Advanced Options menu. When prompted to select an option, choose the Directory Services Restore Mode option.
The next part of the restoration process is probably what you would expect. You must perform a system state restore. If you are using NTBACKUP, be sure to set the advanced restore options to Restore Security Settings, Restore Junction Points (but not the folders or files that they reference) and Preserve Existing Volume Mount Points.
When the restore completes, you will be prompted to reboot your server. If you are performing a non-authoritative restore, then just go ahead and reboot the machine. If you want to perform an authoritative restore, though, you've still got some work to do.
To complete the process, open a Command Prompt window and enter the NTDSUTIL command. Upon doing so, Windows will display an NTDSUTIL prompt. You must now enter the AUTHORITATIVE RESTORE command, and tell Windows what portion of the Active Directory you want to mark as authoritative. You can authoritatively restore a single object or an entire subtree. To do so, you would use one of the following commands, followed by the distinguished name of the object or subtree that you want to restore. The distinguished name must be surrounded by quotation marks.
Restore object "distinguished name"
Restore subtree "distinguished name"
Here is an example of how you would use the command to restore a subtree:
restore subtree "OU=finance,DC=contoso,DC=com"
NTDSUTIL will now display some text indicating whether or not the object or subtree has been marked for an authoritative restore. If you happen to receive an error message, double-check to make sure you entered the distinguished name correctly and included the quotation marks.
If you are running Windows Server 2003 without any service packs>, then you will have to manually restore back-linked data.
If you are using Windows Server 2003 with SP1 or higher, though, then NTDSUTIL will tell you if any of the objects you marked for an authoritative restore contain backlinks. If backlinks are found, then the text you see will look something like this:
Successfully updated 3 records.
The following text file with a list of authoritatively restored objects has been created in the current working directory: ar_20050209-091249_objects.txt
One or more specified objects have backlinks in this domain. The following LDIF files with link restore operations have been created in the current working directory: ar_20050209-091249_links_contoso.com.ldf
Authoritative Restore completed successfully.
As you can see in the text above, NTDSUTIL has created a TXT file and an LDF file. In most cases you won't have to worry about the text file, but you must make note of the name of the LDF file.
At this point, use the QUIT command to exit NTDSUTIL and go ahead and reboot the server. When the server comes back up, give the Active Directory time to replicate. If you want to force the replication process to complete more quickly, then you can use the following command:
repadmin /syncall domain controller name /e /d /A /P /q
For example, if the name of your domain controller is DC1, then the command would look like this:
repadmin /syncall DC1 /e /d /A /P /q
Now, to restore group memberships for previously deleted objects, you will have to restore any backlinks. To do so, enter the following command:
LDIFDE –I –K –F filename
In this particular case, the command would look like this:
LDIFDE –I –K –F ar_20050209-091249_links_contoso.com.ldf
To complete the process, repeat this command on one domain controller in each domain that contains an object (typically a group) that was previously linked to an object that was recently restored.
|Brien M. Posey, MCSE, is a Microsoft Most Valuable Professional for his work with Windows 2000 Server, Exchange Server and IIS. He has served as CIO for a nationwide chain of hospitals and was once in charge of IT security for Fort Knox. He writes regularly for SearchWinComputing.com and other TechTarget sites.|
This was first published in November 2007