There are two generally recognized methods to restore the Active Directory database onto a domain controller. The traditional method is to bring a new system up as a domain controller and allow the normal replication process to populate the new system with the Active Directory data. The other method uses a saved or backed up copy of the Active Directory database to jumpstart the new domain controller. This second option is usually faster, but it only restores the AD database back to the saved state of the backup. This could mean the restored system is hours, days or weeks out of sync with the other domain controllers within the domain.
When restoring Active Directory data from backup, you must consider whether to make a nonauthoritative restore or an authoritative restore. A nonauthoritative restore allows the restored domain controller to be brought fully up to date during the next replication process. An authoritative restore forces the data items on the restored domain controller to take precedence and be pushed out to all other domain controllers.
The native backup tool can be used to back up and restore the AD database, but it can only be used to perform a nonauthoritative restore, and in order to restore the AD database, Active Directory must be offline. To restore the AD database and perform a nonauthoritative restore, boot the domain controller into Directory Services Restore Mode (using the F8 boot menu) and log on as the local administrator. Then, using
There are only a handful of reasons to perform authoritative restores. Accidentally deleting an object is one of them. If you mistakenly delete an object, then you'll need to do an authoritative restore. To perform an authoritative restore, first perform the actions for the nonauthoritative restore, and then indicate which portions of the AD database will be assigned precedence over other new objects in the domain. The NTDSUTIL tool accomplishes the latter activity.
For more information on restoring AD from backup and using the NTDSUTIL tool, please visit the Resource Kits information section at the Microsoft Web site.
James Michael Stewart has co-authored numerous books on Microsoft, security certification and administration and is a regular speaker at Networld+Interop. Michael holds the following certifications: MCSE, MCT, CTT+, CISSP, TICSA, CIW SA, CCNA, MCSE NT & W2K and iNet+. He can be reached at email@example.com.
This was first published in March 2005