When restoring Active Directory data from backup, you must decide between a nonauthoritative restore and an authoritative restore. A nonauthoritative restore returns the domain controller to the state it was in when the backup was taken; during the next replication cycle its partners then bring it fully up to date, which means any object deleted after the backup was made is deleted again. An authoritative restore marks selected objects (or the whole database) on the restored domain controller so that they take precedence over the copies held by every other domain controller and are replicated out to them.
The native backup tool (NTBackup) can be used to back up and restore the AD database, but on its own it performs only a nonauthoritative restore, and Active Directory must be offline while the database is restored. Note also that a backup older than the forest's tombstone lifetime (60 days by default on Windows 2000 and Windows Server 2003; 180 days for forests created with Windows Server 2003 SP1) cannot be used, because the restored domain controller would reintroduce objects that the rest of the forest has already discarded. To restore the AD database and perform a nonauthoritative restore, boot the domain controller into Directory Services Restore Mode (using the F8 boot menu) and log on with the local Directory Services Restore Mode administrator account and the password set when the server was promoted; domain accounts are unavailable in this mode. Then, using the backup
There are only a handful of reasons to perform an authoritative restore, and accidentally deleting an object is the main one. If you mistakenly delete an object (or a whole organizational unit), a nonauthoritative restore alone will not bring it back: the deletion is the newer change, so replication would simply delete the object again. To perform an authoritative restore, first carry out the nonauthoritative restore described above, then, while the domain controller is still in Directory Services Restore Mode and before it has replicated with any partner, use the NTDSUTIL tool to mark the object, subtree or whole database as authoritative. NTDSUTIL does this by raising the version number of each marked attribute (by default 100,000 for every day that has passed since the backup was taken), so that the restored values win when the domain controller is rebooted normally and replicates. Marking the entire database is rarely appropriate, and the schema partition can never be restored authoritatively, so restore the smallest subtree that covers the deleted objects.
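The whole procedure above (nonauthoritative restore, then marking the deleted subtree with NTDSUTIL in Directory Services Restore Mode, then checking replication after the reboot), as an added example that is not part of the original article: a batch script for a Windows Server 2003 domain controller. The domain example.com, the OU name Sales, the script name ar-restore.cmd and the use of repadmin from the Windows Support Tools are assumptions for illustration, not details from the article.

```batch
@echo off
setlocal
REM ar-restore.cmd -- added example, not from the original article.
REM Usage (in DSRM, after the NTBackup nonauthoritative restore):  ar-restore.cmd mark
REM Usage (after rebooting into normal mode):                      ar-restore.cmd verify
REM Assumed names: domain example.com, deleted OU "Sales".
set SUBTREE=OU=Sales,DC=example,DC=com

if /i "%1"=="mark"   goto mark
if /i "%1"=="verify" goto verify
echo usage: %~nx0 mark ^| verify
exit /b 1

:mark
REM Directory service is offline here; ntdsutil works on the database file directly.
REM Mark the OU and every object beneath it authoritative. ntdsutil raises the
REM version number of each attribute (100,000 per day since the backup by default),
REM so these values win over the deletion when replication resumes.
REM ntdsutil asks for confirmation; each "quit" backs out one menu level.
ntdsutil "authoritative restore" "restore subtree %SUBTREE%" quit quit
echo Marked %SUBTREE% authoritative. Reboot into normal mode now.
REM To bring back a single object instead of a whole subtree:
REM   ntdsutil "authoritative restore" "restore object CN=Jane Doe,%SUBTREE%" quit quit
exit /b 0

:verify
REM Directory is online again. Confirm the OU and its contents are back ...
dsquery * "%SUBTREE%" -scope subtree -limit 0
REM ... and that the attribute version numbers were raised by the authoritative restore.
repadmin /showmeta "%SUBTREE%"
REM Push the restored objects out to every replication partner and check the result
REM (repadmin ships in the Windows Server 2003 Support Tools).
repadmin /syncall /A /e /P
repadmin /showrepl
REM Windows Server 2003 SP1 and later also write an .ldf file (ar_*_links_*.ldf, in the
REM directory where ntdsutil was run) that repairs group memberships referring to the
REM restored accounts; import it on a domain controller in each affected domain with:
REM   ldifde -i -k -f ar_<timestamp>_links_example.com.ldf
exit /b 0
```

Run the `mark` step only once, before the first normal-mode boot: if the domain controller replicates with a partner before the subtree is marked, the deletion comes back in and the restore has to be repeated from the backup.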
For more information on restoring AD from backup and using the NTDSUTIL tool, please visit the Resource Kits information section at the Microsoft Web site.
James Michael Stewart has co-authored numerous books on Microsoft, security certification and administration and is a regular speaker at Networld+Interop. Michael holds the following certifications: MCSE, MCT, CTT+, CISSP, TICSA, CIW SA, CCNA, MCSE NT & W2K and iNet+. He can be reached at firstname.lastname@example.org.
This was first published in March 2005