Creating Active Directory replicas from backup tapes

James Michael Stewart, Contributor

There are two generally recognized methods to restore the Active Directory database onto a domain controller. The traditional method is to bring a new system up as a domain controller and allow the normal replication process to populate the new system with the Active Directory data. The other method uses a saved or backed up copy of the Active Directory database to jumpstart the new domain controller. This second option is usually faster, but it only restores the AD database back to the saved state of the backup. This could mean the restored system is hours, days or weeks out of sync with the other domain controllers within the domain.

When restoring Active Directory data from backup, you must consider whether to make a nonauthoritative restore or an authoritative restore. A nonauthoritative restore allows the restored domain controller to be brought fully up to date during the next replication process. An authoritative restore forces the data items on the restored domain controller to take precedence and be pushed out to all other domain controllers.

The native backup tool can be used to back up and restore the AD database, but it can only be used to perform a nonauthoritative restore, and in order to restore the AD database, Active Directory must be offline. To restore the AD database and perform a nonauthoritative restore, boot the domain controller into Directory Services Restore Mode (using the F8 boot menu) and log on as the local administrator. Then, using

Requires Free Membership to View

the backup tool, restore the System State data to its original location to perform the nonauthoritative AD restore.

There are only a handful of reasons to perform authoritative restores. Accidentally deleting an object is one of them. If you mistakenly delete an object, then you'll need to do an authoritative restore. To perform an authoritative restore, first perform the actions for the nonauthoritative restore, and then indicate which portions of the AD database will be assigned precedence over other new objects in the domain. The NTDSUTIL tool accomplishes the latter activity.

For more information on restoring AD from backup and using the NTDSUTIL tool, please visit the Resource Kits information section at the Microsoft Web site.

James Michael Stewart has co-authored numerous books on Microsoft, security certification and administration and is a regular speaker at Networld+Interop. Michael holds the following certifications: MCSE, MCT, CTT+, CISSP, TICSA, CIW SA, CCNA, MCSE NT & W2K and iNet+. He can be reached at michael@impactonline.com.

This was first published in March 2005

There are Comments. Add yours.

TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

Disclaimer: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.