Recover deleted AD objects using a daily System State backup

This tip was submitted to the SearchWin2000.com tip exchange by member Kevin Crandall.

Whoops! Through a glitch in replication or simultaneous administrative activity, an OU or user(s) has been deleted from your Active Directory. With a little planning, and without bothering your backup operator for tapes, you can restore the deleted object(s) in 10 minutes: implement a daily backup of System State to the local filesystem.

Then, if necessary, you can perform an Authoritative Restore from that local System State backup without scrambling for tapes.

On a domain controller, use the Win2k backup utility's backup wizard to quickly configure a daily backup of System State to a local filesystem. I usually choose %systemroot%\SYSTEM_STATE_BACKUP\SYSTEM_STATE.bkf.

Set the backup job to overwrite -- your System State backup will never be more than 24 hours old. If you like, make it more often -- perhaps where a lot of OU manipulation is happening, every 12 hours.
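The scheduled job described above, written as a batch file rather than through the backup wizard. This is an added example, not code from the original tip: it assumes a Windows 2000/2003 domain controller with ntbackup.exe, the directory and file names the tip suggests, and the AT scheduler service running. Instead of relying on ntbackup to overwrite, it renames the previous .bkf to SYSTEM_STATE.prev.bkf first, so a backup that fails part-way never leaves you with no usable file.

```batch
@echo off
rem Added example (not from the original tip): daily System State backup to
rem the local filesystem with ntbackup.exe, keeping one previous copy.
rem Assumptions: Windows 2000/2003 DC, ntbackup.exe present, AT service
rem running, and this script stored in a path without spaces.
setlocal

set BKDIR=%SystemRoot%\SYSTEM_STATE_BACKUP
set BKFILE=%BKDIR%\SYSTEM_STATE.bkf
set PREV=%BKDIR%\SYSTEM_STATE.prev.bkf
set LOG=%BKDIR%\backup.log

if not exist "%BKDIR%" mkdir "%BKDIR%"

if /i "%~1"=="/schedule" goto schedule

rem --- Run the backup -------------------------------------------------
rem Rotate: drop the copy from two days ago, keep yesterday's as .prev.bkf.
if exist "%PREV%"   del /q "%PREV%"
if exist "%BKFILE%" ren "%BKFILE%" SYSTEM_STATE.prev.bkf

rem backup systemstate : the System State components (AD database, SYSVOL,
rem                      registry, COM+ catalog, boot files)
rem /J  job name shown in the ntbackup log   /F  write to a file, not a tape
rem /M  normal = full backup                 /L:s summary log only
ntbackup backup systemstate /J "Daily System State" /F "%BKFILE%" /M normal /L:s

rem ntbackup's exit code is not a reliable success signal (assumption), so
rem treat "the new file exists" as the pass/fail check and log the outcome.
if not exist "%BKFILE%" (
    echo %DATE% %TIME% System State backup FAILED, previous copy kept in %PREV% >> "%LOG%"
    exit /b 1
)
echo %DATE% %TIME% System State backup OK: %BKFILE% >> "%LOG%"
exit /b 0

:schedule
rem Windows 2000 has no schtasks.exe; AT runs the job nightly at 02:00 as
rem LocalSystem. Batch files must be invoked through cmd /c under AT.
rem Change 02:00 (or add a second entry) if you want the 12-hour cadence.
at 02:00 /every:M,T,W,Th,F,S,Su "cmd /c %~f0"
exit /b %ERRORLEVEL%
```

Run the script once with /schedule to register the nightly job, then check backup.log after the first run; a line reading FAILED means the previous day's file is still the one you would be restoring from, which is worth knowing before you reboot into Directory Services Restore Mode.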

Now, if you ever need to perform a restore of an OU, reboot the DC in safe mode (F8) and choose Directory Services Restore Mode. You'll know at this point whether you remember the Restore Mode password -- because if you don't remember it, you're out of luck.

Use the NT Backup Restore Wizard to restore the System State from %systemroot%\SYSTEM_STATE_BACKUP\SYSTEM_STATE.bkf.

Do not reboot the server at this time. If you do, you'll have performed what is called an "Unauthoritative Restore" and your restoration will have to compete with replication priorities that might be higher from other DCs.

You want an authoritative restore if you are certain that the entire pie, or just a piece, is missing and should be restored without argument from other DCs.

From a command prompt, start ntdsutil. At the ntdsutil: prompt, enter 'authoritative restore'.

Any restores from this prompt, like:

authoritative restore: restore subtree "cn=Web Administrator,ou=ITG,dc=nwtraders,dc=msft"

will mark that restore as authoritative and it will replicate appropriately to the other DCs as if it had a high priority, which indeed it does: authoritatively restored data is given the highest update sequence number in the AD replication system.

You can restore any AD object authoritatively, or the entire database.
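The ntdsutil session above, scripted so the restore command is typed once and checked before it runs. This is an added example, not from the original tip: it assumes you are already in Directory Services Restore Mode with the System State restored and have not yet rebooted, and the example DNs are the tip's own (dc=nwtraders,dc=msft). ntdsutil accepts each menu command as a separate command-line argument, which is what makes the session scriptable.

```batch
@echo off
rem Added example (not from the original tip): mark an object, a subtree or
rem the whole database authoritative with ntdsutil, from a command prompt in
rem Directory Services Restore Mode, BEFORE the post-restore reboot.
rem Assumption: the DN you pass existed in the backup that was just restored.
setlocal

if /i "%~1"=="database" goto whole_db
if "%~2"=="" (
    echo usage: %~n0 object   "cn=Web Administrator,ou=ITG,dc=nwtraders,dc=msft"
    echo        %~n0 subtree  "ou=ITG,dc=nwtraders,dc=msft"
    echo        %~n0 database
    echo   object  = one object only, e.g. a single deleted user
    echo   subtree = the object and everything beneath it, e.g. a whole OU
    echo   database= the entire directory, a last resort
    exit /b 2
)
if /i not "%~1"=="object" if /i not "%~1"=="subtree" (
    echo unknown scope "%~1"; use object, subtree or database
    exit /b 2
)
set SCOPE=%~1
set DN=%~2

echo About to run: restore %SCOPE% "%DN%"
echo Press Ctrl+C now if this is not the DN that was deleted.
pause

rem Each quoted argument is one ntdsutil command: enter the "authoritative
rem restore" menu, issue the restore, then quit the menu and the tool.
rem \" is the C-runtime way to embed quotes in an argument, so DNs with
rem spaces (cn=Web Administrator) reach ntdsutil correctly quoted.
ntdsutil "authoritative restore" "restore %SCOPE% \"%DN%\"" quit quit
exit /b %ERRORLEVEL%

:whole_db
echo Marking the ENTIRE directory authoritative. Press Ctrl+C to abort.
pause
ntdsutil "authoritative restore" "restore database" quit quit
exit /b %ERRORLEVEL%
```

Use subtree for a deleted OU and object for a single user; restore database makes every object on this DC win against every other DC, which is rarely what you want after a single accidental deletion. Once ntdsutil reports the number of records updated, reboot normally and let the marked data replicate out.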

This was first published in March 2003
