
Recover a deleted Active Directory OU

How a user recovered an important OU in a mixed mode environment that had lots of sub-OUs and users.

This tip was submitted to the Tip Exchange by member Kevin Potterton.

If you ever find a use for the following tip, it means you are in something of a pickle!

Fear not -- the process of recovery is simple if you know the right steps to take.

The following text describes how we recovered an OU in a mixed mode environment (running AD but still with WinNT domain controllers). Our installation was also running Exchange Server 5.5, which created additional problems for us.

We'll assume that you've deleted an important OU with lots of sub-OUs and a lot of users and that the change has replicated to all your Win2000 domain controllers. You first need to pick a Win2000 domain controller to use -- we used the server that was acting as the PDC emulator, but I think that this would work using any Win2000 domain controller. Ensure you have a good backup of this server, including the system state.

Restart the chosen server. When it displays the "Press F8" message, press F8 repeatedly at half-second intervals (if you just press and hold F8, sometimes it doesn't register the keypress). After pressing F8 you should be presented with a menu. You need to select the option that takes you into Directory Services Restore Mode.

Once you are into Windows, run "ntbackup" and restore the system state to its original location from the backup tape taken before the OU was deleted. Do not reboot when prompted to! Click "no" to cancel rebooting. Open a command prompt and then enter the following commands:

  • ntdsutil
  • authoritative restore
  • restore database (you can use "restore subtree," but this is dodgy since groups that were not in that subtree can lose all of their users).

An authoritative restore is so called because the server you perform it on becomes the authority on the domain. It is given the highest USN number so that the active directory on this server is replicated to all the other domain controllers.

These steps can take as little as a few seconds to run, depending on the size of the organization. Once they are complete, you simply need to reboot the server and start it up as you normally would. All the AD should be restored and replicated out to all the other Win2000 domain controllers.
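Before declaring the restore finished, it is worth confirming that every domain controller actually sees the restored OU with the same contents. The following check is an added example, not part of the original tip: it assumes a domain controller running Windows Server 2008 or later with the ActiveDirectory PowerShell module, and the OU distinguished name is a placeholder you replace with your own.

```powershell
# Added post-restore verification (not part of the original tip).
# Assumes the ActiveDirectory module; $OuDn is a placeholder for the restored OU's DN.
param(
    [string]$OuDn = 'OU=RESTORED-OU,DC=example,DC=com'
)
Import-Module ActiveDirectory

# Enumerate every domain controller so each one can be queried directly.
$dcs = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName

$results = foreach ($dc in $dcs) {
    try {
        # Count the OU and everything beneath it (sub-OUs, users, groups) as this DC holds it.
        $count = @(Get-ADObject -Server $dc -SearchBase $OuDn -SearchScope Subtree `
                                -Filter * -ErrorAction Stop).Count
        [pscustomobject]@{ DC = $dc; Objects = $count; Error = $null }
    } catch {
        # A DC that still holds the OU as deleted, or is unreachable, lands here.
        [pscustomobject]@{ DC = $dc; Objects = $null; Error = $_.Exception.Message }
    }
}
$results | Format-Table -AutoSize

# Any DC with a different count, or an error, means replication has not converged yet.
$good     = @($results | Where-Object { $null -eq $_.Error })
$distinct = @($good | Select-Object -ExpandProperty Objects -Unique)
if ($good.Count -ne $results.Count -or $distinct.Count -ne 1) {
    Write-Warning "Restored OU has not converged on all DCs; review 'repadmin /showrepl' before continuing."
} else {
    Write-Host "Restored OU is consistent on $($results.Count) DCs ($($distinct[0]) objects each)."
}
```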

If you are running in mixed mode, however, you may find that although you can now log on again and have access to Win2000 servers, all the WinNT servers are inaccessible. If you are running Exchange 5.5 or earlier, you may also find that your email system is not working.

All of these problems are due to the old NT SAM Database not having been updated.

The reason for this is that replication of the SAM database can only handle a maximum of 5000 changes at any one given time. If you have in excess of that number (which is likely when restoring the whole of AD), then your old NT security system may be well and truly "up the spout."

I'm not sure whether or not this would slowly sort itself out replicating a few records at a time, but if you are like us -- and are eager to go home at a decent hour -- the following command is what you need:

You need to synchronize the entire SAM database, which you can do using a tool called "nltest" which is part of the support tools for NT (it is included in the Win2000 support tools also, but I'm not sure if the versions are compatible).

Put "nltest" -- available from Microsoft's web site -- onto each NT domain controller. Then run "nltest /sync" on each NT domain controller, wait for the replication messages, and "Bob's yer uncle."
