
Recover deleted AD objects using a daily System State backup

Restore deleted objects in 10 minutes without having to restore from tape by making a daily, local backup of System State.

This tip was submitted to the tip exchange by member Kevin Crandall.

Whoops! Through a glitch in replication or simultaneous administrative activity, an OU or one or more users have been deleted from your Active Directory. With a little planning, you can restore the deleted object(s) in 10 minutes without bothering your backup operator for tapes: implement a daily, local backup of System State to the local filesystem of a domain controller.

Then, if necessary, you can perform an Authoritative Restore from that local System State backup without scrambling for tapes.

On a domain controller, use the Win2k backup utility's backup wizard to quickly configure a daily backup of System State to a local filesystem. I usually choose %systemroot%\SYSTEM_STATE_BACKUP\SYSTEM_STATE.bkf.

Set the backup job to overwrite -- your System State backup will never be more than 24 hours old. If you like, make it more often -- perhaps where a lot of OU manipulation is happening, every 12 hours.
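
The same daily, overwriting local System State backup, set up from the command line instead of the backup wizard, as an added example that is not part of Kevin Crandall's tip. It assumes a stock Windows 2000 domain controller (ntbackup.exe, at.exe and cacls.exe present, Task Scheduler service running) and that the script is run as a member of Administrators; the folder, file name and job name come from the tip, while the 02:00 run time and the "setup/backup/verify" subcommands are my own choices.

```batch
@echo off
rem Added example (not from the original tip): schedule the daily local System
rem State backup described above on a Windows 2000 DC and lock down the folder.
rem Assumptions: ntbackup.exe, at.exe and cacls.exe are present (stock Win2k),
rem the Task Scheduler service is running, and this runs as an Administrator.
rem Path and job name are the tip's; the 02:00 run time is my choice.

setlocal
set BKDIR=%systemroot%\SYSTEM_STATE_BACKUP
set BKFILE=%BKDIR%\SYSTEM_STATE.bkf
set JOBNAME=Daily System State

if "%1"=="setup"  goto setup
if "%1"=="backup" goto backup
if "%1"=="verify" goto verify
echo usage: %~nx0 setup ^| backup ^| verify
goto :eof

:setup
if not exist "%BKDIR%" mkdir "%BKDIR%"
rem The .bkf contains a copy of ntds.dit, i.e. every domain account's password
rem hashes, so replace the inherited ACL with Administrators and SYSTEM only.
rem cacls asks "Are you sure (Y/N)?" when replacing an ACL; the echo answers it.
echo Y| cacls "%BKDIR%" /T /G Administrators:F SYSTEM:F
rem Run the backup every day at 02:00 (run "at" with no arguments to list jobs).
at 02:00 /every:M,T,W,Th,F,S,Su cmd /c "%~f0 backup"
goto :eof

:backup
rem No /A (append) switch, so ntbackup overwrites the .bkf on every run: this is
rem the "overwrite" setting from the tip, and the copy on disk is never more
rem than 24 hours old. /M normal = full backup, /L:s = summary log,
rem /V:yes = verify the backup after writing it.
ntbackup backup systemstate /J "%JOBNAME%" /F "%BKFILE%" /M normal /L:s /V:yes
goto :eof

:verify
rem Sanity check before you reboot into Directory Services Restore Mode and
rem trust this file: confirm it exists and show when it was last written.
if not exist "%BKFILE%" (
    echo ERROR: %BKFILE% is missing - the scheduled job has not run.
    exit /b 1
)
for %%F in ("%BKFILE%") do echo %BKFILE% written %%~tF, %%~zF bytes
exit /b 0
```

Save it as, for instance, %systemroot%\SYSTEM_STATE_BACKUP\sysstate.cmd, run it once with `setup`, and run it with `verify` before you reboot into Directory Services Restore Mode so you know the file you are about to restore from is actually there and fresh. To back up every 12 hours instead, as the tip suggests for busy OUs, add a second `at` line with a different time.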

Now, if you ever need to perform a restore of an OU, reboot the DC in safe mode (F8) and choose Directory Services Restore Mode. You'll know at this point whether you remember the Restore Mode password -- because if you don't remember it, you're out of luck.

Use the NT Backup Restore Wizard to restore the System State from %systemroot%\SYSTEM_STATE_BACKUP\SYSTEM_STATE.bkf.

Do not reboot the server at this time. If you do, you'll have performed what is called an "Unauthoritative Restore" and your restoration will have to compete with replication priorities that might be higher from other DCs.

You want an authoritative restore if you are certain that the entire pie, or just a piece, is missing and should be restored without argument from other DCs.

From a command prompt, start ntdsutil.
At the ntdsutil: prompt, enter 'authoritative restore'.

Any restores from this prompt, like:

authoritative restore: restore subtree "cn=Web Administrator,ou=ITG,dc=nwtraders,dc=msft"

will mark that restore as authoritative and it will replicate appropriately to the other DCs as if it had a high priority, which indeed it does: authoritatively restored data is given the highest update sequence number in the AD replication system.

You can restore any AD object authoritatively, or the entire database.
