Authoritative Restore

To perform authoritative restore of Active Directory including the SYSVOL volume, carry out the following operations:

1. Run the Backup utility and perform a non-authoritative restore (see the previous section). When the Backup utility completes its work, it prompts you to restart the computer (Fig. 8.14). You must click No.


Fig. 8.14: Click No if you perform an authoritative restore

2. Restore the System State to an alternative location. See an example in Fig. 8.15.


Fig. 8.15: Selecting an alternative location for a restore operation

Important This second restore operation as well as Steps 5 and 6 below are only necessary if you need to authoritatively restore the entire System State or directory objects along with corresponding Group Policy Objects. If you restore a single object, skip this step and go directly to Step 3.

When the System State is restored to an alternative location, the current System State (e.g., Registry or Active Directory data) will stay intact. That is why you should carry out restore twice.

3. On Windows .NET-based servers, the following folders will appear in the specified folder or on the disk (Fig. 8.16):



Fig. 8.16: Structure of the SYSVOL folder in alternative location (for domain net.dom)

o Active Directory (ntds.dit, edb*.log; these files can be used later to promote a server to an additional DC)
o Boot Files
o COM+ Class Registration Database (ComReg.Db.bak)
o Registry (default, SAM, SECURITY, software, system)
o SYSVOL (this folder reflects the structure of the SYSVOL volume)

4. When you restore data to an alternative location, the program does not offer to reboot the computer. Close the Backup program.

5. Run NTDSutil.exe from the command prompt. A sample session for the authoritative restore command is shown below (a subtree is restored in this example):

ntdsutil: Authoritative restore

authoritative restore: Restore subtree OU=Staff,DC=net,DC=dom

[Confirm the restore operation: click Yes in the pop-up window.]

Opening DIT database... Done.

The current time is 06-04-02 20:41.05.

Most recent database update occured at 06-03-02 17:52.23.

Increasing attribute version numbers by 200000.

Counting records that need updating... Records found: 0000000038 Done.

Found 38 records to update.

Updating records...

Records remaining: 0000000000


Successfully updated 38 records.

Authoritative Restore completed successfully.

authoritative restore: Quit

ntdsutil: Quit

6. Reboot the computer into normal mode and wait until the SYSVOL volume is published (look for event ID 13516 in the File Replication Service log and use the net share command to check whether the process has completed).

7. Copy the contents of the SYSVOL volume from the alternative location over the existing one. These changes to the SYSVOL volume will be the most recent and, therefore, will be replicated to the other DCs as the authoritative data.
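The last two steps (waiting for SYSVOL to be published, then copying the restored SYSVOL tree over the live one) can be scripted. The following PowerShell script is an added example, not code from the book; it assumes it is run locally on the restored DC after the reboot, that the alternate restore location from Step 2 is C:\AltRestore (a hypothetical path; the book's Fig. 8.15 path is not legible), that the restored tree sits in the SYSVOL subfolder of that location as described in Step 3, and that robocopy.exe is available (built into newer Windows versions, Resource Kit on older ones).

```powershell
# Added example (not from the book): wait for FRS to publish SYSVOL, then copy the
# SYSVOL tree restored to the alternate location over the live SYSVOL so that the
# restored files become the newest version and replicate to the other DCs.
param(
    [string]$AltLocation = 'C:\AltRestore',           # hypothetical alternate restore location (Step 2)
    [string]$LiveSysvol  = "$env:SystemRoot\SYSVOL",  # default SYSVOL root on a DC
    [int]$TimeoutMinutes = 30
)

# Event 13516 in the File Replication Service log means FRS has shared SYSVOL and
# NETLOGON; only an event logged since the current boot counts.
function Get-LastBootTime {
    $os = Get-WmiObject Win32_OperatingSystem
    return $os.ConvertToDateTime($os.LastBootUpTime)
}

function Test-SysvolPublished([datetime]$Since) {
    $evt = Get-EventLog -LogName 'File Replication Service' -After $Since -ErrorAction SilentlyContinue |
        Where-Object { $_.EventID -eq 13516 }
    if (-not $evt) { return $false }
    # Cross-check with net share, as the book suggests: both shares must be listed.
    $shares = net share 2>$null
    return [bool](($shares -match '^SYSVOL\s') -and ($shares -match '^NETLOGON\s'))
}

function Wait-SysvolPublished([int]$Minutes) {
    $since    = Get-LastBootTime
    $deadline = (Get-Date).AddMinutes($Minutes)
    while ((Get-Date) -lt $deadline) {
        if (Test-SysvolPublished $since) { return $true }
        Start-Sleep -Seconds 30
    }
    return $false
}

# Copy the restored tree over the live one. /IS and /IT make robocopy rewrite files
# even when size and timestamp already match, so every restored file is a fresh
# local change that FRS treats as the newest version. /E copies subfolders; nothing
# in the live tree is deleted (no /MIR), which keeps the copy from removing data
# that was created after the backup.
function Copy-RestoredSysvol([string]$Source, [string]$Destination) {
    if (-not (Test-Path $Source)) { throw "Restored SYSVOL not found at $Source" }
    $log = Join-Path $env:TEMP 'sysvol-restore.log'
    & robocopy.exe $Source $Destination /E /IS /IT /COPY:DAT /R:2 /W:5 /NP /LOG+:$log
    # Robocopy exit codes below 8 mean success (with or without copies); 8 and above mean failures.
    return ($LASTEXITCODE -lt 8)
}

if (-not (Wait-SysvolPublished $TimeoutMinutes)) {
    throw "SYSVOL was not published within $TimeoutMinutes minutes; check the FRS log before copying."
}
$restoredSysvol = Join-Path $AltLocation 'SYSVOL'
if (Copy-RestoredSysvol $restoredSysvol $LiveSysvol) {
    "Restored SYSVOL copied from $restoredSysvol to $LiveSysvol; watch the other DCs for the replicated files."
} else {
    throw "robocopy reported failures; see $(Join-Path $env:TEMP 'sysvol-restore.log')"
}
```

Because the script never deletes anything from the live SYSVOL, files created after the backup survive the copy; if the goal is to roll SYSVOL back completely, that difference has to be reconciled by hand after the copy.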

In the example shown, an OU object has been restored. You can mark an individual object (in the Windows .NET environment), subtree, or entire directory partition as authoritative. This, however, does not extend to the Schema partition.

Caution Use authoritative restore with necessary directory objects only. Be very selective and do not restore excessive objects. Be especially careful with the Configuration partition. Do not use the restore database command unless you completely understand how restore operations work.

Notice the line that reports the increment of the attribute version numbers, and the two lines preceding it (the current time and the time of the most recent database update). The version numbers increase by 100,000 for each day after the original backup has been performed. You can view the changes to the metadata by using ReplMon.exe or the repadmin command. In our case, for example, the following command will be used:

repadmin /showmeta OU=Staff,DC=net,DC=dom

By using this command on different DCs, you can verify whether the authoritative restore was successful, and trace the replication's propagation.
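Running repadmin /showmeta on every DC by hand and reading the version column is tedious; the following PowerShell script is an added example, not code from the book, that does it for a list of DCs and reports whether each one already holds the restored (version-incremented) copy of the object. It assumes repadmin.exe is on the PATH, that the running account may query every DC, that the DC names dc1.net.dom and dc2.net.dom are placeholders to replace, and that /showmeta prints one row per attribute in the column order "Loc.USN, Originating DSA, Org.USN, Org.Time/Date, Ver, Attribute" (rows in any other layout are skipped). The expected increment is read from a saved ntdsutil transcript ("Increasing attribute version numbers by N.") when one is supplied, and otherwise falls back to the book's default of 100,000.

```powershell
# Added example (not from the book): check on each DC whether the attribute version
# numbers of the restored object reflect the authoritative-restore increment.
param(
    [string]$ObjectDN = 'OU=Staff,DC=net,DC=dom',                      # subtree root from the book's example
    [string[]]$DomainControllers = @('dc1.net.dom', 'dc2.net.dom'),    # hypothetical DC names
    [string]$NtdsutilTranscript = ''                                   # optional path to a saved ntdsutil session
)

# Pull the increment ntdsutil announced; fall back to the stated default of 100000.
function Get-VersionIncrement([string]$TranscriptPath) {
    if ($TranscriptPath -and (Test-Path $TranscriptPath)) {
        $m = Select-String -Path $TranscriptPath -Pattern 'Increasing attribute version numbers by (\d+)' |
            Select-Object -First 1
        if ($m) { return [int64]$m.Matches[0].Groups[1].Value }
    }
    return 100000
}

# Turn repadmin /showmeta text into objects; header, separator and blank lines do
# not match the row pattern and are skipped (assumed column layout, see lead-in).
function ConvertFrom-ShowMeta([string[]]$Lines) {
    $rowPattern = '^\s*(\d+)\s+(\S+)\s+(\d+)\s+(\S+\s+\S+)\s+(\d+)\s+(\S+)\s*$'
    foreach ($line in $Lines) {
        if ($line -match $rowPattern) {
            [pscustomobject]@{
                LocalUsn   = [int64]$Matches[1]
                OriginDsa  = $Matches[2]
                OriginUsn  = [int64]$Matches[3]
                OriginTime = $Matches[4]
                Version    = [int64]$Matches[5]
                Attribute  = $Matches[6]
            }
        }
    }
}

$increment = Get-VersionIncrement $NtdsutilTranscript
"Expected version increment: $increment"

foreach ($dc in $DomainControllers) {
    $raw  = & repadmin /showmeta $ObjectDN $dc 2>&1 | ForEach-Object { $_.ToString() }
    $rows = @(ConvertFrom-ShowMeta $raw)
    if ($rows.Count -eq 0) {
        Write-Warning "$dc : no metadata rows parsed (DC unreachable, or output format differs)"
        continue
    }
    # After the restore, the attributes of the restored object carry versions raised by
    # the increment. Versions that are still small on a DC mean the restored copy has
    # not replicated there yet; a DC showing a mix is mid-replication or has a conflict.
    $bumped = @($rows | Where-Object { $_.Version -ge $increment })
    $status = if ($bumped.Count -eq $rows.Count) { 'restored data present' }
              elseif ($bumped.Count -gt 0)       { 'partially replicated' }
              else                               { 'not yet replicated' }
    $maxVer = ($rows | Measure-Object -Property Version -Maximum).Maximum
    "{0,-20} {1,-22} max Ver={2,-8} bumped attrs={3}/{4}" -f $dc, $status, $maxVer, $bumped.Count, $rows.Count
    # The originating DSA of every bumped write should be the DC that was restored.
    $bumped | Group-Object OriginDsa | ForEach-Object { "    origin {0}: {1} attribute(s)" -f $_.Name, $_.Count }
}
```

Run it once right after the restored DC is back in normal mode and again after a replication cycle: the first run should show "restored data present" only on the restored DC, and later runs should show it everywhere, with the restored DC as the originating DSA of the bumped attributes.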

If objects in your Active Directory installation have very low volatility, you might wish to override the default value of the version increment. Use a command similar to the following:

restore subtree OU=Staff,DC=net,DC=dom verinc 1000
