A nonauthoritative restore returns the domain controller to its state at the time of backup and then allows normal replication to overwrite that state with any changes that occurred after the backup was taken. After you restore the domain controller from backup, replication partners use the standard replication protocols to update Active Directory and associated information on the restored domain controller.
A nonauthoritative restore is the default method for restoring Active Directory.
A nonauthoritative restore allows the entire directory to be restored on a domain controller, without reintroducing or changing objects that have been modified since the backup. The most common use of a nonauthoritative restore is to bring an entire domain controller back, often after catastrophic or debilitating hardware failures. It is uncommon for data corruption to drive a nonauthoritative restore, unless the corruption is local and the database cannot be successfully loaded.
· Boot files, including the system files, and all files protected by Windows File Protection (WFP).
· Active Directory (on a domain controller only).
· Sysvol (on a domain controller only).
· Certificate Services (on certification authority only).
· Cluster database (on a cluster node only).
· The registry.
· Performance counter configuration information.
· Component Services Class registration database.
· System Start-up Files (boot files). These are the files required for Windows 2000 Server to start.
· System registry.
· Class registration database of Component Services. The Component Object Model (COM) is a binary standard for writing component software in a distributed systems environment.
· SYSVOL. The system volume provides a default Active Directory location for files that must be shared for common access throughout a domain. The SYSVOL folder on a domain controller contains:
· NETLOGON shared folders. These usually host user logon scripts and Group Policy objects (GPOs) for non-Windows 2003-based network clients.
· User logon scripts for Windows 2003 Professional-based clients.
· Windows 2003 GPOs.
· File system junctions.
· File Replication service (FRS) staging directories and files that are required to be available and synchronized between domain controllers.
Ntbackup.exe provides simple and advanced options for backing up Active Directory components. When you back up system state, you can choose to include or exclude system-protected boot files. System-protected boot files are not used for installations from restored backup media. When the backup file that you create is to be used for additional domain controller installations, you can clear the advanced option to back up system-protected files. Clearing this option decreases the size of the .bkf file, as well as the time required to back up, restore, and copy the system state files.
Use these procedures to back up the system state only. These procedures do not back up the system disk or any other data on the domain controller except for the system-protected files.
Use the first procedure, “To back up system state including system-protected files,” for routine system state backup. Use the second procedure, “To back up system state excluding system-protected files,” if you want to create a smaller backup that is effective for installing domain controllers from restored backup media.
How to back up System State including system-protected files?
- To perform the following two procedures, you must be a member of the Domain Admins group or a member of the Backup Operators group.
1. To start the Windows Server 2003 backup utility, click Start, click Run, type ntbackup, and then click OK.
This procedure provides steps for backing up in Wizard Mode. By default, the Always Start in Wizard Mode check box is selected in the Backup or Restore Wizard. If the Welcome to the Backup Utility Advanced Mode page appears, click Wizard Mode to open the Backup or Restore Wizard.
2. On the Welcome to the Backup or Restore Wizard page, click Next.
3. Select Back up files and settings, and then click Next.
4. Select Let me choose what to back up, and then click Next.
5. In the Items to Back Up window, double-click My Computer.
6. In the expanded list below My Computer, check System State, and then click Next.
7. Select a location to store the backup:
· If you are backing up to a file, type the path and file name for the backup (.bkf) file (or click Browse to find a folder or file).
· If you are backing up to a tape unit, choose the tape that you want to use.
You should not store the backup on the local hard drive. Instead, store it in a location, such as a tape drive, away from the computer that you are backing up.
8. Type a name for this backup and then click Next.
9. On the last page of the wizard, click Advanced.
10. Do not change the default options for Type of Backup. Normal should be selected, and the check box for Backup migrated remote storage data should remain cleared. Click Next.
11. Select Verify data after backup, and then click Next.
12. In the Backup Options dialog box, select a backup option, and then click Next.
13. If you are replacing the existing backups, select the option to allow only the owner and administrator access to the backup data and to any backups that are appended to this medium, and then click Next.
14. In the When to back up box, select the appropriate option for your needs, and then click Next.
15. If you are satisfied with all of the options that are selected, click Finish to perform the backup operation according to your selected schedule.
The following procedure produces a smaller .bkf file that does not include system boot files. By using this procedure, you can reduce the time that is required to perform the backup and subsequent restore, as well as the amount of disk space that is required.
1. To start the Windows Server 2003 backup utility, click Start, click Run, type ntbackup, and then click OK.
2. On the Welcome to the Backup or Restore Wizard page, click Advanced Mode, and then click the Backup tab.
3. In the console tree, select the System State check box.
4. In Backup media or file name, type the path and file name for the backup (.bkf) file.
5. Click Start Backup, and then click Advanced.
6. Clear the Automatically backup System Protected Files with the System State check box, and then click OK.
7. Click Start Backup.
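The two wizard procedures above can also be driven from a script, which is how a routine system state backup is usually scheduled. The following PowerShell script is an added example and is not part of the original page; it uses the documented ntbackup.exe command-line switches to produce the same result as the first procedure (verify after backup, access restricted to the owner and Administrators, normal backup type). The share path and job name are placeholders, and it assumes PowerShell 2.0 (for Start-Process) on the domain controller. The advanced option that excludes system-protected files is a GUI-only setting, so this script always creates the larger .bkf.

```powershell
# Added example (not from the original page): scripted system state backup
# with ntbackup.exe, written to an off-box location as the text recommends.

$backupShare = "\\BACKUPSRV\ADBackups"            # placeholder: never the local disk
$jobName     = "System State $env:COMPUTERNAME"
$stamp       = Get-Date -Format "yyyyMMdd-HHmm"
$bkfPath     = Join-Path $backupShare ("{0}-SystemState-{1}.bkf" -f $env:COMPUTERNAME, $stamp)

if (-not (Test-Path $backupShare)) {
    throw "Backup destination $backupShare is not reachable; refusing to fall back to the local disk."
}

# ntbackup switches used:
#   backup systemstate  back up the system state components listed above
#   /J                  job name shown in the backup report
#   /F                  write to a .bkf file instead of tape
#   /M normal           normal (full) backup type, the wizard's default
#   /V:yes              verify data after backup
#   /R:yes              restrict access to the owner and Administrators
#   /L:s                write a summary log
$ntbackupArgs = @(
    "backup", "systemstate",
    "/J", "`"$jobName`"",
    "/F", "`"$bkfPath`"",
    "/M", "normal",
    "/V:yes", "/R:yes", "/L:s"
)

# ntbackup is a Windows application, so wait for it explicitly.
$proc = Start-Process -FilePath "ntbackup.exe" -ArgumentList $ntbackupArgs -Wait -PassThru
if ($proc.ExitCode -ne 0) {
    throw "ntbackup exited with code $($proc.ExitCode); review the ntbackup log before trusting this backup."
}

if (-not (Test-Path $bkfPath)) {
    throw "ntbackup finished but $bkfPath was not created."
}

# Record what was produced so the restore operator can find it later.
$item = Get-Item $bkfPath
Write-Output ("Backup written: {0} ({1:N0} bytes)" -f $item.FullName, $item.Length)
```

Schedule this with the Task Scheduler under an account that is a member of Backup Operators, and keep the summary log with the .bkf so that a verify failure is visible before the backup is ever needed for a restore.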
To restore system state data, the computer must be started in Directory Services Restore Mode. This allows the SYSVOL and the Active Directory database to be restored. System state can only be restored on the local computer.
To perform this procedure, you must provide the Administrator password for Directory Services Restore Mode.
1. Start the computer in Directory Services Restore Mode.
2. To start the Windows Server 2003 backup utility, click Start, point to All Programs, point to Accessories, point to System Tools, and then click Backup.
This procedure provides steps for restoring from backup in Wizard Mode. By default, the Always Start in Wizard Mode check box is selected in the Backup or Restore Wizard. If the Welcome to the Backup Utility Advanced Mode page appears, click Wizard Mode to open the Backup or Restore Wizard.
3. On the Welcome to the Backup or Restore Wizard page, click Next.
4. Click Restore files and settings, and then click Next.
5. Select System State and then click Next.
6. On the Completing the Backup or Restore Wizard page, click Advanced.
7. In Restore files to, click Original Location, and then click Next.
8. Click Leave existing files (Recommended), and then click Next.
9. In Advanced Restore Options, select the following check boxes, and then click Next:
· Restore security settings
· Restore junction points, but not the folders and file data they reference
· Preserve existing volume mount points
10. For a primary restore of SYSVOL, also select the following check box: When restoring replicated data sets, mark the restored data as the primary data for all replicas.
A primary restore is required only if the domain controller that you are restoring is the only domain controller in the domain. A primary restore is required on the first domain controller that is being restored in a domain if you are restoring the entire domain or forest.
11. Click Finish.
12. When the restore process is complete, click Close, and then do one of the following:
· If you do not want to authoritatively restore any objects, click Yes to restart the computer. The system will restart and replicate any new information that is received since the last backup with its replication partners.
· If you want to authoritatively restore any objects or if you want to create an LDAP Data Interchange Format (LDIF) file to restore back-links on this domain controller, click No to remain in Directory Services Restore Mode. For information about how to proceed with authoritative restore
When an object is marked for authoritative restore, its version number is changed so that it is higher than the existing version number of the (deleted) object in the Active Directory replication system. This change ensures that any data that you restore authoritatively is replicated from the restored domain controller to other domain controllers in the forest.
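To make the version-number rule concrete, here is an added PowerShell simulation (not code from the original page) of how replication partners decide which copy of an attribute wins. Active Directory compares the version number first, then the originating timestamp, then the originating DSA invocation ID, and the higher value wins; the versions, timestamps and GUIDs below are constructed for illustration. It shows why a plain nonauthoritative restore loses to the deletion, and why the increment applied by ntdsutil (the verinc option sets it explicitly) lets the restored object win.

```powershell
# Added example (not from the original page): replication conflict
# resolution by version, timestamp and invocation ID, with constructed values.

function New-Stamp {
    param([string]$Label, [int]$Version, [datetime]$Timestamp, [guid]$InvocationId)
    $o = New-Object PSObject
    $o | Add-Member NoteProperty Label        $Label
    $o | Add-Member NoteProperty Version      $Version
    $o | Add-Member NoteProperty Timestamp    $Timestamp
    $o | Add-Member NoteProperty InvocationId $InvocationId
    return $o
}

function Select-ReplicaWinner {
    param($A, $B)
    # Ascending sort on version, then timestamp, then invocation ID;
    # the last element is the stamp that replication keeps.
    $ordered = @($A, $B) | Sort-Object -Property Version, Timestamp, InvocationId
    return $ordered[-1]
}

$dcA = [guid]"11111111-1111-1111-1111-111111111111"   # constructed invocation ID
$dcB = [guid]"22222222-2222-2222-2222-222222222222"   # constructed invocation ID

# The OU's deletion happened after the backup, so on the live partners its
# isDeleted stamp carries a newer version than anything in the backup.
$deletion = New-Stamp "deletion on live DCs" 7 (Get-Date "2023-04-02T10:00:00Z") $dcA

# The same attribute as it comes back from a nonauthoritative restore:
# an older version and an older timestamp, so the deletion wins.
$restored = New-Stamp "nonauthoritative restore" 6 (Get-Date "2023-04-01T08:00:00Z") $dcB
Write-Output ("Nonauthoritative: winner = {0}" -f (Select-ReplicaWinner $deletion $restored).Label)

# "restore subtree" raises the version by a large increment, so the
# restored value outranks the deletion and replicates outward.
$bump = 100000   # constructed increment for the simulation
$authoritative = New-Stamp "authoritative restore" ($restored.Version + $bump) $restored.Timestamp $dcB
Write-Output ("Authoritative:    winner = {0}" -f (Select-ReplicaWinner $deletion $authoritative).Label)
```

The first line prints the deletion as the winner and the second prints the authoritative restore; the timestamp and invocation ID only matter when versions tie, which is why the increment alone is enough to reverse the outcome.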
An authoritative restore should not be used to restore an entire domain controller, nor should it be used as part of a change-control infrastructure. Proper delegation of administration and change enforcement will optimize data consistency, integrity, and security.
In this procedure, you select which objects are to be marked authoritative to have them replicate to other domain controllers. You must have completed a nonauthoritative restore procedure, following which the domain controller has not been restarted and remains in Directory Services Restore Mode. To complete this procedure, you must know the full distinguished name of the object or objects that you want to restore.
To perform this procedure, you must provide the Administrator password for Directory Services Restore Mode.
To mark a subtree or individual object authoritative
1. In Directory Services Restore Mode, click Start, click Run, type ntdsutil, and then press ENTER.
2. At the ntdsutil: prompt, type authoritative restore, and then press ENTER.
3. To restore a subtree or individual object, type one of the following commands, as appropriate, and then press ENTER:
To restore a subtree (for example, an organizational unit and all child objects):
restore subtree DistinguishedName
To restore a single object:
restore object DistinguishedName
DistinguishedName is the distinguished name of the subtree or object that is to be marked authoritative.
4. Click Yes in the message box to confirm the command.
For example, if you want to restore a deleted organizational unit named Marketing NorthAm in the corp.domain.com domain, type:
restore subtree "OU=Marketing NorthAm,DC=corp,DC=Domain,DC=com"
(Always enclose the distinguished name in quotes when there is a space or other special characters within the distinguished name.)
5. Make a note of the location of the .txt and .ldf files, if any. You will use the .ldf file to restore back-links in this domain. You will use the .txt file to generate an LDIF file to restore back-links in a different domain, if necessary. If you have other domains in which you want to restore back-links for this restored object, make a copy of this .txt file to use on a domain controller in another domain.
6. At the authoritative restore: and ntdsutil: prompts, type quit, and then press ENTER.
For example, for an OU named test, the command is:
restore subtree OU=test,DC=Domain,DC=com
Examples for authoritative and nonauthoritative restore modes
On the domain controller that is being restored, an authoritative restore process returns a designated object or container of objects to its state at the time of the backup. For example, you might need to perform an authoritative restore if an administrator inadvertently deletes an organizational unit (OU) containing a large number of users. If you restore the server from backup, the normal, nonauthoritative restore process does not restore the inadvertently deleted OU, because the restored domain controller is updated following the restore process to the current status of its replication partners, which have deleted the OU. Recovering the deleted OU requires an authoritative restore. You can use authoritative restore to mark the OU as authoritative and let the replication process restore it to all the other domain controllers in the domain.
Note: If you can isolate a domain controller in the domain that has not received replication of the deletion, the preliminary nonauthoritative restore from backup is not necessary.
You can restore objects in domain directory partitions, application directory partitions, and the configuration directory partition, as follows:
- Domain directory partitions: You must restore the objects on a domain controller in the domain.
- Application directory partitions: You must restore the objects on a domain controller that hosts the application directory partition. If you delete an entire application directory partition, you must restore the domain naming operations master to recover the application directory partition.
- Configuration directory partitions: You can restore objects on any domain controller in the forest.
When you select objects that you want to replicate authoritatively, it is important to select the object that is as low in the directory subtree as possible while still recovering the deleted objects. In this way, you avoid reverting objects that are not related to the deletion. Objects other than the deleted objects might have been modified after the backup was created.
Global catalog servers store a single, writable domain and a partial, read-only replica of all other domains in the forest. A partial replica means that the global catalog stores all objects, but with a limited set of attributes on each object.
Check the properties of the NTDS Settings object of the server object in Active Directory Sites and Services to confirm that a domain controller is a global catalog server.
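The check above can be scripted instead of opening Sites and Services. The following PowerShell is an added example, not code from the original page: it reads the NTDS Settings object (class nTDSDSA) under the server object in the configuration partition and tests bit 0x1 of its options attribute, which is the global catalog flag. It assumes ADSI access to the configuration partition from a domain member and uses a placeholder server name.

```powershell
# Added example (not from the original page): confirm global catalog status
# from the NTDS Settings object rather than from the GUI.

function Test-GlobalCatalog {
    param([string]$ServerName)

    $rootDse  = [ADSI]"LDAP://RootDSE"
    $configNC = $rootDse.Get("configurationNamingContext")

    # Find the server object wherever it sits under CN=Sites.
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]("LDAP://CN=Sites," + $configNC)
    $searcher.Filter = "(&(objectClass=server)(cn=$ServerName))"
    $result = $searcher.FindOne()
    if ($result -eq $null) { throw "No server object named $ServerName under CN=Sites" }

    $serverDn = $result.Properties["distinguishedname"][0]
    $ntds     = [ADSI]("LDAP://CN=NTDS Settings," + $serverDn)

    # "options" is absent when no flags are set, which means "not a GC".
    $options = 0
    if ($ntds.Properties["options"].Value -ne $null) {
        $options = [int]$ntds.Properties["options"].Value
    }
    return (($options -band 0x1) -eq 0x1)
}

# Cross-check for the local DC only: RootDSE reports isGlobalCatalogReady
# once the GC has completed its initial replication of the partial replicas.
function Get-LocalGcReady {
    $rootDse = [ADSI]"LDAP://RootDSE"
    return [string]$rootDse.Get("isGlobalCatalogReady")
}

$dc = "DC1"   # placeholder server name
Write-Output ("{0} NTDS Settings flags it as a GC: {1}" -f $dc, (Test-GlobalCatalog $dc))
Write-Output ("Local RootDSE isGlobalCatalogReady: {0}" -f (Get-LocalGcReady))
```

Knowing which domain controllers are global catalogs matters before a restore: a restored GC also carries the partial replicas of the other domains, so partition-specific decisions (see the list above) should be made with that in mind.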
To reset the Directory Services Restore Mode (DSRM) administrator password
1. Click Start, click Run, type ntdsutil, and then click OK.
2. At the Ntdsutil command prompt, type set dsrm password.
3. At the DSRM command prompt, type one of the following lines:
· To reset the password on the server on which you are working, type reset password on server null. The null variable assumes that the DSRM password is being reset on the local computer. Type the new password when you are prompted. Note that no characters appear while you type the password.
· To reset the password for another server, type reset password on server servername, where servername is the DNS name for the server on which you are resetting the DSRM password. Type the new password when you are prompted. Note that no characters appear while you type the password.
4. At the DSRM command prompt, type q.
5. At the Ntdsutil command prompt, type q to exit.
· Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)
· Microsoft Windows Server 2003, Standard Edition (32-bit x86)
· Microsoft Windows Small Business Server 2003 Premium Edition
· Microsoft Windows Small Business Server 2003 Standard Edition