Windows Server 2008 – Active Directory – Authoritative Restore (Part 1)

Although this task has no major complications, it is not something we do every day, so in this article I will first describe what is new in the authoritative restore process in Active Directory on Windows Server 2008 domains, and then the main considerations and points to take into account during the process.

First, as most of you already know, Windows Server 2008 Domain Controllers make it possible to stop and/or restart AD DS (the Active Directory Domain Services service) on its own. While the service is stopped, nobody can temporarily log on through the Domain Controller we are working on, which is an ideal option for companies that occasionally run other services on the affected Domain Controller. Whether or not that is a recommended practice is not an issue we will address at this time.

Let's first go over, in general terms, the global steps needed to handle this task on a Windows Server 2008 Domain Controller:

  1. Stop the Active Directory Domain Services service (net stop ntds).

  2. Restore a valid System State.

  3. Run the ntdsutil authoritative restore command.

  4. Mark the objects to be restored as authoritative.

  5. Start the service again (net start ntds) once the restoration is complete.

Some points to take into account:

  • Always mark objects as authoritative as precisely as possible. If we have to restore a specific set of user accounts, for example, we should not restore the whole OU, because that would affect many other objects that may not need to be restored. Keep in mind as well that restoring an object also restores all of its attributes, for example group memberships, password, etc.

  • The Schema cannot be authoritatively restored. Any task that involves extending the schema must be tested carefully in a lab first.

  • Marking an object as authoritative means that its version number is increased, by default by 100,000 × the age of the backup (in days).
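Putting the five steps together with the two points above about restoring only the objects that need it and about the version increase, the following PowerShell script is an added example and not part of the original article. It drives the ntdsutil part of the procedure (steps 1, 3, 4 and 5) on a Windows Server 2008 Domain Controller; the System State restore of step 2 is done with your backup tool beforehand and is not repeated here. The contoso.com domain, the DNs, and the backup age are placeholders, not values from the article.

```powershell
# Added example (not from the original article): the ntdsutil part of an
# authoritative restore on a Windows Server 2008 Domain Controller, driven
# from an elevated PowerShell prompt on the DC. Run it only AFTER a valid
# System State has been restored (step 2 of the article).
# Assumptions: the DNs, the domain and the backup age below are placeholders.

$BackupAgeDays = 3      # placeholder: days elapsed between the backup and now
$ObjectsToRestore = @(  # only the accounts that really need restoring,
    'CN=jsmith,OU=Sales,DC=contoso,DC=com',   # not the whole OU
    'CN=mlopez,OU=Sales,DC=contoso,DC=com'
)
# DNs without spaces are used on purpose: embedded quotes in native-command
# arguments are awkward in Windows PowerShell, and ntdsutil needs them only
# when a DN contains spaces.

# The article's rule: the default version increment is 100,000 per day of
# backup age. Passing it explicitly with 'verinc' makes the value visible in
# the ntdsutil output and lets you raise it if the objects were modified many
# times since the backup was taken.
$VerInc = 100000 * $BackupAgeDays

function Invoke-Ntdsutil {
    # Runs one non-interactive ntdsutil session; every element of $Commands
    # is one line you would have typed at the ntdsutil prompt.
    param([string[]]$Commands)
    & ntdsutil.exe @Commands
    # ntdsutil's exit code is not always meaningful, so read its output too.
    if ($LASTEXITCODE -ne 0) { throw "ntdsutil exited with code $LASTEXITCODE" }
}

# Step 1: stop AD DS (the restartable AD DS feature the article describes).
# /y answers the prompt about dependent services (KDC, DNS, ...).
net stop ntds /y
if ($LASTEXITCODE -ne 0) { throw 'Could not stop the NTDS service' }

try {
    # Steps 3 and 4: enter 'authoritative restore' and mark only the chosen
    # objects. 'restore subtree <OU DN>' would mark everything under the OU,
    # which is exactly what the article advises against.
    $session = @('activate instance ntds', 'authoritative restore')
    foreach ($dn in $ObjectsToRestore) {
        $session += "restore object $dn verinc $VerInc"
    }
    $session += @('quit', 'quit')
    Invoke-Ntdsutil -Commands $session
}
finally {
    # Step 5: start the service again even if marking failed, so the DC is
    # not left with AD DS stopped.
    net start ntds
}

# Check after the service is back: the restored object's replication
# metadata should show the raised version numbers on its attributes.
repadmin /showobjmeta localhost $ObjectsToRestore[0]
```

The try/finally keeps the DC from being left with AD DS stopped if ntdsutil fails partway through, and the repadmin call at the end gives a quick way to confirm that the version increase was actually applied before the change replicates to the other Domain Controllers.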

In the next part, I will continue with other features and considerations of the authoritative restore process, along with further examples.



Comments (2)

  1. Anonymous says:

    Active Administrator can recover Active Directory objects in a very granular way, down to a single attribute of a single object.

    The thing I like best about this product is that it can do it even without rebooting into Directory Services Restore Mode, while keeping the domain controller online.
