Windows Server 2003 : Restoring Active Directory

11/15/2010 2:56:52 PM

In the same way that System State components can be backed up only as a single logical group, individual components of the System State cannot be restored individually. As such, an administrator cannot choose to restore Active Directory without also restoring the registry, COM+ Class Registration database, system boot files, and so forth.

Different methods can be used to restore Active Directory on a domain controller. These include:

  • Normal restore (nonauthoritative restore)

  • Authoritative restore

  • Primary restore

Each of these methods is associated with a specific set of circumstances surrounding the need to restore Active Directory System State data. The following sections look at each restore method in more detail.

Normal Restore

During a normal restore operation (sometimes referred to as a nonauthoritative restore), the data and distributed services on a domain controller are restored from backup media, and then updated through normal replication. Each restored directory partition is updated via normal domain controller replication after you perform the restore process. For example, if the last backup was performed a week ago, and the System State is restored using a normal restore, any changes that were made after this backup was created will be replicated from the other domain controllers. So, if a restored backup in this situation includes a user object named Mark, and the Mark user object was deleted from Active Directory at some point after the backup was created, the Mark user object will also be deleted on the restored domain controller via the replication process. This occurs because the deletion of the Mark user object is considered more recent data in this case. If your specific goal was to restore the deleted Mark user object, an authoritative restore would need to be performed. To perform a normal restore of System State data, a domain controller must be started in Directory Services Restore Mode.

The primary reasons for performing a normal restore of System State data on a domain controller include:

  • Restoring a single domain controller in an environment that includes multiple domain controllers

  • Attempting to restore Sysvol or File Replication service (FRS) data on domain controllers other than the first in a replica set

Authoritative Restore

Another method that can be used to restore System State data is known as an authoritative restore. The main purpose of an authoritative restore is to undo or roll back changes that have been made to Active Directory, or to reset data stored in a distributed directory such as Sysvol. As you learned in the previous section, when System State data is restored using the normal restore method, the domain controller replication process will overwrite any changes that have occurred since the restored backup was taken. If your goal is to restore an object that was deleted or changed, an authoritative restore allows you to mark restored objects as being authoritative, thus disallowing the restored object to be deleted or updated according to the information currently stored on other domain controllers.

To perform an authoritative restore of System State data, a domain controller must be started in Directory Services Restore Mode. To authoritatively restore Active Directory data, you must run the Ntdsutil.exe utility after you have performed a normal restore of the System State data, but before you restart the server. The Ntdsutil utility allows you to mark Active Directory objects as authoritative. Marking objects as authoritative ultimately changes the update sequence number of an object, such that it is higher than any other update sequence number in the Active Directory replication system. This ensures that any replicated or distributed data that you have restored is properly replicated or distributed throughout your organization according to your intentions.

For example, suppose you back up the system on Monday, and then create a new user object named Ben Smith on Tuesday. This object will be replicated to all other domain controllers in the domain. On Wednesday, another user object named Nancy Anderson is accidentally deleted, a change which is replicated to other domain controllers as well. To authoritatively restore the Nancy Anderson object, you can start a domain controller in Directory Services Restore Mode and restore the backup created on Monday. Then, using Ntdsutil, you can mark the Nancy Anderson object as authoritative. After restarting the server normally, the Nancy Anderson object will be restored and replicated, without any impact on the Ben Smith object.

The primary reasons for performing an authoritative restore of System State data on a domain controller include:

  • Rolling back or undoing changes to Active Directory objects and replica sets

  • Resetting the data stored in the Sysvol folder

Primary Restore

A primary restore is used to rebuild a domain from a backup when all domain controllers (or the only domain controller) in a domain have failed. If a domain is lost, the first domain controller should be restored using a primary restore, and any subsequent domain controller should be restored using a normal restore. Like the other restore methods listed in this lesson, a server must be started in Directory Services Restore Mode to perform a primary restore. The primary reasons for performing a primary restore of System State data on a domain controller include:

  • Restoring the only domain controller in an Active Directory environment

  • Restoring the first of several domain controllers

  • Restoring the first domain controller in a replica set

Tip

Know when to use a primary, normal, or authoritative restore for System State data.


Preliminary Restore Tasks

In a manner similar to the backup process, restoring System State data involves performing preliminary tasks to ensure that your restore device and media will function correctly. Common preliminary tasks associated with restoring System State data include:

  • Ensuring that the appropriate device for the storage medium containing the data is attached to the computer on which the restore will be performed

  • Ensuring that the medium containing the data to be restored is loaded in the device

Note

You can restore System State data only on a local computer when using the Windows Server 2003 Backup Utility. This program does not support restoring System State data to remote computers.


Performing a Normal Restore

To restore the System State data on a domain controller, you must first start the server in Directory Services Restore Mode. This mode allows you to restore the Sysvol folder and the Active Directory database without causing conflicts with other domain controllers. Remember that you can restore System State data only on a local computer when using the Windows Server 2003 Backup Utility.

While you cannot restore System State data to a remote computer, you can restore System State data to an alternate location—in other words, a destination folder of your choice. By restoring to an alternate location, you preserve the file and folder structure of the backed-up data, meaning that all folders and subfolders appear in the alternate folder you specify.

Note

If you restore System State data without designating an alternate location, the Windows Server 2003 Backup Utility will erase existing System State data and replace it with the data you are restoring. Also, if you restore the System State data to an alternate location, only the registry files, Sysvol folder files, Cluster database information files (if applicable), and system boot files are restored to the alternate location. The Active Directory database, Certificate Services database (if applicable), and COM+ Class Registration database are not restored if you designate an alternate location.


To perform a normal restore of System State data on a domain controller, complete the following steps:

1. Restart the computer.

2. During the phase of startup where the operating system is normally selected, press F8.

3. At the Windows Advanced Options Menu, select Directory Services Restore Mode (Windows domain controllers only) and press ENTER. This ensures that Active Directory on this domain controller is offline.

4. At the Please Select The Operating System To Start menu, select the appropriate Microsoft Windows Server 2003 operating system and press ENTER.

5. Log on using the local Administrator account.

Note

When you restart the computer in Directory Services Restore Mode, you must log on as an Administrator by using the valid Security Accounts Manager (SAM) account name and password, not the Active Directory Administrator’s name and password. The password to be used when logging on is the Directory Services Restore Mode password that was supplied when the server was promoted to the role of a domain controller using the Active Directory Installation Wizard.

6. In the Desktop message box that warns you that Windows is running in safe mode, click OK.

7. Click Start, select All Programs, select Accessories, select System Tools, and then click Backup.

8. At the Welcome To The Backup Or Restore Wizard page, click Next.

9. At the Backup Or Restore page, select Restore Files And Settings. Click Next.

10. At the What To Restore page shown in Figure 1, expand the media type that contains the data that you want to restore in the Items To Restore box, or click Browse. The media can be either tape or file. Expand the appropriate media set until the data that you want to restore is visible. Select the data you want to restore, such as System State, and then click Next.

Figure 1. What To Restore page with System State data selected for restore


11. Ensure that the media containing the backup file is in the correct location.

12. At the Completing The Backup Or Restore Wizard page, do one of the following:

  • Click Finish to start the restore process. The Backup Or Restore Wizard requests verification for the source of the restore data and then performs the restore. During the restore, the Backup Or Restore Wizard displays status information about the restore.

  • Click Advanced to specify advanced restore options. The advanced restore options for a normal restore are discussed later in the section “Specifying Advanced Restore Settings for a Normal Restore.”

13. In the Warning message box that warns you that restoring System State will always overwrite current System State, click OK.

14. The Restore Progress dialog box displays status information about the restore process. As with the backup process, when the restore is complete, you can choose to view the report of the restore. The report contains information about the restore, such as the number of files that have been restored and the duration of the restore process.

15. Close the report when you have finished viewing it, and then click Close.

16. When prompted to restart the computer, click Yes.

Real World: Shutdown Event Tracker

You’ve probably noticed that Windows Server 2003 includes a new feature that requires you to provide a reason each time you shut down or restart the server. This feature is known as the Shutdown Event Tracker. If you are working in a test environment, you might choose to disable this feature to avoid the hassle of typing in a reason each time you restart. To disable this feature, you can perform the following steps:

1. Click Start, click Run, type gpedit.msc, and press ENTER.

2. Expand the Computer Configuration and Administrative Templates objects. Click the System object. In the right-most pane, you’ll see several settings.

3. Locate and double-click Display Shutdown Event Tracker. The Display Shutdown Event Tracker Properties dialog box opens.

4. Click the Disabled option to disable the Shutdown Event Tracker. Click OK. Close the Group Policy Editor console.

Now when you shut down this server, you won’t be asked to enter a reason.


Specifying Advanced Restore Settings for a Normal Restore

The advanced settings in the Backup Or Restore Wizard vary depending on the type of backup media from which you are restoring.

To specify advanced restore settings for a normal System State restore, complete the following steps:

1. At the Where To Restore page, select the target location for the data that you are restoring in the Restore Files To list. The choices in the list are:

  • Original location: Replaces corrupted or lost data. This is the default option, and it must be selected to restore Active Directory.

  • Alternate location: Restores an earlier version of a file to a folder you designate.

  • Single folder: Consolidates the files from a tree structure into a single folder. For example, use this option if you want copies of specific files but do not want to restore the hierarchical structure of the files.

Note

If you select either the Alternate Location or Single Folder option, you must also provide a path to the location or folder.

2. Click Next.

3. At the How To Restore page, select how you want to restore the System State data. The options include:

  • Leave existing files (recommended): Prevents accidental overwriting of existing data. This is the default option.

  • Replace existing files if they are older than the backup files: Verifies that the most recent copy exists on the computer.

  • Replace existing files: Ensures that the Backup Utility does not provide a confirmation message if it encounters a duplicate file name during the restore operation.

4. Click Next.

5. At the Advanced Restore Options page, select whether or not to restore security or special system files. The options include:

  • Restore security settings: Applies the original permissions to files that you are restoring to a Windows NTFS volume. Security settings include access permissions, audit entries, and ownership information. This option is available only if you have backed up data from an NTFS volume and are restoring to an NTFS volume.

  • Restore junction points, but not the folders and file data they reference: Restores junction points on your hard disk, but not the data to which the junction points refer. If you have any mounted drives and you want to restore the data that mounted drives point to, you should not select this check box.

  • Preserve existing volume mount points: Prevents the restore operation from writing over any volume mount points on the destination volume. If you are restoring data to a replacement drive, and you have partitioned and formatted the drive and restored volume mount points, you should select this option so your volume mount points are not overwritten. If you are restoring data to a partition or drive that you have just reformatted, and you want to restore the old volume mount points, you should not select this option.

  • Restore the Cluster Registry to the quorum disk and all other nodes: Makes certain that the cluster quorum database is restored and replicated on all nodes in a server cluster. If selected, the Backup Or Restore Wizard will stop the Cluster service on all other nodes of the server cluster after the node that was restored reboots.

  • When restoring replicated data sets, mark the restored data as the primary data for all replicas: Ensures that restored File Replication service (FRS) data is replicated to your other servers. If you are restoring FRS data, you should choose this option. If you do not choose this option, the FRS data that you are restoring might not be replicated to other servers because the restored data will appear to be older than the data already on the servers. This will cause the other servers to overwrite the restored data, preventing you from restoring the FRS data.

6. Click Next.

7. On the Completing The Backup Or Restore Wizard page, click Finish to start the restore process. The Backup Or Restore Wizard requests verification for the source of the restore data and then performs the restore. During the restore, the Backup Or Restore Wizard displays status information about the restore.

Performing an Authoritative Restore

An authoritative restore occurs after a normal restore and is used to designate that the entire directory, a distinct portion of the directory, or individual objects should be marked as authoritative. An authoritative restore is most commonly used to restore accidentally deleted objects or roll back any unwanted changes to Active Directory data.

To authoritatively restore a portion or all of Active Directory, complete the following steps:

1. Perform a normal restore as described previously, but do not restart the server once complete.

2. Click Start, and then click Command Prompt.

3. At the command line, type ntdsutil and press ENTER.

4. At the Ntdsutil prompt, type authoritative restore and press ENTER.

5. At the authoritative restore prompt, do one of the following:

  • To authoritatively restore the entire directory, type restore database and press ENTER.

  • To authoritatively restore a portion or subtree of the directory, such as an OU, type restore subtree subtree_distinguished_name and press ENTER.

    For example, to restore the Marketing OU in the contoso.com domain, the commands would be:

    ntdsutil
    authoritative restore
    restore subtree OU=Marketing,DC=Contoso,DC=Com

    Similarly, to restore a user account named Mark stored in the Users container in the contoso.com domain, the commands would be:

    ntdsutil
    authoritative restore
    restore subtree CN=Mark,CN=Users,DC=Contoso,DC=Com

  • To authoritatively restore the entire directory and override the version increase, type restore database verinc version_increase and press ENTER.

  • To authoritatively restore a subtree of the directory and override the version increase, type restore subtree subtree_distinguished_name verinc version_increase and press ENTER.

After the Restore Subtree command is issued with correct parameters, the Authoritative Restore Confirmation Dialog window shown in Figure 2 will prompt you to confirm your decision.

Figure 2. Authoritative Restore Confirmation Dialog window


The authoritative restore opens the Ntds.dit file, increases version numbers, counts the records that need updating, verifies the number of records updated, and reports completion. If a version number increase is not specified, then one is automatically calculated.

6. Type quit, and press ENTER twice to exit the Ntdsutil utility. Then close the Command Prompt window.

7. Restart the domain controller normally. When the restored domain controller is online and connected to the network, normal replication brings the restored domain controller up to date with any changes from other domain controllers that were not overridden by the authoritative restore. Replication also propagates the authoritatively restored objects, such as any previously deleted objects, to other domain controllers. Because the objects that are restored have the same object globally unique identifier (GUID) and SID (if applicable), security remains intact, and object dependencies are maintained.