Restoring Active Directory Domain Services objects using Authoritative Restore in Windows Server 2012 R2
Authoritative restore is a method to recover objects and containers that have been deleted from AD DS. An authoritative restore marks specific data as current and prevents replication from overwriting that data. The authoritative data is then replicated throughout the domain.
The basic process for performing an authoritative restore of AD DS is the same as a non-authoritative restore except for one step. After the restore of AD DS is complete in DSRM, and before restarting, you manually run NTDSUTIL and mark the objects that you want to restore as AUTHORITATIVE. This command increases the Update Sequence Number (USN) version of all attributes of the selected objects by 100,000 (per day that has passed since the backup was taken). Once restored, these attributes have a much higher version than the production ones, so they replicate to the other DCs and overwrite the copies on every other domain controller in the network to match the restored DC.
In this article, you will “accidentally” delete the user “Prabir Singh” and an “IT” OU, and then restore them using Windows Server Backup (Wbadmin.exe) and NTDSUTIL to perform an authoritative restore of the deleted AD DS objects. For creating the Windows Server Backup, please check my previous article, “How to Backup AD DS Database in Windows Server 2012 R2”.
To delete the user and the OU, perform the following steps:
1. Open Active Directory Users and Computers, expand the required OU, and delete the user and the IT OU as shown in the figure.
To recover a System State backup, perform the following steps:
1. Restart the DC into Directory Services Restore Mode (DSRM). Either press F8 on the keyboard immediately after the BIOS POST screen and before the Windows Server 2012 logo appears, or use one of the following two methods:
i.) At the command prompt, type bcdedit /set safeboot dsrepair and press Enter.
ii.) At the command prompt, type shutdown -r -t 0 to restart the domain controller. OR:
i.) In the Run box, type msconfig and press Enter.
ii.) In the System Configuration window, in the Boot options, check Safe boot and select Active Directory repair. Click OK and then restart the domain controller.
2. Click “Switch User” and log in with .\administrator and the Directory Services Restore Mode (DSRM) password you set when you ran the AD DS installation.
3. Right-click the Safe Mode Start menu and click Command Prompt (Admin).
4. In the command prompt, type wbadmin get versions and press Enter. This lists the backup catalogue for your server, including the version identifier of each backup.
5. To start the restore process, type wbadmin start systemstaterecovery -version:08/22/2014-06:18 and press Enter.
After executing this command you will be prompted to continue. Type “Y” for yes and press Enter. The system state recovery operation starts; this might take a few minutes or longer. Once recovery is finished, you are asked to restart your computer, as shown in the figure. For an authoritative restore, do not restart the system at this point.
To perform an authoritative restore, perform the following steps:
1. After the system state recovery completes, open an administrator Command Prompt, type ntdsutil, and then press Enter.
2. At the ntdsutil: prompt, type activate instance ntds, and then press Enter.
3. At the ntdsutil: prompt, type authoritative restore, and then press Enter.
4. This will bring up the authoritative restore: prompt. At the prompt, type the following commands:
restore object "cn=Prabir Singh,OU=Audit,OU=HeadOffice,DC=msserverpro,DC=com"
restore subtree "OU=IT,OU=HeadOffice,DC=msserverpro,DC=com"
Click Yes in the message box to confirm the authoritative restore. For the user object, one record will be found and successfully updated, and you will see the message Authoritative Restore completed successfully.
Notice that NTDSUTIL increases the attribute version numbers by 100,000.
5. At the authoritative restore: prompt, type quit and press Enter to exit authoritative restore, then type quit again and press Enter to exit ntdsutil.
6. In the same command prompt, type bcdedit /deletevalue safeboot and press Enter.
7. In the command prompt where the system state recovery completed, type “Y” to restart the computer now.
8. Once the DC has restarted in normal mode, log on to the domain controller and press ENTER at the “Press ENTER to continue…” prompt to acknowledge that the system state recovery operation completed successfully.
9. Open Active Directory Users and Computers and verify that the deleted user object and OU have been restored.
This is part of the AD DS disaster recovery procedures. You must test the restore procedures for an authoritative restore before you implement them throughout the organization. This article outlines how to carry out an authoritative restore in Windows Server 2012 R2; it also works in Windows Server 2008 R2. I hope this helps.
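The steps above can be wrapped in a few PowerShell functions so that the DSRM boot flag, the NTDSUTIL marking and the post-reboot check are repeatable and guarded. This is an added example, not code from the article or from Microsoft. It reuses the article's DNs and backup version as sample values, assumes the ActiveDirectory module is installed on the DC, and assumes ntdsutil accepts its commands on redirected standard input (labelled in the code); the wbadmin recovery itself stays interactive exactly as in step 5 above.

```powershell
# Added example, not part of the original article: PowerShell helpers that wrap
# the article's DSRM and ntdsutil steps and verify the result afterwards.
# Assumptions: the DNs, backup ID and domain (msserverpro.com) are the article's
# constructed sample values; the ActiveDirectory module is installed on the DC.
#
# Order of use:
#   1. Set-DsrmBoot                (normal mode, then reboot)
#   2. wbadmin start systemstaterecovery -version:08/22/2014-06:18
#      (interactive, in DSRM; answer Y but do NOT reboot when asked)
#   3. Invoke-AuthoritativeMark    (in DSRM)
#   4. Clear-DsrmBoot, then reboot
#   5. Test-AuthoritativeRestore   (normal mode)

function Set-DsrmBoot {
    # Same as the article's "bcdedit /set safeboot dsrepair": next boot enters DSRM.
    bcdedit /set safeboot dsrepair | Out-Null
    if ($LASTEXITCODE -ne 0) { throw 'bcdedit failed; run from an elevated prompt.' }
}

function Clear-DsrmBoot {
    # Same as "bcdedit /deletevalue safeboot". Skipping this leaves the DC booting
    # into DSRM again, where it serves no clients.
    bcdedit /deletevalue safeboot | Out-Null
    if ($LASTEXITCODE -ne 0) { throw 'bcdedit could not clear the safeboot value.' }
}

function Invoke-AuthoritativeMark {
    param(
        [string[]]$ObjectDn  = @(),   # targets for "restore object"
        [string[]]$SubtreeDn = @()    # targets for "restore subtree"
    )
    # Guard: Windows sets SAFEBOOT_OPTION=DSREPAIR in DSRM. Outside DSRM the NTDS
    # database is in use and ntdsutil cannot mark anything.
    if ($env:SAFEBOOT_OPTION -ne 'DSREPAIR') {
        throw "Not in Directory Services Restore Mode (SAFEBOOT_OPTION='$($env:SAFEBOOT_OPTION)')."
    }
    if (-not $ObjectDn -and -not $SubtreeDn) { throw 'Nothing to restore.' }

    # The same command sequence the article types at the ntdsutil: prompt.
    $commands = @('activate instance ntds', 'authoritative restore')
    foreach ($dn in $ObjectDn)  { $commands += "restore object `"$dn`"" }
    foreach ($dn in $SubtreeDn) { $commands += "restore subtree `"$dn`"" }
    $commands += 'quit', 'quit'

    # Assumption: ntdsutil accepts its commands on redirected standard input, as
    # batch files commonly drive it. It still shows its Yes/No confirmation box.
    $output = $commands | ntdsutil 2>&1 | ForEach-Object { "$_" }
    $output | Write-Host

    # The article's success message is the reliable signal; $LASTEXITCODE is not.
    if (-not ($output -match 'Authoritative Restore completed successfully')) {
        throw 'ntdsutil did not report success; do not reboot until this is resolved.'
    }
    # Back-link data (e.g. group memberships) is written to ar_*.ldf files in the
    # current directory; the list is empty when the objects had no back-links.
    Get-ChildItem -Path . -Filter 'ar_*' -ErrorAction SilentlyContinue
}

function Test-AuthoritativeRestore {
    param(
        [Parameter(Mandatory)][string[]]$Dn,
        [string[]]$DomainController = @()   # default: every DC in the domain
    )
    Import-Module ActiveDirectory
    if (-not $DomainController) {
        $DomainController = (Get-ADDomainController -Filter *).HostName
    }
    $allPresent = $true
    foreach ($dc in $DomainController) {
        foreach ($target in $Dn) {
            try {
                $obj = Get-ADObject -Identity $target -Server $dc -ErrorAction Stop
            } catch {
                Write-Warning "$target is missing on $dc (not yet replicated, or the restore failed)"
                $allPresent = $false
                continue
            }
            # The marked attributes carry a version raised by 100,000 per day since the
            # backup; that high version is why the restored copy wins replication, and
            # LastOriginatingChangeDirectoryServerIdentity should name the restored DC.
            Get-ADReplicationAttributeMetadata -Object $obj -Server $dc |
                Sort-Object Version -Descending | Select-Object -First 3 |
                ForEach-Object {
                    '{0,-25} {1,-18} version={2,-8} originating DC={3}' -f
                        $dc, $_.AttributeName, $_.Version, $_.LastOriginatingChangeDirectoryServerIdentity
                }
        }
    }
    return $allPresent
}

# Usage after the final reboot (DNs from the article):
# Test-AuthoritativeRestore -Dn 'CN=Prabir Singh,OU=Audit,OU=HeadOffice,DC=msserverpro,DC=com',
#                               'OU=IT,OU=HeadOffice,DC=msserverpro,DC=com'
```

Running Test-AuthoritativeRestore against every DC is the check that matters: the restored objects must exist on all of them, and the attribute metadata should show the inflated version numbers with the restored DC as the originating server. If an object is present only on the restored DC, replication has not yet carried the authoritative data (or the version inflation did not happen because the DC was rebooted before the mark).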
MS server pro!
When I type this command
( restore subtree "OU=IT,OU=HeadOffice,DC=msserverpro,DC=com" )
I don't understand this line, can you help me please!
“None of the specified objects have back-links in this domain. No link restore file has been created”