
Restoring Active Directory Domain Services objects using Authoritative Restore in Windows Server 2012 R2
Authoritative restore is a method to recover objects and containers that have been deleted from AD DS. An authoritative restore marks specific data as current and prevents replication from overwriting that data. The authoritative data is then replicated throughout the domain.
The basic process for performing an authoritative restore of AD DS is the same as for a non-authoritative restore except for one step. After the restore of AD DS completes in DSRM, and before restarting, you manually run NTDSUTIL and mark the object that you want to restore as authoritative. This command increases the Update Sequence Number (USN) version of all attributes of the selected object by 100,000 (per day passed since the backup was taken). Once restored, these attributes have a much higher version than the production ones, so they replicate to the other DCs, overwriting every other domain controller in the network to match the restored DC.
In this article, you will “accidentally” delete the user “Prabir Singh” and an “IT” OU, and then restore them using Windows Server Backup (Wbadmin.exe) and NTDSUTIL to perform an authoritative restore of the deleted AD DS objects. For the Windows Server Backup itself, please see my previous article, “How to Backup AD DS Database in Windows Server 2012 R2”.
To delete the user and the OU, perform the following steps:
1. Open Active Directory Users and Computers, expand the required OU, and delete the user and the IT OU as shown in the figure.
To recover a System State Backup, perform the following steps:
1. Restart the DC into Directory Services Restore Mode (press F8 immediately after the BIOS POST screen and before the Windows Server 2012 logo appears) OR
i.) At the command prompt, type bcdedit /set safeboot dsrepair and press Enter.
ii.) At the command prompt, type shutdown -r -t 0 to restart the Domain Controller.
OR
ii.) In the Run box, type msconfig and press Enter.
iii.) In the System Configuration window, under Boot options, check Safe boot and select Active Directory repair. Click OK and then restart the Domain Controller.
2. Log in with .\administrator and the Directory Services Restore Mode (DSRM) password you set when you ran the AD DS installation, by clicking “Switch User”.
3. Right-click the Safe Mode Start menu and click Command Prompt (Admin).
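The same procedure, written as an added PowerShell example that is not part of the original article: one function per phase (flag the DSRM boot, restore and mark authoritative inside DSRM, verify after reboot). The OU distinguished name is taken from the comment section of this page; the backup target drive and backup version string are placeholders you replace with the values `wbadmin get versions` prints.

```powershell
# Added example (not from the original article). Run from an elevated prompt on the DC.
# Assumptions: OU DN from the page's comment section; backup target and version are placeholders.

function Enter-DsrmBoot {
    # Phase 1 (normal mode): flag the next boot for Directory Services Restore Mode.
    bcdedit /set safeboot dsrepair
    shutdown -r -t 0
}

function Restore-AuthoritativeSubtree {
    # Phase 2 (inside DSRM, logged on as .\administrator with the DSRM password).
    param(
        [string]$BackupTarget = 'E:',                                   # placeholder
        [string]$Version      = '05/01/2015-20:00',                     # placeholder
        [string]$SubtreeDn    = 'OU=IT,OU=HeadOffice,DC=msserverpro,DC=com'
    )
    # List the system state backups on the target and confirm $Version is among them.
    wbadmin get versions -backupTarget:$BackupTarget
    # Non-authoritative system state restore first (brings NTDS.dit back from backup).
    wbadmin start systemstaterecovery -version:$Version -backupTarget:$BackupTarget -quiet
    # Before rebooting, mark the subtree authoritative. ntdsutil raises the version of
    # every attribute so this copy wins replication. If the restored objects carry
    # back-links (group memberships), it also writes an ar_*.ldf link-restore file;
    # otherwise it reports "No link restore file has been created", which is normal.
    ntdsutil 'activate instance ntds' 'authoritative restore' "restore subtree $SubtreeDn" quit quit
    # Clear the DSRM flag so the next boot is a normal one, then restart.
    bcdedit /deletevalue safeboot
    shutdown -r -t 0
}

function Test-AuthoritativeRestore {
    # Phase 3 (normal mode, after replication has run): the object exists again and
    # its attribute versions jumped, which shows the restored copy won.
    param([string]$Dn = 'OU=IT,OU=HeadOffice,DC=msserverpro,DC=com')
    Get-ADObject -Identity $Dn -Properties whenChanged
    repadmin /showobjmeta $env:COMPUTERNAME $Dn          # compare the Ver column
    # Import any link-restore file ntdsutil wrote in phase 2 (in its working directory)
    # to rebuild group memberships of the restored objects.
    Get-ChildItem -Path 'ar_*.ldf' -ErrorAction SilentlyContinue |
        ForEach-Object { ldifde -i -k -f $_.FullName }
}
```

Call one function per phase in order; the reboots between phases mean the script is not run end to end.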
Summary:
This is part of the AD DS disaster recovery procedures. You must test the restore procedures for an authoritative restore before you implement them throughout the organization. The article above outlines how to carry out an authoritative restore in Windows Server 2012 R2; it also works in Windows Server 2008 R2. I hope this helps.
MS server pro!
Hi,
when I type this command
( restore subtree “OU=IT,OU=HeadOffice,DC=msserverpro,DC=com” )
I don't understand this line, can you help me please!
“None of the specified objects have back-links in this domain. No link restore file has been created”
thank you!