Restoring Active Directory Domain Services objects using Authoritative Restore in Windows Server 2012 R2
Authoritative restore is a method to recover objects and containers that have been deleted from AD DS. An authoritative restore marks specific data as current and prevents replication from overwriting that data. The authoritative data is then replicated throughout the domain.
The basic process for performing an authoritative restore of AD DS is the same as a non-authoritative restore except for one step. After the restore of AD DS is complete in DSRM, and before restarting, you manually run NTDSUTIL and mark the object that you want to restore as authoritative. This command increases the Update Sequence Number (USN) version of all attributes of the selected object by 100,000 (per day passed since the backup was taken). Once restored, these changes have a much higher version than the production ones, so they replicate to the other DCs, overwriting the copies on every other domain controller in the network to match the restored DC.
In this article, you will “accidentally” delete the user “Prabir Singh” and an “IT” OU, and then restore them using Windows Server Backup (Wbadmin.exe) and NTDSUTIL to perform an authoritative restore of the deleted AD DS objects. For the Windows Server Backup itself, please check my previous article, “How to Backup AD DS Database in Windows Server 2012 R2”.
To delete the user and the OU, perform the following steps:
1. Open Active Directory Users and Computers, expand the required OU, and delete the user and the IT OU as shown in the figure.
ii.) In the Run box, type msconfig and press Enter.
iii.) In the System Configuration window, under Boot options, check Safe boot and select Active Directory repair. Click OK and then restart the Domain Controller.
4. In the command prompt, type wbadmin get versions and press Enter. This shows the backup catalogue for your server, including the version identifier of each image backup.
5. To start the restore process, type wbadmin start systemstaterecovery -version:08/22/2014-06:18 and press Enter. You will be prompted to continue; type “Y” for yes and press Enter. The system state recovery operation starts and might take a few minutes or longer. Once recovery is finished, you are asked to restart your computer, as shown in the figure. For an authoritative restore, do not restart the system at this point.

To perform the authoritative restore, perform the following steps:
1. After the system state recovery completes, open an Administrator: Command Prompt, type ntdsutil, and then press Enter.
2. At the ntdsutil: prompt, type activate instance ntds, and then press Enter.
3. At the ntdsutil: prompt, type authoritative restore, and then press Enter.
4. This brings up the authoritative restore: prompt. At the prompt, type the following command:
restore object “cn=Prabir Singh,OU=Audit,OU=HeadOffice,DC=msserverpro,DC=com”
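The same procedure driven from an elevated PowerShell prompt on the DC, added here as an example and not taken from the article. It uses the DN and backup version shown above; the DSRM check via bcdedit, the wbadmin -quiet switch, passing the ntdsutil commands as arguments, and the post-reboot repadmin check are my additions, and $ObjectDn, $BackupVersion and $ntdsArgs are hypothetical variable names.

```powershell
# Added example (not from the article): authoritative restore of one deleted
# user, scripted end to end on a DC that has already been rebooted into DSRM.
# Assumed values: the DN and backup version are the ones the article shows.
$ObjectDn      = 'cn=Prabir Singh,OU=Audit,OU=HeadOffice,DC=msserverpro,DC=com'
$BackupVersion = '08/22/2014-06:18'

# Guard: refuse to run unless the DC is really in DSRM. msconfig's
# "Active Directory repair" option stores a "safeboot DsRepair" entry in the BCD.
$bcd = bcdedit /enum '{current}' | Out-String
if ($bcd -notmatch 'safeboot\s+DsRepair') {
    throw 'Not booted into Directory Services Restore Mode; aborting.'
}

# Step 4: list the backup catalogue and confirm the requested version exists,
# so a typo in the version string fails here rather than half-way through.
$catalog = wbadmin get versions | Out-String
if ($catalog -notmatch [regex]::Escape($BackupVersion)) {
    throw "Backup version $BackupVersion not found in the wbadmin catalogue."
}

# Step 5: non-authoritative system state recovery; -quiet answers the Y/N prompt.
wbadmin start systemstaterecovery -version:$BackupVersion -quiet
if ($LASTEXITCODE -ne 0) { throw "wbadmin failed with exit code $LASTEXITCODE" }

# Authoritative restore (steps 1-4) BEFORE any reboot. ntdsutil accepts its
# interactive commands as arguments; the DN contains a space, so it is wrapped
# in \" quotes, which the C runtime turns into literal quotes for ntdsutil.
$ntdsArgs = "`"activate instance ntds`" `"authoritative restore`" " +
            "`"restore object \`"$ObjectDn\`"`" quit quit"
$p = Start-Process -FilePath ntdsutil.exe -ArgumentList $ntdsArgs `
                   -Wait -NoNewWindow -PassThru
if ($p.ExitCode -ne 0) { throw "ntdsutil exited with code $($p.ExitCode)" }

# Only now leave DSRM and restart. After the reboot, confirm the attribute
# version numbers were raised before replication could pull in the production
# copy (the .. and the DN are the restored DC and the object):
#   repadmin /showobjmeta . "cn=Prabir Singh,OU=Audit,OU=HeadOffice,DC=msserverpro,DC=com"
bcdedit /deletevalue '{current}' safeboot
Restart-Computer -Force
```

Read the ntdsutil output in the console as well as its exit code: a "restore object" that finds no such object in the restored database still reports that in its text.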
This is part of the AD DS disaster recovery procedures. You must test the restore procedures for an authoritative restore before you implement them throughout the organization. The above article outlines how to carry out an authoritative restore in Windows Server 2012 R2. It will also work in Windows Server 2008 R2. I hope this helps.