Join The Petri Insider

  • -Weekly Tutorials and Tips
    -Whitepaper Downloads
    -The Latest IT Webinars

Quick Links
Sponsored
Popular Articles
Resources
Sponsors

How to Restore Windows Server 2003 Active Directory

by Daniel Petri - January 8, 2009

In the Windows Server 2003 family, you can restore the Active Directory database if it becomes corrupted or is destroyed because of hardware or software failures. You must restore the Active Directory database when objects in Active Directory are changed or deleted.

Free Tools That Simplify Active Directory Administration!

If managing users and computers on Active Directory has become a burden, let SolarWinds free trio of AD Admin Tools provide you relief! With the inactive user and computer account removal tools, and the user import tool, you can manage and remove computers and users from Active Directory, and you can add users in bulk. These tools run on current Windows® versions, and are even certified with Windows 7 through a strategic relationship with Microsoft®!

Download SolarWinds free trio of AD Admin Tools here >

Note: There is an option to restore Active Directory objects that have been deleted and are now in a phase called "tombstone". These items are hidden from the GUI and await their cleanup by a process called "garbage collection". Read more about it on my "Recovering Deleted Items in Active Directory" article.

You can use one of the three methods to restore Active Directory from backup media: Primary Restore, Normal Restore (i.e. Non Authoritative), and Authoritative Restore.

  • Primary Restore: This method rebuilds the first domain controller in a domain when there is no other way to rebuild the domain. Perform a primary restore only when all the domain controllers in the domain are lost, and you want to rebuild the domain from the backup. Members of the Administrators group can perform the primary restore on local computer. On a domain controller, only members of the Domain Admins group can perform this restore.
  • Normal Restore: This method reinstates the Active Directory data to the state before the backup, and then updates the data through the normal replication process. Perform a normal restore for a single domain controller to a previously known good state.
  • Authoritative Restore: You perform this method in tandem with a normal restore. An authoritative restore marks specific data as current and prevents the replication from overwriting that data. The authoritative data is then replicated through the domain. Perform an authoritative restore for individual object in a domain that has multiple domain controllers. When you perform an authoritative restore, you lose all changes to the restore object that occurred after the backup. You need to use the NTDSUTIL command line utility to perform an authoritative restore. You need to use it in order to mark Active Directory objects as authoritative, so that they receive a higher version recently changed data on other domain controllers does not overwrite System State data during replication.

    • For example, if you inadvertently delete or modify objects in Active Directory, and those objects were thereafter replicated to other DCs, you will need to authoritatively restore those objects so they are replicated or distributed to the other servers. If you do not authoritatively restore the objects, they will never get replicated or distributed to your other servers because they will appear to be older than the objects currently on your other DCs. Using the NTDSUTIL utility to mark objects for authoritative restore ensures that the data you want to restore gets replicated or distributed throughout your organization.

    On the other hand, if your system disk has failed or the Active Directory database is corrupted, then you can simply restore the data normally without using NTDSUTIL. After rebooting the DC, it will receive newer updates from other DCs.

    Links

    Related Articles



    Join The Petri Insider - Weekly IT Tutorial and Tips, Whitepaper and Webinars

    Sponsors
    *