13.3 Restoring Active Directory

No one ever wants to be in a position where you have to restore Active Directory, but nevertheless you should prepare for it. Restoring Active Directory comes in a few different flavors, which we'll cover now.

13.3.1 Nonauthoritative Restore

A nonauthoritative restore is a restore where you simply bring a domain controller back to a known good state using a backup. You then let replication resync the contents of the latest changes in Active Directory since the backup. The restore from backup method we described earlier to handle DC failures is an example of a nonauthoritative restore. The only difference between that scenario and the one we'll describe here is that previously we assumed that the failed server you rebuilt or replaced was not a domain controller yet. There may be some circumstances when you want to perform a similar restore, but the server is a domain controller. One example might be if some changes were made on a particular domain controller that you wanted to take back. If you were able to disconnect the domain controller from the network in time before it replicated, you could perform a nonauthoritative restore to get it back to a known state before the changes were made. This would effectively nullify the changes as long as they didn't replicate to another server.

A nonauthoritative restore simply restores Active Directory without marking any of the data as authoritative. Since the data will be "nonauthoritative," any changes that have happened since the backup will replicate to the restored server. Also, any changes that were made on the server that had not replicated will be lost.

To perform a nonauthoritative restore of a domain controller, you need to boot the DC into "Directory Services Restore Mode." The reason you have to do this is that when a domain controller is live, it locks the Active Directory database (ntds.dit) in exclusive mode. That means that no other process can modify its contents. To restore over the DIT file, you must boot into DS Restore Mode, which is a version of Safe Mode for domain controllers. If you try to restore a live domain controller, you'll get an error like the one shown in Figure 13-4.

Figure 13-4. Restore error on a live domain controller

You can get into DS Restore Mode by hitting the F8 key during the initial system startup. After doing so you'll see the screen shown in Figure 13-5.

Figure 13-5. Directory Services Restore Mode

Once you receive a logon prompt, you have to log in with the DS Restore Administrator account and password. You set the password for this account when you initially dcpromo the machine into Active Directory. Since Active Directory is offline in DS Restore Mode, you have to log in with the local Administrator account that is stored in the local SAM and that can only be used in this mode.

After logging into the system, you'll need to bring up the NT Backup utility or other backup software. We will walk through how to do the restore using NT Backup. After clicking Next at the initial wizard screen, you'll see the screen shown in Figure 13-6.

Figure 13-6. Backup or restore options

Select "Restore Files and Settings" and click Next. You'll now be brought to a screen to select what to restore. You should restore at least the System State, but you can also restore the System Drive and other drives if necessary. Figure 13-7 shows the selection screen.

Figure 13-7. Restore selection

After you've made your selection and clicked Next, the summary screen will be displayed showing what will be restored. Before finishing, you need to click the Advanced button and walk through the advanced screens to ensure that junction points will be restored, as shown in Figure 13-8.

Figure 13-8. Restore junction points

Click Finish to kick off the restore. After the restore is complete, you'll need to reboot into normal mode. At this point, the domain controller will replicate the latest changes with its replication partners. Give time for the replication to complete and then monitor the server and check the event logs to make sure it is functioning correctly.

13.3.2 Partial Authoritative Restore

In some situations, you may need to restore data in Active Directory. In the examples we've shown so far of restoring a domain controller and performing a nonauthoritative restore, we simply wanted to get the domain controller back up and running. There are certain situations, though, in which you may need to do an authoritative restore. Here are a few examples:

  • Accidental deletion of important objects

  • Accidental deletion of a subtree

  • Corruption of objects or the entire directory

  • Reversing certain object additions or modifications

In all of these scenarios, you can do a partial authoritative restore to reverse the changes. If the entire directory gets corrupted, you'll need to do a complete authoritative restore, which we will touch on shortly.

You have two options for doing an authoritative restore. You can either find a domain controller that still has the correct data, perhaps because the changes haven't replicated to it yet, or you can restore the data from a backup. In either case, you need to boot into DS Restore Mode as described in the previous section. Again, this is necessary because the Active Directory database is locked when the DC is live, and no modifications can be made. Once you are in DS Restore Mode, you can restore from backup if necessary, as described earlier.

At this point we need to mark the data we want restored as authoritative in our offline Active Directory database. This is done with the ntdsutil utility. There are several options to choose from under the authoritative restore menu shown here:

ntdsutil: authoritative restore
authoritative restore: ?
 ?                             - Show this help information
 Help                          - Show this help information
 List NC CRs                   - Lists Partitions and cross-refs.  You need
                                 the cross-ref of a Application Directory
                                 Partition to restore it.
 Quit                          - Return to the prior menu

 Restore database              - Authoritatively restore entire database
 Restore database verinc %d    - ... and override version increase
 Restore object %s             - Authoritatively restore an object
 Restore object %s verinc %d   - ... and override version increase
 Restore subtree %s            - Authoritatively restore a subtree
 Restore subtree %s verinc %d  - ... and override version increase
authoritative restore:

When doing a partial restore, you can use either the restore object %s subcommand to restore a single object or the restore subtree %s subcommand to restore an entire subtree of objects. In the following example, we will restore the jsmith user object:

authoritative restore: restore object cn=jsmith,ou=sales,dc=mycorp,dc=com
Opening DIT database... Done.
The current time is 02-16-03 10:15.54.
Most recent database update occured at 02-14-03 12:29.37.
Increasing attribute version numbers by 200000.
Counting records that need updating...
Records found: 0000000004
Found 4 records to update.
Updating records...
Records remaining: 0000000000
Successfully updated 4 records.
Authoritative Restore completed successfully.
authoritative restore: quit

As you can see, ntdsutil increases the object's version number (USN) by 200,000. This is how it is marked as authoritative in the database. After you reboot into normal mode, the domain controller will check with its replication partners and determine that the jsmith user object has a higher USN than the version its partners have. It will then replicate this out to them. And likewise, all other objects that have been updated on the partner will be replicated to this server.

If for whatever reason the automatic increase of 200,000 is not enough for the object(s), you can use the alternate subcommand restore object %s verinc %d, where %d is the amount by which to increase the version number.

13.3.3 Complete Authoritative Restore

Restoring the entire Active Directory database is similar in concept to restoring individual objects or subtrees, except you are restoring all of the objects. This should be done with caution and only under the most extreme situations. We highly recommend that you test this out in a lab environment to ensure you have the process correctly documented and you actually have experience with doing restores.

Again, to run the restore command, you have to be in DS Restore Mode, and you need to have restored the system from backup as described in Section 13.3.1. The following is example output from the restore database subcommand.

authoritative restore: restore database
Opening DIT database... Done.
The current time is 02-16-03 10:29.21.
Most recent database update occured at 02-16-03 10:15.54.
Increasing attribute version numbers by 100000.
Counting records that need updating...
Records found: 0000005126
Found 5126 records to update.
Updating records...
Records remaining: 0000000000
Successfully updated 5126 records.
Authoritative Restore completed successfully.
authoritative restore: quit
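As an added example (not code from the book), here is a small Python check that parses ntdsutil transcripts like the two shown in this section and verifies what you should confirm before rebooting into normal mode: that ntdsutil reported success, that the records found and updated agree, and that the version increase matches the age of the backup. The 100,000-per-day rule it assumes is what the two transcripts show (200,000 for a backup nearly two days old, 100,000 for a same-day one); confirm it against the ntdsutil version you run.

```python
import math
import re
from datetime import datetime

# Sample input: the "restore object" transcript from this section, minus the prompt lines.
OBJECT_RESTORE = """Opening DIT database... Done.
The current time is 02-16-03 10:15.54.
Most recent database update occured at 02-14-03 12:29.37.
Increasing attribute version numbers by 200000.
Counting records that need updating...
Records found: 0000000004
Found 4 records to update.
Updating records...
Records remaining: 0000000000
Successfully updated 4 records.
Authoritative Restore completed successfully.
"""
STAMP = r"(\d\d-\d\d-\d\d \d\d:\d\d\.\d\d)"   # ntdsutil prints e.g. 02-16-03 10:15.54
when = lambda s: datetime.strptime(s, "%m-%d-%y %H:%M.%S")


def parse_restore_log(text):
    """Pull timestamps and record counts out of an ntdsutil restore transcript."""
    def grab(pattern, conv):
        m = re.search(pattern, text, re.MULTILINE)
        if m is None:
            raise ValueError("transcript is missing a line matching " + pattern)
        return conv(m.group(1))
    return {
        "now": grab(r"^The current time is " + STAMP, when),
        "backup": grab(r"^Most recent database update occured at " + STAMP, when),
        "increment": grab(r"^Increasing attribute version numbers by (\d+)\.", int),
        "found": grab(r"^Found (\d+) records to update\.", int),
        "updated": grab(r"^Successfully updated (\d+) records\.", int),
        "completed": "Authoritative Restore completed successfully." in text,
    }


def check_restore(text, per_day=100000):
    """Return a list of problems; empty means the transcript is consistent. Assumption:
    the default increase is per_day times the backup age in whole days (minimum one)."""
    r = parse_restore_log(text)
    age_days = max(1, math.ceil((r["now"] - r["backup"]).total_seconds() / 86400))
    problems = []
    if not r["completed"]:
        problems.append("ntdsutil did not report a successful restore")
    if r["found"] != r["updated"]:
        problems.append("found %d records but updated %d" % (r["found"], r["updated"]))
    if r["increment"] != per_day * age_days:
        problems.append("increment %d is not the expected %d for a %d-day-old backup"
                        % (r["increment"], per_day * age_days, age_days))
    return problems
```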

If you have to perform a complete authoritative restore, the assumption is that something catastrophic happened on a domain controller that caused some form of Active Directory corruption. The safest thing may in fact be to restore one domain controller per domain and rebuild the rest. You would need to manually remove each of the rebuilt domain controllers from Active Directory (see the relevant section earlier in the chapter) and then repromote each. Again, this is only a suggestion, and each situation must be thoroughly thought out before taking such drastic measures.
