Recipe 16.5 Performing an Authoritative Restore of an Object or Subtree

16.5.1 Problem

You want to perform an authoritative restore of one or more objects, but not the entire Active Directory database.

16.5.2 Solution

Follow the same steps as the nonauthoritative restore in Recipe 16.4, except that after the restore has completed, do not restart the computer yet.

To restore a single object, run the following (the two q commands leave the authoritative restore menu and then exit ntdsutil; with only one, ntdsutil stays at its interactive prompt):

> ntdsutil "auth restore" "restore object cn=jsmith,ou=Sales,dc=rallencorp,dc=com" q q

To restore an entire subtree (the OU and every object beneath it), run the following:

> ntdsutil "auth restore" "restore subtree ou=Sales,dc=rallencorp,dc=com" q q

Restart the computer normally.

Authoritatively restoring user, group, computer, and trust objects has side effects you should be aware of: trust and computer account passwords can fall out of step with their partners, and group membership can end up inconsistent across domain controllers. See MS KB 216243 and MS KB 280079 for more information.

16.5.3 Discussion

If an administrator or user accidentally deletes an important object or an entire subtree from Active Directory, you can restore it, and the process isn't very painful. The key is having a good backup that contains the objects you want to restore. If you don't have a backup with those objects in it, an authoritative restore cannot help you; on Windows Server 2003, though, Recipe 16.17 describes another way to recover a deleted object.

To restore one or more objects, you follow the same steps as for a nonauthoritative restore. The only difference is that after the restore, while the domain controller is still in Directory Services Restore Mode, you use ntdsutil to mark the objects in question as authoritative. When you reboot the domain controller, it replicates in everything that changed since the backup was taken, overwriting the restored data, except for the objects or subtree you marked. For those, ntdsutil has raised the version number of every attribute (by 100,000 for each day that has elapsed since the backup), so the restored copy wins replication conflict resolution and replicates out to the other domain controllers.

You can also use ntdsutil without first restoring a backup when an object has been deleted accidentally but the deletion has not yet replicated to every domain controller. The trick is to find a domain controller that has not yet received the deletion, stop it from replicating inbound before it does, and then boot it into Directory Services Restore Mode and mark the object authoritative there. When it comes back up and replication resumes, its copy of the object wins and the deletion is undone everywhere.
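The following PowerShell script is an added example, not part of this recipe or the book; it walks the no-backup case just described using repadmin and ntdsutil, split into three phases because the authoritative restore itself has to happen in Directory Services Restore Mode between two reboots. The domain controller names (dc2 as the one that still has the object, dc1 as one that has already processed the deletion), the script name and the object DN are assumptions; the repadmin and ntdsutil commands are real.

```powershell
<#
  Added example (not from the recipe). Undo a deletion that has not yet replicated
  everywhere, without restoring from backup:
    Prepare - confirm dc2 still has the object, then block inbound replication on it
    Mark    - run on dc2 in DSRM: mark the object authoritative with ntdsutil
    Verify  - after the normal reboot: check versions, re-enable replication, push
  Assumed names: dc2.rallencorp.com (still has the object), dc1.rallencorp.com
  (already saw the deletion), and the DN of the deleted user.
#>
param(
    [Parameter(Mandatory = $true)][ValidateSet('Prepare', 'Mark', 'Verify')]
    [string]$Phase,
    [string]$Dc       = 'dc2.rallencorp.com',   # assumed: has not received the deletion
    [string]$PeerDc   = 'dc1.rallencorp.com',   # assumed: has already deleted the object
    [string]$ObjectDn = 'cn=jsmith,ou=Sales,dc=rallencorp,dc=com'
)

function Get-AttributeVersions {
    # Parse 'repadmin /showobjmeta' into a hashtable of attribute -> version number.
    # Returns $null when the DN is not found on that DC: a deleted object is moved
    # under the Deleted Objects container and is no longer reachable by its old DN.
    param([string]$Server, [string]$Dn)
    $lines = & repadmin /showobjmeta $Server $Dn 2>&1
    if ($LASTEXITCODE -ne 0) { return $null }
    $versions = @{}
    foreach ($line in $lines) {
        # Columns: Loc.USN  Originating DSA  Org.USN  Org.Time/Date  Ver  Attribute
        # (assumes the originating DSA, shown as Site\DC, contains no spaces)
        if ($line -match '^\s*\d+\s+\S+\s+\d+\s+\S+\s+\S+\s+(\d+)\s+(\S+)\s*$') {
            $versions[$Matches[2]] = [int]$Matches[1]
        }
    }
    return $versions
}

switch ($Phase) {
    'Prepare' {
        $here = Get-AttributeVersions $Dc $ObjectDn
        $peer = Get-AttributeVersions $PeerDc $ObjectDn
        if (-not $here) {
            throw "$ObjectDn is already gone on $Dc; use a backup (Recipe 16.4) or Recipe 16.17 instead."
        }
        if ($peer) { Write-Warning "$ObjectDn still exists on $PeerDc; nothing to undo there yet." }
        # Close the window between now and the DSRM reboot: dc2 must not learn of the
        # deletion before we mark the object authoritative.
        & repadmin /options $Dc +DISABLE_INBOUND_REPL
        "Inbound replication disabled on $Dc. Reboot it into DSRM (F8) and run -Phase Mark there."
    }
    'Mark' {
        # Run this on $Dc while it is in DSRM (the directory is offline). On Windows
        # Server 2008 and later, ntdsutil needs "activate instance ntds" before
        # "authoritative restore"; Windows Server 2003 does not.
        & ntdsutil 'authoritative restore' "restore object $ObjectDn" q q
        "Marked $ObjectDn authoritative. Reboot normally, then run -Phase Verify."
    }
    'Verify' {
        $here = Get-AttributeVersions $Dc $ObjectDn
        if (-not $here) { throw "$ObjectDn not found on $Dc after the restore; check the DSRM session log." }
        # ntdsutil raised every attribute's version by a large increment (100,000 per
        # day since the backup, and at least 100,000), which is what makes dc2's copy win.
        $maxVer = ($here.Values | Measure-Object -Maximum).Maximum
        "Highest attribute version on ${Dc}: $maxVer"
        & repadmin /options $Dc -DISABLE_INBOUND_REPL      # replication back on
        & repadmin /syncall $Dc /A /e /P                   # push dc2's view to all partners
        $peer = Get-AttributeVersions $PeerDc $ObjectDn
        if ($peer -and $peer['objectClass'] -eq $here['objectClass']) {
            "$ObjectDn is back on $PeerDc with matching metadata."
        } else {
            Write-Warning "$ObjectDn not yet on $PeerDc; give replication a moment and check repadmin /showrepl $PeerDc."
        }
    }
}
```

Run it as `.\Undo-Deletion.ps1 -Phase Prepare` from an administrative session, reboot dc2 into DSRM and run `-Phase Mark` there, then reboot normally and run `-Phase Verify`. The Verify phase is the check worth keeping even when you restore from backup: the attribute versions reported by repadmin /showobjmeta are how you prove the marked copy is the one replicating out, and the same repadmin /options flag is what you use to hold a domain controller still while you work.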

16.5.4 See Also

Recipe 16.2 for booting into Directory Services Restore Mode, Recipe 16.17 for restoring a deleted object, MS KB 216243 (Authoritative Restore of Active Directory and Impact on Trusts and Computer Accounts), and MS KB 280079 (Authoritative Restore of Groups Can Result in Inconsistent Membership Information Across Domain Controllers)
