Ted,

Yes and no. An authoritative restore is pretty much a point restore tool. If I do a backup today and create a user Bob tomorrow, but find that the user Jane was deleted today, I can choose to do an authoritative restore. I then go into NTDSUTIL, mark the object Jane. Jane is restored and Bob is not affected.

Authoritative restore is not meant (typically) for the whole domain restore. It is meant to restore a piece, an OU, a user object, a computer object.

If you have the Server Resource Kit, look at Chapter 9 of the Distributed Systems Guide, page 440 through 460. Detailed explanation of both Authoritative and Non-authoritative.

Rick Kingslan - Microsoft Certified Trainer
MCSE+I on Windows NT 4.0
MCSE on Windows 2000
MVP [Windows NT/2000 Server]
"Any sufficiently advanced technology
is indistinguishable from magic."
--- Arthur C. Clarke

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Strand, Ted
Sent: Thursday, May 23, 2002 9:42 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Partial AD Restore

Just a quick question regarding this to make sure that I understand it properly... When this authoritative restore is done, any changes throughout the domain that were made since the backup you are using would be lost. Am I correct?

-Ted

-----Original Message-----
From: Rick Kingslan [mailto:[EMAIL PROTECTED]]
Sent: Thursday, May 23, 2002 9:36 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Partial AD Restore

Chris,

Hopefully, it's not going to be too hard to convince them to perform this simple process other than requiring that the objects, sec associations, etc. all be recreated.

Firstly, Scott has done a first rate job at explaining the process.

If your admins should have difficulty in understanding how doing an authoritative restore on one DC will actually successfully restore these objects to their last known good state, have them consider what happens when a series of objects are created on one DC through AD Users and Computers. The objects are created on one DC, then they are replicated to the domain partition on other DC's in the domain. In reality, the process is no different.

They could also look at these:

Good luck!

Rick Kingslan - Microsoft Certified Trainer
MCSE+I on Windows NT 4.0
MCSE on Windows 2000
MVP [Windows NT/2000 Server]
"Any sufficiently advanced technology
is indistinguishable from magic."
--- Arthur C. Clarke

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of England, Christopher M
Sent: Thursday, May 23, 2002 7:46 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Partial AD Restore

You have been more than helpful, Scott. Now I just have to convince the domain admins to do this (we are a single-domain architecture here at Indiana University, with each campus and department having a separate OU, not domain).

Thanks again,
Chris

-----Original Message-----
From: Rachui, Scott [mailto:[EMAIL PROTECTED]]
Sent: Thursday, May 23, 2002 7:36 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Partial AD Restore

When a restore is performed usually, the first thing that the restored server does when it comes back online is to synch its directory up (since its copy is presumably older than the copy on the other DCs) with other AD Servers in the domain. If you do a simple restore, all that will happen is that you'll bring back the groups you deleted, bring the server back online and then watch as the other DCs instruct the restored DC to re-delete these groups.

The purpose of an authoritative restore is so that you can determine which server has the authoritative copy of the portion of the directory you are restoring. When you perform an authoritative restore, the USNs of the restored objects are significantly incremented so they appear 'authoritative' to other copies of the directory. In this case, the restored groups will be copied to the other AD Servers, rather than a re-delete taking place.

You don't need to take any other of your servers offline to restore a single server, and your clients shouldn't notice this as long as they can get to one of the other AD Databases (which happens automatically and doesn't require reconfiguration). If you have multiple Sites and this server is the only AD Server in the local site, you might want to make sure that Site Coverage isn't disabled (you can read about this at Microsoft's website), and that no FSMO roles are on this box (especially the PDC Emulator). If there are FSMO roles on this machine and there are multiple AD Servers in your domain, you might consider transferring the roles (I typically don't do this for anything other than the PDC Emulator unless the machine will be offline for several hours).

Once the machine is back up, the only behavior you'll see is replication taking place to synch up the various copies of the directory.

-----Original Message-----
From: England, Christopher M [mailto:[EMAIL PROTECTED]]
Sent: Thursday, May 23, 2002 7:18 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Partial AD Restore

Does this affect other DC's? If they bring one DC down to do this, are the other 2 (or how many ever) still running and ok? And when the restore happens, they would just need to synchronize before they restart the DC they used to restore?

Thanks again,
Chris

-----Original Message-----
From: Rachui, Scott [mailto:[EMAIL PROTECTED]]
Sent: Thursday, May 23, 2002 6:49 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Partial AD Restore

To restore objects that were accidentally deleted, you'll need to do something called an authoritative restore. It requires that you reboot a domain controller into Directory Services Restore Mode and run an authoritative restore. You can select the specific OU that you'd like to restore, or you can select the entire directory.

With AD, a restore is definitely not 'all or nothing', which is a very good thing! Make sure you get familiar with the NTDSUTIL tool as this is the tool you'll be using to run this authoritative restore. Microsoft has some very good white papers on how to do this, including a Disaster Recovery Guide for Active Directory that gives you step-by-step instructions.

I hope this helps.

Scott

-----Original Message-----
From: England, Christopher M [mailto:[EMAIL PROTECTED]]
Sent: Thursday, May 23, 2002 6:43 AM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] Partial AD Restore

I did a silly thing and deleted some user groups out of an OU. I am not in charge of the domain, but I have asked the domain admins to attempt to restore those groups. Is this even possible with Active Directory? I have heard that an AD restore is all or nothing. Any info would be great!

Chris England
Systems Administrator
Indiana University
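
Added example, not part of the original thread: a simplified Python model of the behaviour Scott and Rick describe, where a plain restore is overwritten by the newer deletion, while an authoritatively restored object wins and an object created after the backup is untouched. The single per-object `stamp`, the `AUTH_BUMP` value and the DC and object names are assumptions made for illustration; Active Directory's real replication metadata is richer than this.

```python
# Simplified model of multi-master replication (not Active Directory's own code).
# Each object carries one stamp; when two DCs sync, the higher stamp wins.
from dataclasses import dataclass

AUTH_BUMP = 100_000  # constructed value: how far an authoritative restore raises a stamp

@dataclass(frozen=True)
class Obj:
    name: str
    stamp: int
    deleted: bool = False  # True models a replicated deletion marker

class DC:
    def __init__(self, name):
        self.name, self.db = name, {}

    def write(self, name, deleted=False):
        old = self.db.get(name)
        self.db[name] = Obj(name, (old.stamp if old else 0) + 1, deleted)

    def restore(self, backup, authoritative=()):
        self.db = dict(backup)       # plain restore: database returns to backup state
        for name in authoritative:   # authoritative: marked objects get a raised stamp
            o = self.db[name]
            self.db[name] = Obj(o.name, o.stamp + AUTH_BUMP, o.deleted)

    def live(self):
        return sorted(n for n, o in self.db.items() if not o.deleted)

def replicate(a, b):
    # Two-way sync: for every object both DCs keep the higher-stamped copy.
    for name in set(a.db) | set(b.db):
        copies = [d.db[name] for d in (a, b) if name in d.db]
        a.db[name] = b.db[name] = max(copies, key=lambda o: o.stamp)

def scenario(authoritative):
    dc1, dc2 = DC("DC1"), DC("DC2")
    dc1.write("Jane")
    replicate(dc1, dc2)
    backup = dict(dc1.db)            # backup taken on DC1
    dc2.write("Jane", deleted=True)  # Jane deleted after the backup
    dc2.write("Bob")                 # Bob created after the backup
    replicate(dc1, dc2)
    dc1.restore(backup, authoritative=("Jane",) if authoritative else ())
    replicate(dc1, dc2)              # restored DC comes back online and syncs
    return dc1.live(), dc2.live()

if __name__ == "__main__":
    print("plain restore:        ", scenario(False))
    print("authoritative restore:", scenario(True))
```
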
