I'm re-sending what I sent out last night, because it looks like it wasn't noticed.  
Here is the answer to your question:

It's not possible to do an authoritative restore without first doing a 
non-authoritative restore.

The process of an authoritative restore is simply marking a portion of the restored 
directory so that it's not overwritten by the backfill process.  It does this by 
increasing the version of the objects that will be authoritatively restored.  If you 
don't first run a non-authoritative restore, there is nothing to mark authoritative.

And, from your description, it sounds like you are planning to authoritatively restore 
the entire directory, thus catching the one user that was deleted.  Since you have to 
do an authoritative restore only after a non-authoritative restore, what you're 
suggesting will roll back the directory to the point of the last backup.

If you want to back up your directory on a DC, and then bring it offline prior to 
deleting a single user account, that's fine.  But if that user account is to be 
restored, you'll have to run a non-authoritative restore first.  And if you select the 
entire directory of the offline DC to be authoritative, you'll not only be grabbing 
the account you want to restore, but you'll be rolling back the entire directory (and 
every change made in the directory) to the state of the last backup.

This is why AD allows you to specify the OU or CN that you want to restore...so you 
don't undo all of the other changes in the directory since the last backup.  Only the 
ones that you genuinely want to undo.
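The version-bump mechanism described in the reply above, as a small simulation added here for illustration; it is not code from this thread, from the list, or from Microsoft. It assumes a single per-object version counter (real AD resolves conflicts per attribute and tracks tombstones differently), a constructed bump constant, and constructed sample DNs such as CN=svc-sql,OU=Service,DC=example,DC=com. It shows three outcomes: a non-authoritative restore with nothing marked is overwritten by backfill, marking only the OU brings the deleted account back while newer changes elsewhere survive, and marking the whole directory rolls every post-backup change back.

```python
"""Toy model of AD replication conflict resolution and authoritative restore.

Simulation only: one version counter per object, deletion modelled as a flag.
All DNs, versions and the BUMP constant are constructed sample data.
"""
from copy import deepcopy

# In this model an authoritative restore raises the version by a large fixed
# step so the restored copy outranks anything the live directory has done since.
BUMP = 100_000

SVC = "CN=svc-sql,OU=Service,DC=example,DC=com"   # the account that gets deleted
ALICE = "CN=alice,OU=Users,DC=example,DC=com"     # changed legitimately after backup
BOB = "CN=bob,OU=Users,DC=example,DC=com"         # untouched after backup


def make_backup():
    """Directory contents as captured by the last system state backup (constructed)."""
    return {
        SVC: {"version": 3, "deleted": False, "attrs": {"title": "SQL service"}},
        ALICE: {"version": 5, "deleted": False, "attrs": {"phone": "1000"}},
        BOB: {"version": 2, "deleted": False, "attrs": {"phone": "2000"}},
    }


def delete_object(directory, dn):
    """Deletion is itself a versioned change (a tombstone), so it outranks the backup copy."""
    directory[dn]["deleted"] = True
    directory[dn]["version"] += 1


def modify_object(directory, dn, **attrs):
    """Any attribute change bumps the object's version on the DC that made it."""
    directory[dn]["attrs"].update(attrs)
    directory[dn]["version"] += 1


def replicate(src, dst):
    """Push every object from src to dst; the higher version wins, ties keep dst.

    This is the 'backfill' that overwrites a non-authoritatively restored DC.
    """
    for dn, obj in src.items():
        if dn not in dst or obj["version"] > dst[dn]["version"]:
            dst[dn] = deepcopy(obj)


def mark_authoritative(restored, subtree_dn):
    """Model of marking a subtree authoritative after a non-authoritative restore.

    Only objects at or under subtree_dn get the bump; returns the DNs marked.
    """
    marked = []
    for dn, obj in restored.items():
        if dn == subtree_dn or dn.endswith("," + subtree_dn):
            obj["version"] += BUMP
            marked.append(dn)
    return marked


def scenario(subtree_to_mark):
    """Run backup -> live changes -> restore -> (optional) mark -> replicate; return live."""
    backup = make_backup()

    # The live directory keeps evolving after the backup was taken.
    live = deepcopy(backup)
    modify_object(live, ALICE, phone="1999")   # a change everyone wants to keep
    delete_object(live, SVC)                   # the mistake that must be undone

    # Non-authoritative restore: a DC comes back with the backup's contents.
    restored = deepcopy(backup)
    if subtree_to_mark is not None:
        mark_authoritative(restored, subtree_to_mark)

    # Replication converges in both directions.
    replicate(restored, live)
    replicate(live, restored)
    return live


if __name__ == "__main__":
    for label, subtree in [("nothing marked", None),
                           ("OU=Service marked", "OU=Service,DC=example,DC=com"),
                           ("whole domain marked", "DC=example,DC=com")]:
        live = scenario(subtree)
        print(f"{label}: svc-sql deleted={live[SVC]['deleted']}, "
              f"alice phone={live[ALICE]['attrs']['phone']}")
```

Running it shows why the reply insists on restoring a subtree: with nothing marked, the tombstone's higher version wins and svc-sql stays deleted; with OU=Service marked, svc-sql comes back and alice keeps her post-backup phone number; with the whole domain marked, svc-sql comes back but alice is rolled back to the backup value too.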

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of
[EMAIL PROTECTED]
Sent: Tuesday, July 06, 2004 7:44 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Authoritative Restores


This is how I would usually do it but I have a customer who wants to do
the DC shutdown thing as an extra step. I'm just wondering how valid a
technique this is? Think of it as an authoritative restore without ever
doing a system state backup or non-authoritative restore.

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Depp, Dennis M.
Sent: 06 July 2004 13:16
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Authoritative Restores


Why do you need to shut down the dc first?  Instead do a backup of one
of the DCs.  Delete the account.  When problems arise, do an authoritative
restore.  Also, in this case an authoritative restore can be avoided by
disabling the account instead of deleting it.

Denny 

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Tuesday, July 06, 2004 7:49 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Authoritative Restores

I'd appreciate some comments on this technique as a cheap and cheerful
disaster recovery plan for making minor changes to AD, e.g. deleting
user accounts.
 
Make sure one DC is fully synchronised and then shut it down. Delete a
user account on another DC, deletion replicates everywhere. Oh no! That
user account was used as the service account for 300 SQL servers
worldwide. Bring the powered-down DC up in DS Restore mode. Do an
authoritative restore of the AD database (*without* first doing a
non-authoritative restore). Server reboots to normal mode, deleted user
account that still exists here is now marked as authoritative and
replicates back to the other DCs (Yes?)
 
I've never before considered doing an authoritative restore without
doing a non-authoritative one beforehand so just want to check my logic
on this.
 
Cheers,
Simon
List info   : http://www.activedir.org/mail_list.htm
List FAQ    : http://www.activedir.org/list_faq.htm
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/