Nope, that's wrong - it is absolutely no problem to do an Auth Restore of
an object without first doing a non-auth restore (e.g. from tape).

The challenge is to have a valid object in the database you're trying to
do the auth restore against - i.e. you'll need to be sure that the
respective DC hasn't first replicated the tombstone record, which was
created when the object was deleted on a different DC. You'll then
first boot into DSRM mode and can then do an Auth Restore on the
respective object (I would definitely just choose to restore the object
or subtree and NOT the whole database!)


Simon's method to take a DC offline would work just fine - however, it's
rather clumsy and error-prone, especially if you forget to take it
online again within 60 days...

All you need to do is to ensure that it doesn't replicate the tombstone
objects - this can be achieved quite well via "lag-sites", i.e. a site in
which your "special backup DC" resides, which only replicates once a day
or so. You should also configure the DNS records this DC registers in
DNS, as you don't want it to register some of the generic records that
allow clients to find this DC for logon etc.

/Guido
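
The checks an admin would want to run before following the lag-site approach above: confirm the lag DC still holds a live copy of the object (not the tombstone), see how often the lag site replicates compared with the tombstone lifetime, and verify that the lag DC has been told not to register the generic DC locator records. This is an added example, not code from the thread or from any of its authors; it assumes the ActiveDirectory PowerShell module (Windows Server 2008 R2 or later, so newer tooling than the 2004 thread had), and the DC names, site name and account name are placeholders. The DnsAvoidRegisterRecords value and its mnemonics are the documented Netlogon setting for this purpose; only ntdsutil's own "restore object" command is shown, and it is not executed by the script.

```powershell
# Added example (not from the thread): pre-flight checks before authoritatively
# restoring ONE object from a lag-site DC. Assumes the ActiveDirectory module.
# Every name below is a placeholder you replace with your own.
Import-Module ActiveDirectory

$LagDc   = 'lagdc01.corp.example'   # assumed: the slow-replicating "special backup DC"
$LiveDc  = 'dc01.corp.example'      # assumed: a DC in the main site
$LagSite = 'LagSite'                # assumed: the AD site the lag DC lives in
$Sam     = 'svc-sql'                # assumed: sAMAccountName of the deleted account

function Get-ObjectState {
    # Returns 'live', 'tombstone' or 'absent' for the account as seen by one DC.
    # sAMAccountName and objectSid survive on the tombstone, so the same filter
    # finds the object in either state; isDeleted tells them apart.
    param([string]$Server, [string]$SamAccountName)
    $obj = Get-ADObject -Server $Server -LDAPFilter "(sAMAccountName=$SamAccountName)" `
                        -IncludeDeletedObjects -Properties isDeleted, objectSid
    if (-not $obj)      { return [pscustomobject]@{ State = 'absent';    Object = $null } }
    if ($obj.isDeleted) { return [pscustomobject]@{ State = 'tombstone'; Object = $obj  } }
    return [pscustomobject]@{ State = 'live'; Object = $obj }
}

function Get-LagSiteReplicationMinutes {
    # Lowest replication interval of any site link that includes the lag site.
    param([string]$Server, [string]$SiteName)
    Get-ADReplicationSiteLink -Server $Server -Filter * |
        Where-Object { $_.SitesIncluded -match "^CN=$SiteName," } |
        Measure-Object -Property ReplicationFrequencyInMinutes -Minimum |
        Select-Object -ExpandProperty Minimum
}

function Get-TombstoneLifetimeDays {
    # Forest tombstone lifetime; an unset attribute means the 60-day default.
    param([string]$Server)
    $cfg = (Get-ADRootDSE -Server $Server).configurationNamingContext
    $ds  = Get-ADObject -Server $Server -Properties tombstoneLifetime `
              -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$cfg"
    if ($ds.tombstoneLifetime) { $ds.tombstoneLifetime } else { 60 }
}

# --- 1. does the lag DC still hold the object as a live (non-tombstone) entry? ---
$onLag  = Get-ObjectState -Server $LagDc  -SamAccountName $Sam
$onLive = Get-ObjectState -Server $LiveDc -SamAccountName $Sam
"Object '$Sam' on $LiveDc : $($onLive.State)"
"Object '$Sam' on $LagDc  : $($onLag.State)"
if ($onLag.State -ne 'live') {
    Write-Warning "$LagDc has no live copy (state: $($onLag.State)); the tombstone already replicated. Restore from a backup taken before the deletion instead."
    return
}

# --- 2. how much of the tombstone lifetime does the lag interval leave you? ---
$lagMin  = Get-LagSiteReplicationMinutes -Server $LiveDc -SiteName $LagSite
$tslDays = Get-TombstoneLifetimeDays -Server $LiveDc
"Lag site replicates every $lagMin minutes; tombstone lifetime is $tslDays days"
if ($lagMin -ge ($tslDays * 1440)) {
    Write-Warning "The lag interval is not shorter than the tombstone lifetime; the lag DC will fall out of replication."
}

# --- 3. is the lag DC kept out of the generic DC locator records? ---
# Mnemonics from the Netlogon DnsAvoidRegisterRecords documentation: these are the
# site-independent records that let any client pick this DC for logon/KDC/GC.
$AvoidRecords = 'Ldap', 'LdapIpAddress', 'Gc', 'GcIpAddress', 'Kdc', 'Dc', 'GenericGc',
                'Rfc1510Kdc', 'Rfc1510UdpKdc', 'Rfc1510Kpwd', 'Rfc1510UdpKpwd'
$configured = Invoke-Command -ComputerName $LagDc -ScriptBlock {
    (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters' `
        -Name DnsAvoidRegisterRecords -ErrorAction SilentlyContinue).DnsAvoidRegisterRecords
}
$missing = $AvoidRecords | Where-Object { $configured -notcontains $_ }
if ($missing) { Write-Warning "$LagDc still registers generic records: $($missing -join ', ')" }

# --- 4. what to type in DSRM on the lag DC: the single object, never the database ---
$dn = $onLag.Object.DistinguishedName
"Checks done. In DSRM on $LagDc, restore only this object (SID $($onLag.Object.objectSid.Value)):"
"  ntdsutil"
"  activate instance ntds      (Windows Server 2008 and later only)"
"  authoritative restore"
"  restore object `"$dn`""
```

Run it from a management host with the AD module while the lag DC is still online in normal mode; the ntdsutil lines are printed as a reminder only and are meant to be typed on the lag DC after it has been booted into DSRM.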


-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rachui, Scott
Sent: Wednesday, 7 July 2004 06:24
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Authoritative Restores

Let me clarify one more time, because I don't think I was clear before.

When I say that you can't do an authoritative restore without first
doing a non-authoritative restore, I mean that you can't simply go to
Directory Services Restore Mode, go to NTDSUTIL and select
'Authoritative Restore' and enter a DN and expect it to re-appear.  You
have to first restore the SystemState before running NTDSUTIL.

And again, I'm only going from personal experience.  If there's a way to
do this, then please let me know.  Because I agree that it would be nice
to simply enter a DN within NTDSUTIL and have a deleted object
re-appear.

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Steve Patrick
Sent: Tuesday, July 06, 2004 2:54 PM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] Authoritative Restores


I may be a bit off here but wanted to comment.

1. You can do an Auth restore without a non-auth restore in Simon's
scenario.
2. If this is Win2k3 you could optionally re-animate the object from the
deleted items, and we retain the SID as well as a few other key (relative)
attributes (such as last parent).
3. I don't really see the value of the plan here, as if you KNOW you are
going to delete an object that you should not delete (since you had the
foresight to replicate and take a DC offline) then why bother with this? It
doesn't seem feasible to take this DC offline for every change operation in
your domain. Best practices should be a proper backup schedule IMHO.

my .02

-steve

----- Original Message ----- 
From: "Rachui, Scott" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, July 06, 2004 7:22 AM
Subject: RE: [ActiveDir] Authoritative Restores


> I'm re-sending what I sent out last night, because it looks like it
> wasn't noticed. Here is the answer to your question:
>
> It's not possible to do an authoritative restore without first doing a
> non-authoritative restore.
>
> The process of an authoritative restore is simply marking a portion of
> the restored directory so that it's not overwritten by the backfill
> process. It does this by increasing the version of the objects that will
> be authoritatively restored. If you don't first run a non-authoritative
> restore, there is nothing to mark authoritative.
>
> And, from your description, it sounds like you are planning to
> authoritatively restore the entire directory, thus catching the one user
> that was deleted. Since you have to do an authoritative restore only
> after a non-authoritative restore, what you're suggesting will roll back
> the directory to the point of the last backup.
>
> If you want to back up your directory on a DC, and then bring it
> offline prior to deleting a single user account, that's fine. But if
> that user account is to be restored, you'll have to run a
> non-authoritative restore first. And if you select the entire directory
> of the offline DC to be authoritative, you'll not only be grabbing the
> account you want to restore, but you'll be rolling back the entire
> directory (and every change made in the directory) to the state of the
> last backup.
>
> This is why AD allows you to specify the OU or CN that you want to
> restore... so you don't undo all of the other changes in the directory
> since the last backup. Only the ones that you genuinely want to undo.
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of
> [EMAIL PROTECTED]
> Sent: Tuesday, July 06, 2004 7:44 AM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] Authoritative Restores
>
>
> This is how I would usually do it but I have a customer who wants to
> do the DC shutdown thing as an extra step. I'm just wondering how valid a
> technique this is? Think of it as an authoritative restore without
> ever doing a system state backup or non-authoritative restore.
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Depp, Dennis M.
> Sent: 06 July 2004 13:16
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] Authoritative Restores
>
>
> Why do you need to shut down the DC first? Instead do a backup of one
> of the DCs. Delete the account. When problems arise, do an
> authoritative restore. Also, in this case an authoritative restore can
> be avoided by disabling the account instead of deleting it.
>
> Denny
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of
> [EMAIL PROTECTED]
> Sent: Tuesday, July 06, 2004 7:49 AM
> To: [EMAIL PROTECTED]
> Subject: [ActiveDir] Authoritative Restores
>
> I'd appreciate some comments on this technique as a cheap and cheerful
> disaster recovery plan for making minor changes to AD, e.g. deleting
> user accounts.
>
> Make sure one DC is fully synchronised and then shut it down. Delete a
> user account on another DC; deletion replicates everywhere. Oh no! That
> user account was used as the service account for 300 SQL servers
> worldwide. Bring the powered-down DC up in DS Restore mode. Do an
> authoritative restore of the AD database (*without* first doing a
> non-authoritative restore). Server reboots to normal mode, deleted user
> account that still exists here is now marked as authoritative and
> replicates back to the other DCs (Yes?)
>
> I've never before considered doing an authoritative restore without
> doing a non-authoritative one beforehand so just want to check my logic
> on this.
>
> Cheers,
> Simon
> List info   : http://www.activedir.org/mail_list.htm
> List FAQ    : http://www.activedir.org/list_faq.htm
> List archive:
> http://www.mail-archive.com/activedir%40mail.activedir.org/


