Non-Authoritative Restore of Active Directory
Non-Authoritative Restores Are Easy But Often Insufficient
The domain controllers (DCs) in each domain keep a variety of information in the directory data store (or simply the directory). Changes made to the directory are replicated from one DC to other DCs in the domain. Replication occurs at intervals, not continuously. Therefore, the directory on any DC is normally in loose consistency with those on other DCs, since the most recent changes on each DC may not have been replicated to the others. Objects’ attributes are assigned version numbers that are incremented when the attributes are changed so that the replication process can determine which changes are the most current.
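The loose consistency described above can be observed directly: the per-attribute version counter that replication compares is exposed in the attribute's replication metadata, and reading it from two DCs shows whether a recent change has already propagated. The following PowerShell is an added example, not part of the original article; it assumes the ActiveDirectory module (RSAT) is installed, and the DC names DC01 and DC02, the object DN and the attribute name are placeholders.

```powershell
# Added example: read the replication metadata of one attribute from several DCs
# and list the Version counter that replication uses to decide which copy is newest.
# Assumes the ActiveDirectory module is available; DC names and DN are placeholders.
Import-Module ActiveDirectory

function Compare-AttributeVersion {
    param(
        [Parameter(Mandatory)] [string]   $ObjectDN,
        [Parameter(Mandatory)] [string]   $Attribute,
        [Parameter(Mandatory)] [string[]] $DomainControllers
    )
    foreach ($dc in $DomainControllers) {
        # One metadata record per attribute; -Properties limits it to the one we want.
        $meta = Get-ADReplicationAttributeMetadata -Object $ObjectDN -Server $dc -Properties $Attribute
        [pscustomobject]@{
            DomainController  = $dc
            Attribute         = $meta.AttributeName
            Version           = $meta.Version
            LastChange        = $meta.LastOriginatingChangeTime
            OriginatingServer = $meta.LastOriginatingChangeDirectoryServerIdentity
        }
    }
}

# Placeholder object and attribute; a differing Version between DC01 and DC02
# means the latest change has not yet replicated to the DC with the lower number.
Compare-AttributeVersion -ObjectDN 'CN=Alice,OU=Staff,DC=corp,DC=example' `
    -Attribute 'description' -DomainControllers 'DC01', 'DC02' |
    Format-Table -AutoSize
```

When the two rows show the same Version and OriginatingServer, the attribute is consistent; a higher Version on one DC identifies the copy that will win when the next replication cycle runs.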
Directory data stored on DCs and replicated between them includes information about objects, configuration data (such as a list of all domains and the locations of their DCs), and schema data, which defines the types of objects that can be stored in the directory and the attributes they can have. This information is used by network applications and services.
The first step in restoring Active Directory data is to boot a domain controller into Directory Services Restore Mode (DSRM). Then the Active Directory database (NTDS.dit) can be restored with a utility such as the native Backup utility provided by Microsoft. The restore of the actual database file can only be performed in non-authoritative mode; however, it is important to understand the concepts of non-authoritative and authoritative restores with respect to the objects stored in the database:
With the native tools provided by Microsoft, the default method is the non-authoritative restore: settings and entries keep the version numbers they had at the time of backup. After the DC is restored, it is brought up to date through normal replication. Note that any object deleted after the last backup will come back with the restored database file, but once the DC is booted into normal Active Directory mode the object will be deleted again during replication, because the deletion recorded on the other DCs carries the higher version number.
An authoritative restore, on the other hand, allows you to selectively increment the version numbers of attributes to make them authoritative in the directory. That is, during the replication following the restoration, when the version numbers of objects are compared, the objects and attributes on the restored DC that were restored authoritatively will have higher version numbers than those on the other DCs, and will replicate out to the other DCs instead of themselves being overwritten as out-of-date. This allows you to recover deleted objects even after the deletion has been replicated throughout the enterprise. Usually, an authoritative restore of selected objects and attributes follows a non-authoritative restore of the whole database (for example, from a backup tape).
Accordingly, when you need to recover deleted objects from a backup or roll back changes to objects, you typically first perform a non-authoritative restore of the database and then an authoritative restore of the affected objects, even though the extra step makes the procedure more difficult.
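The two-step procedure above (boot into DSRM, restore the database non-authoritatively, then mark selected objects authoritative before returning to normal mode) looks like the following when typed on the DC itself. This is an added example and not the article's own material; it assumes Windows Server 2008 or later with the Windows Server Backup feature (wbadmin) rather than the older NTBACKUP utility the text refers to, a system-state backup on drive E:, and the backup version label, OU name and DC02 are placeholders.

```powershell
# Added example: non-authoritative system-state restore followed by an
# authoritative restore of one OU. Assumes wbadmin (Windows Server 2008+),
# a backup on E:, and placeholder names for the backup version, OU and DC02.

# 1. Boot into Directory Services Restore Mode on the next restart.
#    In DSRM the machine is online but does not act as a DC (no logon validation,
#    no replication) until the safeboot setting is removed again.
bcdedit /set safeboot dsrepair
Restart-Computer

# --- after the reboot, log on with the DSRM (local) administrator account ---

# 2. List the available system-state backups and restore one of them.
#    This is the non-authoritative restore: every object keeps the version
#    number it had at backup time. Answer the restart prompt with No so that
#    step 3 can run before the DC replicates again.
wbadmin get versions -backupTarget:E:
wbadmin start systemstaterecovery -version:01/15/2024-02:00 -backupTarget:E:

# 3. Still in DSRM, mark the objects to recover as authoritative. ntdsutil
#    raises their version numbers so that they win against the copies on
#    the other DCs instead of being deleted again by replication.
ntdsutil "activate instance ntds" "authoritative restore" `
    "restore subtree OU=Sales,DC=corp,DC=example" quit quit

# 4. Return to normal Active Directory mode. Everything that was not marked
#    authoritative is brought back up to date (or removed) by replication.
bcdedit /deletevalue safeboot
Restart-Computer

# 5. After the reboot, confirm replication is healthy and that the restored
#    subtree is visible on a replication partner (DC02 is a placeholder).
repadmin /replsummary
repadmin /showrepl
Get-ADObject -Filter * -SearchBase 'OU=Sales,DC=corp,DC=example' -Server DC02 |
    Select-Object Name, DistinguishedName
```

Use `restore object <DN>` instead of `restore subtree <DN>` when only a single object must be recovered; marking a whole subtree authoritative also reverts every attribute change made under that OU since the backup.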
Simple non-authoritative restores are valuable primarily if you need to recover a DC that has crashed and that has a slow connection to the next DC. This restores an old version of Active Directory and only the differences between the restored DC and its replication partners need to be transmitted. If bandwidth is not a concern, you do not need to do a restore at all: if a DC crashes, you can simply promote a Windows 2000/2003 server to be a DC, and a clean version of Active Directory will replicate to it from an existing DC. If you're running Windows Server 2003, you can do this very efficiently by promoting a server to be a DC using the Install from Media feature.
Note that when you perform a non-authoritative or an authoritative restore, the DC must be offline for user access. Specifically, the DC must be booted into a special mode, Directory Services Restore Mode. The machine at that point is online but is not functioning as a DC in the Active Directory. While the DC is in Directory Services Restore Mode, it is unavailable for any functions associated with Active Directory, such as validating logons or replicating directory data.