Authoritative restore - Windows 2008

Hi all,
One of the new features of Windows Server 2008 is the restartable service of AD DS; on reading this link http://technet.microsoft.com/en-us/library/cc732714.aspx (see the paragraph "Mark an object or objects as authoritative") it seems, I repeat, it seems that now it is possible to do an authoritative restore of objects using the AD DS restartable service. If so, can you let me know what the correct procedure is? (I tried in a network lab but with no success.)
thanks for your help
Leonardo
leobisAsked:

Rajith EnchiparambilOffice 365 & Exchange ArchitectCommented:
0
tigermattCommented:

You're correct. By stopping the NTDS service (the service running AD DS), a new feature in Server 2008, you can now perform an authoritative restore without restarting the server. This is useful in smaller environments with perhaps only a few servers, where a restart could have an effect on an active and busy network. http://technet.microsoft.com/en-us/library/cc732714.aspx details the benefits of being able to restart this service.

To run an authoritative restore, the procedure is quite easy. The main point to note is that the Domain Controller on which you run the restore must already have the deleted objects still present - a DC in another site, where replication is not instantaneous, would be the perfect solution.

To run the restore, you stop AD DS on the server where the objects still exist by running net stop ntds. You then launch the restore tool by entering ntdsutil authoritative restore at the command prompt. Perform the authoritative restore using ntdsutil (see http://www.computerperformance.co.uk/w2k3/utilities/windows_authoritative_restore.htm), then run net start ntds to restart the directory server. Remember that many of the documents you see are outdated and refer to Server 2003, where a restart to DSRM was required; this is no longer the case.

-tigermatt
0
LauraEHunterMVPCommented:
Actually performing an auth restore still requires a reboot into DSRM. It is a sufficiently sensitive operation that doing so in an "AD DS service stopped" state is not supported by the product group. You can perform a NON-authoritative restore while the AD DS service is stopped, but performing an auth restore in a supported manner still requires a reboot into DSRM.
0

tigermattCommented:

Good point. I get confused too quickly :-)
0
LauraEHunterMVPCommented:
No worries. It's not well-documented (if at all, I'm actually going by the word of one of the AD developers in Redmond who has forgotten more about the AD code than most of us will ever know), and I think a lot of people make the same assumption.
0

leobisAuthor Commented:
Thanks everybody for your reply and sorry for being but I was not at my place.
on my virtual machine I stopped the AD DS service, and then I launched the authoritative restore but I got an error - see the attached file, and the event in the event viewer states:
This machine is a Domain Controller with the Active Directory service (NTDS) stopped. Backup cannot be performed, nor can shadow copies be managed in this case. Either the NTDS must be started (net start ntds), or reboot in DSRM to enumerate shadow copies/providers/writers only.
Honestly, I am still confused about this procedure, but any suggestions on this subject are more than welcome.
Thanks again Leonardo
Aut-Rest.JPG
0
LauraEHunterMVPCommented:
As I said above, an authoritative restore cannot be performed by simply stopping the AD DS service - an authoritative restore in Windows Server 2008 still requires you to reboot into Directory Services Restore Mode.
0
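
Added example, not part of any post in this thread: the DSRM requirement stated above, written as a PowerShell script that refuses to start the restore unless the DC is actually booted into Directory Services Restore Mode. The backup version, the distinguished name, the three-phase layout and the parameter names are placeholders and assumptions of this example, and PowerShell is assumed to be installed on the DC.

```powershell
# Added example: authoritative restore on a Windows Server 2008 DC via DSRM.
# $BackupVersion and $ObjectDn are placeholders; replace them before use.
param(
    [string]$Phase         = 'Restore',   # PrepareDsrm | Restore | ReturnToNormal
    [string]$BackupVersion = '<version identifier from wbadmin get versions>',
    [string]$ObjectDn      = '<CN=ExampleUser,OU=ExampleOU,DC=example,DC=com>'
)

function Test-Dsrm {
    # Windows sets SAFEBOOT_OPTION to DSREPAIR only when booted into DSRM.
    # It is not set when the DC is running normally with NTDS stopped.
    return ($env:SAFEBOOT_OPTION -eq 'DSREPAIR')
}

switch ($Phase) {
    'PrepareDsrm' {
        # Make the next boot go into DSRM (same effect as F8 at startup).
        bcdedit /set safeboot dsrepair
        Write-Host 'Restart, then log on with the DSRM administrator password.'
    }
    'Restore' {
        if (-not (Test-Dsrm)) {
            # The state the thread is about: service stopped, but not DSRM.
            throw 'Not booted into DSRM. "net stop ntds" alone is not enough for an authoritative restore.'
        }
        # List the available backups so the version identifier can be checked.
        wbadmin get versions
        # Step 1: non-authoritative restore of system state from backup.
        wbadmin start systemstaterecovery "-version:$BackupVersion"
        # Step 2: before restarting, mark the object authoritative so that
        # it replicates out instead of being overwritten by other DCs.
        ntdsutil "activate instance ntds" "authoritative restore" "restore object $ObjectDn" quit quit
        Write-Host 'Run the ReturnToNormal phase, then restart.'
    }
    'ReturnToNormal' {
        # Remove the safeboot flag so the DC boots normally again.
        bcdedit /deletevalue safeboot
        Write-Host 'Restart the DC to resume normal operation.'
    }
    default {
        throw "Unknown phase: $Phase"
    }
}
```

Both wbadmin and ntdsutil ask for confirmation interactively, so the Restore phase is meant to be run at the console of the DC.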
leobisAuthor Commented:
thanks everybody and if you have further news please let us know.
Leonardo
0