leobis asked:

Authoritative restore - Windows 2008

Hi all,
One of the new features of Windows Server 2008 is the restartable AD DS service; on reading this link http://technet.microsoft.com/en-us/library/cc732714.aspx (see the paragraph "Mark an object or objects as authoritative") it seems, I repeat, it seems that it is now possible to do an authoritative restore of objects using the AD DS restartable service. If so, can you let me know what the correct procedure is? (I tried in a network lab but with no success.)
Thanks for your help,
Leonardo
You're correct. By stopping the NTDS service (the service running AD DS), a new feature in Server 2008, you can now perform an authoritative restore without restarting the server, which is useful in smaller environments with perhaps only a few servers, where a restart could have an effect on an active and busy network. http://technet.microsoft.com/en-us/library/cc732714.aspx details the benefits of being able to restart this service.

To run an authoritative restore, the procedure is quite easy. The main point to note is that the Domain Controller on which you run the restore must already have the deleted objects still present - a DC in another site, where replication is not instantaneous, would be the perfect solution.

To run the restore, you stop AD DS on the server where the objects still exist by running net stop ntds. You then launch the restore tool by entering ntdsutil authoritative restore at the command prompt. Perform the authoritative restore using ntdsutil (see http://www.computerperformance.co.uk/w2k3/utilities/windows_authoritative_restore.htm), then run net start ntds to restart the directory server. Remember that many of the documents you see are outdated and refer to Server 2003, where a restart to DSRM was required; this is no longer the case.

-tigermatt
Actually performing an auth restore still requires a reboot into DSRM. It is a sufficiently sensitive operation that doing so in an "AD DS service stopped" state is not supported by the product group. You can perform a NON-authoritative restore while the AD DS service is stopped, but performing an auth restore in a supported manner still requires a reboot into DSRM.

Good point. I get confused too quickly :-)
leobis (ASKER):

Thanks everybody for your replies, and sorry for being late, but I was not at my place.
On my virtual machine I stopped the AD DS service and then launched the authoritative restore, but I got an error (see the attached file), and the event in the Event Viewer states:
This machine is a Domain Controller with the Active Directory service (NTDS) stopped. Backup cannot be performed, nor can shadow copies be managed in this case. Either the NTDS must be started (net start ntds), or reboot in DSRM to enumerate shadow copies/providers/writers only.
Honestly, I am still confused about this procedure, but any suggestions on this subject are more than welcome.
Thanks again Leonardo
Aut-Rest.JPG
As I said above, an authoritative restore cannot be performed by simply stopping the AD DS service - an authoritative restore in Windows Server 2008 still requires you to reboot into Directory Services Restore Mode.
leobis (ASKER):

Thanks everybody, and if you have further news please let us know.
Leonardo