• Status: Solved

Authoritative restore - Windows Server 2008

Hi all,
One of the new features of Windows Server 2008 is the restartable service of AD DS. On reading this link http://technet.microsoft.com/en-us/library/cc732714.aspx (see the paragraph "Mark an object or objects as authoritative") it seems, I repeat, it seems that it is now possible to do an authoritative restore of objects using the AD DS restartable service. If so, can you let me know what the correct procedure is? (I tried in a network lab but with no success.)
Thanks for your help,
Leonardo
Rajith Enchiparambil (Office 365 & Exchange Architect) Commented:
 
tigermatt Commented:

You're correct. By stopping the NTDS service (the service running AD DS), a new feature in Server 2008, you can now perform an authoritative restore without restarting the server. This is useful in smaller environments with perhaps only a few servers, where a restart could have an effect on an active and busy network. http://technet.microsoft.com/en-us/library/cc732714.aspx details the benefits of being able to restart this service.

To run an authoritative restore, the procedure is quite easy. The main point to note is that the Domain Controller on which you run the restore must already have the deleted objects still present - a DC in another site, where replication is not instantaneous, would be the perfect solution.

To run the restore, you stop AD DS on the server where the objects still exist by running net stop ntds. You then launch the restore tool by entering ntdsutil authoritative restore at the command prompt. Perform the authoritative restore using ntdsutil (see http://www.computerperformance.co.uk/w2k3/utilities/windows_authoritative_restore.htm), then run net start ntds to restart the directory server. Remember that many of the documents you see are outdated and refer to Server 2003, where a restart to DSRM was required; this is no longer the case.

-tigermatt
 
LauraEHunterMVP Commented:
Actually performing an auth restore still requires a reboot into DSRM. It is a sufficiently sensitive operation that doing so in an "AD DS service stopped" state is not supported by the product group. You can perform a NON-authoritative restore while the AD DS service is stopped, but performing an auth restore in a supported manner still requires a reboot into DSRM.
 
tigermatt Commented:

Good point. I get confused too quickly :-)
 
LauraEHunterMVP Commented:
No worries. It's not well-documented (if at all, I'm actually going by the word of one of the AD developers in Redmond who has forgotten more about the AD code than most of us will ever know), and I think a lot of people make the same assumption.
 
leobis (Author) Commented:
Thanks everybody for your reply and sorry for being but I was not at my place.
On my virtual machine I stopped the AD DS service and then launched the authoritative restore, but I got an error (see the attached file), and the event in the event viewer states:
This machine is a Domain Controller with the Active Directory service (NTDS) stopped. Backup cannot be performed, nor can shadow copies be managed in this case. Either the NTDS must be started (net start ntds), or reboot in DSRM to enumerate shadow copies/providers/writers only.
Honestly, I am still confused about this procedure, but any suggestions on this subject are more than welcome.
Thanks again, Leonardo
Aut-Rest.JPG
 
LauraEHunterMVP Commented:
As I said above, an authoritative restore cannot be performed by simply stopping the AD DS service - an authoritative restore in Windows Server 2008 still requires you to reboot into Directory Services Restore Mode.
 
leobis (Author) Commented:
Thanks everybody, and if you have further news please let us know.
Leonardo
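
The DSRM-based sequence that LauraEHunterMVP describes as the supported path, written out as an added example that is not part of the original thread or of any participant's post. The backup version identifier and the OU distinguished name are constructed placeholders; the phases are run by hand from an elevated prompt because the server reboots between them.

```powershell
# Added example. Constructed values: $version and $dn below.
$version = 'MM/DD/YYYY-HH:MM'            # placeholder: copy the real identifier from "wbadmin get versions"
$dn      = 'OU=Sales,DC=example,DC=com'  # placeholder: subtree to mark authoritative

# Phase 1 (normal mode): make the next boot Directory Services Restore Mode, then restart.
bcdedit /set safeboot dsrepair
shutdown /r /t 0

# Phase 2 (DSRM, logged on with the local DSRM administrator account):
# pick a system state backup and restore it. This step alone is a NON-authoritative restore.
wbadmin get versions
wbadmin start systemstaterecovery "-version:$version"

# Phase 3 (still in DSRM, before the DC boots normally and replicates):
# mark the restored subtree authoritative so its version numbers win on replication.
ntdsutil "activate instance ntds" "authoritative restore" "restore subtree $dn" quit quit

# Phase 4: clear the DSRM boot flag and return to normal operation.
bcdedit /deletevalue safeboot
shutdown /r /t 0
```

The safeboot flag stays set until Phase 4, so a restart requested by the recovery step returns the server to DSRM rather than to normal mode.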