Solved

AD Authoritative and Non-Authoritative Restore

Posted on 2010-11-10
12
1,766 Views
Last Modified: 2012-05-10
If I understand:
AD Authoritative restore comes into play when for instance an OU with or without sub-object is deleted by mistake.
In this case how can I tell which objects have been deleted by mistake. Some articles talk about using ADSIEdit to pinpoint the deleted objects.If so how to use it?
I am not sure If using ADSIEDit can tell witch object has been deleted and which has not.
In which case should I use Non-Authoritative restore?

Steps to use in Authoritative restote(correct me if I am wrong):
1- After noticing or being notified that an object has been deleted, use ADSIEdit and see if it's showing up, if so that means the delete object has been replicated from the deleted DC to the DC I am on, otherwise I will wait for the Replication to Occur.
2- After the replication has occurred and the ADSIEdit shows the object, Reboot  the DC in AD Restore more by pressing F8. If the Restore mode password
is forgotten, then reboot in normal mode and use DRSM tool to reset password.
3-after rebooting to AD Restore mode run the NTDsutil to do the authoritative restore and reboot in normal mode.

Thanks
0
Comment
Question by:jskfan
  • 6
  • 5
12 Comments
 
LVL 57

Accepted Solution

by:
Mike Kline earned 417 total points
ID: 34103957
You can also use a tool like afind to search for objects that have isdeleted=true, check out this question I helped with
http://www.experts-exchange.com/Software/Server_Software/File_Servers/Active_Directory/Q_24541345.html
Non authoritative restore would be used if you just want to restore AD to the box and have changes that have happened since the backup overwrite your restore.
When an object is deleted you always do an authoritative restore so that the object doesn't get overwritten (during the auth restore the USN of the object is incremented to ensure it is not overwritten)
You almost have the steps right.   For number 3 you first have to do the restore and then mark the objects as authoritative using ntdsutil   http://technet.microsoft.com/en-us/library/cc779573(WS.10).aspx
Another question I helped with last year may also help  http://www.experts-exchange.com/Software/Server_Software/File_Servers/Active_Directory/Q_24184760.html
 
...this all gets much easier with the AD recycle bin in 2008 R2 :)
Thanks
Mike
 
0
 

Author Comment

by:jskfan
ID: 34106237
how do we locate the AD Objects that have been deleted?

0
 
LVL 10

Assisted Solution

by:abhijitmdp
abhijitmdp earned 83 total points
ID: 34117389
Please look at below link from microsoft for finding out a deleted object in AD
http://support.microsoft.com/kb/258310.

You can also recover the object by this tool.
0
 
LVL 57

Assisted Solution

by:Mike Kline
Mike Kline earned 417 total points
ID: 34118104
look at the first link I sent you, you can search for them
0
 

Author Comment

by:jskfan
ID: 34119525
Regarding the LDP.exe, it is used to view and restore deleted objects in AD.

I thought they use NTDSutil the perform authoritative restore, in order to restore the deleted items.

it's confusing now , which one to use
0
 
LVL 57

Assisted Solution

by:Mike Kline
Mike Kline earned 417 total points
ID: 34120076
ntdsutil is used to mark the objects as authoritative...you have that right
0
 

Author Comment

by:jskfan
ID: 34120452
so what s the difference between ldp.exe and ntdsutil  ?
0
 
LVL 57

Assisted Solution

by:Mike Kline
Mike Kline earned 417 total points
ID: 34121275
You can use ldp to manually restore an object as noted here   http://support.microsoft.com/kb/840001

I'd personally use adrestore for that as mentioned in that article.  Note when you restore that way not all the attributes are brought back.

Thanks

Mike
0
 

Author Comment

by:jskfan
ID: 34121757
It is still not clear which should I use and why.
Ldp.exe vs ntdsutil
0
 
LVL 57

Assisted Solution

by:Mike Kline
Mike Kline earned 417 total points
ID: 34122603
0
 

Author Comment

by:jskfan
ID: 34124941
the blog talks about what happens after you do the authoritative restore
it doesn't compare between Ldp.exe restore and Authoritative restore using NTDSutil.
I want to know the difference.

thanks
0
 

Author Closing Comment

by:jskfan
ID: 34162709
thanks
0

Join & Write a Comment

Suggested Solutions

I'm sure that every Windows systems administrator has written, or at least used, a batch or VBS login script at some point in their career, whether it is to map network drives, install printers, or set some user preferences.  No more! With Window…
Is your Office 365 signature not working the way you want it to? Are signature updates taking up too much of your time? Let's run through the most common problems that an IT administrator can encounter when dealing with Office 365 email signatures.
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles from a Windows Server 2008 domain controller to a Windows Server 2012 domain controlle…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…

760 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

18 Experts available now in Live!

Get 1:1 Help Now