AD Authoritative and Non-Authoritative Restore

Posted on 2010-11-10
1,784 Views
Last Modified: 2012-05-10
If I understand correctly:
AD Authoritative restore comes into play when, for instance, an OU with or without sub-objects is deleted by mistake.
In this case, how can I tell which objects have been deleted by mistake? Some articles talk about using ADSIEdit to pinpoint the deleted objects. If so, how do I use it?
I am not sure if using ADSIEdit can tell which object has been deleted and which has not.
In which case should I use Non-Authoritative restore?

Steps to use in Authoritative restore (correct me if I am wrong):
1- After noticing or being notified that an object has been deleted, use ADSIEdit and see if it's showing up; if so, that means the deleted object has been replicated from the DC where it was deleted to the DC I am on; otherwise I will wait for the replication to occur.
2- After the replication has occurred and ADSIEdit shows the object, reboot the DC into AD Restore mode by pressing F8. If the Restore mode password is forgotten, then reboot in normal mode and use the DSRM tool to reset the password.
3- After rebooting into AD Restore mode, run NTDSutil to do the authoritative restore and reboot in normal mode.

Thanks
Question by:jskfan
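The first part of the question (which objects were deleted, and has the deletion replicated to the DC I am on yet) can be answered from PowerShell instead of ADSIEdit. The script below is an added example, not part of the original question or any answer on this page; it uses the ActiveDirectory module (RSAT on Windows Server 2008 R2 and later), and the DC name, OU and look-back window are placeholder values.

```powershell
# Added example (not from the question or answers): list the tombstones that a
# given DC currently holds, so you can see what was deleted and from where, and
# check whether a particular deletion has reached that DC yet.
# Assumes the ActiveDirectory module; server name and dates are placeholders.
Import-Module ActiveDirectory

function Get-RecentlyDeletedObjects {
    param(
        [string]   $Server = 'dc01.contoso.com',        # placeholder DC to query
        [datetime] $Since  = (Get-Date).AddDays(-1)     # look back one day
    )
    # Deleted objects are tombstones under CN=Deleted Objects with isDeleted=TRUE.
    # Without -IncludeDeletedObjects the search simply does not return them.
    Get-ADObject -Server $Server -IncludeDeletedObjects `
        -Filter 'isDeleted -eq $true -and whenChanged -ge $Since' `
        -Properties isDeleted, lastKnownParent, whenChanged, objectClass |
      Where-Object { $_.Name -ne 'Deleted Objects' } |   # the container itself is flagged too
      Select-Object Name, objectClass, lastKnownParent, whenChanged
}

function Test-DeletionReplicated {
    param(
        [string] $Server,
        [string] $DistinguishedName    # DN the object had before deletion
    )
    # Search the live tree only. If the object is still found on this DC, the
    # deletion has not replicated here yet (the question's step 1 check).
    $live = Get-ADObject -Server $Server -Identity $DistinguishedName -ErrorAction SilentlyContinue
    return ($null -eq $live)
}

# Inventory: grouping by lastKnownParent makes a deleted OU subtree stand out,
# because every child shows the same (now missing) parent.
$deleted = Get-RecentlyDeletedObjects -Server 'dc01.contoso.com'
$deleted | Group-Object lastKnownParent | Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize
$deleted | Format-Table Name, objectClass, whenChanged -AutoSize

# Replication check for one object (placeholder DN) on a second DC.
Test-DeletionReplicated -Server 'dc02.contoso.com' -DistinguishedName 'CN=John Doe,OU=Sales,DC=contoso,DC=com'
```

Run the inventory against two DCs and compare: while the lists differ, the deletion has not converged, which is exactly the condition the question's step 1 waits for. Tombstones are only kept for the tombstone lifetime, so the inventory has to be taken before that expires.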
12 Comments
 
LVL 57

Accepted Solution

by:
Mike Kline earned 1668 total points
ID: 34103957
You can also use a tool like afind to search for objects that have isdeleted=true, check out this question I helped with
http://www.experts-exchange.com/Software/Server_Software/File_Servers/Active_Directory/Q_24541345.html
Non-authoritative restore would be used if you just want to restore AD to the box and have changes that have happened since the backup overwrite your restore.
When an object is deleted you always do an authoritative restore so that the object doesn't get overwritten (during the auth restore the USN of the object is incremented to ensure it is not overwritten).
You almost have the steps right. For number 3 you first have to do the restore and then mark the objects as authoritative using ntdsutil: http://technet.microsoft.com/en-us/library/cc779573(WS.10).aspx
Another question I helped with last year may also help  http://www.experts-exchange.com/Software/Server_Software/File_Servers/Active_Directory/Q_24184760.html
 
...this all gets much easier with the AD recycle bin in 2008 R2 :)
Thanks
Mike
 
0
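The order Mike corrects in step 3 (restore the system state first, then mark only the deleted subtree authoritative, then reboot) looks like this when typed into Directory Services Restore Mode on the DC. This is an added example, not Mike's script and not Microsoft's documentation; it assumes the DC was backed up with Windows Server Backup (wbadmin), and the backup version identifier and OU distinguished name are placeholders.

```powershell
# Added example (not from the answer above): the restore sequence in the order
# Mike describes, run from DSRM on the DC. Assumes wbadmin system state backups;
# the version id and the OU DN below are placeholders.
$BackupVersion = '11/09/2010-22:00'              # placeholder: pick from 'wbadmin get versions'
$SubtreeDN     = 'OU=Sales,DC=contoso,DC=com'    # placeholder: the OU that was deleted

# Step 1: non-authoritative system state restore. Do NOT reboot when it finishes.
wbadmin get versions
wbadmin start systemstaterecovery -version:$BackupVersion -quiet
if ($LASTEXITCODE -ne 0) {
    throw "System state recovery failed (exit $LASTEXITCODE); nothing has been marked authoritative."
}

# Step 2: only after the restore succeeded, mark just the deleted subtree
# authoritative. Each quoted argument is one ntdsutil command. 'restore subtree'
# raises the version numbers of every object under the DN so replication
# partners accept the restored copy instead of re-deleting it; use
# "restore object <DN>" for a single object. On Windows Server 2003 ntdsutil
# has no 'activate instance' command, so drop that argument there.
ntdsutil "activate instance ntds" "authoritative restore" "restore subtree $SubtreeDN" quit quit
if ($LASTEXITCODE -ne 0) {
    throw "ntdsutil reported exit $LASTEXITCODE; check its output before rebooting."
}

# Step 3: reboot into normal mode. Replication then pushes the restored subtree
# to the other DCs, which is why only the deleted subtree was marked.
Restart-Computer
```

Marking the whole database authoritative ("restore database") would roll every object on every DC back to the backup, so the subtree or object form is the one to use for an accidental deletion. If the DN contains spaces, wrap it in escaped quotes inside the ntdsutil argument, for example `"restore subtree `"OU=Sales Team,DC=contoso,DC=com`""`.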
 

Author Comment

by:jskfan
ID: 34106237
How do we locate the AD objects that have been deleted?

0
 
LVL 10

Assisted Solution

by:abhijitmdp
abhijitmdp earned 332 total points
ID: 34117389
Please look at the link below from Microsoft for finding out a deleted object in AD:
http://support.microsoft.com/kb/258310

You can also recover the object by this tool.
0
 
LVL 57

Assisted Solution

by:Mike Kline
Mike Kline earned 1668 total points
ID: 34118104
Look at the first link I sent you; you can search for them.
0
 

Author Comment

by:jskfan
ID: 34119525
Regarding LDP.exe, it is used to view and restore deleted objects in AD.

I thought they use NTDSutil to perform an authoritative restore, in order to restore the deleted items.

It's confusing now which one to use.
0
 
LVL 57

Assisted Solution

by:Mike Kline
Mike Kline earned 1668 total points
ID: 34120076
ntdsutil is used to mark the objects as authoritative...you have that right
0
 

Author Comment

by:jskfan
ID: 34120452
So what's the difference between ldp.exe and ntdsutil?
0
 
LVL 57

Assisted Solution

by:Mike Kline
Mike Kline earned 1668 total points
ID: 34121275
You can use ldp to manually restore an object as noted here: http://support.microsoft.com/kb/840001

I'd personally use adrestore for that as mentioned in that article.  Note when you restore that way not all the attributes are brought back.

Thanks

Mike
0
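The ldp/adrestore route Mike describes is tombstone reanimation: the object is brought back from the tombstone that is still in the directory, not from a backup, so only the attributes a tombstone retains come back with it. The script below is an added example, not from Mike's answer or KB840001; it does the same reanimation with the ActiveDirectory module's Restore-ADObject cmdlet (the cmdlet counterpart of adrestore, not the tool itself) and first shows which attributes the tombstone still carries, so it is visible up front what will have to be repaired by hand or needs the ntdsutil route instead. The account name and OU are placeholders.

```powershell
# Added example (not from the answer or KB840001): reanimate one tombstone with
# Restore-ADObject and show beforehand which attributes survived deletion.
# Assumes the ActiveDirectory module; the sAMAccountName and OU are placeholders.
Import-Module ActiveDirectory

function Show-TombstoneAttributes {
    param([string] $SamAccountName)
    # sAMAccountName is one of the attributes kept on a tombstone, so it can be
    # searched for; anything not kept is simply absent from the object.
    $filter = 'isDeleted -eq $true -and sAMAccountName -eq "{0}"' -f $SamAccountName
    $ts = Get-ADObject -IncludeDeletedObjects -Filter $filter -Properties *
    if (-not $ts) { throw "No tombstone for $SamAccountName (past the tombstone lifetime?)" }

    # Attributes an admin usually cares about after a user restore. The verdict is
    # computed from the tombstone itself, not assumed.
    $wanted = 'objectSid', 'sIDHistory', 'userAccountControl', 'memberOf',
              'description', 'telephoneNumber', 'unicodePwd'
    foreach ($attr in $wanted) {
        $state = if ($ts.PropertyNames -contains $attr) { 'retained on tombstone' }
                 else { 'not retained: set again by hand, or use an authoritative restore' }
        '{0,-20} {1}' -f $attr, $state
    }
    return $ts
}

function Restore-TombstonedUser {
    param(
        [string] $SamAccountName,
        [string] $TargetOU        # optional: override when the original OU is gone too
    )
    $ts = Show-TombstoneAttributes -SamAccountName $SamAccountName

    # A tombstone's RDN is "<original name>\0ADEL:<guid>"; the separator is a line feed.
    $originalName = ($ts.Name -split "`n")[0]
    # Default target is the OU it was deleted from; the restore fails if that OU
    # no longer exists, which is the case for a deleted subtree.
    if (-not $TargetOU) { $TargetOU = $ts.lastKnownParent }

    Restore-ADObject -Identity $ts.ObjectGUID -NewName $originalName -TargetPath $TargetOU

    # What came back: group membership and any non-retained attributes must be
    # re-applied; the password was never on the tombstone, so reset it.
    Get-ADUser -Identity $SamAccountName -Properties memberOf, description |
        Select-Object Name, Enabled, description, memberOf
}

# Placeholder account; run Show-TombstoneAttributes alone first to preview.
Restore-TombstonedUser -SamAccountName 'jdoe'
```

That preview is the practical difference the thread keeps circling: ldp/adrestore/Restore-ADObject is quick and needs no reboot or backup, but returns a skeleton object (SID intact, most other attributes and group memberships gone); the ntdsutil authoritative restore returns the object exactly as it was at backup time, at the cost of a DSRM reboot and a valid system state backup.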
 

Author Comment

by:jskfan
ID: 34121757
It is still not clear which I should use and why.
Ldp.exe vs ntdsutil
0
 
LVL 57

Assisted Solution

by:Mike Kline
Mike Kline earned 1668 total points
ID: 34122603
0
 

Author Comment

by:jskfan
ID: 34124941
The blog talks about what happens after you do the authoritative restore;
it doesn't compare the Ldp.exe restore with an authoritative restore using NTDSutil.
I want to know the difference.

thanks
0
 

Author Closing Comment

by:jskfan
ID: 34162709
thanks
0
