?
Solved

AD Authoritative and Non-Authoritative Restore

Posted on 2010-11-10
12
Medium Priority
?
1,812 Views
Last Modified: 2012-05-10
If I understand:
AD Authoritative restore comes into play when for instance an OU with or without sub-object is deleted by mistake.
In this case how can I tell which objects have been deleted by mistake. Some articles talk about using ADSIEdit to pinpoint the deleted objects.If so how to use it?
I am not sure If using ADSIEDit can tell witch object has been deleted and which has not.
In which case should I use Non-Authoritative restore?

Steps to use in Authoritative restote(correct me if I am wrong):
1- After noticing or being notified that an object has been deleted, use ADSIEdit and see if it's showing up, if so that means the delete object has been replicated from the deleted DC to the DC I am on, otherwise I will wait for the Replication to Occur.
2- After the replication has occurred and the ADSIEdit shows the object, Reboot  the DC in AD Restore more by pressing F8. If the Restore mode password
is forgotten, then reboot in normal mode and use DRSM tool to reset password.
3-after rebooting to AD Restore mode run the NTDsutil to do the authoritative restore and reboot in normal mode.

Thanks
0
Comment
Question by:jskfan
  • 6
  • 5
12 Comments
 
LVL 57

Accepted Solution

by:
Mike Kline earned 1668 total points
ID: 34103957
You can also use a tool like afind to search for objects that have isdeleted=true, check out this question I helped with
http://www.experts-exchange.com/Software/Server_Software/File_Servers/Active_Directory/Q_24541345.html
Non authoritative restore would be used if you just want to restore AD to the box and have changes that have happened since the backup overwrite your restore.
When an object is deleted you always do an authoritative restore so that the object doesn't get overwritten (during the auth restore the USN of the object is incremented to ensure it is not overwritten)
You almost have the steps right.   For number 3 you first have to do the restore and then mark the objects as authoritative using ntdsutil   http://technet.microsoft.com/en-us/library/cc779573(WS.10).aspx
Another question I helped with last year may also help  http://www.experts-exchange.com/Software/Server_Software/File_Servers/Active_Directory/Q_24184760.html
 
...this all gets much easier with the AD recycle bin in 2008 R2 :)
Thanks
Mike
 
0
 

Author Comment

by:jskfan
ID: 34106237
how do we locate the AD Objects that have been deleted?

0
 
LVL 10

Assisted Solution

by:abhijitmdp
abhijitmdp earned 332 total points
ID: 34117389
Please look at below link from microsoft for finding out a deleted object in AD
http://support.microsoft.com/kb/258310.

You can also recover the object by this tool.
0
Has Powershell sent you back into the Stone Age?

If managing Active Directory using Windows Powershell® is making you feel like you stepped back in time, you are not alone.  For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why.

 
LVL 57

Assisted Solution

by:Mike Kline
Mike Kline earned 1668 total points
ID: 34118104
look at the first link I sent you, you can search for them
0
 

Author Comment

by:jskfan
ID: 34119525
Regarding the LDP.exe, it is used to view and restore deleted objects in AD.

I thought they use NTDSutil the perform authoritative restore, in order to restore the deleted items.

it's confusing now , which one to use
0
 
LVL 57

Assisted Solution

by:Mike Kline
Mike Kline earned 1668 total points
ID: 34120076
ntdsutil is used to mark the objects as authoritative...you have that right
0
 

Author Comment

by:jskfan
ID: 34120452
so what s the difference between ldp.exe and ntdsutil  ?
0
 
LVL 57

Assisted Solution

by:Mike Kline
Mike Kline earned 1668 total points
ID: 34121275
You can use ldp to manually restore an object as noted here   http://support.microsoft.com/kb/840001

I'd personally use adrestore for that as mentioned in that article.  Note when you restore that way not all the attributes are brought back.

Thanks

Mike
0
 

Author Comment

by:jskfan
ID: 34121757
It is still not clear which should I use and why.
Ldp.exe vs ntdsutil
0
 
LVL 57

Assisted Solution

by:Mike Kline
Mike Kline earned 1668 total points
ID: 34122603
0
 

Author Comment

by:jskfan
ID: 34124941
the blog talks about what happens after you do the authoritative restore
it doesn't compare between Ldp.exe restore and Authoritative restore using NTDSutil.
I want to know the difference.

thanks
0
 

Author Closing Comment

by:jskfan
ID: 34162709
thanks
0

Featured Post

Receive 1:1 tech help

Solve your biggest tech problems alongside global tech experts with 1:1 help.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

How to deal with a specific error when using the Enable-RemoteMailbox cmdlet to create a mailbox in the cloud-based service, for an existing user in an on-premises Active Directory.
High user turnover can cause old/redundant user data to consume valuable space. UserResourceCleanup was developed to address this by automatically deleting user folders when the user account is deleted.
Attackers love to prey on accounts that have privileges. Reducing privileged accounts and protecting privileged accounts therefore is paramount. Users, groups, and service accounts need to be protected to help protect the entire Active Directory …
This video shows how to use Hyena, from SystemTools Software, to update 100 user accounts from an external text file. View in 1080p for best video quality.
Suggested Courses

621 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question