Solved

Authoritative restore on entire Domain Controller generates LDIF files?

Posted on 2014-07-18
468 Views
Last Modified: 2014-07-29
I'm running some disaster recovery tests by restoring our Win 2003 SP2 DC VMs from backup into a test environment. We use VSS-compliant backups. The first DC I bring up holds the FSMO roles, and I start it in DSRM and use ntdsutil to do an authoritative restore on the database. Once it's done, it generates two LDIF files containing back links for AD objects.

Now, from reading the MS documentation and from my own experiments, because I'm doing an authoritative restore on the entire database (instead of an individual object) and since I have a single domain, I should NOT have to import the LDIF files to restore membership information.

Is this correct?
Question by:donohoe1
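The two files ntdsutil writes are ordinary LDIF "changetype: modify" records that add back-link values (group member, manager, and similar) to the restored objects. Before deciding whether to import them, it helps to see exactly which objects and attributes they would touch. The following script is an added example, not part of the original question or of any Microsoft tool; the LDIF content embedded in it is constructed to resemble such a file and is not copied from a real restore, and the function names are my own.

```python
"""Summarise the back-link LDIF that ntdsutil writes after an authoritative restore.

SAMPLE_LDIF is a constructed example of the kind of 'changetype: modify' records
found in the generated back-link file; it is not real restore output.
"""
from collections import defaultdict

SAMPLE_LDIF = """\
dn: CN=Finance,CN=Users,DC=example,DC=com
changetype: modify
add: member
member: CN=Alice Smith,CN=Users,DC=example,DC=com
member: CN=Bob Jones,CN=Users,DC=example,DC=com
-

dn: CN=Domain Admins,CN=Users,DC=example,DC=com
changetype: modify
add: member
member: CN=Alice Smith,CN=Users,DC=example,DC=com
-

dn: CN=Alice Smith,CN=Users,DC=example,DC=com
changetype: modify
add: manager
manager: CN=Bob Jones,CN=Users,DC=example,DC=com
-
"""


def parse_ldif_modify(text):
    """Return a list of (dn, attribute, [values]) for every 'add:' block.

    Handles RFC 2849 line folding (a continuation line starts with a space)
    and blank-line separated records. Only 'changetype: modify' with an 'add'
    operation is recognised, which is what the back-link files consist of.
    """
    # Unfold continuation lines first so every attribute sits on one line.
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)

    changes = []
    dn = changetype = attr = None
    values = []
    for line in lines:
        if not line.strip():
            # Blank line ends the record.
            dn = changetype = attr = None
            values = []
            continue
        if line.startswith("dn: "):
            dn = line[4:].strip()
        elif line.startswith("changetype: "):
            changetype = line[12:].strip()
        elif line.startswith("add: "):
            attr = line[5:].strip()
            values = []
        elif line == "-":
            # End of one modification block: record it if it is a valid add.
            if dn and changetype == "modify" and attr:
                changes.append((dn, attr, values))
            attr = None
            values = []
        elif attr and line.lower().startswith(attr.lower() + ": "):
            values.append(line[len(attr) + 2:].strip())
    return changes


def summarise_backlinks(text):
    """Map each target DN to {attribute: [values]} the import would add."""
    summary = defaultdict(lambda: defaultdict(list))
    for dn, attr, values in parse_ldif_modify(text):
        summary[dn][attr].extend(values)
    return {dn: dict(attrs) for dn, attrs in summary.items()}


def members_by_group(text):
    """Group DN -> sorted member DNs, considering only 'member' back-links."""
    return {
        dn: sorted(attrs["member"])
        for dn, attrs in summarise_backlinks(text).items()
        if "member" in attrs
    }


if __name__ == "__main__":
    # Print a one-line-per-attribute overview of what the file would change.
    for target, attrs in summarise_backlinks(SAMPLE_LDIF).items():
        for attribute, vals in attrs.items():
            print(f"{target}: add {attribute} ({len(vals)} value(s))")
```

Run it against the real ar_*.ldf files instead of SAMPLE_LDIF (for example, `summarise_backlinks(open(path).read())`) to get a quick inventory of which groups and which link attributes the file covers; if every group listed already shows the expected membership on the restored DC, the import adds nothing.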
7 Comments
LVL 35

Expert Comment

by:Mahesh
ID: 40205359
In reality you should not use an AD authoritative restore unless you have a strong reason to do so.
An authoritative restore is only recommended when your AD is corrupted, you cannot log on to AD, or you have to revert functional levels from a later version to a previous version.
http://technet.microsoft.com/en-us/library/cc757662(v=ws.10).aspx

You may get restored user group membership with a complete AD database authoritative restore, but it's not required and not recommended.
http://technet.microsoft.com/en-us/library/cc816878(v=ws.10).aspx

Your testing should include deletion of some users and groups and then restoring them authoritatively. Check the article below.
http://technet.microsoft.com/en-us/library/cc794728(v=ws.10).aspx

Normally, at 2003 and above functional levels, an authoritative restore will restore group membership as well when groups were created post-LVR. However, due to Active Directory limitations, sometimes your authoritative restore on domains with 2003 and above functional levels is still unable to restore group membership because of the AD replication order.
http://technet.microsoft.com/en-us/library/cc816878(v=ws.10).aspx

In addition to the standard way of restoring backlinks, the alternate solution to your problem:
The easiest solution to this problem is to perform the authoritative restore of the groups a second time. After you perform the first authoritative restore, reboot into normal mode and make sure that replication takes place properly. Then reboot back into DSRM and run NTDSUTIL to perform an authoritative restore of the groups the user was a member of. This guarantees that when you boot back into normal mode, the user object will have replicated out before the group objects referring to it replicate.
http://technet.microsoft.com/en-in/magazine/2007.04.adrecovery(en-us).aspx
Author Comment

by:donohoe1
ID: 40205367
I'm not looking at restoring just one or a couple of Active Directory objects; I'm looking at restoring entire servers. The test I'm running is restoring the entire network from the ground up. It's a disaster recovery scenario where we've lost the server room and need to get things running again from only our backups.
LVL 35

Expert Comment

by:Mahesh
ID: 40205419
In that case just check the 1st link in my comment above.
It describes the AD forest recovery scenario from scratch.
In that case you don't have to restore backlinks again, because you don't have any other domain controllers online: the DC that you restore will be the 1st restored DC, and the rest of the DCs will be created by the standard ADC process or can just be restored with the non-authoritative restore process.
Author Comment

by:donohoe1
ID: 40205452
That first link actually did help me. In the "Restore the first writeable domain controller in each domain" section it states:

Because this is the first writeable DC in the domain, you must perform a nonauthoritative restore of AD DS and an authoritative restore of SYSVOL. The restore operation must be completed by using an Active Directory-aware backup and restore application, such as Windows Server Backup (that is, you should not restore the DC by using unsupported methods such as restoring a VM snapshot).

Therefore I can just bring up my first DC as nonauthoritative (which is very easy to do) and then just set the SYSVOL to authoritative (also very easy) and then bring up the additional DCs.
LVL 35

Expert Comment

by:Mahesh
ID: 40205601
That's right; however, there is a series of steps you need to follow to do a forest recovery.
You can download the AD forest recovery guide for full information.
http://www.microsoft.com/en-in/download/details.aspx?id=16506
Normally you should not attempt that step unless Microsoft has suggested doing so, because it is the last step; in case of a data center outage you don't have any choice other than forest recovery.
Author Comment

by:donohoe1
ID: 40205731
Per the article Microsoft only wants you to restore one DC and then use promotion to add the rest. Do you know why that's the case? If you have good backups of the other DCs why not restore them as well?
LVL 35

Accepted Solution

by:
Mahesh earned 500 total points
ID: 40206191
Probably the post below will give you the answer:
http://social.technet.microsoft.com/Forums/windowsserver/en-US/d52da478-e78b-428b-958d-54150b3c9246/cant-find-restore-database-command-in-ntdsutil-on-server-2008?forum=winserverDS

With Windows 2008 and above, MS has removed / silently dropped "restore entire database" under authoritative restore in ntdsutil.
They have not published this to the external world; you may find some documentation internal to MS.
MS found serious problems with that command and hence it has been removed.

The scenario you are looking for can be a bit simpler.
After restoring the 1st DC with auth-SYSVOL there is one step to remove references to all DCs; you need to skip this step, and then you can restore the other DCs from backup non-authoritatively. If you removed the references in the 1st place, then you are forced to deploy new ADCs from scratch.
As a fact, if you restore AD with the authoritative SYSVOL option on the 1st DC, in reality AD gets restored non-authoritatively except for SYSVOL, and hence it cannot replicate / enforce the restored version to another non-authoritatively restored DC (another DC from backup without the auth SYSVOL option). If another restored DC has some changes with a higher USN (e.g. user deletion, functional level raise, etc.), those will get replicated to the 1st DC.

If your AD health is clean and healthy before the disaster, you can use this approach; however, you need to ensure that the backups used for the restore are within the same time range and that there were no major changes between the restored system state backups, otherwise it may generate unpredictable results.

However, if AD database-level corruption occurs and has already replicated to all DCs, and it is also backed up in the system state backups, you should not use the above approach if you want to get a clean AD environment again.

As a fact, what MS is recommending / wants is that you restore one DC and then use promotion to add the rest.

Hope that helps

Mahesh.