Authoritative vs Nonauthoritative restore

[Dennis van der Meer]

Hi,

I am studying to become an MCSA 2003 and one of the requirements for
the 70-290 exam is disaster recovery. One of the things someone needs
to know is how an authoritative and nonautoritative restore works.
I have bought a book so I am able to study the material better. The
book contains a lot of sample questions so you can check if you know
the material enough. With one of the questions I'm having a bit of a
problem:

You are the network administrator of a large network.One of you
Windows Server 2003 domain controllers recently failed. You
reinstalled Windows Server 2003 and now need to restore the System
State data and the Active Directory. Which of the following steps
should you take? (Choose all that apply.)

A. Restart the server in Directory Services Restore Mode
B. Perform an authoritative restore using the Ntdsutil.exe
command.
C. Perform a non-authoritative restore using the Ntdsutil.exe
command.
D. Perform an authoritative restore using the Ntdsrestore.exe
command.

I know that one of them must be A and D is not part of the answer
because one must use Ntdsutil.exe.
Because there are multiple domain controllers and a lot could have
happened during the installation of the machine (newly added accounts
on the other domain controllers, etc.). So I would think that you
would then use a non-authoritative restore so that data from the other
domain controllers gets replicated to this newly installed domain
controller. So my guess would have been A, C.

The book says the answer is A,B with the following remarks:
If you need to restore System State data on a domain controller, you
should restart your computer with the advanced startup option
Directory Services Restore Mode. This allows the Active Directory
directory service database and the SYSVOL directory to be restored. If
the System State data is restored on a domain controller that is part
of a domain where data is replicated to other domain controllers, you
must perform an authoritative restore. For an authoritative restore,
you use the Ntdsutil.exe command, the restart the computer.

The answer is not what I expected so where did I go wrong?


Dennis van der Meer

 

[Simon Geary]

A and B are the only possible answers. The trick here is that you do not use
ntdsutil to do a non-authoritative restore, you use ntbackup to do this
therefore C cannot be right.

And of course, ntdsrestore does not exist so D is wrong as well.

Try on a test machine to do an authoritative restore and you will find that
the first step is to do a non-authoritative restore with ntbackup.

 

[Dennis van der Meer]

I do not completely understand.
How should one normally handle this? One of my domain controllers
crashes due to hardware failures. I replace the server and use
ntbackup to do a normal restore, including system state. A normal
restore is non-authoritative (I think) so data from the other domain
controllers should be replicated to this newly installed server
afterwards.
Why is the authoritative restore afterwards necessary? Isn't the data
replicated by itself to this server after the restore is done and do I
therefor need ntdsutil to make sure the data from the other domain
controllers gets replicated to the newly installed server?

 

[Simon Geary]

Don't make the mistake in an MCP exam of trying to work out the best
solution to the problem. You have to work out the best solution from the
answers they let you choose from. If this happened in real life, you
wouldn't do any kind of restore, you would just rebuild from scratch and use
dcpromo to recover AD from another DC.

You are correct that an authoritative restore would only be required if
there was some information on this server that had not yet replicated to
other DC's before it failed. The questions in the exams often don't reflect
real life so don't let it worry you if the correct answer doesn't seem to be
the best possible solution.

 

[Dennis van der Meer]

Ok, thanks for making the whole matter clear for me.

 

[Enkidu]

That answer is definitely wrong, because it doesn't say to do a
non-authorative restore first. Unless things have changed in 2003 you
always need to do a non-authoratative restore *before* an
authoratative restore. An authoratative restore doesn't actually
restore anything. It merely fiddles with the sequence numbers to
ensure that the objects that are marked authoratative and don't get
overwritten by replication from other DCs.

It is not "the best solution from the answers they let you choose
from". It is just plain wrong.

Cheers,

Cliff

 

[Simon Geary]

I see your point, but when talking about a specific exam question we're not
concerned with the right way to do things. We're concerned with getting the
question correct and in this case you need to choose A and B if you want to
get it right.