Procedure required for complete Active Directory restore to a previous state

zerbie45

hello guys,

I have an AD domain I need to restore to a previous state, this is the
infrastructure:

1 DC 2K3 Std Ed SP2 all FSMO roles and GC
1 DC 2K3 Std Ed SP2 GC
Other member servers...

I have a valid backup taken only a few hours back.
I need to do authoritative restore so that all objects are rolled back
to the previous state.
I know I need to:

first, reboot DC 1 into AD restore mode and run a normal (not
authoritative) restore
second, use ntdsutil and execute restore database (authoritative
restore)

But I've never performed this before, and I know there's something to
do with regard to the sysvol objects.
I've looked everywhere in the internet but all examples refer to
restoring just an object, not the entire directory.

Does anyone have a bullet-proof, step-by-step procedure to perform a
complete restore of an Active Directory domain to a previous state?
Can anybody help? It would be much appreciated!

Thanks and Regards,
ZZ
 
Ace Fekay [MVP]

If you have more than one DC, you will probably want the objects in the
restore to take precedence over the other DC's objects. To do this, you will
need to mark the entire database as authoritative. See 'After restarting the
domain controller', Step 9, in the first link below.


How can I perform an authoritative restoration of Active Directory (AD) in
Windows Server 2003?
http://www.windowsitpro.com/Article/ArticleID/41170/41170.html

Performing an Authoritative Restore of Active Directory Objects:
http://technet2.microsoft.com/windo...83ce-4475-b9b4-46f76c9c7c901033.mspx?mfr=true

How to perform an authoritative restore to a domain controller in Windows
2000
http://support.microsoft.com/kb/241594


--
Regards,
Ace

This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT,
MVP Microsoft MVP - Directory Services
Microsoft Certified Trainer

Infinite Diversities in Infinite Combinations
 
zerbie45

Thanks for your answer, much appreciated.

I did manage to restore the entire database but I have some problems
regarding the sysvol.

basically the steps I followed are:

- restart dc in dsrm
- perform normal (not authoritative) restore
- perform authoritative restore (that is: restore to original location,
mark as primary set... for the sysvol folder... don't remember the
exact wording...)
- restart

however, reading some kbs I gather that an auth restore of the sysvol
requires something more than that, like restoring to an alternate
location.
So my question is: do I need to run the auth restore twice, or can I
use the alternate location option during the step above... will that
be compatible with the system state auth restore of all other
objects?

thanks!
regards,
zz
 
Jorge de Almeida Pinto [MVP - DS]

There is no reason to fully restore the database by using the command
"restore database" in NTDSUTIL. That only authoritatively restores ALL the
objects in the database, but not other objects on other DCs that do
not exist in the restored database...

when you want to go back in time with your AD you need to restore at least 1
DC and then:
* restore all the others or rebuild them

for the SYSVOL....
if you do an auth. restore of the SYSVOL (primary set option OR D4) on one
DC, you MUST do a non-auth (D2) restore of the SYSVOL on all the other DCs
in the domain

I sure hope you are thinking first and testing before actually doing
anything like trial and error

--

Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)

# Jorge de Almeida Pinto # MVP Windows Server - Directory Services

BLOG (WEB-BASED)--> http://blogs.dirteam.com/blogs/jorge/default.aspx
BLOG (RSS-FEEDS)--> http://blogs.dirteam.com/blogs/jorge/rss.aspx
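Added example, not code posted by anyone in this thread: a PowerShell helper for the D4 / D2 SYSVOL setting Jorge refers to. It assumes the FRS-replicated SYSVOL of Windows 2000/2003 (the NtFrs BurFlags registry value; DFSR-replicated SYSVOL on newer domains does not use it) and is run elevated on the DC whose SYSVOL role is being set.

```powershell
# Added example, not from the thread. Sets the FRS "BurFlags" value that
# selects an authoritative (D4) or non-authoritative (D2) SYSVOL restore,
# then restarts NtFrs so the flag is processed at service startup.
# Rule from the thread: D4 on exactly ONE DC, D2 on every other DC.
$FrsKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\NtFrs\Parameters\Backup/Restore\Process at Startup'

function Set-SysvolBurFlags {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # 'D4' = authoritative / primary SYSVOL (one DC only)
        # 'D2' = non-authoritative, re-sync SYSVOL from a partner (all other DCs)
        [Parameter(Mandatory)][ValidateSet('D2', 'D4')][string]$Mode
    )
    $value = [Convert]::ToInt32($Mode, 16)   # 'D4' -> 212, 'D2' -> 210

    if (-not (Test-Path -Path $FrsKey)) {
        throw "FRS key not found; is this DC using FRS for SYSVOL?"
    }
    if ($PSCmdlet.ShouldProcess($env:COMPUTERNAME, "Set BurFlags=0x$Mode and restart NtFrs")) {
        Stop-Service -Name NtFrs -Force -ErrorAction Stop
        Set-ItemProperty -Path $FrsKey -Name BurFlags -Value $value -Type DWord -ErrorAction Stop
        Start-Service -Name NtFrs -ErrorAction Stop
    }
}

function Get-SysvolBurFlags {
    # FRS clears BurFlags back to 0 after it has processed the restore, so a
    # D2/D4 still present some minutes after startup means it was not acted on.
    $raw = (Get-ItemProperty -Path $FrsKey -Name BurFlags -ErrorAction SilentlyContinue).BurFlags
    if ($null -eq $raw) { return 'unset' }
    return ('{0:X}' -f $raw)
}

# Usage on the DC that holds the restored SYSVOL, then on each other DC:
#   Set-SysvolBurFlags -Mode D4 -WhatIf    # dry run first
#   Set-SysvolBurFlags -Mode D4            # this DC's SYSVOL wins
#   Set-SysvolBurFlags -Mode D2            # on every other DC
#   Get-SysvolBurFlags                     # expect '0' once FRS has processed it
```

Run `-WhatIf` first and confirm with Get-SysvolBurFlags and the FRS event log that the flag was consumed before touching the next DC.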
 
Herb Martin

"Jorge de Almeida Pinto [MVP - DS]" wrote:
> There is no reason to fully restore the database by using the command
> "restore database" in NTDSUTIL. That only authoritatively restores ALL the
> objects in the database, but not other objects on other DCs that
> do not exist in the restored database...
>
> when you want to go back in time with your AD you need to restore at least
> 1 DC and then:
> * restore all the others or rebuild them
>
> for the SYSVOL....
> if you do an auth. restore of the SYSVOL (primary set option OR D4) on one
> DC, you MUST do a non-auth (D2) restore of the SYSVOL on all the other DCs
> in the domain

There is actually a way to accomplish the SysVol (equivalent of the)
"Authoritative Restore" using a single DC. This procedure is documented in
the Distributed Systems volume of the Server Resource Kit (Chapter 9 under
Win2000.)

The procedure is basically to do the following:

1) Complete the regular System State Restore and Authoritative Restore
for AD

2) Restore SysVol to an ADDITIONAL (different) location

3) AFTER bringing the DC back online, copy all of the "additional" SysVol
to the current (production) SysVol with something like:
xcopy SysVolCopy SysVol\ /s /y /h /k /o /r

This apparently changes all the last "write times", and so using a utility
similar to Unix "touch" would likely work also, but the documented method is
to do the copy as described above.
 
zerbie45

Thank you for your answer, but I think you misunderstood what my
target is.
I need to perform a complete (aka primary) restore of an active
directory domain.
That of course means all objects, like users, ous, gpos, sysvol, etc.
I do believe the 'restore database' command must be used to accomplish
this. Am I wrong?!
What kind of objects would not exist in the restored database?
Assuming I have a valid system state backup (I believe this contains
all objects required for a complete AD restore?!)

I also believe that the above does not suffice to have the sysvol
restored too.

I have not found a clear procedure to do this. I was able to get the
AD restored, but the sysvol restore is still not working the way I
expected.

Thanks and Regards,
zz
 
Jorge de Almeida Pinto [MVP - DS]

no, I did not miss your target.... you wanna go back in time with your AD
domain to a certain point in time....

the command "restore database" in NTDSUTIL does not need to be used, as
there is no valid reason to use it. Better yet, it has been removed in W2K8


Independent of how many DCs you have:
1ST DC of AD domain --> a non-authoritative restore of AD with a primary
restore of the SYSVOL

ALL other DCs in the AD domain:
* rebuild and repromote
OR
* non-authoritative restore of AD and non-auth restore of the SYSVOL

for more info on AD and backups/restores see:
http://blogs.dirteam.com/blogs/jorge/archive/2006/03/08/597.aspx
http://blogs.dirteam.com/blogs/jorge/archive/2006/10/20/Active-Directory-Forest-Recovery.aspx
--

Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)

# Jorge de Almeida Pinto # MVP Windows Server - Directory Services

BLOG (WEB-BASED)--> http://blogs.dirteam.com/blogs/jorge/default.aspx
BLOG (RSS-FEEDS)--> http://blogs.dirteam.com/blogs/jorge/rss.aspx
 
Herb Martin

> Thank you for your answer, but I think you misunderstood what my
> target is.

Possibly, but then you need to state the target clearly and explicitly,
and perhaps give your ACTUAL goal as well. Many times people
ask "How do I do X" thinking that X will solve their real goal of Y,
instead of explaining that real goal (Y).

> I need to perform a complete (aka primary) restore of an active
> directory domain.

No, there is no such thing (in common Microsoft terminology or among
experienced admins) as a "Primary" restore.

There is an AUTHORITATIVE restore, but that is almost never
needed for the ENTIRE database and seldom needed for smaller
subsets -- when you need it though it is cool.

The word "authoritative" means (essentially) "Information on THIS
Server/DC will override OTHER Servers/DCs with conflicting information"
(regardless of timestamp, USN, etc.)

> That of course means all objects, like users, ous, gpos, sysvol, etc.
> I do believe the 'restore database' command must be used to accomplish
> this. Am I wrong?!

Only if you wish to do an AUTHORITATIVE restore.

> What kind of objects would not exist in the restored database?

The actual file-based supplements such as the GPO (files), scripts, etc.

There are references in the actual AD to GPOs but not the actual data
of the settings, which are kept in SysVol.

> Assuming I have a valid system state backup (I believe this contains
> all objects required for a complete AD restore?!)

Yes, it does, but the Authoritative Restore (per se) doesn't make the
SysVol "authoritative".

> I also believe that the above does not suffice to have the sysvol
> restored too.

Restored YES; authoritatively NO.

> I have not found a clear procedure to do this. I was able to get the
> AD restored, but the sysvol restore is still not working the way I
> expected.

As I explained in my original response.
 
Herb Martin

"Jorge de Almeida Pinto [MVP - DS]" wrote:
> no, I did not miss your target.... you wanna go back in time with your AD
> domain to a certain point in time....
>
> the command "restore database" in NTDSUTIL does not need to be used, as
> there is no valid reason to use it. Better yet, it has been removed in
> W2K8
> independent of how many DCs you have.......

I don't understand what you are saying here. If he restores (physically)
the database on ONLY 1 of several DCs, but skips the Authoritative Restore
procedure, the OTHER DCs will subsequently overwrite the restored information
that conflicts with LATER (or USN precedence based) updates.
 