Restore Active Directory in authoritative mode works only once from a given backup set


dan tudor

Hello everybody.

I am reposting this message since I initially posted it (by mistake)
as a follow up to another thread

I am playing with the authoritative restore of Active Directory and I
have the following problem:

I have 2 Windows 2000 domain controllers in my domain.
I created 5 users - test1, test2, ..., test5 - and I backed up one of
them (of course, including the System State).

After the backup was completed, I deleted the 5 users and I waited for
the Active Directory to be replicated to the second domain controller.
Here I want to test the authoritative restore, therefore I reboot the
computer that I backed up in Directory Services Restore Mode, I
restore the System State and I run: ntdsutil "authoritative restore"
"restore database" quit quit.
ntdsutil completes successfully and I restart the computer in normal mode.
The users test1, ..., test5 are there, and they are replicated on the
second domain controller.
So far it is OK, but the problem appears if I repeat the test, starting
from this point: delete the 5 users, restart the computer in
Directory Services Restore Mode, restore the System State (with Active Directory), run
ntdsutil again with the same options ("authoritative restore" and
"restore database") and restart the computer. This time the 5 users
are no longer in my Active Directory.
One difference I was able to find, from the Event Viewer->Directory:
- after restarting the computer in normal mode, after the first
restore, there were some log entries specifying the updates to the USN
for the users, for example:
the USN from the backup was 2475, the "previous" USN something bigger,
like 3640 (I don't remember exactly, but that is normal, since the objects were
marked as authoritative) and the new USN the same as the one from the
backup, 2475.
- after restarting the computer in normal mode, after the second
restore, the USN from the backup was, of course, the same - 2475 - the
"previous" USN was over 4000, but the new USN was 0.

Does anybody have any idea why this behaviour occurs? Is it by design that you
cannot do an authoritative restore more than once in order to recover
the same objects?


Tim Hines [MSFT]

That is the expected behavior unless you use "restore database verinc #".

When you perform an authoritative restore the USN of the Object(s) is
increased by 100,000. If you restore an object and it has a USN of 2 then
it will now be 100,002 and this object will replicate out to the other DCs.
If you perform another restore using the same backup then the object goes
back to having a USN of 2. If you make it authoritative then it goes back
to 100,002. The other DCs will not think that the object is newer because
of the USN that they are already familiar with. You can get around this by
using "restore database verinc #" . That will allow you to specify the
number to increment the USN by.

Here is more info about the switch from

Restore database verinc %d

Marks the entire Ntds.dit (both the domain and configuration naming
contexts held by the domain controller) as authoritative and increments the
version number by %d. Use this option only to authoritatively restore over a
previous, incorrect, authoritative restore, such as an authoritative restore
from a backup that contains the problem you want to restore over.

Tim Hines, MCSE, MCSA
Windows 2000 Directory Services

When responding to posts, please "Reply to Group" via
your newsreader so that others may learn and benefit
from your issue.
This posting is provided "AS IS" with no warranties, and confers no rights.

dan tudor

Thanks for your reply Tim.

I have some questions though:
What verinc # should I use in order to make sure that I restore the
version I intend to? The thing is that I need to determine/compute
this version number automatically, for a backup/restore application
which provides an "Authoritative restore" advanced option.
Now, my understanding is that as soon as I boot the computer in
Directory Services Restore Mode, this computer no longer has
any clue about the Active Directory database. Anyway, the restore
process will overwrite the ntds.dit file. According to Microsoft:
"During authoritative restore, Ntdsutil opens the Ntds.dit file,
increases version numbers, counts the records that need updating,
verifies the number of records updated, and reports completion. If you
do not specify an increase version number, Ntdsutil does so
automatically." I've just found a statement that "the version number
increases by one hundred thousand for each day after the original
backup". If this is correct, I should be able to authoritatively restore
the same backup several times, without specifying a verinc #, on the
condition that the restores happen on different days. Is this true?
If so, I could go further and add to 100,000 * (days since backup) the
number of seconds passed since midnight, computed at restore time
(there are 86,400 seconds in a day, therefore the next day the number will
be higher), and I could specify the result as the increased version number.
This means that I could restore the Active Directory as many times as
I want and solve my problem.
I still have one concern: the backup I'm playing with is from ~2 weeks
ago. According to the above, after the restore the version numbers should
be > 1 million, but I checked them with repadmin and they are slightly
over 100,000. I'm not sure whether somebody played with the restore on
that machine, though.

Thanks again,
Dan Tudor
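As an added illustration (not from the thread and not ntdsutil's own code), this Python model replays the two restores Dan describes using the rule from Tim's reply: the restored object carries its backup-era version stamp plus the increment (100,000 by default), and a partner DC only accepts a value whose stamp is strictly higher than the copy it already holds. It also evaluates the increment formula Dan proposes (100,000 per day since the backup plus seconds since midnight at restore time); the strictly-greater acceptance rule is a simplification assumed here, and the timestamps are constructed.

```python
from datetime import datetime

DEFAULT_VERINC = 100_000  # increment ntdsutil applies by default, per Tim's reply


def authoritative_restore(backup_version, verinc=DEFAULT_VERINC):
    """Stamp an object ends up with after restoring the backup copy
    (version = backup_version) and marking it authoritative."""
    return backup_version + verinc


def replica_accepts(replica_version, incoming_version):
    """Simplified replication rule assumed here: a partner DC only takes
    an incoming value whose stamp is strictly higher than its own copy."""
    return incoming_version > replica_version


def verinc_from_time(backup_iso, restore_iso):
    """Dan's proposed increment: 100,000 per whole day since the backup
    plus the seconds elapsed since midnight at restore time.
    Both arguments are ISO-8601 timestamps such as '2002-03-01T10:00:00'."""
    backup = datetime.fromisoformat(backup_iso)
    restore = datetime.fromisoformat(restore_iso)
    days = (restore.date() - backup.date()).days
    since_midnight = restore.hour * 3600 + restore.minute * 60 + restore.second
    return DEFAULT_VERINC * days + since_midnight


def simulate_thread(backup_version=2, second_verinc=DEFAULT_VERINC):
    """Replay Dan's experiment from one backup set: a first authoritative
    restore with the default increment, then a second one from the same
    backup.  Returns (first_replicated, second_replicated)."""
    replica = backup_version                       # partner DC matches the backup
    first = authoritative_restore(backup_version)  # 2 -> 100,002
    first_ok = replica_accepts(replica, first)
    if first_ok:
        replica = first                            # 100,002 is now known to the partner
    second = authoritative_restore(backup_version, second_verinc)
    second_ok = replica_accepts(replica, second)
    return first_ok, second_ok


if __name__ == "__main__":
    backup = "2002-03-01T10:00:00"                 # constructed sample timestamps
    print(simulate_thread())                       # (True, False): Dan's problem
    two_weeks = verinc_from_time(backup, "2002-03-15T08:30:00")
    print(simulate_thread(second_verinc=two_weeks))            # (True, True)
    same_day = verinc_from_time(backup, "2002-03-01T18:00:00")
    print(simulate_thread(second_verinc=same_day))             # (True, False)
```

The last case is the edge Dan's formula does not cover: on the day of the backup it yields at most 86,399, which is below the 100,000 the first default restore already replicated, so the second restore is still ignored.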
