The Bit Bucket

Friday, June 23, 2006

Tips for Active Directory Restores

Over the past few weeks I have had the chance to play with Active Directory restoration and various failure scenarios. During this I have come up with a set of tips that I thought were worth sharing. If you have any more, please add them in the comments.

1. You should always have a MINIMUM of two domain controllers replicating with each other, and they should be at different sites, so that losing one DC (or one site) does not force you into a restore from backup in the first place.

2. Should you ever need to restore the system state, restore it only to the machine it was backed up FROM. System state contains more than Active Directory: it also holds the registry, the boot files, the COM+ class registration database and (on a DC) SYSVOL, so restoring it onto a different machine overwrites that machine's own settings.

3. The only exception to rule 2 is when you restore system state to a DIFFERENT (alternate) location, so that a new domain controller can be promoted from another domain controller's backed-up system state instead of replicating the whole database over the wire.

4. DCPROMO /ADV opens the advanced options of the DCPROMO wizard, which let you point the promotion at system state restored to an alternate location (Windows Server 2003 calls this Install From Media). The new DC starts from the backup and then pulls from its replication partners everything that changed since. In that respect it behaves like a non-authoritative restore: nothing in the backup is allowed to override what the other DCs hold.

5. An authoritative restore cheats. It does not turn back the clock on the other DCs; it raises the version number in the replication metadata of every attribute on the objects you restore by a huge amount (by default 100,000 for each day between the backup and the restore), so the restored values win every conflict when they replicate out. USN stands for Update Sequence Number, not Unique, and is a per-DC counter; it is the per-attribute version number that decides who wins.

6. The Active Directory database is called NTDS.DIT and lives by default in %SystemRoot%\NTDS.

7. It's helpful to understand Active Directory's replication model. It is multi-master: every DC accepts writes and keeps its own USN counter in NTDS.DIT, and for each replication partner it records the highest USN it has already received from that partner. On each replication cycle it asks its partners for changes above that mark; no single server, not even the one holding the PDC Emulator role, is consulted as the authority. When two DCs have changed the same attribute, the copy with the higher version number wins, then the later originating timestamp, then the originating DC's GUID.

8. Depending on your replication topology, it MAY be possible to jump onto another DC that has not yet received the deletion (for example one at a site whose inter-site replication runs on a schedule), boot it into Directory Services Restore Mode and mark the object you want recovered authoritative with NTDSUTIL, without restoring a backup at all. Its copy then replicates outwards with higher version numbers, so when the deletion arrives it loses the conflict and the object survives. You are racing the replication schedule, so confirm the object is still present on that DC before you try it.

9. To recover Active Directory the server MUST be in Directory Services Restore Mode (DSRM), reached by pressing F8 during startup. This mode is a variant of Safe Mode in which the Active Directory database is NOT loaded, so you log on with the logon name Administrator and the DSRM password you set during DCPROMO. That account lives in the DC's local SAM rather than in Active Directory, which is why it still works with the directory offline, and it is the ONLY local password a domain controller keeps. It can be changed by following tip 17.

10. To recover the ENTIRE Active Directory database: in DSRM, restore the system state from backup, then, before rebooting, type NTDSUTIL -> authoritative restore -> restore database. Treat this as a last resort: it rolls the whole domain back to the time of the backup, including every password and group change made since, and the schema partition can never be restored authoritatively.

11. To recover an OU (and everything beneath it) you type NTDSUTIL -> authoritative restore -> restore subtree "OU=X,OU=Y,DC=A,DC=B"

12. To recover a single object you type NTDSUTIL -> authoritative restore -> restore object "CN=X,OU=Y,DC=A,DC=B"

13. When restoring objects you need the full distinguished name, i.e. the CN=X,OU=Y,DC=Z form shown above, and you should quote it as above since it may contain spaces.

14. Acronyms used in distinguished Names:
CN is Common Name
OU is Organizational Unit
DC is Domain Component

15. It's possible to run an authoritative restore WITHOUT being in Directory Services Restore Mode. DSRM itself sets the environment variable that NTDSUTIL checks, so setting it by hand in a command prompt satisfies the check:
SET SAFEBOOT_OPTION=DSREPAIR
Attempting this type of restore is NOT recommended: the database is still in use by the running directory service. It's much cleaner and safer to be in Directory Services Restore Mode.

16. NTBACKUP has a bug. If your NTDS.DIT database is on any drive other than C:, you must also back up at least ONE other file on the same drive that NTDS.DIT lives on. For example, if NTDS.DIT lives on the G: drive then you must back up one other file on G:, otherwise the backup won't work.
The bug is documented here.

17. You can change the Directory Services Restore Mode password with NTDSUTIL while the DC is running normally:
NTDSUTIL -> set dsrm password -> reset password on server null
where null means the local server (give a server name instead to reset a remote DC). You will then be prompted for, and asked to confirm, the new Directory Services Restore Mode password.
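Tips 5, 7 and 8 all come down to one rule: when two DCs hold different stamps for the same attribute, the higher version number wins, and an authoritative restore simply manufactures a higher version. The toy model below is an added example, not code from the original post; the DC names, the DN, the clock and the pull-based two-DC replication are constructed for illustration and simplify real AD replication. It runs three cases: a non-authoritative restore that the already-replicated deletion immediately undoes, an authoritative restore from a two-day-old backup that reanimates the object on both DCs with versions raised by 200,000, and the tip 8 trick of marking a not-yet-deleted live copy authoritative.

```python
"""Toy model of why an authoritative restore 'cheats' and a non-authoritative
one does not. Constructed for this post: DC names, the DN, the clock and the
two-DC pull model are made up and simplify real AD replication."""
from dataclasses import dataclass, field

VERINC_PER_DAY = 100_000   # ntdsutil's default version increment per day since backup
DAY = 86_400               # seconds on the constructed clock


@dataclass(frozen=True)
class AttrMeta:
    """Per-attribute replication metadata (what REPADMIN /SHOWOBJMETA prints)."""
    value: object
    version: int      # raised on every originating write
    timestamp: int    # time of the originating write
    origin: str       # originating DC (stands in for its invocation ID)


def wins(incoming: AttrMeta, local: AttrMeta) -> bool:
    """Conflict resolution: higher version wins, then later timestamp, then the
    higher originating DSA identifier. Identical stamps are not a conflict."""
    return ((incoming.version, incoming.timestamp, incoming.origin)
            > (local.version, local.timestamp, local.origin))


@dataclass
class DomainController:
    name: str
    usn: int = 0                                  # this DC's own USN counter
    objects: dict = field(default_factory=dict)   # DN -> {attribute: AttrMeta}

    def write(self, dn, attr, value, now):
        """Originating write: next version number for the attribute, next USN."""
        self.usn += 1
        obj = self.objects.setdefault(dn, {})
        prev = obj.get(attr)
        obj[attr] = AttrMeta(value, (prev.version if prev else 0) + 1, now, self.name)

    def delete(self, dn, now):
        self.write(dn, "isDeleted", True, now)    # a deletion is just another write

    def replicate_from(self, partner):
        """Pull the partner's attributes and keep each one only if it wins."""
        for dn, attrs in partner.objects.items():
            local = self.objects.setdefault(dn, {})
            for attr, meta in attrs.items():
                if attr not in local or wins(meta, local[attr]):
                    local[attr] = meta
                    self.usn += 1

    def restore(self, copy, dn, authoritative, days_since_backup, now):
        """Put one object back from a copy (the DSRM restore of tips 10 to 12).
        Non-authoritative: stamps are left alone, so the partners' newer
        deletion wins again. Authoritative: every attribute version is raised
        by 100,000 per day since the backup (ntdsutil's default; its 'verinc'
        option overrides it), so the restored values win every conflict."""
        restored = dict(copy[dn])
        if authoritative:
            inc = VERINC_PER_DAY * max(days_since_backup, 1)
            restored.setdefault("isDeleted", AttrMeta(False, 0, now, self.name))
            self.usn += len(restored)
            restored = {a: AttrMeta(m.value, m.version + inc, now, self.name)
                        for a, m in restored.items()}
        self.objects[dn] = restored


def is_deleted(dc, dn):
    meta = dc.objects.get(dn, {}).get("isDeleted")
    return bool(meta and meta.value)


def scenario(authoritative, deletion_reached_dc2=True, days=2):
    """Day 0: jdoe exists on both DCs and DC2 is backed up. Day `days`: an
    admin deletes jdoe on DC1. Either the deletion reaches DC2 and DC2 is
    restored from the backup, or it has not arrived yet and DC2's live copy is
    marked authoritative (tip 8). Then both DCs replicate. Returns who still
    has jdoe and the version DC1 ends up holding for sAMAccountName."""
    dn = "CN=jdoe,OU=Sales,DC=corp,DC=example"    # constructed DN
    dc1, dc2 = DomainController("DC1"), DomainController("DC2")
    dc1.write(dn, "sAMAccountName", "jdoe", now=0)
    dc1.write(dn, "mail", "jdoe@corp.example", now=0)
    dc2.replicate_from(dc1)
    backup = {dn: dict(dc2.objects[dn])}         # DC2's system state backup
    dc1.delete(dn, now=days * DAY)
    if deletion_reached_dc2:
        dc2.replicate_from(dc1)                  # tombstone lands on DC2
        dc2.restore(backup, dn, authoritative, days, now=days * DAY + 60)
    else:
        dc2.restore(dc2.objects, dn, authoritative, 0, now=days * DAY + 60)
    dc2.replicate_from(dc1)                      # does DC1's deletion win on DC2?
    dc1.replicate_from(dc2)                      # does DC2's copy win on DC1?
    return {"dc1_alive": not is_deleted(dc1, dn),
            "dc2_alive": not is_deleted(dc2, dn),
            "dc1_version": dc1.objects[dn]["sAMAccountName"].version}


if __name__ == "__main__":
    print("non-authoritative:", scenario(authoritative=False))
    print("authoritative, 2-day-old backup:", scenario(authoritative=True))
    print("authoritative before deletion arrives (tip 8):",
          scenario(authoritative=True, deletion_reached_dc2=False))
```

Run it directly to print the three outcomes. On a real DC the equivalent of reading `version` out of the model is REPADMIN /SHOWOBJMETA <DC> "<DN>", whose Ver column should show the jump once an authoritative restore has replicated; if it still shows small numbers on the partners, the restored values have not won anything yet.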

1 Comment:

  • Have you done any work on the global catalog? The reason I ask: I just started a job with a company as the IT manager, and for reasons unknown Active Directory and the global catalog are not working correctly. Everything works OK, but I cannot enforce policies or remote to users with the computer and user snap-in. I believe the global catalog was on another domain controller at one time but was removed and it was lost.

    By Anonymous, at Thursday, July 13, 2006
