Authoritative Restore – Tutorial to back up deleted AD objects
Authoritative and non-authoritative restore
Individual Active Directory objects that were deleted accidentally can be recovered by performing an authoritative restore. You can restore single objects (OUs, containers) and integrate them back into the current AD. The step-by-step tutorial below shows how.
A non-authoritative restore, by contrast, would not bring back a missing or deleted OU. In that case the restored domain controller takes over the information and state of the replicating Active Directory partners, and since the object no longer exists on those domain controllers, it simply cannot be restored that way.
Backup Active Directory
- Open a command window (“cmd”) on a domain controller of the Active Directory domain you want to back up.
- To start the system state backup, use the command:
“wbadmin start systemstatebackup -backuptarget:e:”
Note: A different backup target can be specified.
Authoritative Restore of Active Directory objects (Tutorial)
- To start an Authoritative Restore you have to boot the domain controller into DSRM (Directory Services Restore Mode). Press the F8 key during the reboot to get into DSRM. Alternatively, enter the following command in the command window before the restart: “bcdedit /set safeboot dsrepair”.
- If the F8 key was pressed during booting, you can select Directory Services Restore Mode in the menu.
- Log in as local administrator and use the DSRM password. The DSRM password was set during the Active Directory installation.
Note: If you do not remember the DSRM password, it can be changed before booting (http://support.microsoft.com/kb/322672/en-us).
- Once you are logged on to the server in DSRM safe mode, open a command window (“cmd”).
- Use the command “wbadmin get versions” to display all saved backups.
- Now restore the system state on the domain controller from the chosen backup; use the following command: “wbadmin start systemstaterecovery -version:10/11/2013-02:39”.
- If the system state was restored successfully, the domain controller needs to be started again in DSRM safe mode.
- After you are logged in again, you can perform the “Authoritative Restore” of the Active Directory object. Use the well-known tool ntdsutil.
In our example we are restoring the following user:
The restore command is:
- Now the server can be restarted in “normal” mode. To prevent another start in DSRM mode, use the command “bcdedit /deletevalue safeboot”. The USN of the “authoritatively” restored object has been increased, so the object is replicated to all other domain controllers in the domain as well.
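The DSRM steps above, collected into one batch script as an added example (this is not code from the original tutorial); the backup version, the object DN and the domain name are placeholders that must be replaced with your own values:

```batch
@echo off
rem Added example, not part of the original tutorial: drives the three DSRM phases
rem for one deleted object. BACKUP_VERSION and OBJECT_DN are placeholders.
setlocal

rem Version string as listed by "wbadmin get versions" (placeholder value)
set "BACKUP_VERSION=10/11/2013-02:39"
rem Distinguished name of the deleted object (placeholder value, no spaces)
set "OBJECT_DN=CN=jdoe,OU=Sales,DC=example,DC=com"

if "%~1"=="recover" goto recover
if "%~1"=="mark" goto mark
if "%~1"=="verify" goto verify
echo usage: %~nx0 recover ^| mark ^| verify
exit /b 1

:recover
rem Phase 1 (booted in DSRM): roll the system state back to the chosen backup.
rem -quiet suppresses the confirmation prompt. Reboot into DSRM again afterwards.
wbadmin start systemstaterecovery -version:%BACKUP_VERSION% -quiet
exit /b %errorlevel%

:mark
rem Phase 2 (back in DSRM after the recovery reboot): mark the object authoritative.
rem Each quoted argument is one ntdsutil command; "activate instance ntds" is
rem required on Windows Server 2008 and later. A DN containing spaces must be
rem quoted inside the "restore object" argument; run ntdsutil interactively then.
ntdsutil "activate instance ntds" "authoritative restore" "restore object %OBJECT_DN%" quit quit
rem Remove the DSRM boot flag so the next restart is a normal boot.
bcdedit /deletevalue safeboot
exit /b %errorlevel%

:verify
rem Phase 3 (after the normal boot): the replication metadata on this DC should
rem show raised version numbers for the object; check a replication partner too.
repadmin /showobjmeta . "%OBJECT_DN%"
exit /b %errorlevel%
```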
Note: After restarting the server it may be necessary to re-enter the activation key for the operating system, so have the key at hand in advance. In some cases it may also be necessary to reset the computer password of the server whose system state was backed up; in that case the following entry will appear in the event log (Event ID: 4 / Event Source: Security-Kerberos). To reset the computer password, see: http://support.microsoft.com/kb/325850/en-us
For more information concerning Authoritative Restore, see also: http://technet.microsoft.com/de-de/library/cc816878