If you are performing a complete restore of a server then you would probably
want to perform a non-authoritative restore. That will allow it to pull
updates from the remaining DCs when it comes back online. Typically an
authoritative restore is done when someone inadvertently deletes an object
and you need to recover it. By making the object authoritative you are
increasing the Update Sequence Number (USN) so that it is the highest. The
other DCs will recognize this and request that object. This is explained in
more detail below.
Authoritative restore
In Backup, distributed services such as the Active Directory service are
contained in a collection known as the System State data. When you back up
the System State data on a domain controller, you are backing up all Active
Directory data that exists on that server (along with other system
components such as the SYSVOL directory and the registry). In order to
restore these distributed services to that server, you must restore the
System State data. However, if you have more than one domain controller in
your organization, and your Active Directory is replicated to any of these
other servers, you will need to perform what is called an authoritative
restore in order to ensure that your restored data gets replicated to all of
your servers.
During a normal restore operation, Backup operates in nonauthoritative
restore mode. That is, any data that you restore, including Active Directory
objects, will have their original update sequence number. The Active
Directory replication system uses this number to detect and propagate Active
Directory changes among the servers in your organization. Because of this,
any data that is restored nonauthoritatively will appear to the Active
Directory replication system as though it is old, which means the data will
never get replicated to your other servers. Instead, the Active Directory
replication system will actually update the restored data with newer data
from your other servers. Authoritative restore solves this problem.
To authoritatively restore Active Directory data, you need to run the
Ntdsutil utility after you have restored the System State data but before
you restart the server. The Ntdsutil utility lets you mark Active Directory
objects for authoritative restore. When an object is marked for
authoritative restore its update sequence number is changed so that it is
higher than any other update sequence number in the Active Directory
replication system. This will ensure that any replicated or distributed data
that you restore is properly replicated or distributed throughout your
organization.
For example, if you inadvertently delete or modify objects stored in the
Active Directory directory service, and those objects are replicated or
distributed to other servers, you will need to authoritatively restore those
objects so they are replicated or distributed to the other servers. If you
do not authoritatively restore the objects, they will never get replicated
or distributed to your other servers because they will appear to be older
than the objects currently on your other servers. Using the Ntdsutil utility
to mark objects for authoritative restore ensures that the data you want to
restore gets replicated or distributed throughout your organization. On the
other hand, if your system disk has failed or the Active Directory database
is corrupted, then you can simply restore the data nonauthoritatively
without using the Ntdsutil utility.
The Ntdsutil command line utility can be run from the command prompt. Help
for the Ntdsutil utility can also be found at the command prompt by typing
ntdsutil /?.
Caution
a. When you restore the System State data, and you do not designate an
alternate location for the data, Backup will erase the System State data
that is currently on your computer and replace it with the System State data
you are restoring.
Note
a. You must be an administrator or a backup operator to back up files and
folders. For more information on permissions or user rights, see Related
Topics.
b. In order to restore the System State data on a domain controller, you
must first start your computer in directory services restore mode. This will
allow you to restore the SYSVOL directory and the Active Directory. For more
information on starting your computer in safe mode, see Related Topics.
c. You can only restore the System State data on a local computer. You
cannot restore the System State data on a remote computer.
--
Tim Hines, MCSE, MCSA
Windows 2000 Directory Services
=====================================================
When responding to posts, please "Reply to Group" via
your newsreader so that others may learn and benefit
from your issue.
=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
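
The difference between the two restore modes described in the post above, as an added example that is not part of the original post or of any Microsoft tool. It is a simplified model: it assumes one sequence number per object and "highest number wins" during replication, and the object name, numbers and function names are constructed for illustration.

```python
"""Simplified model of the restore behaviour described in the post above.
Assumption: each object copy carries a single sequence number and the
higher number wins during replication (real AD keeps more metadata)."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Copy:
    state: str   # "live" or "deleted"
    seq: int     # update sequence number of this copy

def replicate(dcs, name):
    """Converge all DCs on the copy of `name` with the highest number."""
    winner = max((dc[name] for dc in dcs if name in dc), key=lambda c: c.seq)
    for dc in dcs:
        dc[name] = winner
    return winner

def restore(dc, backup, name, authoritative=False, all_dcs=()):
    """Put the backed-up copy back on `dc`.
    Nonauthoritative: keep the original number from the backup.
    Authoritative: raise the number above every copy in the system."""
    copy = backup[name]
    if authoritative:
        highest = max(d[name].seq for d in all_dcs if name in d)
        copy = Copy(copy.state, highest + 1)
    dc[name] = copy

def scenario(authoritative):
    """Constructed scenario: object deleted by mistake after the backup."""
    name = "CN=jdoe"                      # hypothetical object name
    dc1 = {name: Copy("live", 100)}
    dc2 = {name: Copy("live", 100)}
    backup = dict(dc1)                    # System State backup of DC1
    dc2[name] = Copy("deleted", 150)      # accidental deletion on DC2
    replicate([dc1, dc2], name)           # deletion reaches DC1
    restore(dc1, backup, name, authoritative, all_dcs=[dc1, dc2])
    return replicate([dc1, dc2], name)    # DC1 comes back online

if __name__ == "__main__":
    print("nonauthoritative:", scenario(False))  # deletion wins again
    print("authoritative:   ", scenario(True))   # restored object wins
```
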