Active Directory disaster recovery


This article introduces Active Directory disaster recovery.

Perform a non-authoritative restore

To restore a deleted Active Directory object from a backup, take two steps: first, restart the DC into Directory Services Restore Mode (DSRM); then use the Windows NTBACKUP utility (or an equivalent third-party product) to restore the entire Active Directory DIT from the System State backup. This process overwrites the entire DIT.

There are two ways to start the DC into DSRM. If you have access to the DC console, shut down and restart the DC. When prompted, press F8 to bring up the Windows startup menu. Select "Directory Services Restore Mode" from the menu and log on with the DSRM password.

If you manage the server remotely, you cannot get to the Windows startup menu. The alternative is to open "Properties" on "My Computer", click the "Advanced" tab, and then click "Settings" under "Startup and Recovery" to change the system startup options. Click "Edit" in the "System startup" area to edit the boot.ini file, and add /SAFEBOOT:DSREPAIR to the end of the line for the boot entry, as shown in Figure 3. (For more information about boot.ini switches, see microsoft.com/technet/sysinternals/information/bootini.mspx.)

Figure 3 Setting the DSRM startup option

When the server restarts, it comes up in DSRM. Remember that when you want to restart the DC in normal mode, you must remove the /SAFEBOOT switch from boot.ini.

Once you log on with the DSRM password, you can run NTBACKUP again to restore the System State backup, this time without specifying any parameters. (NTBACKUP cannot restore data from the command line.) When the wizard appears, select "Restore files and settings" and click "Next". Select the backup file and check the "System State" box, as shown in Figure 4.

Figure 4 Using the Backup or Restore Wizard to restore the System State

If you were to start the DC into normal mode at this point, the Active Directory replication process would bring the restored domain controller back into synchronization with the other DCs in the domain, and all of the restored data would be overwritten by the current data. Obviously, this is not your goal. Instead, you need to force the restored object to replicate to the other domain controllers in the domain.

Perform an authoritative restore

After the non-authoritative restore completes, and before you restart into normal mode, use the NTDSUTIL program to perform an authoritative restore of the objects you want to recover. Despite the name, an authoritative restore of an object does not "restore" the object; it only ensures that the object replicates to the other DCs. To do this, NTDSUTIL assigns the next available USN to the local USN of each of the object's attributes. This causes the object to be sent to the replication partners during the next synchronization.

NTDSUTIL also increases the version number of each attribute by 100,000 for each day between the backup date and the restore date. Unless an attribute has been updated more than 100,000 times a day, the version number of the restored attribute is much larger than the version held by any other DC, so the restored object replicates to the other DCs. Objects that were only non-authoritatively restored are eventually overwritten by the existing data on the other domain controllers.

To restore a single object, make sure the DC is started in DSRM and follow these steps:

Open a command window and type:

ntdsutil

At the ntdsutil prompt, type:

authoritative restore

At the authoritative restore prompt, type:

restore object "<DN of object to be restored>"

For example, to restore the Molly Clark account from the Eng OU in the drnet domain, enter:

restore object "CN=Molly Clark,OU=Eng,DC=DRNET,DC=com"

To authoritatively restore an entire directory subtree, for example an OU, enter the following instead:

restore subtree "OU=Eng,DC=DRNET,DC=com"

NTDSUTIL also provides a restore database command that restores the entire domain, the configuration NC and the schema NC. Restoring the entire domain is risky, and I do not recommend using this option. If you need to restore the entire domain, you should restore one domain controller and then promote the other DCs in the domain again, as described in Planning for Active Directory Forest Recovery.

When prompted, confirm the authoritative restore to increment the version numbers of each object and its attributes.

To exit ntdsutil, enter quit twice.

Restart the DC into normal Active Directory mode.

The next time the DC replicates with its partners, the user you restored is replicated. However, restoring the user object solves only half of the problem. The linked attributes between groups and their members make the situation more complicated, and some fundamental problems arise during and after the restore. I will introduce them in the following sections.

First, let's review what happens when an object with back-links is deleted. Assume that you have deleted a user object that is a member of one or more groups. Each domain controller that holds a copy of the user object converts it into a tombstone and removes all references to it from its link table. Therefore, the user is also removed from the membership of every group in the user's domain. Remember that removing a user from a group's membership in this way is not a replicated change, because each DC updates the group membership locally. (The version number of the group's member attribute remains the same, as does its local USN.) After a short time, the phantom object is removed from the link tables of other domains as well, and again the replication metadata of the member attribute is not updated.

When you non-authoritatively restore the DIT on a domain controller in the user's domain, the user object and all of its group memberships in that domain are restored, so the restored DC is consistent. When you then use the NTDSUTIL utility to authoritatively restore the user, the user object replicates to all of the other DCs in the domain.

However, because the replication metadata of the groups in the domain has not changed, the member attribute of the groups on the restored DC is inconsistent with that on the other DCs, and in general there is no way to reconcile it. Therefore, the user's group memberships are not restored on the other DCs in the domain.
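As an added illustration (not part of the original article and not Microsoft code), the following Python model simulates the replication metadata rules described in the authoritative restore section and in the three paragraphs above: per-attribute version numbers and local USNs, local link-table cleanup on deletion with no metadata change, the 100,000-per-day version bump of an authoritative restore, and the conflict rule that a higher version wins, with a later write time as tiebreak. The DC names, invocation IDs, clock values and the group "CN=Eng Admins,OU=Eng,DC=DRNET,DC=com" are constructed, and the model is deliberately simplified (no originating-DSA tiebreak, no up-to-dateness vector). It runs both scenarios: a plain non-authoritative restore that is overwritten by the tombstone, and an authoritative restore that brings the user back while the group membership stays missing on the other DC.

```python
"""Toy model of AD replication metadata around a restore (added example, constructed data)."""
from copy import deepcopy
from dataclasses import dataclass, field

BUMP_PER_DAY = 100_000  # version-number increase per day, as the article describes


@dataclass
class Attr:
    value: object
    version: int   # replicated version number
    stamp: int     # originating write time (simulated clock)
    usn: int       # local USN assigned when this DC last wrote the attribute


@dataclass
class DC:
    name: str
    invocation: int = 0                                 # changes when the DC is restored
    usn: int = 0                                        # highest local USN
    objects: dict = field(default_factory=dict)         # dn -> {attribute name: Attr}
    watermark: dict = field(default_factory=dict)       # (partner, invocation) -> last USN pulled

    def _next_usn(self):
        self.usn += 1
        return self.usn

    def write(self, dn, name, value, clock):
        """Originating write: new version, new stamp, new local USN."""
        obj = self.objects.setdefault(dn, {})
        old = obj.get(name)
        obj[name] = Attr(value, old.version + 1 if old else 1, clock, self._next_usn())

    def _drop_links(self, dn):
        """Link-table cleanup: remove dn from every member list WITHOUT touching metadata."""
        for attrs in self.objects.values():
            member = attrs.get("member")
            if member is not None and dn in member.value:
                member.value = [m for m in member.value if m != dn]

    def delete(self, dn, clock):
        """Tombstone the object (replicated) and clean up its back-links (local only)."""
        self.write(dn, "isDeleted", True, clock)
        self._drop_links(dn)

    def pull(self, src):
        """Pull attributes written on src since our watermark; higher (version, stamp) wins."""
        key = (src.name, src.invocation)
        mark = self.watermark.get(key, 0)
        for dn, attrs in src.objects.items():
            for name, a in attrs.items():
                if a.usn <= mark:
                    continue
                mine = self.objects.setdefault(dn, {}).get(name)
                if mine is None or (a.version, a.stamp) > (mine.version, mine.stamp):
                    value = list(a.value) if isinstance(a.value, list) else a.value
                    self.objects[dn][name] = Attr(value, a.version, a.stamp, self._next_usn())
                    if name == "isDeleted" and a.value:
                        self._drop_links(dn)  # every DC drops the links locally
        self.watermark[key] = src.usn


def non_authoritative_restore(backup, dc):
    """Roll the DC back to the backup image; it comes back with a new invocation ID."""
    restored = deepcopy(backup)
    restored.invocation = dc.invocation + 1
    return restored


def authoritative_restore(dc, dn, days):
    """What 'restore object' does in the model: bump versions and assign fresh USNs."""
    for a in dc.objects[dn].values():
        a.version += BUMP_PER_DAY * days
        a.usn = dc._next_usn()


def run(authoritative):
    user = "CN=Molly Clark,OU=Eng,DC=DRNET,DC=com"
    group = "CN=Eng Admins,OU=Eng,DC=DRNET,DC=com"   # constructed group
    dc1, dc2 = DC("DC1"), DC("DC2")
    dc1.write(user, "sAMAccountName", "mclark", clock=1)
    dc1.write(user, "isDeleted", False, clock=1)
    dc1.write(group, "member", [user], clock=1)
    dc2.pull(dc1)
    backup = deepcopy(dc1)              # System State backup taken on day 0
    dc1.delete(user, clock=2)           # user deleted on day 1
    dc2.pull(dc1)                       # tombstone replicates; DC2 drops the link itself
    restored = non_authoritative_restore(backup, dc1)
    if authoritative:
        authoritative_restore(restored, user, days=1)
    dc2.pull(restored)                  # next replication cycle, both directions
    restored.pull(dc2)
    return {
        "user_deleted_on_DC1": restored.objects[user]["isDeleted"].value,
        "user_deleted_on_DC2": dc2.objects[user]["isDeleted"].value,
        "member_on_DC1": restored.objects[group]["member"].value,
        "member_on_DC2": dc2.objects[group]["member"].value,
    }


if __name__ == "__main__":
    print("non-authoritative only:", run(False))
    print("authoritative restore: ", run(True))
```

In the non-authoritative run the tombstone's higher version overwrites the restored user again, which is the outcome the article warns about. In the authoritative run the bumped versions carry the user to DC2, but the group's member attribute has identical metadata on both DCs (version 1, same stamp), so replication has nothing to decide and DC2 keeps its empty membership.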

For more information, see Active Directory disaster recovery details 3.
