Authoritative restore and primary restore for AD: In-Depth Active Directory series (VI)

Source: Internet
Author: User
Tags: domain backup

In an enterprise environment with multiple domain controllers, a standard restore on its own is not enough. In practice, a standard restore usually has to be combined with an authoritative restore or a primary restore.

There are three ways to restore a Windows Server 2003 Active Directory:

1. Normal restore (also called standard restore or non-authoritative restore). In a single domain controller environment this is the usual form of disaster recovery. By combining normal, incremental, and differential backups we can guarantee the integrity of the Active Directory database.

2. Authoritative restore (forced restore). This applies to environments with multiple domain controllers. An enterprise domain environment is not as fragile as we tend to think, so authoritative restores are rare in real enterprise environments, but once an object in the domain is deleted by mistake, the authoritative restore comes in handy.

3. Primary restore. This also applies to environments with multiple domain controllers, but only when every domain controller in the domain has failed: the primary restore is used when restoring the first domain controller.

The lab environment for this section is shown below:

Application scenario for authoritative restore

In the fourth post we discussed the standard restore; in this section we continue with authoritative restores and primary restores. First, we need to understand the scenario in which an authoritative restore applies:

Suppose there are two domain controllers in the domain, and we took a backup on the domain controller Server1 (the first domain controller in the domain). Then today the "Beijing Branch" OU, or the user account "Terry" inside it, was accidentally deleted on Server1. Because of AD replication, that change is copied to the domain controller Server2, where the "Beijing Branch" OU or the "Terry" account is deleted as well. At this point we naturally think of doing a normal restore on Server1 to recover the "Beijing Branch" OU or the "Terry" account. We can indeed restore the "Beijing Branch" OU or the "Terry" account on Server1, but on Server2 that OU or account has been marked as "deleted". The next time AD replication runs between Server1 and Server2, the OU or "Terry" account just restored on Server1 will be deleted again, because for a domain controller the OU or "Terry" account marked as "deleted" on Server2 carries a higher version number, while the OU or "Terry" account just restored on Server1 is older and carries a lower version number. When two copies of an object conflict, the object with the higher version number overrides the one with the lower version number. So it is not enough to perform a normal restore on Server1; we also need to perform an authoritative restore, which raises the version number of the OU or "Terry" account just restored on Server1. The increase is 100,000 per day for each day between the last backup and the authoritative restore, so an authoritative restore guarantees that the old data restored on Server1 always has a higher version number than the object marked "deleted" on Server2.
This way, when Server1 and Server2 next replicate, the old "Beijing Branch" OU or "Terry" account is restored on both. This paragraph is a bit long, but I think it makes the point clear.
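The conflict described above can be reproduced with a small simulation. This is an added example, not code from the original post: it models per-object version numbers, "highest version wins" replication, and the 100,000-per-day increment that an authoritative restore applies. The object names, starting version and the deletion adding one to the version are constructed assumptions for the illustration.

```python
# Constructed simulation of the Server1 / Server2 scenario. Assumptions:
# each object carries a single version number, a deletion bumps it by one,
# and replication keeps whichever copy has the higher version.
from dataclasses import dataclass, field

VERSION_BUMP_PER_DAY = 100_000  # increment the article gives for authoritative restore


@dataclass
class ADObject:
    name: str
    version: int
    deleted: bool = False  # True means the object is marked "deleted" (tombstoned)


@dataclass
class DomainController:
    name: str
    objects: dict = field(default_factory=dict)

    def delete(self, obj_name):
        obj = self.objects[obj_name]
        obj.deleted = True
        obj.version += 1  # the deletion is a newer change than the live object

    def restore_from_backup(self, backup, authoritative=False, days_since_backup=1):
        for name, saved in backup.items():
            restored = ADObject(name, saved.version, saved.deleted)
            if authoritative:
                # raise the version so the restored copy beats the tombstone
                restored.version += VERSION_BUMP_PER_DAY * days_since_backup
            self.objects[name] = restored


def replicate(src, dst):
    """Copy each object from src to dst when src holds the higher version."""
    for name, s in src.objects.items():
        d = dst.objects.get(name)
        if d is None or s.version > d.version:
            dst.objects[name] = ADObject(name, s.version, s.deleted)


def run_scenario(authoritative, days_since_backup=1):
    """Return True if 'Terry' survives on both DCs after full replication."""
    server1 = DomainController("Server1", {"Terry": ADObject("Terry", 5)})
    server2 = DomainController("Server2")
    replicate(server1, server2)  # both DCs hold Terry at version 5
    backup = {n: ADObject(n, o.version, o.deleted) for n, o in server1.objects.items()}
    server1.delete("Terry")  # accidental deletion on Server1
    replicate(server1, server2)  # the "deleted" mark reaches Server2 (version 6)
    server1.restore_from_backup(backup, authoritative, days_since_backup)
    replicate(server1, server2)
    replicate(server2, server1)
    return all(not dc.objects["Terry"].deleted for dc in (server1, server2))
```

With `authoritative=False` the restored version 5 loses to the tombstone at version 6 and Terry is deleted again; with `authoritative=True` the restored copy sits at 100,005 and wins on both controllers.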
