Windows Server 2008 and Windows Server 2008 R2 allow you to restore deleted objects back to the Active Directory. In this article, I will demonstrate an Active Directory restore with a combination of authoritative and non-authoritative techniques.
A non-authoritative restoration is a process in which the domain controller is restored, and then the Active Directory objects are brought up to date by replicating the latest version of those objects from other domain controllers in the domain.
An authoritative restore is an operation in which the data that has been restored takes precedence over the data that exists on other domain controllers in the domain. When you perform an authoritative restore, the current versions of objects in the Active Directory are overwritten by the versions of the objects which were restored.
This process works the same way regardless of how you made the backup or where the data is being restored from. The Active Directory objects that have been restored are assigned a new version number, which ensures that the Active Directory replication process will overwrite the existing Active Directory objects with the objects that have been restored. This process is completely automated and it affects all of the domain controllers in the domain.
Performing the restoration
The restoration process is performed from the command line. To begin, you’ll need to know the name of the object that you plan to restore, as well as that object’s location within the Active Directory.
Because we are restoring an object that has been previously overwritten or deleted, we will have to perform an authoritative restore. That way the item that you have restored will not be overwritten by a newer copy during the Active Directory replication process.
However, we can’t just jump right in to an authoritative restoration, because the entire Active Directory would be rolled back to a previous state and defeat the purpose of performing a granular restoration.
To keep that from happening, we’ll perform a non-authoritative restore of the entire Active Directory. After doing so, we can make the restoration authoritative for the specific object that needs to be restored.
Performing a non-authoritative restoration
There are a variety of methods for performing the initial non-authoritative restore. The easiest way to complete this process is to stop the Active Directory Domain Services and then restore a valid system state. To stop the Active Directory Domain Services you will need to open an elevated command prompt and then enter the following command:
Net Stop NTDS
As you can see in Figure A, shutting down the Active Directory Domain Services causes several other dependency services to stop as well. The dependency services that are affected by this operation include:
Kerberos Key Distribution Center
Once the Active Directory Domain Services have been stopped, you can restore a System State backup. When the restoration process completes, you will likely be prompted to reboot your server. You should avoid rebooting because doing so will cause the Active Directory Domain Services to be restarted, which will cause your restoration to be overwritten.
Performing an authoritative restore
Before the server is rebooted, we need to tell Windows which Active Directory object needs to be restored authoritatively. This can be accomplished by using the NTDSUTIL utility. You can begin the process by entering the following commands:
Activate Instance NTDS
Although not technically required, I recommend entering the LIST NC CRs command at this point. This command will list the various Active Directory partitions and their cross references. It allows you to validate that you are about to perform an authoritative restore within the correct Active Directory partition, as shown in Figure B.
Now it’s time to specify the object that needs to be restored. You can do so by using the Restore Object command. For example, suppose that you wanted to restore a user account named User1 that existed in the Users container in a domain named Contoso.com. To perform such a restoration, you would use the following command:
Restore Object “CN=User1,CN=Users,DC=Contoso,DC=com”
Wrapping it up
Now that you have marked the object that needs to be restored, the only thing that is left do is to restart the Active Directory Domain Services. This can be accomplished by entering the following command:
Net Start NTDS
When the Active Directory Domain Services start, the object that you restore will be replicated to the other domain controllers in the domain.
About the author: Brien M. Posey, MCSE, has previously received Microsoft's MVP award for Exchange Server, Windows Server and Internet Information Server (IIS). Brien has served as CIO for a nationwide chain of hospitals and has been responsible for the Department of Information Management at Fort Knox. You can visit Brien's personal website at www.brienposey.com.