[Today's post comes to us courtesy of Shawn Sullivan from Commercial Technical Support]
If you have ever been in the situation where you had to recover an Active Directory object that was accidentally deleted within a multiple Domain Controller environment, then you are probably somewhat familiar with the term “authoritative restore” and what it does. This link gives a pretty in-depth look at the procedure; however, some important points I want to call out in this post are:
Scenarios where you would mark the entire copy of Active Directory as authoritative are rare, and the situation is most likely catastrophic. If you believe you might be in a situation like this, you should probably contact Microsoft Product Support Services for troubleshooting assistance.
Performing an authoritative restore of objects in Active Directory can become a very complicated proposition, depending on what it is that you intend to recover. There are just too many variables and different situations you could find yourself in to cover in one comprehensive article. However, to give you a good idea of the whole process, we will go through the common scenario where you wish to restore a single user account to its complete original state.
Note: There are tools, such as ADRestore, that can pull a deleted object out of its tombstone and place it back in its previous location. However, certain attributes that were stripped from the object when it was deleted cannot be restored by such tools; for instance, passwords and group memberships for user accounts. A tool like ADRestore is meant to be used if you do not have a system state backup, not as a replacement for a system state backup.
You can see from the output that the attribute’s version number was incremented by 100000, which essentially makes it more up-to-date than what the remaining Domain Controllers hold for this object. You can also see that 4 records were updated; these are the security group memberships held by the account that I had deleted. In a simple recovery of a single user account, we do not have to take any further action at this point other than rebooting the server into normal mode.
New for SBS 2011 Standard
Windows 2008 R2 introduces a new feature called the AD Recycle Bin, which allows you to restore a deleted object in its entirety without having to go through the process I just talked about. This can save you quite a bit of time, but there are some caveats:
You can find a step-by-step walkthrough at the following link; it covers everything from raising the functional level to performing a restore: http://technet.microsoft.com/en-us/library/dd392261(WS.10).aspx
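As an added example (not from the original post or Microsoft's walkthrough), this PowerShell function uses the ActiveDirectory module's Get-ADObject and Restore-ADObject cmdlets to recover a deleted user once the Recycle Bin is enabled, refusing to run when the feature is off and stopping if the object's original container is also gone. The account name 'jsmith' is a constructed sample.

```powershell
# Added example, not from the original post: recover a deleted user through the
# AD Recycle Bin (Windows Server 2008 R2 forest functional level, feature enabled).
Import-Module ActiveDirectory

function Restore-DeletedUser {
    param(
        [Parameter(Mandatory)][string]$SamAccountName
    )

    # Without the Recycle Bin, deleted objects are tombstones stripped of most
    # attributes, so a reanimation would lose passwords and group memberships.
    $feature = Get-ADOptionalFeature -Filter 'name -like "Recycle Bin Feature"'
    if (-not $feature.EnabledScopes) {
        throw 'AD Recycle Bin is not enabled; use a system state backup and an authoritative restore instead.'
    }

    # Deleted objects are hidden from normal queries unless -IncludeDeletedObjects is given.
    $deleted = Get-ADObject -Filter { samAccountName -eq $SamAccountName -and isDeleted -eq $true } `
        -IncludeDeletedObjects -Properties lastKnownParent
    if (-not $deleted) { throw "No deleted object found for $SamAccountName" }

    # Restore-ADObject places the object back under lastKnownParent, so that
    # container must exist; if it was deleted as well, restore the parent first.
    $parentDn = $deleted.lastKnownParent
    try {
        $null = Get-ADObject -Identity $parentDn -ErrorAction Stop
    } catch {
        throw "Original container '$parentDn' does not exist; restore it before restoring $SamAccountName."
    }

    Restore-ADObject -Identity $deleted.ObjectGUID

    # Unlike a tombstone reanimation, group memberships survive a Recycle Bin
    # restore; list them so the operator can verify the account is complete.
    Get-ADUser -Identity $SamAccountName -Properties memberOf |
        Select-Object Name, Enabled, memberOf
}

Restore-DeletedUser -SamAccountName 'jsmith'   # constructed sample account name
```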
Thanks for the nice article.
Can this procedure work if we have used third party backup utilities like Symantec Backup Exec for backing up system state?
Regards
Mohammad Ali Khan
Blog: www.ali.vg
So the latest patches from MSFT suddenly have rendered my system useless. Similar issues to the 3 of 3 problem, and then it just dies. Restore to last known good doesn't work. Thanks. Here we go with a reinstall.