Windows Server 2008 : Using ntdsutil - Performing an Authoritative Restore, Removing a Domain Controller from Active Directory

1. Performing an Authoritative Restore

When you do a normal nonauthoritative restore in a domain with more than one DC, the restored DC will replicate with other DCs in the domain to update itself. The restored DC will quickly have all the changes that occurred since the last backup. However, there are times when you want to restore objects authoritatively. In other words, when the restored DC comes back up, you want objects restored on the DC to be replicated to other DCs. You want this DC to communicate to all the other DCs that its change is the authoritative change.

For example, if an administrator accidentally deletes a user object and you perform a nonauthoritative restore, the user object will be deleted again as soon as the DC replicates with other DCs. However, you can restore the user object authoritatively, and you can even restore entire OUs authoritatively.

You can use the commands in the following table to authoritatively restore AD objects from the authoritative restore prompt in ntdsutil.

Restore Command	Comments
Restore OU. restore subtree dn authoritative restore: restore subtree "ou=sales,dc=pearson,dc=pub"	You can use this to restore an OU (including child OUs). The example command restores the Sales OU.
Restore Object. restore object dn authoritative restore: restore object "cn=Sally, ou=sales,dc=pearson,dc=pub"	This enables you to restore an individual object. The example command restores the Sally user object in the sales OU.

The following table shows the overall steps to perform an authoritative restore.

Step	Command
1.	Reboot the DC and press F8 to access Advanced Boot Options.
2.	Select Directory Services Restore Mode. When prompted, log on with the user name of .\administrator and the DSRM password.
3.	Restore AD nonauthoritatively from a backup. You can use the command-line backup tool, wbadmin, or any other method your organization has available. Do not reboot after the restore is complete.
4.	Launch a command prompt, type ntdsutil, and then press Enter.
5.	Type activate instance ntds and press Enter.
6.	Type authoritative restore and press Enter.
7.	At this point, determine whether you’re restoring an OU or an object. The previous table showed the syntax to restore either an OU or an object. Type the restore command and press Enter. For example, to restore a user object, use the following format: restore object dn restore object “cn=Sally,ou=sales,dc=pearson,dc=pub” Or, to restore an OU, use the following format: restore subtree dn restore subtree “ou=sales,dc=pearson,dc=pub” Note This increments the update sequence number (USN) so that all other DCs consider it the most recent change.
8.	Type quit and press Enter twice to exit ntdsutil.
9.	Restart the DC normally.

2. Removing a Domain Controller from Active Directory

If you run dcpromo on a DC to remove AD, the AD database will be updated to show that this server is no longer a DC. However, if a DC fails, you won’t be able to run dcpromo.

If the DC has failed, AD still thinks it’s an active DC. This causes a wide variety of errors that can be resolved if you remove the DC from AD, as shown in the following steps.

Step	Command
1.	Start a command prompt with administrative permissions.
2.	Type ntdsutil and press Enter.
3.	Type metadata cleanup and press Enter. This accesses the metadata cleanup prompt.
4.	Type connections and press Enter. This accesses the connections prompt.
5.	Connect to an active DC in the domain with the following command. Substitute the FQDN of an active DC in your domain. connect to server dc-fqdn connect to server dc1.pearson.pub
6.	Type quit and press Enter. This brings you back to the metadata cleanup prompt.
7.	Type select operation target and press Enter. This accesses the select operation target prompt.
8.	Select the site where the damaged DC is located with the following commands. Substitute the number of the site in the second command based on the output of the list sites command. Type list sites and press Enter. Type select site number and press Enter.
9.	Select the damaged DC with the following commands. Substitute the number of the server in the second command based on the output of the list servers in site command. Type list servers in site and press Enter. Type select server number and press Enter.
10.	Type quit and press Enter. This brings you back to the metadata cleanup prompt.
11.	Type remove selected server and press Enter. This removes the instance of the server from AD.
12.	Type quit and press Enter.

Other

Windows Server 2008 : Using ntdsutil - Moving Active Directory to a Different Drive, Defragmenting Active Directory

Windows Server 2008 : Using ntdsutil - Resetting the Directory Services Restore Mode Password, Changing the Garbage Collection Logging Level

Windows Server 2003 : Deploying Stub Zones - Benefits of Stub Zones, Stub Zone Updates

Windows Server 2003 : Creating Zone Delegations - Delegating Zones

Windows Server 2003 : Configuring Advanced DNS Server Properties (part 2)

Windows Server 2003 : Configuring Advanced DNS Server Properties (part 1)

Windows 7 : Working with the Multi-Touch User Interface (part 3) - Adding Multi-Touch Interface Functionality

Windows 7 : Working with the Multi-Touch User Interface (part 2) - Obtaining the Multi-Touch Platform Interop Library, Configuring the Application

Windows 7 : Working with the Multi-Touch User Interface (part 1)

Windows Server 2003 : Configuring Zone Properties and Transfers (part 4)