15.7. Restoring Active Directory


You want to perform a nonauthoritative or authoritative restore of a domain controller. A nonauthoritative restore can be useful if you want to quickly restore a domain controller that failed due to a hardware problem. An authoritative restore is needed if data was deleted from Active Directory that you want to bring back.


To restore a domain controller without restoring any objects (i.e., nonauthoritative restore), do the following:

  1. First, boot the domain controller into Directory Services Restore Mode.

  2. Open the NT Backup utility; go to Start All Programs (or Programs for Windows 2000) Accessories System Tools Backup.

  3. Click the Advanced Mode link.

  4. Under the Welcome tab, click the Restore Wizard button and click Next.

  5. Check the box beside System State and any other drives you want to restore and click Next.

  6. Click the Advanced button.

  7. Select Original location for Restore files to.

  8. For the How to Restore option, select Replace existing files and click Next.

  9. For the Advanced Restore Options, be sure that the following are checked: Restore Security Settings, Restore junction points, and Preserve existing mount volume points. Then click Next.

  10. Click Finish.

  11. Restart the computer.

When the system starts up, any changes that have occurred in the domain since the backup was taken will be replicated to it.

If you want to restore a single object (i.e., authoritative restore), before you restart (step 11), run the following command:

> ntdsutil "auth ...

Get Windows Server Cookbook now with O’Reilly online learning.

O’Reilly members experience live online training, plus books, videos, and digital content from 200+ publishers.