Mark the object or objects authoritative

Updated: August 22, 2005

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

In this procedure, you select the objects to mark authoritative so that they replicate to other domain controllers. Before you begin, you must have completed a nonauthoritative restore procedure, and the domain controller must not have been restarted since then, so that it remains in Directory Services Restore Mode. To complete this procedure, you must know the full distinguished name of the object or objects that you want to restore.

Administrative credentials

To perform this procedure, you must provide the Administrator password for Directory Services Restore Mode.

To mark a subtree or individual object authoritative
  1. In Directory Services Restore Mode, click Start, click Run, type ntdsutil, and then press ENTER.

  2. At the ntdsutil: prompt, type authoritative restore, and then press ENTER.

  3. To restore a subtree or individual object, type one of the following commands, as appropriate, and then press ENTER:

    To restore a subtree (for example, an organizational unit and all child objects):

    restore subtree DistinguishedName

    To restore a single object:

    restore object DistinguishedName

    DistinguishedName
    The distinguished name of the subtree or object that is to be marked authoritative

  4. Click Yes in the message box to confirm the command.

    For example, if you want to restore a deleted organizational unit named Marketing NorthAm in the corp.contoso.com domain, type:

    restore subtree "OU=Marketing NorthAm,DC=corp,DC=contoso,DC=com"

    (Always enclose the distinguished name in quotes when it contains a space or other special characters.)

    Ntdsutil attempts to mark the object as authoritative. The output message indicates the status of the operation. The most common cause of failure is an incorrectly specified distinguished name or a backup for which the distinguished name does not exist (which occurs if you try to restore a deleted user that was created after the backup).

    If you are running this command on a domain controller running Windows Server 2003 with Service Pack 1 (SP1), Ntdsutil provides output that indicates whether a restored object has back-links that must be restored. If objects that have back-links are found, Ntdsutil generates a set of files that you can use to restore the back-links in this domain and in other domains, if necessary.

    The following sample output on a domain controller running Windows Server 2003 with SP1 shows that Ntdsutil created a text file (.txt) and an LDAP Data Interchange Format (LDIF) file (.ldf) when the marked object was found to have back-links:

    Successfully updated 3 records.
    
    The following text file with a list of authoritatively restored
    objects has been created in the current working directory:        
    ar_20050209-091249_objects.txt
    
    One or more specified objects have back-links in this domain. The
    following LDIF files with link restore operations have been created
    in the current working directory:
            ar_20050209-091249_links_Test1.com.ldf
    
    Authoritative Restore completed successfully.
    
  5. Make a note of the location of the .txt and .ldf files, if any. You will use the .ldf file to restore back-links in this domain. You will use the .txt file to generate an LDIF file to restore back-links in a different domain, if necessary. If you have other domains in which you want to restore back-links for this restored object, make a copy of this .txt file to use on a domain controller in another domain.

  6. At the authoritative restore: and ntdsutil: prompts, type quit, and then press ENTER.

  7. Restart the domain controller in normal operating mode, as follows:

    1. For a domain controller running Windows Server 2003 with no service pack installed: Disconnect the domain controller from the network, and then restart normally. Follow the instructions in "Procedures for Domain Controllers Running Windows Server 2003 with No Service Pack Installed" as described in Performing an Authoritative Restore of Active Directory Objects.

    2. For a domain controller running Windows Server 2003 with SP1: Restart the domain controller normally, and then follow the instructions in "Procedures for Domain Controllers Running Windows Server 2003 with SP1" as described in Performing an Authoritative Restore of Active Directory Objects.
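
Step 5 asks you to note which files Ntdsutil produced. The following Python script is an added example, not part of the original Microsoft procedure: it parses a saved copy of the authoritative restore output and lists the files to keep, or flags a run that did not report success. The file-name pattern is inferred from the single sample output above (an assumption), and `parse_auth_restore` and `follow_up` are hypothetical helper names.

```python
import re
from datetime import datetime

# Transcript text taken from the sample output shown in the procedure above.
SAMPLE = """\
Successfully updated 3 records.

The following text file with a list of authoritatively restored
objects has been created in the current working directory:
ar_20050209-091249_objects.txt

One or more specified objects have back-links in this domain. The
following LDIF files with link restore operations have been created
in the current working directory:
        ar_20050209-091249_links_Test1.com.ldf

Authoritative Restore completed successfully.
"""

# Assumption: file names follow the pattern seen in the one sample on this page.
AR_FILE = re.compile(r"^\s*(ar_(\d{8}-\d{6})_(objects\.txt|links_(.+)\.ldf))\s*$")

def parse_auth_restore(transcript):
    """Summarize an ntdsutil authoritative restore transcript."""
    result = {"records": None, "objects_file": None, "ldif_files": {},
              "run_time": None, "completed": False}
    for line in transcript.splitlines():
        if m := re.search(r"Successfully updated (\d+) records", line):
            result["records"] = int(m.group(1))
        if m := AR_FILE.match(line):
            name, stamp, kind, domain = m.groups()
            result["run_time"] = datetime.strptime(stamp, "%Y%m%d-%H%M%S")
            if kind == "objects.txt":
                result["objects_file"] = name
            else:
                result["ldif_files"][domain] = name  # keyed by the name in the file
        if "Authoritative Restore completed successfully" in line:
            result["completed"] = True
    return result

def follow_up(result):
    """List what step 5 asks the operator to note, or flag a failed run."""
    if not result["completed"]:
        return ["Restore did not report success: recheck the distinguished name and the backup."]
    notes = [f"Back-link LDIF file for {d}: {f}" for d, f in result["ldif_files"].items()]
    if result["objects_file"]:
        notes.append(f"Keep {result['objects_file']} for back-links in other domains")
    return notes
```
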
