Active Directory Restore

There are two methods for restoring replicated data on a domain controller. You can reinstall Windows 2000, reconfigure the domain controller, and then let the normal replication process repopulate the new domain controller with data from its replica partners. Alternatively, you can use the Backup tool to restore replicated data from backup media without reinstalling the operating system or reconfiguring the domain controller. In addition, there are two general methods for restoring replicated data from backup media: nonauthoritative and authoritative. Because Active Directory is replicated data, these methods apply to Active Directory restores.

During nonauthoritative restore, the distributed services on a domain controller are restored from backup media and the restored data is then updated through normal replication. In short, each restored directory partition is brought up to date with the data held by its replication partners. Nonauthoritative restore is typically performed when a domain controller has completely failed due to hardware or software problems.

Authoritative restore occurs after nonauthoritative restore has been performed. During authoritative restore, an entire directory, a subtree, or individual objects can be designated to take precedence over any other instances of those objects on domain controllers. So, through normal replication, the restored domain controller becomes authoritative in relation to its replication partners. Authoritative restore is typically used to restore a system to a previously known state, for example, before Active Directory objects were erroneously deleted. The Ntdsutil command-line tool allows you to authoritatively restore the entire directory, a subtree, or individual objects, provided they are leaf objects.
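
The following simplified model, added here as an illustration and not part of the original text, shows why a nonauthoritative restore alone brings an erroneous deletion back while an authoritative restore reverses it on every replica. It assumes the documented Active Directory behavior that replication conflicts are resolved by version number (then timestamp) and that Ntdsutil raises the version of marked objects by 100,000 for each day since the backup; the `Obj` record, the function names and the example DNs are hypothetical, and versions are tracked per object rather than per attribute.

```python
from dataclasses import dataclass, replace

VERSION_BUMP_PER_DAY = 100_000  # assumed Ntdsutil default increment per day since backup

@dataclass(frozen=True)
class Obj:
    deleted: bool   # True models a tombstone left by a deletion
    version: int    # incremented on every originating write
    timestamp: int  # originating write time, used as tie-breaker

def wins(a, b):
    # Higher version wins, then later timestamp (the DSA GUID tie-break is omitted).
    return (a.version, a.timestamp) > (b.version, b.timestamp)

def replicate(dc_a, dc_b):
    # Two-way replication: both replicas converge on the winning copy of each object.
    merged = {}
    for dn in set(dc_a) | set(dc_b):
        a, b = dc_a.get(dn), dc_b.get(dn)
        merged[dn] = b if a is None or (b is not None and wins(b, a)) else a
    return dict(merged), dict(merged)

def authoritative_restore(dc, subtree_dn, days_since_backup):
    # Mark every object at or under subtree_dn so it outranks all other replicas.
    # The model assumes the backup is at least one day old.
    bump = VERSION_BUMP_PER_DAY * days_since_backup
    return {dn: replace(o, version=o.version + bump) if dn.endswith(subtree_dn) else o
            for dn, o in dc.items()}

ANN = "CN=Ann,OU=Sales,DC=example,DC=com"  # constructed sample objects
BOB = "CN=Bob,OU=IT,DC=example,DC=com"

def scenario(authoritative):
    backup = {ANN: Obj(False, 2, 100), BOB: Obj(False, 1, 100)}
    partner = dict(backup)
    partner[ANN] = Obj(True, 3, 300)   # erroneous deletion made after the backup
    partner[BOB] = Obj(False, 2, 310)  # legitimate change made after the backup
    restored = dict(backup)            # nonauthoritative restore from backup media
    if authoritative:
        restored = authoritative_restore(restored, "OU=Sales,DC=example,DC=com", 3)
    return replicate(restored, partner)

if __name__ == "__main__":
    for mode in (False, True):
        restored, _ = scenario(mode)
        print("authoritative" if mode else "nonauthoritative",
              "-> Ann deleted:", restored[ANN].deleted, "| Bob version:", restored[BOB].version)
```

In both runs the unmarked object (Bob) is updated from the replication partner, which is the nonauthoritative behavior; only the subtree marked authoritative overrides what the partners hold.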