Authoritative, primary, and normal restores

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

In Backup, distributed services data that is part of the System State data, such as the Active Directory directory service data, can be restored using one of three restore methods:

  • Primary restore

  • Normal (nonauthoritative) restore

  • Authoritative restore

To understand how each restore method works, it is important to understand how the Backup utility backs up data for distributed services. When you back up the System State data on a domain controller, you are backing up all Active Directory data that exists on that server (along with other system components such as the SYSVOL directory and the registry). To restore these distributed services to that server, you must restore the System State data. However, the number and configuration of domain controllers in your system will dictate the type of restore method you choose. For example, if you need to roll back replicated Active Directory changes, but have more than one domain controller in your organization, you will need to perform an authoritative restore to ensure that your restored data gets replicated to all of your servers. However, if you need to restore Active Directory data on a standalone domain controller or on the first of several domain controllers, you will need to perform a primary restore. If you need to restore Active Directory data on just one domain controller in a system where Active Directory data is replicated across several domain controllers, you can use a normal restore if your restored data does not have to be replicated to all your servers.

Primary restore

Use this type of restore when the server you are trying to restore is the only running server of a replicated data set (for example, the SYSVOL and FRS are replicated data sets). Select primary restore only when restoring the first replica set to the network. Do not use primary if one or more replica sets have already been restored. Typically, perform a primary restore only when all the domain controllers in the domain are lost, and you are trying to rebuild the domain from backup.

| Distributed Data | Reason for using Primary Restore of System State Data |
|---|---|
| Active Directory | Restoring a standalone domain controller. Restoring the first of several domain controllers. |
| SYSVOL | Restoring a standalone domain controller. Restoring the first of several domain controllers. |
| Replica Sets | Restoring the first replica set. |

To perform a primary restore, select "When restoring replicated data sets, mark the restored data as the primary data for all replicas" in the advanced options. For more information, see Set advanced restore options.

Normal restore

During a normal restore operation, Backup operates in nonauthoritative restore mode. That is, any data that you restore, including Active Directory objects, will have their original update sequence number. The Active Directory replication system uses this number to detect and propagate Active Directory changes among the servers in your organization. Because of this, any data that is restored nonauthoritatively will appear to the Active Directory replication system as though it is old, which means the data will never get replicated to your other servers. Instead, if newer data is available from your other servers, the Active Directory replication system will use this to update the restored data. To replicate the restored data to the other servers, you must use an authoritative restore.

| Distributed Data | Reason for using Normal Restore of System State Data |
|---|---|
| Active Directory | Restoring a single domain controller in a replicated environment. |
| SYSVOL | Restoring a single domain controller in a replicated environment. |
| Replica Sets | Restoring all but the first replica sets (that is, sets 2 through n, for n replica sets). |

Authoritative restore

To authoritatively restore Active Directory data, you need to run the Ntdsutil utility after you have restored the System State data but before you restart the server. The Ntdsutil utility lets you mark Active Directory objects for authoritative restore. When an object is marked for authoritative restore, its update sequence number is changed so that it is higher than any other update sequence number in the Active Directory replication system. This will ensure that any replicated or distributed data that you restore is properly replicated or distributed throughout your organization.

For example, if you inadvertently delete or modify objects stored in the Active Directory directory service, and those objects are replicated or distributed to other servers, you will need to authoritatively restore those objects so they are replicated or distributed to the other servers. If you do not authoritatively restore the objects, they will never get replicated or distributed to your other servers because they will appear to be older than the objects currently on your other servers. Using the Ntdsutil utility to mark objects for authoritative restore ensures that the data you want to restore gets replicated or distributed throughout your organization. On the other hand, if your system disk has failed or the Active Directory database is corrupted, then you can simply restore the data nonauthoritatively without using the Ntdsutil utility.
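The difference between the normal and authoritative restores described above can be seen in a small model, added here as an illustration and not taken from Backup, Ntdsutil, or Active Directory itself. It assumes only what this page states: each object carries an update sequence number, and the copy with the higher number replaces the others. The domain controller names, the object name, and the numbers are constructed sample data.

```python
# Simplified model of the replication behaviour this page describes (added
# example; not how Active Directory is implemented internally). Each domain
# controller holds objects tagged with an update sequence number, and when
# copies differ the copy with the higher number replaces the others.

def replicate(dcs):
    """Converge all DCs: for every object, the highest-numbered copy wins."""
    names = {name for dc in dcs.values() for name in dc}
    for name in names:
        winner = max((dc[name] for dc in dcs.values() if name in dc),
                     key=lambda copy: copy["usn"])
        for dc in dcs.values():
            dc[name] = dict(winner)

def normal_restore(dcs, target, backup):
    """Nonauthoritative: restored objects keep their original numbers."""
    dcs[target] = {name: dict(copy) for name, copy in backup.items()}

def mark_authoritative(dcs, target, name):
    """Authoritative: raise the number above every other one in the system."""
    highest = max(copy["usn"] for dc in dcs.values() for copy in dc.values())
    dcs[target][name]["usn"] = highest + 1

def scenario(authoritative):
    # Constructed sample data: two DCs holding one user object.
    dcs = {"DC1": {"cn=alice": {"usn": 10, "title": "Engineer"}},
           "DC2": {"cn=alice": {"usn": 10, "title": "Engineer"}}}
    backup = {n: dict(c) for n, c in dcs["DC1"].items()}  # backup taken on DC1
    # Unwanted change made on DC2 after the backup, then replicated everywhere.
    dcs["DC2"]["cn=alice"] = {"usn": 25, "title": "CHANGED BY MISTAKE"}
    replicate(dcs)
    normal_restore(dcs, "DC1", backup)       # restore System State on DC1
    if authoritative:
        mark_authoritative(dcs, "DC1", "cn=alice")
    replicate(dcs)                           # DC1 restarts and replicates
    return {dc: objs["cn=alice"]["title"] for dc, objs in dcs.items()}

if __name__ == "__main__":
    print("normal:       ", scenario(authoritative=False))
    print("authoritative:", scenario(authoritative=True))
```

After the normal restore the unwanted change comes back to DC1 from DC2, while marking the object authoritative makes the restored value win on both servers.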

You can run the Ntdsutil command-line utility from the command prompt. For more information about using Ntdsutil to perform an authoritative restore, see Ntdsutil. Help for the Ntdsutil utility is also available through the command prompt by typing ntdsutil /?.

| Distributed Data | Reason for using Authoritative Restore of System State Data |
|---|---|
| Active Directory | Rolling back or undoing changes. |
| SYSVOL | Resetting data. |
| Replica Sets | Rolling back or undoing changes. |

Caution

  • When you restore the System State data, and you do not designate an alternate location for the data, Backup will erase the System State data that is currently on your computer and replace it with the System State data you are restoring.

Notes

  • To restore the System State data on a domain controller, you must first start your computer in Directory Services Restore Mode. This will allow you to restore the SYSVOL directory and the Active Directory. For more information on starting your computer in Directory Services Restore Mode, see Startup options.

  • You can only restore the System State data on a local computer. You cannot restore the System State data on a remote computer.

For more information, see Set advanced restore options.