authoritative restore

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2008

Restores domain controllers to a specific point in time, and marks objects in Active Directory as being authoritative with respect to their replication partners.

This is a subcommand of Ntdsutil and Dsdbutil. Ntdsutil and Dsdbutil are command-line tools that are built into Windows Server 2008 and Windows Server 2008 R2. Ntdsutil is available if you have the Active Directory Domain Services (AD DS) or Active Directory Lightweight Directory Services (AD LDS) server role installed. Dsdbutil is available if you have the AD LDS server role installed. These tools are also available if you install the Active Directory Domain Services Tools that are part of the Remote Server Administration Tools (RSAT). For more information, see How to Administer Microsoft Windows Client and Server Computers Locally and Remotely (https://go.microsoft.com/fwlink/?LinkID=177813).

To use either of these tools, you must run them from an elevated command prompt. To open an elevated command prompt, click Start, right-click Command Prompt, and then click Run as administrator.

In forests that have a functional level of Windows Server 2003, Windows Server 2003 interim, or Windows Server 2008, this subcommand also restores back-links for links that were created after the functional level was raised. For example, the member attributes of groups to which a restored user object belongs are updated. The authoritative restore subcommand creates an LDAP Data Interchange Format (LDIF) file that can be used to restore back-links for links that were created before the functional level was raised.

At the authoritative restore: prompt, type any of the parameters listed under “Syntax.”

For examples of how to use this command, see Examples.

Syntax

{create ldif file(s) from %s | list nc crs | restore object %s | restore object %s verinc %d | restore subtree %s | restore subtree %s verinc %d}

Parameters

Parameter Description

create ldif file(s) from %s

This option creates an LDIF file of link updates from the Ntdsutil-generated text file that is named in %s. This file can be used to update back-links on objects in a domain other than the domain of the restored object. For example, this file can be used to restore group membership for a user where the group belongs to a different domain than the user.

List NC CRs

Lists partitions and cross-references. You need the cross-reference of an application directory partition to restore it.

%d

A numeric value that overrides the default value of 100,000. The version number of the object or database being authoritatively restored will be increased by this value times the number of days since backup.

restore object %s

Marks object %s as being authoritative. This option also generates a text file that contains the distinguished name of the restored object and an LDIF file that can be used to restore back-links for objects that are being authoritatively restored (such as group memberships of users).

restore object %s verinc %d

Marks object %s as being authoritative and updates links as described in restore object %s; also increments the version number by %d times the number of days since backup. Use this option only to authoritatively restore over a previous, incorrect authoritative restore, such as an authoritative restore from a backup that contains the problem that you want to restore.

restore subtree %s

Marks subtree %s (and all children of the subtree) as being authoritative. This option also generates a text file that contains the distinguished names of the restored objects and an LDIF file that can be used to restore back-links for objects that are being authoritatively restored (such as group memberships of users).

restore subtree %s verinc %d

Marks subtree %s (and all children of the subtree) as being authoritative and updates links as described in restore subtree %s; also increments the version number by %d times the number of days since backup. Use this option only to authoritatively restore over a previous, incorrect authoritative restore, such as an authoritative restore from a backup that contains the problem that you want to restore.

Toggle recycled objects flag

Note

This parameter is available only if Active Directory Recycle Bin is enabled.

Sets the flag to allow undeletion or authoritative restore of recycled objects.

This is not recommended and can result in lost linked values after undeletion or authoritative restore.

%s

An alphanumeric variable, either a distinguished name for a restored object or subtree, or a file name for a text file that is used to create an LDIF file.

quit

Takes you back to the previous menu, or exits the utility.

?

Displays Help at the command prompt.

Help

Displays Help at the command prompt.

Remarks

  • Before you can run the authoritative restore subcommand, you need to set NTDS or an AD LDS instance as the active instance for Ntdsutil. For example, if the AD LDS instance that you want to restore is named instance 1, type the following command at the ntdsutil: prompt before you run the authoritative restore subcommand, and then press ENTER:

    ac in instance 1
    
  • You need to stop the AD DS or AD LDS service before you can run the authoritative restore subcommand. To stop AD DS, click Start, and then click Server Manager. In the console tree, double-click Configuration, and then click Services. In the details pane, right-click Active Directory Domain Services, and then click Stop.

  • When you are restoring a domain controller by using backup and restore programs, such as Windows Server Backup or those from other providers, the default mode for the restore is nonauthoritative. This means that the restored server is brought up to date with its replicas through the normal replication mechanism. For example, if a domain controller is restored from a backup tape that is two weeks old, when you restart it, the normal replication mechanism brings it up to date with respect to its replication partners.

  • You might have to perform an authoritative restore if an administrator inadvertently deletes an organizational unit (OU) containing a large number of users. If you restore the server from tape, the normal replication process would not restore the inadvertently deleted OU. Authoritative restore allows you to mark the OU as authoritative and force the replication process to restore it to all the other domain controllers in the domain.

  • Ntdsutil does not correctly handle special characters, such as the apostrophe character ('), that you can enter at the ntdsutil: prompt at the command line. In some situations, there may be an alternative workaround. For more information, see local roles (https://go.microsoft.com/fwlink/?LinkId=157320).

Examples

To list the directory partitions on a domain controller and their cross-references, type the following command, and then press ENTER:

authoritative restore: list nc crs
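The following batch file walks through the deleted-OU scenario from the Remarks above end to end: stop AD DS, mark the subtree authoritative, start AD DS so the raised version numbers replicate outward, and then reapply any back-links that the restore did not fix automatically. It is an added example, not part of the original page or of Ntdsutil's own documentation. The OU distinguished name, the domain name and the generated file names are placeholders, and the use of ldifde to import the LDIF file that the subcommand generates is an assumption about the usual import tool rather than something this page states.

```batch
@echo off
rem Added example (not from the original page). Run from an elevated prompt on
rem the domain controller after it has been restored nonauthoritatively from
rem backup and started in Directory Services Restore Mode (DSRM).
rem Placeholder: the OU that was deleted by mistake.
set "RESTORE_DN=OU=Sales,DC=corp,DC=example"

rem 1. AD DS must not be running while the authoritative restore subcommand
rem    executes. In DSRM the service is already stopped and "net stop" simply
rem    reports that, so its output is discarded here; /y also stops dependents.
net stop ntds /y >nul 2>&1

rem 2. Mark the subtree authoritative. Each quoted argument is one line typed at
rem    the successive Ntdsutil prompts; the two "quit"s return to the command
rem    prompt. Ntdsutil still asks for interactive confirmation before it
rem    raises version numbers, and it prints the names of the two files it
rem    generates: a text file with the DNs of the restored objects and an LDIF
rem    file of back-link updates. Note them for steps 4 and 5.
ntdsutil "activate instance ntds" "authoritative restore" "restore subtree %RESTORE_DN%" quit quit

rem    To overwrite a previous, incorrect authoritative restore, the verinc form
rem    described under "Parameters" would be used instead, for example:
rem      "restore subtree %RESTORE_DN% verinc 200000"

rem 3. Start AD DS again (on Windows Server 2003, reboot normally instead). The
rem    restored objects now carry higher version numbers than the deletion on
rem    the other domain controllers, so outbound replication reinstates them.
net start ntds

rem 4. Back-links for links created after the functional level was raised are
rem    updated by the subcommand itself; links created earlier must be reapplied
rem    from the generated LDIF file. Replace the placeholder with the .ldf name
rem    that step 2 printed. ldifde -i imports, -k skips "already exists" and
rem    constraint errors for links that are already in place, -f names the file.
set "LINKS_LDF=ar_PLACEHOLDER_links_corp.example.ldf"
if exist "%LINKS_LDF%" ldifde -i -k -f "%LINKS_LDF%"

rem 5. Group memberships in another domain: copy the objects .txt file that
rem    step 2 printed to a domain controller in that domain, generate the LDIF
rem    file there with "create ldif file(s) from", and import it there:
rem      ntdsutil "activate instance ntds" "authoritative restore" "create ldif file(s) from ar_PLACEHOLDER_objects.txt" quit quit
rem      ldifde -i -k -f <generated .ldf>
```

The script stops at each Ntdsutil confirmation prompt rather than answering it, so an operator can check the printed object count and the distinguished name before the version numbers are changed; once step 3 has run, the deletion can no longer be backed out by replication alone, which is why the subtree name is set once at the top and reused unchanged in the verinc comment.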

Additional references

Command-Line Syntax Key

Dsdbutil

Ntdsutil

configurable settings

DS behavior

files

group membership evaluation

ifm

LDAP policies

local roles

metadata cleanup

partition management

roles

security account management

semantic database analysis

set DSRM password

snapshot