AD with Ntdsutil
directory database doesn't always achieve successful results. For
example, if a database file is corrupted, using the Ntdsutil Repair
feature might not restore all objects and attributes. In fact, in some
cases, using the Repair feature could cause further data loss.
Isolating a DC from the rest of the network before you attempt this
kind of repair can prevent additional corruption to other DCs' AD
replicas. After you ensure that all is well, you can reattach the DC
to the network.
How to use Ntdsutil
to repair the AD database. To perform a repair operation on the AD
database file, follow these steps:
utility will display the File Maintenance category.
these questions will help you determine which AD restore modes—nonauthoritative
or authoritative—to use. (To read more about recovering AD, see the
sidebar "AD Recovery Resources.")
can use backup data from one DC to restore to only the same DC; you
can't use a backup of one DC to restore another machine. However, if
the DC system fails, you can restore the backup data to another
computer that replaces the original DC. Keep this restriction in mind
when you develop your backup strategy. To completely back up your
environment, you need a backup of every DC in the network. In
addition, you need to frequently back up the first DC that you
installed in the forest root domain. This DC typically hosts unique
forestwide roles and contains unique data essential to network
you're using Win2K's backup utility (ntbackup.exe) to perform a
restore, you must meet the following additional conditions to
successfully restore the system state (including AD). If you don't
meet all these conditions, the restore operation will fail.
restore AD, start the Win2K DC in a special startup mode called
Directory Services Restore Mode. Select this mode at system startup by
pressing F8 when the Win2K Boot Loader menu appears, then selecting
the option from the alternative boot menu. Win2K will start in Safe
Mode, and you can use the following steps to restore AD information on
DC will now participate in AD replication and will receive directory
updates from the other DCs. After the completion of the
nonauthoritative restore, the restored data (which might be out of
date) is synchronized.
the nonauthoritative restore if the DC fails or the entire AD database
is corrupted. A nonauthoritative restore will maintain its original
USN. (AD uses this number to detect and propagate the most recent
changes to other DCs.)
minimize replication traffic on the network, the nonauthoritative
restore provides a start point (the point at which backup began) for
data replication—only changed data (rather than the entire
directory) is replicated. Without this start point, all data from
other servers would be replicated. Simply reinstalling Win2K and
reconfiguring the system as a DC (through dcpromo.exe) is another
option for restoring AD on a Win2K DC. The AD-replication process will
automatically repopulate the DC with current directory information.
authoritative restore modifies the USN of the AD objects that you're
restoring to the DC so that each object has the highest value of any
AD replica on any DC in the domain. This, in turn, forces replication
of the newly restored objects to the other replicas residing on all
restores are unusual; they can roll back all the AD objects in the DC
to the point in time when you performed the original backup. You can
use this action to restore information that was erroneously deleted
from a replicated data set. For example, if you inadvertently delete
or modify objects stored in AD, you can authoritatively restore those
objects so that you can replicate them again to the other DCs. If you
don't authoritatively restore the missing objects, they'll never get
replicated to the other DCs in the same domain because the missing or
deleted objects you're restoring appear to be older than the objects
currently on your DC.
mark the target objects for authoritative restore, you can use the
Ntdsutil utility, which ensures that the data you want to restore is
replicated to the appropriate DCs after the restoration.Table
1 lists and describes the authoritative Ntdsutil restore commands.
definition, an authoritative restore replicates any changes you made
to the current data set to its outbound replication partners. Use the
following steps to perform an authoritative restore of AD on a
press Enter. This action puts Ntdsutil into Authoritative Restore
set the entire database as authoritative. Alternatively, you
can set only a subtree of the database (for example, an individual OU);
doing so requires that you use the Lightweight Directory Access
Protocol (LDAP) string that identifies the AD portion that you're
authoritatively restoring. For example, to authoritatively restore an
OU called Engineering in the mycompany.com domain, type the following
command at the Authoritative Restore prompt:
restore subtree ou=engineering,dc=mycompany,dc=com
authoritatively restore the Sysvol folder whenever you authoritatively
restore AD. This process ensures that Sysvol and AD remain
synchronized. Also, be aware that authoritative restores have several
potentially negative consequences.
such effect relates to trust relationships and computer account
passwords, which are automatically negotiated at a specific interval
(every 7 days by default, except for computer accounts that
administrators can disable). During an authoritative restore, you can
restore a previously used password for the AD objects that maintain
trust relationships and computer accounts. For trust relationships,
this action could void communication with DCs from other domains. For
computer account passwords, it could void communications between the
member workstation or server and a DC.
this article, I've attempted to cover some of the more important
maintenance activities related to AD upkeep and give you information
about how to repair and restore AD when things go awry. Following
these recommendations can help ensure that your network stays healthy
and available, that your users are productive, and that the boss stays
off your back.
1: Ntdsutil Authorative Restore Commands
you use the authoritative restore submenu options listed below. Run
this option only on a DC that operates in Directory Services Restore
option that marks the entire AD database (ntds.dit) as authoritative.
database verinc %d
option that marks the entire AD database (ntds.dit) as authoritative
and increments the version number by %d. Use this option only to
authoritatively restore a previous sequential authoritative restore.
option that marks a subtree (all objects in subtree) as authoritative.
Use the Fully Distinguished Name (FDN) of the OU object to define the
subtree %s verinc %d
option that marks a subtree (all objects in subtree) as authoritative
and increments the version number by %d. Use the FDN of the OU object
to define the subtree. Use this option only to authoritatively restore
from a backup that contains the objects you want to replace.