Lesson 7: Restoring Active Directory - MCSE Training Kit, Microsoft Windows 2000 Active Directory Services [Electronic resources] (text version)

Jill Spealman

Lesson 7: Restoring Active Directory


There are two ways to restore Active Directory: nonauthoritatively and authoritatively. In this lesson you will learn how to restore Active Directory.


After this lesson, you will be able to

Explain the difference between nonauthoritative and authoritative restore

Restore Active Directory


Estimated lesson time: 25 minutes

Preparing to Restore Active Directory


Like the backup process, when you choose to restore Active Directory, you can only restore all of the System State data that was backed up, including the registry, the COM+ Class Registration database, system boot files, the SYSVOL directory, the Active Directory, and the Certificate Services database (if the server is a certificate server). You cannot choose to restore individual components (for example, only the Active Directory) of the System State data.

If you are restoring the System State data to a domain controller, you must choose whether you want to perform a nonauthoritative restore or an authoritative restore. The default method of restoring the System State data to a domain controller is nonauthoritative.

Nonauthoritative Restore


In nonauthoritative mode, any component of the System State that is replicated with another domain controller, such as Active Directory directory service, will be brought up to date by replication after you restore the data. For example, if the last backup was performed a week ago, and the System State is restored nonauthoritatively, any changes made subsequent to the backup operation will be replicated from the other domain controllers. The Active Directory replication system will update the restored data with newer data from your other servers.

Authoritative Restore


If you do not want to replicate the changes that have been made subsequent to the last backup operation you must perform an authoritative restore. For example, you must perform an authoritative restore if you inadvertently delete users, groups, or OUs from Active Directory and you want to restore the system so that the deleted objects are recovered and replicated.

To authoritatively restore Active Directory data, you must run the NTDSUTIL utility after you have performed a nonauthoritative restore of the System State data but before you restart the server. The NTDSUTIL utility allows you to mark objects as authoritative. Marking objects as authoritative changes the update sequence number of an object so it is higher than any other update sequence number in the Active Directory replication system. This ensures that any replicated or distributed data that you have restored is properly replicated or distributed throughout your organization. The NTDSUTIL utility is located in the systemroot\system32 directory; its documentation is in the Windows 2000 Help files (available from the Start menu).

For example, suppose you back up the system on Monday, and then create a new user called James Smith on Tuesday, which replicates to other domain controllers in the domain, but on Wednesday, another user, Amy Anderson, is accidentally deleted. To authoritatively restore Amy Anderson without reentering information, you can nonauthoritatively restore the domain controller with the backup created on Monday. Then, using NTDSUTIL, you can mark Amy Anderson as authoritative. The result is that Amy Anderson is restored without any effect on James Smith.

Performing a Nonauthoritative Restore


To restore the System State data on a domain controller, you must first start your computer in a special safe mode called Directory Services Restore Mode. This allows you to restore the SYSVOL directory and Active Directory database. You can only restore System State data on a local computer. You cannot restore the System State data on a remote computer.

NOTE
If you restore the System State data and you do not designate an alternate location for the restored data, Backup will erase the System State data that is currently on your computer and replace it with the System State data you are restoring. Also, if you restore the System State data to an alternate location, only the registry files, SYSVOL directory files, and system boot files are restored to the alternate location. The Active Directory database, Certificate Services database, and COM+ Class Registration database are not restored if you designate an alternate location.

To nonauthoritatively restore Active Directory


Restart the computer.

During the phase of startup where the operating system is normally selected, press F8.

On the Windows 2000 Advanced Options Menu, select Directory Services Restore Mode and press Enter. This ensures that the domain controller is offline and is not connected to the network.

At the Please Select The Operating System To Start prompt, select Microsoft Windows 2000 Server and press Enter.

Log on as Administrator.

On the Desktop message box that warns you that Windows is running in Safe Mode, click OK.


NOTE
When you restart the computer in Directory Services Restore Mode, you must log on as an Administrator by using a valid Security Accounts Manager (SAM) account name and password, not the Active Directory Administrator's name and password. This is because Active Directory is offline, and account verification cannot occur. Rather, the SAM accounts database is used to control access to Active Directory while it is offline. You specified this password when you set up Active Directory.


Point to Start, point to Programs, point to Accessories, point to System Tools, then select Backup.

On the Welcome To The Windows 2000 Backup And Recovery Tools page, select Restore Wizard.

Click Next to begin using the Restore Wizard.

In the Restore Wizard What To Restore page (see Figure 11.10), expand the media type that contains the data that you want to restore or click Import File. This can be either tape or file media.


Figure 11.10 Restore Wizard What To Restore page

Expand the appropriate media set until the data that you want to restore is visible. You can restore a backup set or specific files and folders.

Select the data you want to restore, then click Next.

Do one of the following:


Click Finish to start the restore process. The Restore Wizard requests verification for the source of the restore media and then performs the restore. During the restore, the Restore Wizard displays status information about the restore.

Click Advanced to specify advanced restore options.



Specifying Advanced Restore Settings


The Advanced settings in the Restore Wizard vary, depending on the type of backup media from which you are restoring. Table 11.10 describes the advanced restore options.

Table 11.10 Advanced Restore Options

Advanced Settings Page: Where To Restore
Option: Restore Files To
Description: The target location for the data that you are restoring. The choices in the list are:

    Original Location—replaces corrupted or lost data

    Alternate Location—restores an older version of a file to a folder you designate

    Single Folder—consolidates the files from a tree structure into a single folder. For example, use this option if you want copies of specific files but do not want to restore the hierarchical structure of the files. If you select either an alternate location or a single folder, you must also provide the path.

Advanced Settings Page: How To Restore
Option: When Restoring Files That Already Exist
Description: Whether or not to overwrite existing files. The choices are:

    Do Not Replace The File On My Disk—prevents accidental overwriting of existing data. This is the default

    Replace The File On Disk Only If It Is Older Than The Backup Copy—verifies that the most recent copy exists on the computer

    Always Replace The File On Disk—Windows Backup does not provide a confirmation message if it encounters a duplicate file name during the restore operation.

Advanced Settings Page: Advanced Restore Options
Option: Select The Special Restore Options You Want To Use
Description: Whether or not to restore security or special system files. The choices are:

    Restore Security—applies the original permissions to files that you are restoring to a Windows NTFS volume. Security settings include access permissions, audit entries, and ownership. This option is only available if you have backed up data from an NTFS volume and are restoring to an NTFS volume

    Restore Removable Storage Database—restores the configuration database for removable storage management (RSM) devices and the media pool settings. The database is located in systemroot\system32\Ntmsdata

    Restore Junction Points, Not The Folders And File Data They Reference—restores junction points on your hard disk as well as the data that the junction points refer to. If you have any mounted drives and you want to restore the data that the mounted drives point to, you should select this check box. If you do not select this check box, the junction point will be restored but the data your junction point refers to may not be accessible.


After you have finished the Restore Wizard, Windows Backup does the following:


Prompts you to verify your selection of the source media to use to restore data. After the verification, Windows Backup starts the restore process.

Displays status information about the restore process. As with a backup process, you can choose to view the report (restore log) of the restore. It contains information about the restore, such as the number of files that have been restored and the duration of the restore process.


Performing an Authoritative Restore


An authoritative restore occurs after a nonauthoritative restore and designates the entire directory, a subtree, or individual objects to be recognized as authoritative with respect to replica domain controllers in the forest. The NTDSUTIL utility allows you to mark objects as authoritative so that they are propagated through replication, thereby updating existing copies of those objects throughout the forest.

To authoritatively restore Active Directory


Perform a nonauthoritative restore as described previously.

Restart the computer.

During the phase of startup where the operating system is normally selected, press F8.

On the Windows 2000 Advanced Startup Options Menu, select Directory Services Restore Mode and press Enter. This ensures that the domain controller is offline and is not connected to the network.

Select Windows 2000 Server.

Log on as Administrator.


NOTE
When you restart the computer in Directory Services Restore Mode, you must log on as an Administrator by using a valid SAM account name and password, not the Active Directory Administrator's name and password. This is because Active Directory is offline and account verification cannot occur. Rather, the SAM accounts database is used to control access to Active Directory while it is offline.


On the Desktop message box that warns you that Windows is running in Safe Mode, click OK.

Point to Start, point to Programs, point to Accessories, then select Command Prompt.

At the command prompt, type NTDSutil and press Enter.

At the NTDSUTIL prompt, type authoritative restore and press Enter.

At the authoritative restore prompt:


To authoritatively restore the entire directory, type restore database and press Enter.

To authoritatively restore a portion or subtree of the directory, such as an OU, type restore subtree <subtree distinguished name>, where the subtree distinguished name is the OU's distinguished name, and press Enter.


For example, to restore the Security1 OU in the Microsoft.com domain, the commands would be:


NTDSutil
authoritative restore
restore subtree OU=Security1,DC=Microsoft,DC=COM


To authoritatively restore the entire directory and override the version increase, type restore database verinc <version increase> and press Enter.

To authoritatively restore a subtree of the directory and override the version increase, type restore subtree <subtree distinguished name> verinc <version increase> and press Enter.


The authoritative restore opens the NTDS.DIT, increases version numbers, counts the records that need updating, verifies the number of records updated, and reports completion. If a version number increase is not specified, one is automatically calculated.

Type quit and press Enter to exit the NTDSUTIL utility, then close the Command Prompt window.

Restart the domain controller in normal mode and connect the restored domain controller to the network.


When the restored domain controller is online and connected to the network, normal replication brings the restored domain controller up to date with any changes from the additional domain controllers that were not overridden by the authoritative restore. Replication also propagates the authoritatively restored object(s) to other domain controllers in the forest. The deleted objects that were marked as authoritative are replicated from the restored domain controller to the additional domain controllers. Because the objects that are restored have the same object GUID and object SID, security remains intact, and object dependencies are maintained.
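The replication behaviour behind the Monday/Tuesday/Wednesday example earlier in this lesson, and the version increase (verinc) that NTDSUTIL applies during an authoritative restore, are easier to see in a small model. The following Python is an added illustration, not code from the training kit or from Microsoft: it keeps a per-attribute version number on each replica, applies a pull-replication rule in which the higher version wins, replays the scenario on two simulated domain controllers, and compares a plain nonauthoritative restore with one where Amy Anderson's object is marked authoritative. The 100,000-per-day default version increase is an assumption of the model (the lesson only says the increase is calculated automatically when not specified), and the domain controller names, day numbers, and user distinguished names are constructed sample values.

```python
"""Simplified model of per-attribute replication metadata in a directory
service, used to show why a nonauthoritative restore is overwritten by
replication while an authoritative restore wins. Added illustration; the
real service tracks more metadata (USNs, invocation IDs, tombstone lifetime)."""
from copy import deepcopy
from dataclasses import dataclass, field
from typing import Dict

# Assumed default (not stated in the lesson): when no verinc is given,
# versions are raised by 100,000 for each day since the backup was taken.
DEFAULT_VERINC_PER_DAY = 100_000


@dataclass
class AttrMeta:
    """Replication metadata kept for one attribute on one replica."""
    value: object
    version: int   # per-attribute version number; the higher one wins a conflict
    stamp: int     # originating write time (here: a day number); tiebreaker


@dataclass
class DirObject:
    dn: str
    attrs: Dict[str, AttrMeta] = field(default_factory=dict)


class DomainController:
    def __init__(self, name: str) -> None:
        self.name = name
        self.objects: Dict[str, DirObject] = {}

    def write(self, dn: str, attr: str, value, stamp: int) -> None:
        """Originating write: increment the attribute's version by one."""
        obj = self.objects.setdefault(dn, DirObject(dn))
        old = obj.attrs.get(attr)
        obj.attrs[attr] = AttrMeta(value, old.version + 1 if old else 1, stamp)

    def create(self, dn: str, stamp: int, **attrs) -> None:
        for name, value in attrs.items():
            self.write(dn, name, value, stamp)
        self.write(dn, "isDeleted", False, stamp)

    def delete(self, dn: str, stamp: int) -> None:
        """A deletion is modelled as a tombstone: isDeleted flips to True."""
        self.write(dn, "isDeleted", True, stamp)

    def snapshot(self) -> Dict[str, DirObject]:
        """System State backup of the directory database."""
        return deepcopy(self.objects)

    def restore(self, backup: Dict[str, DirObject]) -> None:
        """Nonauthoritative restore: put the backed-up database back as it was."""
        self.objects = deepcopy(backup)

    def mark_authoritative(self, subtree_dn: str, verinc: int) -> int:
        """Model of 'restore subtree <dn> verinc <n>': raise every attribute
        version under the subtree so the restored copy wins replication.
        Returns the number of objects marked."""
        count = 0
        for dn, obj in self.objects.items():
            if dn == subtree_dn or dn.endswith("," + subtree_dn):
                for meta in obj.attrs.values():
                    meta.version += verinc
                count += 1
        return count

    def replicate_from(self, partner: "DomainController") -> None:
        """Pull replication: take the partner's attribute only when it carries
        the higher (version, stamp); this is how the replicas converge."""
        for dn, src in partner.objects.items():
            dst = self.objects.setdefault(dn, DirObject(dn))
            for attr, smeta in src.attrs.items():
                dmeta = dst.attrs.get(attr)
                if dmeta is None or (smeta.version, smeta.stamp) > (dmeta.version, dmeta.stamp):
                    dst.attrs[attr] = deepcopy(smeta)

    def is_live(self, dn: str) -> bool:
        obj = self.objects.get(dn)
        return obj is not None and obj.attrs["isDeleted"].value is False


# Constructed sample values following the lesson's example.
AMY = "CN=Amy Anderson,OU=Security1,DC=Microsoft,DC=COM"
JAMES = "CN=James Smith,OU=Security1,DC=Microsoft,DC=COM"
MON, TUE, WED, THU = 1, 2, 3, 4


def run_scenario(authoritative: bool) -> Dict[str, bool]:
    """Replay the Monday/Tuesday/Wednesday example on two DCs and report
    which users are live on each DC once replication has settled."""
    dc1, dc2 = DomainController("DC1"), DomainController("DC2")
    dc1.create(AMY, MON, cn="Amy Anderson")
    dc2.replicate_from(dc1)
    backup = dc1.snapshot()                      # Monday: System State backup

    dc1.create(JAMES, TUE, cn="James Smith")     # Tuesday: new user, replicated
    dc2.replicate_from(dc1)

    dc2.delete(AMY, WED)                         # Wednesday: accidental deletion
    dc1.replicate_from(dc2)                      # ...which replicates to DC1

    dc1.restore(backup)                          # DSRM: nonauthoritative restore
    if authoritative:                            # NTDSUTIL, before the restart
        dc1.mark_authoritative(AMY, (THU - MON) * DEFAULT_VERINC_PER_DAY)

    dc1.replicate_from(dc2)                      # DC1 back on the network
    dc2.replicate_from(dc1)
    return {
        "amy_on_dc1": dc1.is_live(AMY), "amy_on_dc2": dc2.is_live(AMY),
        "james_on_dc1": dc1.is_live(JAMES), "james_on_dc2": dc2.is_live(JAMES),
    }
```

Running run_scenario(False) shows the nonauthoritative case: the deletion carries a higher version than the restored object, so replication removes Amy Anderson again, while James Smith replicates back in. With run_scenario(True) the marked object outranks the tombstone, Amy Anderson is recovered on both domain controllers, and James Smith is untouched because only her subtree was marked.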

Additional Tasks for Authoritatively Restoring the Entire Active Directory Database


When you authoritatively restore the entire Active Directory database, you also must perform an additional procedure involving the SYSVOL directory. This is necessary to ensure the integrity of the computer's group policy. To ensure the proper elements are authoritatively restored, you must also:


Copy the SYSVOL directory from the alternate location over the existing one after the SYSVOL share is published.


When you authoritatively restore a portion of the Active Directory database (including policy objects), you also must perform an additional procedure involving the SYSVOL directory. To ensure the proper elements are authoritatively restored, you must also:


Copy only policy folders (identified by the GUID) corresponding to the restored Policy objects from the alternate location after the SYSVOL share is published. Then, copy them over the existing ones.


When authoritatively restoring either the entire Active Directory database or selected objects, it is important that you copy the SYSVOL and policy data from the alternate location after the SYSVOL share is published. If the computer is in a replicated domain, it may take several minutes before the SYSVOL share is published because it needs to synchronize with its replication partners. If all computers in the domain are authoritatively restored and restarted at the same time, then each will be waiting (indefinitely) to synchronize with each other. In this case, restore one of the domain controllers first so that its SYSVOL share can be published; then restore the other computers nonauthoritatively.

Lesson Summary


In this lesson you learned how to restore Active Directory using nonauthoritative and authoritative restore. You learned that you must choose whether to restore in nonauthoritative or authoritative mode. In nonauthoritative restore mode, any component of the System State data that is replicated with another domain controller, such as Active Directory directory service, will be brought up to date by replication after you restore the data. In authoritative mode, changes made subsequent to the last backup operation are not replicated back over the restored data; the deleted objects are recovered and replicated.

To restore the System State data on a domain controller, you must first start your computer in a special safe mode called Directory Services Restore Mode. This allows you to restore the SYSVOL directory and Active Directory directory services database. You can only restore System State data on a local computer. You cannot restore the System State data on a remote computer.

When performing a nonauthoritative restore, the Restore Wizard helps you restore data. When performing an authoritative restore, you first perform a nonauthoritative restore and then use the NTDSUTIL utility to mark objects as authoritative so that they are propagated through replication.
