Performing an Authoritative Restore

When a domain contains more than one domain controller, Active Directory replicates directory objects, such as users, groups, organizational units, and computers, to all the domain controllers in that domain.

When you are restoring a domain controller by using backup and restore programs, such as Ntbackup or those from third-party providers, the default mode for the restore is nonauthoritative. This means that the restored server is brought up-to-date with its replicas through the normal replication mechanism. For example, if a domain controller is restored from a backup tape that is two weeks old, when you restart it, the normal replication mechanism brings it up-to-date with respect to its replication partners.

Authoritative restore allows the administrator to recover a domain controller, restore it to a specific point in time, and mark objects in Active Directory as being authoritative with respect to their replication partners. For example, you might need to perform an authoritative restore if an administrator inadvertently deletes an organizational unit containing a large number of users. If you restore the server from tape, the normal replication process would not restore the inadvertently deleted organizational unit. Authoritative restore allows you to mark the organizational unit as authoritative and force the replication process to restore it to all of the other domain controllers in the domain.

Table C.6 lists and describes the authoritative restore commands.

Table C.6 Authoritative Restore Commands

| Command | Description |
| --- | --- |
| Restore database | Marks the entire Ntds.dit (both the domain and configuration naming contexts held by the domain controller) as authoritative. The schema cannot be authoritatively restored. |
| Restore database verinc %d | Marks the entire Ntds.dit (both the domain and configuration naming contexts held by the domain controller) as authoritative and increments the version number by %d. Use this option only to authoritatively restore over a previous, incorrect, authoritative restore, such as an authoritative restore from a backup that contains the problem you want to restore over. |
| Restore subtree %s | Marks subtree (and all children of subtree) as being authoritative. The subtree is defined by using the fully distinguished name of the object. |
| Restore subtree %s verinc %d | Marks subtree (and all children of subtree) as being authoritative and increments the version number by %d. The subtree is defined by using the fully distinguished name of the object. Use this option only to authoritatively restore over a previous, incorrect, authoritative restore, such as an authoritative restore from a backup that contains the problem you want to restore over. |
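
The following Python sketch is an added example, not part of the original documentation or of Ntdsutil. It models why a nonauthoritative restore leaves an inadvertently deleted organizational unit deleted, and why a larger verinc value is needed to restore over a previous, incorrect authoritative restore. It assumes a simplified replication model with one version number per object; the distinguished names, states, and version numbers are constructed.

```python
# Simplified model (assumption): one version number per object, higher version
# wins. Real Active Directory tracks versions per attribute and breaks ties on
# timestamp and originating domain controller; that is left out here.

def replicate(a, b):
    """Two-way sync between two DCs: for each DN the higher version wins."""
    for dn in set(a) | set(b):
        winner = max(a.get(dn, (0, None)), b.get(dn, (0, None)),
                     key=lambda copy: copy[0])
        a[dn] = b[dn] = winner

def restore_subtree(dc, subtree_dn, verinc):
    """Model of 'restore subtree %s verinc %d': raise the version of the
    subtree root and all of its children by verinc."""
    for dn, (version, state) in list(dc.items()):
        if dn == subtree_dn or dn.endswith("," + subtree_dn):
            dc[dn] = (version + verinc, state)

# Constructed sample data (hypothetical names and numbers).
OU = "OU=Sales,DC=example,DC=com"
USER = "CN=Alice," + OU

def backup():
    # State on the backup tape: OU and user exist at version 1.
    return {OU: (1, "live"), USER: (1, "live")}

def partner_after_delete():
    # Replication partner after the accidental delete (version went up).
    return {OU: (2, "deleted"), USER: (2, "deleted")}

def nonauthoritative():
    restored, partner = backup(), partner_after_delete()
    replicate(restored, partner)          # partner's newer deletion wins
    return restored[OU][1], partner[USER][1]

def authoritative(verinc, partner=None):
    restored = backup()
    partner = partner if partner is not None else partner_after_delete()
    restore_subtree(restored, OU, verinc)
    replicate(restored, partner)
    return restored[OU][1], partner[USER][1]

def over_previous_restore(verinc):
    # Partner already holds an earlier, incorrect authoritative restore.
    bad = {OU: (200001, "bad"), USER: (200001, "bad")}
    return authoritative(verinc, bad)

if __name__ == "__main__":
    print(nonauthoritative(), authoritative(100000))
    print(over_previous_restore(100000), over_previous_restore(300000))
```
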