Mark the object or objects authoritative

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

In this procedure, you select which objects are to be marked authoritative to have them replicate to other domain controllers. You must have completed a nonauthoritative restore procedure, following which the domain controller has not been restarted and remains in Directory Services Restore Mode. To complete this procedure, you must know the full distinguished name of the object or objects that you want to restore.

Administrative credentials

To perform this procedure, you must provide the Administrator password for Directory Services Restore Mode.

To mark a subtree or individual object authoritative

  1. In Directory Services Restore Mode, click Start, click Run, type ntdsutil, and then press ENTER.

  2. At the ntdsutil: prompt, type authoritative restore, and then press ENTER.

  3. To restore a subtree or individual object, type one of the following commands, as appropriate, and then press ENTER:

    To restore a subtree (for example, an organizational unit and all child objects):

    restore subtree DistinguishedName

    To restore a single object:

    restore object DistinguishedName

    • DistinguishedName
      The distinguished name of the subtree or object that is to be marked authoritative
  4. Click Yes in the message box to confirm the command.

    For example, if you want to restore a deleted organizational unit named Marketing NorthAm in the corp.contoso.com domain, type:

    restore subtree "OU=Marketing NorthAm,DC=corp,DC=contoso,DC=com"

    (Always enclose the distinguished name in quotes when there is a space or other special characters within the distinguished name.)

    Ntdsutil attempts to mark the object as authoritative. The output message indicates the status of the operation. The most common causes of failure are an incorrectly specified distinguished name, or a distinguished name that does not exist in the backup (which occurs, for example, if you try to restore a deleted user that was created after the backup was taken).

    Note

    If the object is marked authoritative, the restore did not work as expected, and the same backup is then used to restore the Active Directory database again, the attribute version numbers of the object to be restored authoritatively must be increased higher than the default of 100000, or the object will not replicate out after the second restore. The following syntax scripts an increased version number higher than the default of 100000:

    ntdsutil "authoritative restore" "restore object "CN=Smith, John,OU=sales,DC=contoso,DC=com" verinc 150000"" q q

    If the script prompts for confirmation on each object being restored, you can turn off the prompts. The syntax to turn off the prompts is:

    ntdsutil "popups off" "authoritative restore" "restore object "CN=John Smith,OU=sales,DC=contoso,DC=com" verinc 150000"" q q

    If you are running this command on a domain controller running Windows Server 2003 with Service Pack 1 (SP1), Ntdsutil provides output that indicates whether a restored object has back-links that must be restored. If objects that have back-links are found, Ntdsutil generates a set of files that you can use to restore the back-links in this domain and in other domains, if necessary.

    The following sample output on a domain controller running Windows Server 2003 with SP1 shows that Ntdsutil created a text file (.txt) and an LDAP Data Interchange Format (LDIF) file (.ldf) when the marked object was found to have back-links:

    Successfully updated 3 records.

    The following text file with a list of authoritatively restored
    objects has been created in the current working directory:
    ar_20050209-091249_objects.txt

    One or more specified objects have back-links in this domain. The
    following LDIF files with link restore operations have been created
    in the current working directory:
            ar_20050209-091249_links_Test1.com.ldf

    Authoritative Restore completed successfully.

  5. Make a note of the location of the .txt and .ldf files, if any. You will use the .ldf file to restore back-links in this domain. You will use the .txt file to generate an LDIF file to restore back-links in a different domain, if necessary. If you have other domains in which you want to restore back-links for this restored object, make a copy of this .txt file to use on a domain controller in another domain. For more information, see Procedures for Recovering Group Memberships (and Any Other Back-Link Attributes) in Other Domains.

    While still in Directory Services Restore Mode, use Ntdsutil to complete the procedure "Create an LDIF file for recovering back-links for authoritatively restored objects". In that procedure, you must specify the location of the .txt file that was generated by Ntdsutil during the authoritative restore procedure.

  6. At the authoritative restore: and ntdsutil: prompts, type quit, and then press ENTER.

  7. Restart the domain controller in normal operating mode, as follows:

    1. For a domain controller running Windows Server 2003 with no service pack installed: Disconnect the domain controller from the network, and then restart normally. Follow the instructions in "Procedures for Domain Controllers Running Windows Server 2003 with No Service Pack Installed" as described in Performing an Authoritative Restore of Active Directory Objects.

    2. For a domain controller running Windows Server 2003 with SP1: Restart the domain controller normally, and then follow the instructions in "Procedures for Domain Controllers Running Windows Server 2003 with SP1" as described in Performing an Authoritative Restore of Active Directory Objects.
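The procedure above, from building the quoted restore command with an explicit version increment (the verinc syntax from the Note) through capturing the .txt and .ldf file names that step 5 asks you to record, as an added PowerShell example that is not part of the original article. It assumes ntdsutil.exe is on the path, that the script is run in Directory Services Restore Mode after a nonauthoritative restore, and that Windows PowerShell 2.0 is present on the domain controller (it is not installed by default on Windows Server 2003); the parameter and function names are this example's own. Restarting the domain controller (step 7) is deliberately left manual, because the no-service-pack procedure requires disconnecting the network first.

```powershell
# Added example, not from the original article. Runs the ntdsutil
# authoritative-restore step non-interactively and records the files it creates.
# Assumes: ntdsutil.exe on PATH, DC in Directory Services Restore Mode,
# Windows PowerShell 2.0 or later. Parameter/function names are this example's own.
param(
    [Parameter(Mandatory = $true)]
    [string]$DistinguishedName,      # e.g. "OU=Marketing NorthAm,DC=corp,DC=contoso,DC=com"
    [ValidateSet('subtree', 'object')]
    [string]$Scope = 'subtree',
    [int]$VersionIncrease = 0,       # 0 = keep ntdsutil's default of 100000
    [string]$LogPath = (Join-Path $PWD ("ar_run_{0}.log" -f (Get-Date -Format 'yyyyMMdd-HHmmss')))
)

function Test-DistinguishedName {
    # Cheap sanity check so a typo (the most common failure cause named in the
    # article) is caught before ntdsutil is invoked: must start with an
    # attribute=value pair and end in at least one DC= component.
    param([string]$Dn)
    return ($Dn -match '^\s*[A-Za-z]+=.+,DC=[^,]+(,DC=[^,]+)*\s*$')
}

function New-NtdsutilCommandLine {
    # Builds the nested-quote form shown in the article's Note. The DN is
    # always quoted, which is required when it contains spaces.
    param([string]$Dn, [string]$Scope, [int]$VerInc)
    $restore = 'restore {0} "{1}"' -f $Scope, $Dn
    if ($VerInc -gt 0) { $restore += " verinc $VerInc" }
    return ('"popups off" "authoritative restore" "{0}" q q' -f $restore)
}

function Get-AuthoritativeRestoreFiles {
    # Pulls the file names ntdsutil reports (SP1 and later) out of its output,
    # matching the shape of the article's sample:
    #   ar_20050209-091249_objects.txt
    #   ar_20050209-091249_links_Test1.com.ldf
    param([string[]]$OutputLines)
    $result = @{ ObjectsFile = $null; LinkFiles = @(); Succeeded = $false }
    foreach ($line in $OutputLines) {
        if ($line -match '^\s*(ar_\d{8}-\d{6}_objects\.txt)\s*$') {
            $result.ObjectsFile = $Matches[1]
        } elseif ($line -match '^\s*(ar_\d{8}-\d{6}_links_\S+\.ldf)\s*$') {
            $result.LinkFiles += $Matches[1]
        } elseif ($line -match 'Authoritative Restore completed successfully') {
            $result.Succeeded = $true
        }
    }
    return $result
}

if (-not (Test-DistinguishedName $DistinguishedName)) {
    throw "Not a distinguished name: '$DistinguishedName'"
}

$cmdLine = New-NtdsutilCommandLine -Dn $DistinguishedName -Scope $Scope -VerInc $VersionIncrease
Write-Host "Running: ntdsutil $cmdLine"

# A single -ArgumentList string is handed to ntdsutil verbatim, so the nested
# quotes reach it exactly as written above. Output is kept as the run's record.
$proc = Start-Process -FilePath 'ntdsutil.exe' -ArgumentList $cmdLine `
    -NoNewWindow -Wait -PassThru -RedirectStandardOutput $LogPath

$lines = Get-Content -Path $LogPath
$files = Get-AuthoritativeRestoreFiles -OutputLines $lines

if (-not $files.Succeeded) {
    Write-Warning "ntdsutil did not report success (exit code $($proc.ExitCode)); see $LogPath"
    $lines | Write-Host
    exit 1
}

Write-Host "Marked authoritative: $Scope $DistinguishedName"
if ($files.ObjectsFile) {
    # Step 5: keep this file; copy it to a DC in any other domain where
    # back-links for the restored object must be recovered.
    Write-Host "Restored-objects list (for other domains): $(Join-Path $PWD $files.ObjectsFile)"
}
foreach ($ldf in $files.LinkFiles) {
    # Step 5: this LDIF restores back-links in this domain after the restart.
    Write-Host "Back-link LDIF for this domain: $(Join-Path $PWD $ldf)"
}
if (-not $files.ObjectsFile -and -not $files.LinkFiles) {
    Write-Host "No file names reported (expected on Windows Server 2003 without SP1)."
}
```

Run it from the Directory Services Restore Mode session before step 6, for example with the article's own subtree: `.\Mark-Authoritative.ps1 -DistinguishedName "OU=Marketing NorthAm,DC=corp,DC=contoso,DC=com"`; add `-VersionIncrease 150000` only in the repeat-restore case the Note describes. The log file and the reported .txt/.ldf paths are the artifacts to preserve for the back-link procedures; quit ntdsutil (step 6) and restart the domain controller (step 7) by hand afterwards.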