Best Practices for Authoritative Restore
Updated: January 9, 2009
Applies To: Windows Server 2008, Windows Server 2008 R2
The following best practices are provided to ensure successful recovery of the data that is being restored. Group membership is particularly sensitive. It can be affected greatly by the procedures that you follow during an authoritative restore.
The following best practices help ensure successful recovery of data when you use them to perform authoritative restore:
Restore a latent domain controller.
If possible, find a domain controller (preferably a global catalog server) that has not received replication of the deleted objects, and perform authoritative restore on that domain controller. In this case, you do not have to perform a preliminary nonauthoritative restore from backup.
Restore a global catalog server.
Attempt to find a global catalog server to use as the recovery domain controller. Only a global catalog server can recover universal group memberships for other domains. If you cannot find a latent global catalog server or other domain controller in the domain where the deletion occurred, find the most recent system state or critical-volume backup of a global catalog server in that domain. Use this global catalog server as the recovery domain controller. In addition, locate the most recent backup of a non-global-catalog domain controller.
Stop changes to groups.
Stop making changes to security groups in the forest if all of the following statements are true:
You are restoring individual, deleted user or computer accounts by their distinguished name (DN) paths.
You are restoring a domain controller that has not received replication of the deletions.
You are not restoring security groups or their parent containers.
Keep users and administrators informed.
If you are restoring security groups or organizational unit (OU) containers that host security groups or user accounts, notify users, administrators, and help desk administrators in the domain of the deletions—and in any other domains that might have group memberships for the deleted accounts—to temporarily stop all changes to these objects.
Create a preliminary backup.
If system state or critical-volume backup is not current up to the point of the deletion, before you perform authoritative restore, create a new system state or critical-volume backup in the domain of the deletions. You can use this backup if you need to roll back your changes.
Select objects as low as possible in the directory tree.
When you are selecting objects to mark for authoritative restore, find the lowest possible container or set of objects to restore so that you do not roll back objects unnecessarily. For more information, see Performing Authoritative Restore of Active Directory Objects.
Process the .ldf file after replication.
After the authoritatively restored objects have replicated to all domain controllers in the domain, always use the Ldifde.exe tool to process the .ldf file that is generated by Ntdsutil. Even when memberships are being restored automatically by Ntdsutil for groups that use linked-value replication (LVR), processing the .ldf file ensures that memberships are retained when replicated. For more information about the effect of replication order on group memberships following authoritative restore, see Known Issues for Authoritative Restore.
It is possible for the .ldf file to contain memberships in groups from which the restored security principal was removed before backup. For more information, see Known Issues for Authoritative Restore.
Perform follow-up steps.
After the authoritative restore procedure is complete, perform the following steps:
Verify group memberships in the domain of the recovery domain controller and on a global catalog server in every other domain.
Create a new system state or critical-volumes backup in the recovery domain.
Notify users, administrators, and help desk administrators that they can resume making changes.
Instruct help desk administrators to reset the passwords of restored user accounts and computer accounts whose domain passwords changed after the restored backup was created.