AD 林恢复-恢复多域林中的单个域AD Forest Recovery - Recovering a single domain in a multidomain forest

适用于: Windows Server 2016、Windows Server 2012 和 2012 R2、Windows Server 2008 和 2008 R2Applies To: Windows Server 2016, Windows Server 2012 and 2012 R2, Windows Server 2008 and 2008 R2

有时需要仅恢复林中具有多个域的单个域,而不是完全林恢复。There can be times when it is necessary to recover only a single domain within a forest that has multiple domains, rather than a full forest recovery. 本主题介绍了有关恢复单个域和可能的恢复策略的注意事项。This topic covers considerations for recovering a single domain and possible strategies for recovery.

单域恢复为重建全局编录 (GC) 服务器带来了独特的挑战。A single domain recovery presents a unique challenge for rebuilding global catalog (GC) servers. 例如,如果从之前创建的备份中还原域的第一个域控制器 (DC) ,则林中的所有其他 Gc 将具有该域的最新数据,而不是还原的 DC。For example, if the first domain controller (DC) for the domain is restored from a backup that was created one week earlier, then all other GCs in the forest will have more up-to-date data for that domain than the restored DC. 若要重新建立 GC 数据一致性,有几个选项可供选择:To re-establish GC data consistency, there are a couple options:

  • Unhost,然后 rehost 已恢复域分区,该分区来自林中的所有 Gc,同时恢复域中的所有 Gc 除外。Unhost and then rehost the recovered domains partition from all GCs in the forest, except those in the recovered domain, at the same time.
  • 按照林恢复过程恢复域,然后从其他域的 Gc 中删除延迟对象。Follow the forest recovery process to recover the domain, and then remove lingering objects from GCs in other domains.

以下各节提供了有关每个选项的一般注意事项。The following sections provide general considerations for each option. 对于不同 Active Directory 环境,需要执行的完整步骤集将有所不同。The complete set of steps that need to be done for the recovery will vary for different Active Directory environments.

Rehost 所有 GcRehost all GCs


所有域的域管理员帐户的密码必须可供使用,以防出现问题,导致无法访问 GC 进行登录。The password of the Domain Administrator account for all domains must be ready for use in case a problem prevents access to a GC for logon.

重新承载可以使用 repadmin/unhost 和 repadmin/rehost 命令来完成所有 Gc, (repadmin/experthelp) 的一部分。Rehosting all GCs can be done using repadmin /unhost and repadmin /rehost commands (part of repadmin /experthelp). 你将在每个未恢复的域中的每个 GC 上运行 repadmin 命令。You would run the repadmin commands on every GC in each domain that is not recovered. 需要确保所有 Gc 不再持有已恢复域的副本。It needs to be ensured, that all GCs do not hold a copy of the recovered domain anymore. 若要实现此目的,请首先从林的所有无恢复域中的所有域控制器 unhost 域分区。To achieve this, unhost the domain partition first from all domain controllers across all none-recovered domains of the forest first. 在所有 Gc 不再包含分区后,可以 rehost 它。After all GCs do not contain the partition anymore, you can rehost it. 在重新承载时,请考虑林的站点和复制结构,例如,在重新承载该站点的其他 Dc 之前,先完成每个站点的一个 DC 的 rehost。When rehosting, consider the site- and replication-structure of your forest, for example, finish the rehost of one DC per site prior to rehosting the other DCs of that site.

对于每个域只有几个域控制器的小型组织而言,此选项非常有利。This option can be advantageous for a small organization that has only a few domain controllers for each domain. 所有 Gc 可以在星期五晚上重建,如有必要,还可以在星期一早上之前完成所有只读域分区的复制。All of the GCs could be rebuilt on a Friday night and, if necessary, complete replication for all read-only domain partitions before Monday morning. 但是,如果你需要恢复涵盖全球各地站点的大型域,则在其他域的所有 Gc 上重新承载只读域分区会明显影响操作,并且可能需要停机时间。But if you need to recover a large domain that covers sites across the globe, rehosting the read-only domain partition on all GCs for other domains can significantly impact operations and potentially require down time.

删除延迟对象Remove lingering objects

与林恢复过程类似,你可以从需要恢复的域中的备份还原一个 DC,执行剩余 Dc 的元数据清除,然后重新安装 AD DS 来构建域。Similar to the forest recovery process, you restore one DC from backup in the domain that you need to recover, perform metadata cleanup of remaining DCs, and then re-install AD DS to build out the domain. 在林中所有其他域的 Gc 上,删除已恢复域的只读分区的延迟对象。On the GCs of all other domains in the forest, you remove the lingering objects for the read-only partition of the recovered domain.

延迟对象清理的源必须是已恢复域中的 DC。The source for the lingering object cleanup must be a DC in the recovered domain. 若要确保源 DC 没有任何域分区的延迟对象,可以删除全局编录(如果它是 GC)。To be certain that the source DC does not have any lingering objects for any domain partitions, you can remove the global catalog if it was a GC.

对于较大的组织,删除延迟对象非常有利,这些组织不会面临与其他选项相关联的停机时间。Removing lingering objects is advantageous for larger organizations that cannot risk the down time associated with the other options.

有关详细信息,请参阅 使用 Repadmin 删除延迟对象For more information, see Use Repadmin to remove lingering objects.

