Please Note: The contents below apply to an Active Directory infrastructure whose Active Directory Domain Services run on Windows 2000 or Windows 2003, or to Windows 2008 AD DS running in mixed mode with Windows 2003 DCs still present.
Restoring accidentally deleted objects in Windows 2008 or Windows 2012 Active Directory Domain Services running in native mode has become easy with the introduction of the "Recycle Bin". You must enable it before you can use it. In Windows 2008 AD DS the Recycle Bin can only be used through PowerShell; Windows 2012 AD DS added a GUI, which makes restoring accidentally deleted objects very easy.
Recycle Bin Windows 2008 R2
Recycle Bin Windows 2012
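The PowerShell path described above, as an added example that is not part of the original post: it checks the forest functional level, enables the Recycle Bin, then locates and restores a deleted object. The domain name, object names and the recovery OU are constructed placeholders.

```powershell
# Added example (not from the post). Domain and object names are constructed.
Import-Module ActiveDirectory

# Enabling the Recycle Bin is irreversible and requires forest functional level 2008 R2 or higher.
$forest = Get-ADForest
if ([int]$forest.ForestMode -lt [int][Microsoft.ActiveDirectory.Management.ADForestMode]::Windows2008R2Forest) {
    throw "Forest functional level $($forest.ForestMode) is too low for the Recycle Bin"
}

Enable-ADOptionalFeature -Identity 'Recycle Bin Feature' `
    -Scope ForestOrConfigurationSet -Target $forest.Name -Confirm:$false

# Confirm it is enabled; EnabledScopes lists the partitions it now applies to.
Get-ADOptionalFeature -Filter 'Name -like "Recycle Bin Feature"' |
    Select-Object Name, EnabledScopes

# Deleted objects are only returned with -IncludeDeletedObjects.
# lastKnownParent shows where the object lived; whenChanged approximates the deletion time.
# The deleted object's name becomes "<name>\0ADEL:<guid>", so match with a trailing wildcard.
$deleted = Get-ADObject -Filter 'isDeleted -eq $true -and Name -like "Jane Doe*"' `
    -IncludeDeletedObjects -Properties lastKnownParent, whenChanged, objectClass

$deleted | Format-Table Name, objectClass, lastKnownParent, whenChanged

# Restore parents before children: a user whose OU was also deleted needs the OU back first.
$deleted | Where-Object objectClass -eq 'organizationalUnit' | Restore-ADObject
$deleted | Where-Object objectClass -ne 'organizationalUnit' | Restore-ADObject

# If the original parent no longer exists, redirect the object with -TargetPath (constructed OU):
# Restore-ADObject -Identity $deleted[0].ObjectGUID -TargetPath 'OU=Recovered,DC=corp,DC=example,DC=com'
```

Because the Recycle Bin preserves link-valued attributes, restored users keep their group memberships, which the ntdsutil-based restore below does not guarantee.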
Authoritative and Non-Authoritative Restore in Windows 2000 and Windows 2003 Active Directory Domain Services
Non-authoritative restore of Active Directory
A non-authoritative restore returns the domain controller to its state at the time of backup, then allows normal replication to overwrite that state with any changes that have occurred after the backup was taken. After you restore the system state, the domain controller queries its replication partners. The replication partners replicate any changes to the restored domain controller, ensuring that the domain controller has an accurate and updated copy of the Active Directory database.
Non-authoritative restore is the default method for restoring Active Directory, and you will use it in most situations that result from Active Directory data loss or corruption. To perform a non-authoritative restore, you must be able to start the domain controller in Directory Services Restore Mode.
Authoritative restore of Active Directory
An authoritative restore is an extension of the non-authoritative restore process. You must perform the steps of a non-authoritative restore before you can perform an authoritative restore. The main difference is that an authoritative restore has the ability to increment the version number of the attributes of all objects in an entire directory, all objects in a subtree, or an individual object (provided that it is a leaf object) to make it authoritative in the directory. Restore the smallest unit necessary, for example, do not restore the entire directory in order to restore a single subtree.
As with a non-authoritative restore, after a domain controller is back online, it will contact its replication partners to determine any changes since the time of the last backup. However, because the version number of the object attributes that you want to be authoritative will be higher than the existing version numbers of the attribute held on replication partners, the object on the restored domain controller will appear to be more recent and therefore will be replicated out to the rest of the domain controllers within the environment.
Unlike a non-authoritative restore, an authoritative restore requires the use of a separate tool, Ntdsutil.exe. No backup utilities, including the Windows 2000 Server system tools, can perform an authoritative restore.
An authoritative restore will not overwrite new objects that have been created after the backup was taken. You can authoritatively restore only objects from the configuration and domain-naming contexts. Authoritative restores of schema-naming contexts are not supported.
Perform an authoritative restore when human error is involved, such as when an administrator accidentally deletes a number of objects and that change replicates to the other domain controllers and you cannot easily recreate the objects. To perform an authoritative restore, you must start the domain controller in Directory Services Restore Mode.
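The ntdsutil steps described above, as an added example that is not part of the original post: run from the Directory Services Restore Mode command prompt on the DC you have just restored non-authoritatively, before rebooting into normal mode. The distinguished names and the DC name are constructed placeholders.

```powershell
# Added example (not from the post). DNs and DC name are constructed.
# Run in DSRM on the restored DC, before the first normal reboot.
$subtree = 'OU=Sales,DC=corp,DC=example,DC=com'

# Windows 2000/2003: each quoted argument is one ntdsutil menu command.
# "restore subtree" marks the OU and everything under it authoritative by
# incrementing attribute version numbers; the two "quit" commands leave the menus.
ntdsutil.exe "authoritative restore" "restore subtree $subtree" quit quit

# Windows Server 2008 and later additionally require activating the instance first:
# ntdsutil.exe "activate instance ntds" "authoritative restore" "restore subtree $subtree" quit quit

# Restore the smallest unit needed: for a single leaf object use "restore object".
# ntdsutil.exe "authoritative restore" "restore object CN=Jane Doe,OU=Sales,DC=corp,DC=example,DC=com" quit quit

# Windows 2003 SP1 and later ntdsutil also writes LDIF files (ar_*_links_*.ldf) in its
# working directory holding group-membership back-links. Import them only after the
# restored objects have replicated to every DC, otherwise the import fails:
# ldifde -i -k -f <ar_*_links_*.ldf>

# After rebooting normally, verify the marked object now carries a higher version number
# than the copy on a replication partner (it should win and replicate outward):
# repadmin /showobjmeta DC01 "CN=Jane Doe,OU=Sales,DC=corp,DC=example,DC=com"
```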
To read more about Active Directory backup and restore, see this article.
The AD Recycle Bin: Understanding, Implementing, Best Practices, and Troubleshooting