Recover deleted AD objects using a daily System State backup

This tip was submitted to the SearchWin2000.com tip exchange by member Kevin Crandall. Let other users know how useful it is by rating it below.

Whoops! Through a glitch in replication or simultaneous administrative activity, an OU or user(s) has been deleted from your Active Directory. With a little planning, without bothering your backup operator for tapes, you can restore the deleted object(s) in 10 minutes without having to restore from tape by implementing a daily, local backup of System State to the local filesystem.

Then, if necessary, you can perform an Authoritative Restore from that local System State backup without scrambling for tapes.

On a domain controller, use the Win2k backup utility's backup wizard to quickly configure a daily backup of System State to a local filesystem. I usually choose %systemroot%SYSTEM_STATE_BACKUPSYSTEM_STATE.bkf.

Set the backup job to overwrite -- your System State backup will never be more than 24 hours old. If you like, make it more often -- perhaps where a lot of OU manipulation is happening, every 12 hours.

Now, if you ever need to perform a restore of an OU, reboot the DC in safe mode (F8) and choose Directory Services Restore Mode. You'll know at this point whether you remember the Restore Mode password -- because if you don't remember it, you're out of luck.

Use the NT Backup Restore Wizard to restore the System State from %systemroot%SYSTEM_STATE_BACKUPSYSTEM_STATE.bkf.

Do not reboot the server at this time. If you do, you'll have performed what is called an "Unauthoritative Restore" and your restoration will have to compete with replication priorities that might be higher from other DCs.

You want an authoritative restore if you are certain that the entire pie, or just a piece, is missing and should be restored without argument from other DCs.

From a command prompt, start ntdsutil.
At the ntdsutil: prompt, enter 'authoritative restore'.

Any restores from this prompt, like:

authoritative restore: restore subtree "cn=Web Administrator,ou=ITG,dc=nwtraders,dc=msft"

will mark that restore as authoritative and it will replicate appropriately to the other DCs as if it had a high priority, which indeed it does: authoritatively restored data is given the highest update sequence number in the AD replication system.

You can restore any AD object authoritatively, or the entire database.

Rate this Tip To rate tips, you must be a member of SearchWinIT.com. Register now to start rating these tips. Log in if you are already a member. Digg This!     StumbleUpon     Del.icio.us    << PREVIOUS | NEXT >>: Restoring deleted or 'tombstoned' objects in... VIEW ALL IN THIS CATEGORY RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary DISCLAIMER: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.