Can't find "restore database" command in ntdsutil on server 2008

    Question

  • Hello,
    I am trying to learn how to do a full authoritative restore of AD in Server 2008.
    In 2003 and 2000 you could choose in ntdsutil the command "restore database", which marked the whole AD restore as authoritative.
    But in 2008 I can't see this command anymore.
    What's happened? I can't find any documentation about it.
    What do I do if AD has problems and needs a full restore?

    Thanks
    Wednesday, June 03, 2009 6:03 PM

Answers

  • This is no longer supported. Refer to http://technet.microsoft.com/en-us/magazine/cc462796.aspx for alternatives...

    hth
    Marcin
    Wednesday, June 03, 2009 6:39 PM
  • Hi Zivsh,

    Thank you for your query.

    We removed the “restore database” option from the ntdsutil utility because we found that it may cause some serious problems.

    As Marcin stated, an authoritative restore will not overwrite new objects that have been created after the backup was taken. It can only be carried out on objects from the configuration and domain contexts. Authoritative restores of schema naming contexts are not supported. In fact, we can use “restore subtree” to mark a whole partition as authoritative for the directory. The recommendation is to mark the lowest possible point in the tree as authoritative, but you could mark the entire domain subtree authoritative.

    In addition, please remember that it is recommended to have multiple domain controllers in a domain.

    Friday, June 12, 2009 8:08 AM

All replies

  • Thank you Marcin,

    I read the link you sent me, but can't find there a straightforward way to restore the entire AD; also, it all talks about the native backup that comes with 2008. I, like most places, don't use it but use Backup Exec.
    I searched the Web for a few hours and still can't find a straightforward answer to it.

    Thanks
    Friday, June 05, 2009 1:48 PM
  • Understand, but you still can use the backup (and restore) approach as described in the article - regardless of what your enterprise solution is. More specifically, you can still create either system state or volume level backup using Windows Server 2008 built-in functionality, and then offload the results to a long-term storage via whatever solution you have in place. For restores, you would simply reverse this process...
    Note that this methodology will most likely require having a separate volume on each domain controller that will host the local backups (and can be used in case of restores).
    Alternatively, you might want to check with the vendor regarding their recommendations, ensure that they are approved by Microsoft - and test thoroughly their reliability...

    hth
    Marcin

    Friday, June 05, 2009 2:05 PM
  • Thanks Marcin, I read the article again top to bottom and can't find anywhere in it instructions on how to do a full AD authoritative restore, I mean restoring all of the Active Directory database and making sure that it will overwrite all the other DCs. There are all kinds of instructions on how to restore objects within AD, but not a full authoritative restore. There are also some mistakes in this article; I notice that they have a very complicated way to load 2008 in Active Directory restore mode, which you don't need. Just press F8 at boot.

    I don't know why Microsoft discarded it. But there must be some way back.

    Thanks
    Friday, June 05, 2009 9:07 PM
  • P.S. I heard a suggestion to restore all your DCs' system state together to the same day, but there must be something better.
    Friday, June 05, 2009 9:10 PM
  • I guess I wasn't clear enough in my earlier responses.

    There is no full authoritative database restore option in Windows Server 2008 AD. Instead, you can either:
    - authoritatively restore arbitrary AD objects
    - non-authoritatively restore full database
    Both of these options are covered in the article I referenced.

    In case of a disaster/failure that affects your entire domain/forest, you would need to perform non-authoritative restore of a single domain controller (starting with the root domain) and either promote remaining ones or non-authoritatively restore them as well. Then you would need to repeat this process for all other domains in the forest.

    hth
    Marcin
    Friday, June 05, 2009 9:47 PM
  • Thanks Marcin,
    I really find it a surprise that MS removed this option and hasn't made an alternative.
    Is there an explanation why?

    Regards
    Monday, June 08, 2009 2:54 PM
  • Keep in mind that the full authoritative restore is really valid within the context of a single domain controller only (since it does not take into account any changes - on the same or other domain controllers - that took place following the backup on which the restore is based), which leads to an inconsistent outcome.
    In order to avoid these inconsistencies, you should use either a full non-authoritative restore or an authoritative restore of selected objects. This applies as well to pre-Windows Server 2008-based domains...

    hth
    Marcin

    Monday, June 08, 2009 3:01 PM
  • A full AD authoritative restore marks the whole database as the latest version of AD so all other DCs will replicate it as the latest copy and overwrite their own database.
    In the case of a single DC there is no need for an authoritative restore, as a non-authoritative restore will do just the same, since there are no other DCs to replicate.
    A non-authoritative restore in a multi-DC environment is pointless, as the AD database from another DC in the domain will very soon overwrite it with its own version because it is newer.

    The problem now is what you do if your AD has gone berserk. If you only need to restore a user or an OU that is easier, but what do you do in the rare case that there is a much bigger problem?

    Thanks
    Tuesday, June 09, 2009 9:14 PM
  • Zivsh,

    I don't believe that this is correct. A full authoritative restore does not overwrite instances of AD database on all other domain controllers - but increases version number of attributes of its local objects by a value large enough to ensure that it will be higher than attributes of instances of the same objects stored on other domain controllers (so effectively, when they replicate out, they will end up overwriting the lower-version attributes). Note that this does not take into account any new objects created on other domain controllers (or newly set attributes that were not set on the objects on the local DC). As the result, you end up with rather unpredictable outcome, unless you are able to identify all changes that took place across all domain controllers between the time of the backup and its restore.

    As I stated before, if you run into a situation that you described as "AD gone berserk", you need to shut down all of your domain controllers with the exception of one, perform a non-authoritative restore on it, and then either non-authoritatively restore the others or clean up AD and re-promote them...

    hth
    Marcin

    Tuesday, June 09, 2009 9:58 PM
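The two effects Marcin describes (the restored DC wins only because its attribute versions are inflated, and objects created elsewhere after the backup survive because the restored DC has no record of them) can be seen in a small model. The following is an added example, not code from the thread or from Microsoft; it models AD's attribute conflict rule (higher version wins, then later originating timestamp, then higher originating DSA GUID) and ntdsutil's default version increment of 100000 per day since the backup. The DC names, the users and the domain are made up, and the day count is an approximation of what ntdsutil computes.

```powershell
# Added illustration, not code from the thread. A toy model of how an
# authoritative "restore subtree" wins replication conflicts.
# Conflict order modelled here is AD's: version, then timestamp, then DSA GUID.
# Names (dc1/dc2, alice/bob, mydomain.com) are constructed for the example.

function New-Attr($Value, [int]$Version, [datetime]$Stamp, [string]$Dsa) {
    [pscustomobject]@{ Value = $Value; Version = $Version; Stamp = $Stamp; Dsa = $Dsa }
}

# Winner of one attribute conflict: higher version, then later stamp, then higher DSA id.
function Resolve-Attr($A, $B) {
    if ($A.Version -ne $B.Version) { if ($A.Version -gt $B.Version) { return $A } ; return $B }
    if ($A.Stamp   -ne $B.Stamp)   { if ($A.Stamp   -gt $B.Stamp)   { return $A } ; return $B }
    if ($A.Dsa -gt $B.Dsa) { return $A } ; return $B
}

# Inbound replication: merge replica $From into replica $Into.
# A replica is a hashtable DN -> (hashtable attributeName -> attribute record).
function Merge-Replica($Into, $From) {
    foreach ($dn in @($From.Keys)) {
        if (-not $Into.ContainsKey($dn)) { $Into[$dn] = $From[$dn].Clone(); continue }
        foreach ($k in @($From[$dn].Keys)) {
            if ($Into[$dn].ContainsKey($k)) { $Into[$dn][$k] = Resolve-Attr $Into[$dn][$k] $From[$dn][$k] }
            else                            { $Into[$dn][$k] = $From[$dn][$k] }
        }
    }
}

# ntdsutil "restore subtree <DN>": bump every attribute version under the subtree
# by 100000 per day since the backup (ntdsutil's default; "verinc" overrides it).
function Invoke-RestoreSubtree($Replica, [string]$SubtreeDn, [datetime]$BackupTime, [datetime]$Now) {
    $days = [math]::Max(1, [math]::Ceiling(($Now - $BackupTime).TotalDays))  # approximation
    foreach ($dn in @($Replica.Keys) | Where-Object { $_ -like "*$SubtreeDn" }) {
        foreach ($attr in @($Replica[$dn].Values)) { $attr.Version += 100000 * $days }
    }
}

function Show-Replica($Name, $Replica) {
    foreach ($dn in ($Replica.Keys | Sort-Object)) {
        '{0}: {1} description="{2}" (v{3})' -f $Name, $dn, $Replica[$dn].description.Value, $Replica[$dn].description.Version
    }
}

# --- Constructed scenario: backup taken June 1st, restore done June 3rd. ---
$domain     = 'DC=mydomain,DC=com'
$backupTime = Get-Date '2009-06-01 02:00'
$now        = Get-Date '2009-06-03 18:00'

# DC1 right after a non-authoritative restore: exactly the state at backup time.
$dc1 = @{ "CN=alice,OU=Staff,$domain" = @{ description = (New-Attr 'old' 3 $backupTime 'dc1') } }

# DC2, still live: alice was edited after the backup and bob was created after the backup.
$dc2 = @{
    "CN=alice,OU=Staff,$domain" = @{ description = (New-Attr 'changed after backup' 4 (Get-Date '2009-06-02 09:00') 'dc2') }
    "CN=bob,OU=Staff,$domain"   = @{ description = (New-Attr 'created after backup' 1 (Get-Date '2009-06-02 10:00') 'dc2') }
}

Invoke-RestoreSubtree $dc1 $domain $backupTime $now   # comment out to see the non-authoritative case
Merge-Replica $dc2 $dc1                               # DC2 replicates inbound from DC1
Merge-Replica $dc1 $dc2                               # and DC1 from DC2

Show-Replica 'dc1' $dc1
Show-Replica 'dc2' $dc2
# Authoritative: alice's description reverts to "old" on both DCs (v300003 beats v4),
# but bob exists on both DCs too: DC1 never knew about him, so the restore cannot remove him.
# Non-authoritative (Invoke-RestoreSubtree skipped): DC2's v4 wins and the restore is undone,
# which is the "pointless in a multi-DC environment" case Zivsh raises above.
```

Run it once as-is and once with the Invoke-RestoreSubtree line commented out; the difference in alice's value is the whole reason the version bump exists, and bob's survival in both runs is why a subtree restore is not a "full database" restore.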
  • Thank you Marcin, I appreciate your time and effort. It is still a mystery to me why Microsoft removed the restore database command from ntdsutil, which was available on 2003.

    Thanks for taking the time to answer

      
    Wednesday, June 10, 2009 7:47 PM
  • The RESTORE DATABASE command was useless and it could even be dangerous.

    What do you want to use it for?

    --

    Cheers,
    (HOPEFULLY THIS INFORMATION HELPS YOU!)

    # Jorge de Almeida Pinto # MVP Identity & Access - Directory Services #

    BLOG (WEB-BASED)--> http://blogs.dirteam.com/blogs/jorge/default.aspx
    BLOG (RSS-FEEDS)--> http://blogs.dirteam.com/blogs/jorge/rss.aspx
    * This posting is provided "AS IS" with no warranties and confers no rights!
    * Always test ANY suggestion in a test environment before implementing!
    Friday, June 12, 2009 2:02 PM
  • Hello
    Tuesday, June 16, 2009 1:54 PM
  • Hello, thank you both for your reply.
    If I understand correctly, to restore all the domain objects in Active Directory I would use the following command in ntdsutil:

    Restore subtree dc=mydomain,dc=com

    Is that the right syntax?

    Can I restore the schema if it has gone faulty? If yes then how?

    Many thanks
    Tuesday, June 16, 2009 1:58 PM
  • To restore a domain, shut down all of its domain controllers, restart one of them in DSRM and perform a non-authoritative restore. Once this is completed, perform a non-authoritative restore on the other domain controllers, or remove references to them and reinstall/re-promote them.
    To restore a forest, shut down all of its domain controllers and then apply the domain restore, starting with the root domain...

    hth
    Marcin

    Tuesday, June 16, 2009 2:58 PM
  • You cannot restore the schema like that. To restore the schema to a "previous version" you must restore ALL DCs in the AD forest OR restore at least one DC for each AD domain in the AD forest, clean up the AD metadata of the others and re-promote them again.

    Before continuing...
    TELL US what has happened and what you want to achieve!

    --

    Cheers,
    (HOPEFULLY THIS INFORMATION HELPS YOU!)

    # Jorge de Almeida Pinto # MVP Identity & Access - Directory Services #

    BLOG (WEB-BASED)--> http://blogs.dirteam.com/blogs/jorge/default.aspx
    BLOG (RSS-FEEDS)--> http://blogs.dirteam.com/blogs/jorge/rss.aspx
    * This posting is provided "AS IS" with no warranties and confers no rights!
    * Always test ANY suggestion in a test environment before implementing!
    Tuesday, June 16, 2009 7:59 PM
  • Thanks,
    I think that restoring all the DCs in the forest is a very, very problematic task; also demoting them and promoting them again will cause you to lose Active Directory in that domain and all kinds of other problems.
    That is why I am surprised that MS doesn't have a more straightforward way.

    Nothing has happened to my domain, I am just preparing and studying for all kinds of situations, and found out that the restore database command doesn't exist any more.

    Will the command Restore subtree dc=mydomain,dc=com work for restoring all users, computers and OU objects?

    Thanks
    Wednesday, June 17, 2009 10:45 AM
  • Hi,

    The command is used to mark the whole domain partition (dc=mydomain,dc=com) as authoritative.

    You may refer to the following article for more information:

    Planning for Active Directory Forest Recovery
    http://technet.microsoft.com/en-us/library/cc786327(WS.10).aspx

    Thanks

    Friday, June 19, 2009 1:47 AM
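Putting the thread's answers together as one runnable sequence on the DC that is to become authoritative for the domain partition: this is an added walk-through, not code from the thread or from Microsoft. It uses only the built-in Windows Server 2008 tools the replies mention (bcdedit for DSRM, wbadmin for the system state restore, ntdsutil for "restore subtree", repadmin to check the result). The drive letter E:, the wbadmin version identifier, the domain DN and the object names are placeholders; the "restore object" and single-OU lines are there to show the "lowest possible point in the tree" recommendation from the accepted answer.

```powershell
# Added walk-through, not from the thread. Authoritative restore of the whole
# domain partition on Windows Server 2008 with built-in tools only.
# Placeholders: E: (volume holding the Windows Server Backup system state backup),
# the -version identifier, DC=mydomain,DC=com and the object/OU names.

$backupTarget = 'E:'
$domainDn     = 'DC=mydomain,DC=com'

# 1. Force the next boot into Directory Services Restore Mode.
#    Same result as pressing F8 at boot, but scriptable on a remote or headless box.
bcdedit /set safeboot dsrepair
shutdown /r /t 0

# --- after the reboot, logged on in DSRM as .\Administrator with the DSRM password ---

# 2. List the available backups and restore system state NON-authoritatively.
#    -authsysvol additionally marks SYSVOL authoritative; use it when group policy
#    must also come back from this backup.
wbadmin get versions -backupTarget:$backupTarget
wbadmin start systemstaterecovery -version:06/03/2009-18:00 -backupTarget:$backupTarget -authsysvol -quiet
# wbadmin asks for a restart when it finishes; safeboot is still set, so the DC
# comes back up in DSRM and AD stays offline for step 3.

# 3. Mark the restored data authoritative BEFORE leaving DSRM. The whole domain
#    partition is the 2008 replacement for the removed "restore database":
ntdsutil "activate instance ntds" "authoritative restore" "restore subtree $domainDn" quit quit
# Smaller scopes, preferred whenever they cover the damage:
#   ntdsutil "activate instance ntds" "authoritative restore" "restore subtree OU=Staff,$domainDn" quit quit
#   ntdsutil "activate instance ntds" "authoritative restore" "restore object CN=alice,OU=Staff,$domainDn" quit quit
# ntdsutil may write .ldf files for group memberships (back-links) it could not
# restore itself; import them after replication with:  ldifde -i -k -f <file>.ldf

# 4. Boot normally and let the inflated attribute versions replicate out.
bcdedit /deletevalue safeboot
shutdown /r /t 0

# 5. From a normal session, confirm the restored object's attribute versions now
#    exceed what the other DCs hold ("." = the local DC).
repadmin /showobjmeta . "CN=alice,OU=Staff,$domainDn"
```

Note that "restore subtree" on the domain partition does nothing for the schema or configuration partitions; for those, and for any object created elsewhere after the backup, you are back to Marcin's and Jorge's forest recovery procedure (one non-authoritative restore per domain, metadata cleanup, re-promote the rest).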