Authoritative restore and Non Authoritative restore

  • Question

  • Hi

    1. What's the difference between Authoritative restore and Non Authoritative restore? Please explain with an example.

     

    Also, if anyone has Windows questions and answers with troubleshooting and live scenarios, please help me.

    Tuesday, September 6, 2011 9:11 PM

Answers

  • As everyone's saying, and just to add, with a non-authoritative restore, you're simply restoring AD with a system state restore. If there is more than one DC, and you had deleted an object, that object will remain deleted, even after a non-authoritative restore. If it's a single DC (such as SBS or just one non-SBS), you can restore a backup prior to the deletion to restore it. But if there is more than one DC, and you run a non-authoritative restore expecting to bring the object back, it won't, because the replica DC will replicate the fact that it was deleted.

    To understand this better, keep in mind that each DC knows of each object, as well as of the replica DCs' USN value. That is the Update Sequence Number. Whenever a change occurs (add/delete/modify, etc.), the USN value will change. Each DC keeps track of other DCs' USNs. If a DC sees a USN was changed on another replication partner DC, it will ask for the changes (replication), then the change will replicate. Each DC has an overall USN, as does each object in the directory.

    If you want to re-animate an object in a multi-DC scenario, you can run an authoritative restore. During this process, with Windows 2003 and newer, as mentioned, you run a non-authoritative first, and while still in DSRM (Dir Svc Restore Mode), don't restart the DC yet. Before you restart the DC, you want to use ntdsutil to perform the authoritative restore by identifying the DN of the object, and the system will bump up the USN value of that specific object to a value much higher than other DCs would have for that object, and then restart. Upon restart, during replication, the other DCs will see that that object has a higher USN than it previously had, and therefore will re-animate it.

    IIRC, in Windows 2000, we had to manually bump up the value by adding 100,000 to the object's USN in ntdsutil. But as mentioned above, that was changed with Windows 2003 and newer, where it's now done automatically for you.

    Read the links that the others provided. They give more info about restoring specific leaf objects, OU subtrees, etc. Please note that in a single DC environment, if you were to perform an authoritative restore of the whole directory, you may inadvertently cause issues because you may be restoring the previous secure channel password, after which the current machines in the domain will no longer communicate with that DC.

     

    Also, if anyone has Windows questions and answers with troubleshooting and live scenarios, please help me.

    As for your question above, I'm not sure what you're asking.


    Ace Fekay
    MVP, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007 & Exchange 2010, Exchange 2010 Enterprise Administrator, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services
    Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php

    This posting is provided AS-IS with no warranties or guarantees and confers no rights.

    Wednesday, September 7, 2011 1:01 AM
  • Hello,

    Performing an Authoritative Restore of Active Directory Objects: http://technet.microsoft.com/en-us/library/cc779573(WS.10).aspx

    Example: You accidentally deleted an AD user and you want to restore it. You can use an authoritative restore to perform that.

    Note that now you can do that by enabling the AD Recycle Bin, and you no longer need a restore operation.

     

    Performing a Nonauthoritative Restore of a Domain Controller: http://technet.microsoft.com/en-us/library/cc784922(WS.10).aspx

    Example: You had hardware problems on a DC and you solved them after re-installing the DC OS. You can use a non-authoritative restore so that you don't delete recently made changes.

     


    This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.

    Microsoft Student Partner 2010 / 2011
    Microsoft Certified Professional
    Microsoft Certified Systems Administrator: Security
    Microsoft Certified Systems Engineer: Security
    Microsoft Certified Technology Specialist: Windows Server 2008 Active Directory, Configuration
    Microsoft Certified Technology Specialist: Windows Server 2008 Network Infrastructure, Configuration
    Microsoft Certified Technology Specialist: Windows Server 2008 Applications Infrastructure, Configuration
    Microsoft Certified Technology Specialist: Windows 7, Configuring
    Microsoft Certified IT Professional: Enterprise Administrator
    Microsoft Certified IT Professional: Server Administrator


     

    Tuesday, September 6, 2011 9:29 PM
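
Added example (not from the original thread or from Microsoft's documentation): the AD Recycle Bin path mentioned in the answer above, in PowerShell. It assumes the ActiveDirectory module on a domain controller named DC01 in the forest corp.example.com, a deleted user with sAMAccountName jdoe, and a forest functional level of Windows Server 2008 R2 or higher; the server, forest and user names are placeholders.

```powershell
# Added example: recover a deleted user through the AD Recycle Bin instead of a
# system state restore. DC01, corp.example.com and jdoe are assumed placeholder names.
# Enabling the Recycle Bin feature is a one-way change for the forest.
Import-Module ActiveDirectory

function Enable-RecycleBinIfNeeded {
    param([string] $Server = 'DC01')
    $forest  = Get-ADForest -Server $Server
    $feature = Get-ADOptionalFeature -Identity 'Recycle Bin Feature' -Server $Server
    if ($feature.EnabledScopes.Count -eq 0) {
        Enable-ADOptionalFeature -Identity 'Recycle Bin Feature' `
            -Scope ForestOrConfigurationSet -Target $forest.Name -Server $Server -Confirm:$false
        # Only objects deleted from this point on are recoverable this way;
        # anything deleted earlier still needs an authoritative restore from backup.
        return 'enabled now'
    }
    return 'already enabled'
}

function Find-DeletedUser {
    param([Parameter(Mandatory)] [string] $SamAccountName, [string] $Server = 'DC01')
    # Deleted objects sit under CN=Deleted Objects and are hidden unless asked for.
    Get-ADObject -Server $Server -IncludeDeletedObjects `
        -LDAPFilter "(&(isDeleted=TRUE)(sAMAccountName=$SamAccountName))" `
        -Properties lastKnownParent, whenChanged, isRecycled
}

function Restore-DeletedUser {
    param([Parameter(Mandatory)] [string] $SamAccountName, [string] $Server = 'DC01')
    $obj = Find-DeletedUser -SamAccountName $SamAccountName -Server $Server
    if (-not $obj) {
        throw "No deleted object for $SamAccountName within the deleted object lifetime"
    }
    if ($obj.isRecycled) {
        # A recycled object has lost most attributes; only a backup can bring it back.
        throw "$SamAccountName is already recycled, use an authoritative restore from backup"
    }
    # Restore-ADObject puts the object back under lastKnownParent. If that OU was
    # deleted too, restore the container first, the same container-before-leaf
    # ordering an authoritative restore of a subtree needs.
    $parent = Get-ADObject -Server $Server -IncludeDeletedObjects `
        -Identity $obj.lastKnownParent -Properties isDeleted
    if ($parent.isDeleted) {
        Restore-ADObject -Server $Server -Identity $parent.ObjectGUID
    }
    Restore-ADObject -Server $Server -Identity $obj.ObjectGUID -PassThru
}

# Enable-RecycleBinIfNeeded
# Restore-DeletedUser -SamAccountName 'jdoe'
```

The restored user keeps its SID, group memberships and other attributes, which is what makes this preferable to the ntdsutil route when the feature was already enabled before the deletion. The window is the forest's deleted object lifetime (msDS-DeletedObjectLifetime, 180 days on a new forest); after that the object becomes recycled and Find-DeletedUser shows isRecycled = True.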

All replies

  • Hello,

    authoritative restore will update existing DCs with the restored data.

    Non-authoritative restore will replicate the existing data from another DC.

    Which Windows questions and answers are you talking about?


    Best regards Meinolf Weber Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.
    Tuesday, September 6, 2011 9:16 PM
  • Read the following document for Authoritative and Non-authoritative restore details:

    http://technet.microsoft.com/en-us/library/bb727048.aspx#EKAA

    Non-authoritative restore is the default method for restoring Active Directory, and you use it in most situations that result from Active Directory data loss or corruption. You must be able to start in Directory Services Restore Mode to perform a non-authoritative restore. After you restore the domain controller from backup media, replication partners use the standard replication protocols to update both the Active Directory and FRS on the restored domain controller.

    If you have any other question please post them here.


    Santhosh Sivarajan | MCTS, MCSE (W2K3/W2K/NT4), MCSA (W2K3/W2K/MSG), CCNA, Network+| Houston, TX
    Blogs - http://blogs.sivarajan.com/


    This posting is provided AS IS with no warranties,and confers no rights.
    Tuesday, September 6, 2011 9:21 PM
  • Hi,

    Non Authoritative Restore: This method reinstates the Active Directory data to the state before the backup, and then updates the data through the normal replication process. Perform a normal restore for a single domain controller to a previously known good state.

    Authoritative Restore: You perform this method in tandem with a normal restore. An authoritative restore marks specific data as current and prevents replication from overwriting that data. The authoritative data is then replicated through the domain. Perform an authoritative restore for individual objects in a domain that has multiple domain controllers. When you perform an authoritative restore, you lose all changes to the restored object that occurred after the backup. You need to use the NTDSUTIL command line utility to perform an authoritative restore. You need to use it in order to mark Active Directory objects as authoritative, so that they receive a higher version number and recently changed data on other domain controllers does not overwrite the System State data during replication.


    If you found this post helpful, please give it a "Helpful" vote. If it answered your question, remember to mark it as an "Answer". This posting is provided "AS IS" with no warranties and confers no rights! Always test ANY suggestion in a test environment before implementing!
    Wednesday, September 7, 2011 2:53 AM
  • A non-authoritative restore returns the domain controller to its state at the time of backup, then allows normal replication to overwrite that state with any changes that have occurred after the backup was taken. After you restore the system state, the domain controller queries its replication partners. The replication partners replicate any changes to the restored domain controller, ensuring that the domain controller has an accurate and updated copy of the Active Directory database.

    An authoritative restore is an extension of the non-authoritative restore process. You must perform the steps of a non-authoritative restore before you can perform an authoritative restore. The main difference is that an authoritative restore has the ability to increment the version number of the attributes of all objects in an entire directory, all objects in a subtree, or an individual object (provided that it is a leaf object) to make it authoritative in the directory. Restore the smallest unit necessary; for example, do not restore the entire directory in order to restore a single subtree. Perform an authoritative restore when human error is involved, such as when an administrator accidentally deletes a number of objects and that change replicates to the other domain controllers and you cannot easily recreate the objects. To perform an authoritative restore, you must start the domain controller in Directory Services Restore Mode.

    For question and answer you may search for interview questions. You should be able to find Windows question and answers with the troubleshooting and live scenarios.


    If you found this post helpful, please "Vote as Helpful". If it answered your question, remember to "Mark as Answer". MCSE,MSCITP-EA
    Wednesday, September 7, 2011 3:41 AM
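
Added example (not from the original thread): the procedure that Ace's answer under "Answers" above and this reply both describe, as it would be driven from an elevated PowerShell prompt on the DC booted into Directory Services Restore Mode, followed by the check to run after the reboot. The backup target E:, the backup version identifier, the domain corp.example.com, the DCs DC01/DC02 and the deleted user CN=jdoe under OU=Sales are assumptions; Get-ADReplicationAttributeMetadata needs the ActiveDirectory module from Windows Server 2012 or later.

```powershell
# Added example: non-authoritative system state restore followed by marking one
# object authoritative with ntdsutil, run on a DC booted into DSRM. E:, the
# version identifier, corp.example.com, DC01/DC02 and CN=jdoe are assumptions.
$BackupTarget = 'E:'
# A CN without spaces keeps the ntdsutil argument free of inner quoting;
# a DN with spaces must be wrapped in double quotes inside the command.
$Dn = 'CN=jdoe,OU=Sales,DC=corp,DC=example,DC=com'

# Step 1 (DSRM): list the system state backups and pick one taken BEFORE the deletion.
wbadmin get versions "-backupTarget:$BackupTarget"

# Step 2 (DSRM): the non-authoritative part, a plain system state restore.
# The version identifier is one of those printed by 'wbadmin get versions'.
$Version = '09/05/2011-22:00'   # assumption: a backup that predates the deletion
wbadmin start systemstaterecovery "-version:$Version" "-backupTarget:$BackupTarget" -quiet

# Step 3 (still in DSRM, do NOT reboot yet): mark only the deleted object authoritative.
# ntdsutil takes its interactive commands as arguments. 'restore object' raises the
# version number of every attribute of the object by 100,000 for each day of age of
# the backup, so after the reboot the partner DCs accept this copy instead of their
# tombstone. Use 'restore subtree <DN>' for a deleted OU and everything under it,
# and never the whole directory just to get one object back.
ntdsutil 'activate instance ntds' 'authoritative restore' "restore object $Dn" 'quit' 'quit'

# ntdsutil also writes an ar_<timestamp>_links_<domain>.ldf file in the current
# directory. Import it after the reboot (ldifde -i -k -f <file>) to put the restored
# user back into its groups: group membership is a back-link and is not carried by
# the user object itself.

# Step 4: reboot normally and let replication run (Restart-Computer).

# Step 5 (after reboot): confirm the restored object replicated and compare the
# per-attribute version numbers the restored DC and a partner DC hold for it.
function Compare-ObjectVersions {
    param(
        [Parameter(Mandatory)] [string] $Identity,
        [Parameter(Mandatory)] [string] $RestoredDc,
        [Parameter(Mandatory)] [string] $PartnerDc
    )
    Import-Module ActiveDirectory
    $restored = Get-ADReplicationAttributeMetadata -Object $Identity -Server $RestoredDc
    $partner  = Get-ADReplicationAttributeMetadata -Object $Identity -Server $PartnerDc
    foreach ($attr in $restored) {
        $peer = $partner | Where-Object { $_.AttributeName -eq $attr.AttributeName }
        [pscustomobject]@{
            Attribute       = $attr.AttributeName
            RestoredVersion = $attr.Version
            PartnerVersion  = if ($peer) { $peer.Version } else { $null }
            InSync          = [bool]($peer -and $peer.Version -eq $attr.Version)
        }
    }
}

# Compare-ObjectVersions -Identity $Dn -RestoredDc 'DC01' -PartnerDc 'DC02' | Format-Table
```

Once replication has converged, every row shows InSync = True and both version columns carry the raised value (repadmin /showobjmeta DC02 "<DN>" shows the same numbers in its Ver column). A row whose PartnerVersion is still the old, lower value means that DC has not pulled the change yet; repadmin /replicate DC02 DC01 "DC=corp,DC=example,DC=com" forces it. For the single-DC, whole-directory case Ace warns about, run Test-ComputerSecureChannel on a member afterwards; if it returns False, Reset-ComputerMachinePassword -Server DC01 -Credential (Get-Credential) re-establishes the secure channel with the restored DC.
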
  • Authoritative restore is distributing the restored object changes to other DCs in the domain, whereas non-authoritative restore is accepting the changes from other DCs in the domain to bring it back to the earlier stage.

    Ex: Consider that you deleted an object and you want it back in AD; you do an authoritative restore, and it does this by increasing the USN (Update Sequence Number) of the object almost 100,000 times, whereas a non-authoritative restore is normally used in a scenario where you have extended the schema (disabling outbound replication) or made some change in AD that caused it to behave unstably or created issues in AD; then you want to restore the DC as well as the domain to an earlier healthy state using a system state backup, and the changes are then replicated to the restored DC.

    Though nowadays, due to the AD Recycle Bin feature, you don't have to go through such a big process. Non-authoritative restore is rarely performed. Authoritative restore is only performed when you want to recover some deleted objects or groups.

     

    Regards  


    Awinish Vishwakarma

    MY BLOG:  http://awinish.wordpress.com 

    • Edited by Awinish Wednesday, September 7, 2011 8:15 AM
    Wednesday, September 7, 2011 6:22 AM
  • In addition,

    http://www.petri.co.il/restore-windows-server-2003-active-directory.htm


    Best regards Biswajit Biswas Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights. MCP 2003,MCSA 2003, MCSA:M 2003, CCNA, MCTS, Enterprise Admin
    Wednesday, September 7, 2011 8:26 AM
  • Hello meinolf,

    Really superb answer; two lines explained the main difference between the two types of restore method.


    Thanks & Regards, Mani S

    Thursday, May 31, 2012 1:23 AM
  • Hello,

    I know it's late, but let me give you the simple difference between Non-Authoritative and Authoritative Restore of Active Directory, which you will never forget.

    Non-Authoritative Restore: If we have a problem with hardware or software, then we are supposed to perform a non-authoritative restore, so that we can restore the full Active Directory from Backup (using a system state backup) or from the command line (using the NTDS Utility).

    Authoritative Restore: If by mistake we delete an AD Object (user/OU) and later realise that particular object is required, then we are supposed to perform an authoritative restore, so that we can restore only that particular object which was deleted. An authoritative restore can be done using Backup or from the command line (using the NTDS Utility).


    For Step by Step instructions please refer below link:


    http://www.isaacoben.com/2009/07/04/performing-an-authoritative-restore-for-active-directory-deleted-objects-or-containers/

    For L3 Authoritative and Non-Authoritative Restore, please refer below link:

    http://technet.microsoft.com/en-us/library/cc816878%28v=ws.10%29.aspx


    Friday, May 23, 2014 8:41 PM
  • Hi Sir,

    Thanks for the advice, I got the answer I was looking for

    Monday, January 11, 2016 12:34 PM
  • Nice and simple explanation
    Friday, May 27, 2016 5:41 PM
  • Hello,

    Authoritative restore will update existing DCs with the restored data, which will eventually be replicated to all other DCs in a multi-DC environment.

    But non-authoritative restore will replicate the existing data from another DC to the one on which you performed the restore.

    Hence, as per your requirement, if you want to restore previous data you can do an authoritative restore, but if you want to bring up a DC which may have failed to boot or had a hardware failure, you can do a non-authoritative restore.

    Wednesday, November 21, 2018 11:16 AM