none
A question about Active Directory Authoritative Restore

    Question

  • Hello

    Can someone please help with the following question.

    I as reading a Microsoft document pertaining to Active Directory restore, now the particular document I was reading was for Windows 2000 AD (yes there are still some out there in the world) 

    When I say "I understand" below this is based on current knowledge from what I have read etc. so please correct if wrong.

    Before I ask my question I understand the way AD deals with the synchronisation of multi-valued linked attributes (e.g. group memberships) in Windows 2000 changed in Windows 2003. From what I have read in Windows 2000 if you added or removed a user from a group the 'whole' group membership would by synced out, rather than just to alteration/s themselves. where as with Windows 2003 onward just the alterations are synced (e.g. not the whole group membership). 


    I also understand, when deleting a user in AD who is a member of a group the back-link (is it the group that has the back-link and the user the forward-link of the other way around?) the group members attribute does not refer to the users tombstone but rather the that particular entry (e.g. for the deleted user) is marked 'absent' until garbage cleanup takes place.

    So it makes sense when restoring deleted users and groups (e.g. in an authoritative restore scenario) the user objects should eb restored and synced out before the groups are restored and synced out so the user/group 'MemberOf/Members'  can be reconnected (for that reason I believe it is the user which is the forward-link and the group the back-link) 

    However the document I read goes on to say you cannot predict (unless you do and object by object restore) which would be restored and synced first when it comes to users and their group memberships.

    it said the way around this problem is to do the following

    Before you let the DC (on which you have done the authoritative restore) to sync with the rest of the DCs; create a new dummy user and add this user to all the restored groups, then remove the user from all these groups again. Once done let the DC sync with the remainder of the domain.

    My Question is as follows:

    As this particular document was referring to Windows 2000 (and regarding behavioural changed to how multi-values back-linked objects are now handled) I was wondering if these step (adding removing dummy user to from all authoritatively groups) is still required with Windows 2003 and above in order to perform a successful authoritative restore (e.g. user restore users and group have their correct group memberships back following the restore and sync).

    Any advise most welcome

    Thanks
    EBrant


    Sunday, December 4, 2016 12:14 PM

All replies

  • Further to the above

    I built a LAB and tested the behaviour of Authoritative Restore in a Windows 2012 R2  domain (single domain forest and function levels at their highest)

    In this scenario the groups membership information for the restored user accounts (groups were not deleted) can back OK (all be it a small domain) next I will test it by deleting both users and group accounts.

    In the meantime if anyone has any information concerning my original question above please reply to this post.

    Thanks

    EBrant 

    Sunday, December 4, 2016 5:46 PM
  • Hi EBrant,
    Thank you for the test and sharing the result, it will be greatly helpful to others who have the same question.
    Best regards,
    Wendy

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    Tuesday, December 6, 2016 8:12 AM
    Moderator