Authoritative restore not performed after non-authoritative restore in Windows Server 2008 R2

    Question

  • Hi, I have a Windows Server 2008 R2 domain controller. I have taken a system state backup of it through wbadmin at the command prompt.

    Unfortunately a user has been deleted from the OU. I restarted the DC in Directory Services Restore Mode, logged in with the restore mode password and ran a non-authoritative restore of the system state backup that was taken before the deletion of the object.

    The restore from backup runs perfectly, but after the restore completes it only asks for a restart. As per the different documents online, if I want to restore a single object, as is the case in my task, I need to first restore the system state backup non-authoritatively, and then when the restore completes I should press No and restore the deleted object authoritatively.

    In Windows Server 2008 SP2, after the non-authoritative restore of the system state backup, there is a prompt asking whether you want to restart or not. If we press No, we can then do the authoritative restore.

    Regards,

    Devang Patel

    • Moved by SriramB [MSFT] (Microsoft employee), Tuesday, March 08, 2011 12:13 PM: Active Directory specific recovery related (From: Backup – Windows and Windows Server)
    Friday, March 04, 2011 7:04 PM

All replies

  • Hi Devang,

    If you want to perform an authoritative restore, you may need to boot into Directory Services Restore Mode. Please try to hit the F8 key when the server restarts. It should prompt with a message to let you select the boot mode.

    Hope it helps.

    Scorpio


    TechNet Software Assurance Managed Newsgroup MCTS: Windows Vista | Exchange Server 2007 MCITP: Enterprise Support Technician | Server & Enterprise Admin | System Architect
    Sunday, March 06, 2011 5:32 AM
  • Hi
    Thanks for reply

    On a physical machine, after a successful non-authoritative restore of the backup it asked for a restart. I restarted it, pressed F8 and booted again into Directory Services Restore Mode successfully. But for the same procedure in Hyper-V (virtual machine), it was not allowed to boot into Directory Services Restore Mode after rebooting the virtual machine once the non-authoritative restore had completed successfully.

    After booting again into Directory Services Restore Mode on the physical machine, I tried to do an authoritative restore of the object deleted in Organizational Unit SPT -> staff.

    Below is the output:
    Microsoft Windows [Version 6.1.7600]
    Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

    C:\Users\Administrator.PDC.000>ntdsutil
    ntdsutil: authoritative restore
    Active Instance not set. To set an active instance use "Activate Instance ".
    ntdsutil: activate instance ntds
    Active instance set to "ntds".
    ntdsutil: authoritative restore
    authoritative restore: restore object "cn=ravi sadhu,ou=spt\staff,dc=contoso,dc=com"

    Opening DIT database... Done.

    The current time is 03-08-11 12:12.08.
    Most recent database update occured at 03-08-11 11:28.38.
    Increasing attribute version numbers by 100000.

    Counting records that need updating...
    Records found: 0000000000
    Could not parse the given DN.

    Authoritative Restore failed.

    Error parsing Input - Invalid Syntax.
    authoritative restore: q
    ntdsutil: q

    C:\Users\Administrator.PDC.000>

    Tuesday, March 08, 2011 11:55 AM
  • You don't necessarily need to restore the object in AD by booting into DSRM mode; you just need to stop/disable the Active Directory Domain Services service (net stop ntds, or from services.msc).

    Open cmd

    ntdsutil
    activate instance NTDS
    authoritative restore
    restore object "CN=abc,OU=account,DC=MYDOMAIN,DC=COM"

    http://blogs.technet.com/b/marcelodiiorio/archive/2008/11/20/windows-server-2008-active-directory-authoritative-restore-d4-part-1.aspx

    For the steps, check the link below.

    http://technet.microsoft.com/en-us/library/cc779573%28WS.10%29.aspx#BKMK_after_deletions

    The syntax is wrong for specifying the OU ou=spt\staff (it should be ou=spt,ou=staff), and if the user is in the USERS container it has to be cn=ravi,cn=users.


    Regards


    Awinish Vishwakarma| MY Blog

    Disclaimer : This posting is provided AS-IS with no warranties or guarantees and confers no rights.

    Tuesday, March 08, 2011 12:35 PM
    Moderator
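The reply above pins the failure on the DN syntax, and the transcript shows exactly what goes wrong: ntdsutil reports "Could not parse the given DN" because `ou=spt\staff` is a folder path, not an LDAP DN, and an LDAP DN lists the deepest container first (`OU=Staff,OU=SPT,...`). The following PowerShell is an added example, not code from the thread or from Microsoft. It builds a correct DN from the folder-style path, escapes the characters RFC 4514 reserves, and runs the same ntdsutil menu sequence unattended so the "Records found" line can be checked. The domain name contoso.com, the OU and user names, and the assumption that ntdsutil accepts its menu commands as chained arguments with the DN quoted inside one of them are mine; use -DryRun first to inspect the command line in your own lab.

```powershell
# Added example (not from the thread). Run in an elevated prompt on the DC after
# the non-authoritative restore, either in DSRM or with AD DS stopped (net stop ntds).
# Assumed lab data: domain contoso.com, OU SPT containing OU Staff, user "Ravi Sadhu".

# Escape the characters RFC 4514 reserves inside an RDN value, so a CN such as
# "Sadhu, Ravi" cannot be mis-parsed as two RDNs.
function ConvertTo-EscapedRdnValue {
    param([Parameter(Mandatory=$true)][string]$Value)
    $v = $Value -replace '([\\,+"<>;=])', '\$1'
    if ($v.StartsWith('#') -or $v.StartsWith(' ')) { $v = '\' + $v }
    if ($v.EndsWith(' ')) { $v = $v.Substring(0, $v.Length - 1) + '\ ' }
    return $v
}

# Turn a parent\child path as shown in the AD Users and Computers tree (SPT\Staff)
# into LDAP form, which lists the leaf container first: OU=Staff,OU=SPT,DC=...
# "ou=spt\staff" is not a DN at all, which is why ntdsutil said "Could not parse".
function ConvertTo-ObjectDN {
    param(
        [Parameter(Mandatory=$true)][string]$ObjectName,  # CN of the user or computer
        [string]$OuPath = '',                             # e.g. 'SPT\Staff'; empty = Users container
        [Parameter(Mandatory=$true)][string]$DnsDomain    # e.g. 'contoso.com'
    )
    $rdns = @('CN=' + (ConvertTo-EscapedRdnValue $ObjectName))
    $ous = @($OuPath -split '[\\/]' | Where-Object { $_ -ne '' })
    if ($ous.Count -eq 0) {
        $rdns += 'CN=Users'        # the default Users container is a CN, not an OU
    } else {
        [array]::Reverse($ous)     # deepest OU must come first in the DN
        foreach ($ou in $ous) { $rdns += 'OU=' + (ConvertTo-EscapedRdnValue $ou) }
    }
    $rdns += @($DnsDomain -split '\.' | ForEach-Object { "DC=$_" })
    return ($rdns -join ',')
}

# Run the same menu sequence the thread types by hand, but unattended: ntdsutil
# takes each menu command as an argument and "q" "q" backs out of both menus.
# The DN is wrapped in \" so that argv parsing keeps the space in the CN inside
# one argument (assumption; use -DryRun to inspect the line first).
function Invoke-AuthoritativeObjectRestore {
    param([Parameter(Mandatory=$true)][string]$DN, [switch]$DryRun)
    $cmdLine = 'ntdsutil "activate instance ntds" "authoritative restore" ' +
               '"restore object \"' + $DN + '\"" q q'
    if ($DryRun) { return $cmdLine }
    $script = Join-Path $env:TEMP 'ar-restore.cmd'
    Set-Content -Path $script -Value $cmdLine -Encoding ASCII
    $output = cmd.exe /c $script 2>&1 | Out-String
    Remove-Item $script -ErrorAction SilentlyContinue
    # ntdsutil reports how many records it re-versioned; "Records found: 0000000000"
    # together with "Authoritative Restore failed." is the failure seen in the thread.
    $records = 0
    if ($output -match 'Records found:\s*(\d+)') { $records = [int]$Matches[1] }
    $ok = ($records -gt 0) -and ($output -notmatch 'Authoritative Restore failed')
    return New-Object PSObject -Property @{ Success = $ok; Records = $records; Output = $output }
}

# Usage: DN for the failing case from the first transcript, then a dry run.
$dn = ConvertTo-ObjectDN -ObjectName 'Ravi Sadhu' -OuPath 'SPT\Staff' -DnsDomain 'contoso.com'
Invoke-AuthoritativeObjectRestore -DN $dn -DryRun
```

Drop -DryRun to execute; a result with Records of 0 means the object was not found at that DN in the restored database, so check the DN against the backup (for example with the deleted-object viewer before the restore) rather than rebooting and replicating nothing.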
  • After the restore, reboot and log back in via AD DSRM; from here you should run ntdsutil to set the account to restore authoritatively.  If you choose to boot up into standard mode and use net stop, make sure you have disconnected the server from the network prior to the restart; otherwise you could replicate over the top of your changes.  Once up, bring up an elevated command prompt and do your net stop commands.

    Also, when you do a restore of a user object, your backlinks (group membership) will not be there.  Your initial restore will appear to have done what you expected, but only the user will be restored, and that won't help you a whole lot if the user had a lot of group memberships.

    You should ensure that you follow the link below:
    http://support.microsoft.com/kb/840001

    --
    Paul Bergson
    MVP - Directory Services
    MCITP: Enterprise Administrator
    MCTS, MCT, MCSE, MCSA, Security+, BS CSci
    2008, Vista, 2003, 2000 (Early Achiever), NT4
    http://www.pbbergs.com    Twitter @pbbergs
    http://blogs.dirteam.com/blogs/paulbergson

    Please no e-mails, any questions should be posted in the NewsGroup. This
    posting is provided "AS IS" with no warranties, and confers no rights.

    Tuesday, March 08, 2011 1:57 PM
    Moderator
  • Thanks Awinish

    I have tried as per your guidelines

    I have created one domain, contoso.com. Under that I have created one OU called SPT and created four users in it. I also created another OU called SPM under contoso, and under SPM I created one more OU, Staff, and created two users.
    I deleted one user from the SPT OU (named Ravi Sadhu) and one user from the SPM->Staff OU (named Rajul Patel).

    I restarted the server in DSRM mode, non-authoritatively restored the backup, restarted the server and again booted into DSRM mode. Then I authoritatively restored the object in the SPT OU (named Ravi Patel) successfully with the syntax below:

    ntdsutil
    activate instance ntds
    authoritative restore
    restore object "CN=Ravi Sadhu,OU=SPT,DC=Contoso,DC=Com"
    It ran successfully.

    But for the other syntax, for the SPM->Staff user:

    ntdsutil
    activate instance ntds
    authoritative restore
    restore object "CN=Rajul Patel,OU=SPM,OU=Staff,DC=Contoso,DC=Com"

    it failed with the error I posted here first.

    Regarding backlinks, I successfully restored the backlinks for the object that I restored successfully.

    Monday, March 14, 2011 11:46 AM
  • The restore object command should have concluded with a q q (not sure what these mean though).
    http://support.microsoft.com/kb/840001

    ntdsutil
    activate instance ntds
    authoritative restore
    restore object "CN=Ravi Sadhu,OU=SPT,DC=Contoso,DC=Com" q q
    restart

    If there is more than one DC in the domain/forest, disconnect the network connections prior to the reboot.  Reboot, then log back on and check to see if the objects are still in your domain.  Once up you can disable inbound replication:
    repadmin /options <recovery dc name> +DISABLE_INBOUND_REPL  (per previous link)

    Then you can hook up your DC and it will replicate outbound, but this shouldn't matter since this DC is the master for the latest change.

    Anyways, let us know the outcome.

    --
    Paul Bergson
    MVP - Directory Services
    MCITP: Enterprise Administrator
    MCTS, MCT, MCSE, MCSA, Security+, BS CSci
    2008, Vista, 2003, 2000 (Early Achiever), NT4
    http://www.pbbergs.com    Twitter @pbbergs
    http://blogs.dirteam.com/blogs/paulbergson

    Please no e-mails, any questions should be posted in the NewsGroup. This
    posting is provided "AS IS" with no warranties, and confers no rights.

    Monday, March 14, 2011 12:19 PM
    Moderator
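The post above describes the post-restore sequence: reboot with the cable unplugged, confirm the object is back on the recovery DC, disable inbound replication with repadmin, reconnect, and let the DC replicate outbound. Two earlier points belong in the same sequence, namely restoring the group-membership backlinks and checking the object on a remote DC. The PowerShell below is an added example, not code from the thread or from Microsoft, that chains those steps together using plain ADSI (no AD module needed on 2008 R2), repadmin and ldifde. The DC names PDC.contoso.com and DC2.contoso.com, the restored DN, and the working folder in which ntdsutil was started (where it leaves its ar_*_links_<domain>.ldf files) are assumptions; adjust them before running.

```powershell
# Added example (not from the thread). Run on the recovery DC after it has been
# rebooted normally with the network cable unplugged and the object restored.
# Assumed names: recovery DC PDC.contoso.com, partner DC DC2.contoso.com, the
# restored DN, and the folder ntdsutil was started from, which is where it
# leaves its ar_*_links_<domain>.ldf backlink files.
$RecoveryDC      = 'PDC.contoso.com'
$PartnerDC       = 'DC2.contoso.com'
$RestoredDN      = 'CN=Rajul Patel,OU=Staff,OU=SPM,DC=contoso,DC=com'
$NtdsutilWorkDir = 'C:\Users\Administrator'
$DomainNC        = ($RestoredDN -split ',' | Where-Object { $_ -like 'DC=*' }) -join ','

# Plain ADSI/.NET checks work on 2008 R2 without the AD PowerShell module.
function Test-ObjectOnServer {
    param([string]$Server, [string]$DN)
    return [System.DirectoryServices.DirectoryEntry]::Exists("LDAP://$Server/$DN")
}

function Get-GroupMembershipCount {
    param([string]$Server, [string]$DN)
    $entry = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$Server/$DN")
    return $entry.Properties['memberOf'].Count
}

function Set-InboundReplication {
    param([string]$DC, [bool]$Enabled)
    $flag = if ($Enabled) { '-DISABLE_INBOUND_REPL' } else { '+DISABLE_INBOUND_REPL' }
    repadmin /options $DC $flag | Out-Null
}

# Re-create group memberships in the restored domain: ntdsutil wrote one LDIF file
# per domain; -k makes ldifde skip "already exists"/constraint errors for links
# that survived. Files for other domains must be imported on a DC in that domain.
function Import-BackLinks {
    param([string]$Server, [string]$WorkDir)
    $files = @(Get-ChildItem -Path $WorkDir -Filter 'ar_*_links_*.ldf' -ErrorAction SilentlyContinue)
    foreach ($f in $files) {
        Write-Host "Importing backlinks from $($f.Name) into $Server"
        ldifde -i -k -s $Server -f $f.FullName | Out-Null
    }
    return $files.Count
}

# Orchestration, in the order the post above describes: verify locally, disable
# inbound replication, reconnect, restore backlinks, push outbound, re-enable.
if (-not (Test-ObjectOnServer -Server $RecoveryDC -DN $RestoredDN)) {
    throw "Restored object $RestoredDN is not present on $RecoveryDC; do not reconnect it yet."
}
Set-InboundReplication -DC $RecoveryDC -Enabled $false   # safe to plug the cable in now
Read-Host 'Reconnect the network cable, then press Enter' | Out-Null
$imported = Import-BackLinks -Server $RecoveryDC -WorkDir $NtdsutilWorkDir
$members  = Get-GroupMembershipCount -Server $RecoveryDC -DN $RestoredDN
Write-Host "Imported $imported LDIF file(s); memberOf count on $RecoveryDC is now $members"

# Pull the authoritative change into the partner (destination DSA first, then source).
repadmin /replicate $PartnerDC $RecoveryDC $DomainNC
if (Test-ObjectOnServer -Server $PartnerDC -DN $RestoredDN) {
    Write-Host "Object replicated to $PartnerDC; re-enabling inbound replication on $RecoveryDC"
    Set-InboundReplication -DC $RecoveryDC -Enabled $true
    repadmin /replsummary
} else {
    Write-Warning "Object not yet on $PartnerDC; leave inbound replication disabled and check repadmin /showrepl"
}
```

Inbound replication is re-enabled only after the partner is seen to hold the object; until then the recovery DC's version-bumped copy is the only one, and an early inbound sync from a partner that still has the deletion is what the "disconnect the cable" advice guards against.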
  • I don't have an environment to test the command, but I find it strange that when the first command is working, the second is not.

    Could you restore an object from the SPM OU and see if that works? I guess you are only not able to do it from a sub-folder. Can you test in your lab too: if you create a sub-folder in the SPT OU and do the same restore, what happens next?

    I guess there is an issue in performing a restore of an object inside a sub-OU. The KB below talks about 2003, but just for your reference.

    http://support.microsoft.com/kb/961071

    Could you give the adrestore tool a try, and does it also give the same error?

    http://blogs.microsoft.co.il/blogs/guyt/archive/2007/12/15/adrestore-net-rewrite.aspx


    Regards


    Awinish Vishwakarma| MY Blog

    Disclaimer : This posting is provided AS-IS with no warranties or guarantees and confers no rights.

    Monday, March 14, 2011 12:39 PM
    Moderator
  • Thanks Awinish

    Regarding the query, I have resolved it as below.

    As I mentioned earlier, in contoso there is an SPM OU, and in that a Staff OU with the Rajul Patel user ID, which I deleted and then restored successfully with the below:

    ntdsutil
    activate instance ntds
    authoritative restore
    restore object "CN=Rajul Patel,OU=Staff,OU=SPM,DC=Contoso,DC=Com"

    This works successfully.

    Now I have to look at the next steps, whether replicating the restored objects to the other DC works or not.

    Regards,

    Devang

    Wednesday, March 16, 2011 11:15 AM
  • So it was a syntax issue; glad to know it worked.

    Regards


    Awinish Vishwakarma| MY Blog

    Disclaimer : This posting is provided AS-IS with no warranties or guarantees and confers no rights.


    Wednesday, March 16, 2011 11:18 AM
    Moderator
  • Thanks pbbergs,

    Can you send me the steps for replication after I have restored successfully authoritatively?

    I ran the commands below.

    After the non-authoritative restore completed successfully, I unplugged the network cable and restarted the machine.

    Then I ran the command below after booting the computer normally.

    ntdsutil
    activate instance ntds
    authoritative restore
    restore object "CN=Rajul Patel,OU=Staff,OU=SPM,DC=Contoso,DC=Com" q q

    After that I ran the command below:

    repadmin /options  PDC.Contoso.com  +DISABLE_INBOUND_REPL 

    It disables inbound replication on the recovery domain controller.

    Now when I enter the command repadmin /replsummary,

    it shows error 1722: The RPC server is unavailable.

    Wednesday, March 16, 2011 11:22 AM
  • Did you check to see if your object was where you expected on the recovered DC?  If so, I would then enable replication and verify on a remote DC that the replication was correctly received.

    As for the RPC error, this can be related to a firewall setting.  Are any of the DCs behind a firewall, or do you have the local firewall turned on and blocking traffic?

    --
    Paul Bergson
    MVP - Directory Services
    MCITP: Enterprise Administrator
    MCTS, MCT, MCSE, MCSA, Security+, BS CSci
    2008, Vista, 2003, 2000 (Early Achiever), NT4
    http://www.pbbergs.com    Twitter @pbbergs
    http://blogs.dirteam.com/blogs/paulbergson

    Please no e-mails, any questions should be posted in the NewsGroup. This
    posting is provided "AS IS" with no warranties, and confers no rights.

    Wednesday, March 16, 2011 11:54 AM
    Moderator
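The reply above points at firewalls as the usual cause of error 1722, and in this thread there is a simpler one too: the recovery DC's cable was unplugged before the repadmin command. The PowerShell below is an added example, not code from the thread or from Microsoft, that checks the three prerequisites RPC-based replication needs before anything else: the partner name resolves in DNS, TCP 135 (the RPC endpoint mapper) answers, and the local Windows Firewall profile state. The partner name DC2.contoso.com is an assumption. It only uses .NET classes and netsh that are present on Windows Server 2008 R2 with PowerShell 2.0.

```powershell
# Added example (not from the thread). Quick triage for "1722 The RPC server is
# unavailable" run from the recovery DC. Partner DC name is assumed. It is a first
# pass, not a replacement for the full RPC troubleshooting checklist.
function Test-RpcPrerequisites {
    param([Parameter(Mandatory=$true)][string]$PartnerDC, [int]$TimeoutMs = 3000)
    $r = New-Object PSObject -Property @{
        Partner = $PartnerDC; Resolves = $false; Address = $null
        Port135 = $false; FirewallProfiles = @()
    }

    # 1. Name resolution: replication partners are located through DNS, so a DC
    #    that cannot resolve its partner fails before RPC is even attempted.
    try {
        $addr = [System.Net.Dns]::GetHostAddresses($PartnerDC) |
                Where-Object { $_.AddressFamily -eq 'InterNetwork' } | Select-Object -First 1
        if ($addr) { $r.Resolves = $true; $r.Address = $addr.IPAddressToString }
    } catch { }

    # 2. TCP 135, the RPC endpoint mapper. A filtered 135 yields 1722 directly, and so
    #    does an unplugged cable on the recovery DC, which is the situation in the thread.
    if ($r.Resolves) {
        $client = New-Object System.Net.Sockets.TcpClient
        try {
            $ar = $client.BeginConnect($r.Address, 135, $null, $null)
            if ($ar.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) {
                $client.EndConnect($ar)
                $r.Port135 = $client.Connected
            }
        } catch { } finally { $client.Close() }
    }

    # 3. Local firewall state per profile. After the endpoint mapper, replication moves
    #    to a dynamic high port (49152-65535 by default on 2008 R2); rules must allow it too.
    $profile = ''
    foreach ($line in (netsh advfirewall show allprofiles state)) {
        if ($line -match '^(\w+) Profile Settings') { $profile = $Matches[1] }
        elseif ($line -match '^State\s+(ON|OFF)') { $r.FirewallProfiles += "$profile=$($Matches[1])" }
    }
    return $r
}

Test-RpcPrerequisites -PartnerDC 'DC2.contoso.com' | Format-List
```

If Resolves is false, fix DNS (the recovery DC should point at a DNS server that holds the domain zone) before touching firewalls; if it resolves but Port135 is false, look at the path between the DCs; if both are true and 1722 persists, the dynamic RPC range is the next thing to check.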
  • Did you check the link for the steps?

    http://support.microsoft.com/kb/840001

    http://technet.microsoft.com/en-us/library/cc779573%28WS.10%29.aspx#BKMK_after_deletions

    For the RPC issue, check the link below.

    http://blogs.technet.com/b/abizerh/archive/2009/06/11/troubleshooting-rpc-server-is-unavailable-error-reported-in-failing-ad-replication-scenario.aspx


    Regards


    Awinish Vishwakarma| MY Blog

    Disclaimer : This posting is provided AS-IS with no warranties or guarantees and confers no rights.

    Wednesday, March 16, 2011 12:02 PM
    Moderator
  • Thanks Awinish & pbbergs, I have completed it successfully.
    Wednesday, March 30, 2011 8:41 AM
  • Good to hear that.


    Regards


    Awinish Vishwakarma| MY Blog

    Disclaimer: This posting is provided AS-IS with no warranties or guarantees and confers no rights.

    Wednesday, March 30, 2011 8:52 AM
    Moderator
  • I also got the same error. Please provide some correct guidelines.

    Saturday, August 20, 2011 7:31 AM
  • Why did you do the non-authoritative restore in order to do the authoritative restore?
    Saturday, August 20, 2011 7:34 AM