Doing an Authoritative Restore on an Active Directory Domain

Sometimes organizations, no matter their size, allow people to have far more administrative access than they should. Have you ever had someone who didn’t know what they were doing mess up your Active Directory infrastructure?

If you are an architect or IT manager in your organization, take a second to think about how many Domain Admins you have. Do you really need that many admins? Are your admins abiding by your change management process? Far too often, even with a change management process in place, admins try to sneak changes in under the wire hoping no one will notice. If you work for an enterprise you will see this on a much larger scale than a small to medium business would.

A good practice is to have object auditing enabled on your AD infrastructure. There are a number of tools available that do a really good job at this. Some good examples are the tools provided by Quest and ScriptLogic; both products do a really good job of helping you keep solid track of what is occurring in your infrastructure. If you are using tools like ArcSight or Tripwire to audit your entire network, they will give you generic information about AD but not the granular info that you need, e.g. what changed and who changed it.

However, unless a government regulation requires them, most organizations do not have these types of tools in place, and sometimes things get deleted or, even worse, entire portions of your tree get corrupted.

This is when you need to do an authoritative restore. This should be a last resort after you have tried everything else to reverse the changes.

1. You need a backup. If you do not have a valid System State backup then I am afraid you are out of luck.

2. Reboot your DC and press F8 until the Advanced Options menu shows up.

3. Choose DSRM (Directory Services Restore Mode) and press Enter.

4. Log on using the DSRM password. (You created this when you promoted the Domain Controller. If you didn’t promote the DC, find the person who did or check your organization’s AD documentation.)

5. Click Start –> Run –> ntbackup.exe

6. Click Restore and select System State.

7. Reboot the server and go back into DSRM.

8. Once you have rebooted, start a command prompt.

9. Type ntdsutil and press Enter.

10. Type “authoritative restore” and press Enter.

11. Restore the OU – type “restore subtree” followed by the distinguished name of the OU in quotes, e.g. restore subtree "OU=Users,OU=Employees,DC=chrismadge,DC=com"

12. A popup will appear asking if you are sure you want to perform the Authoritative Restore. Click Yes.

13. The restore will occur. Hooray!
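Here is what steps 9 through 12 look like as a single command run from the DSRM command prompt; this is an added example, not something from the original post, and it assumes the OU name used above. Each quoted argument is one ntdsutil command, executed in the same order you would type them at the ntdsutil prompt.

```batch
@echo off
rem Run this from a command prompt in DSRM, after the System State restore
rem (step 7) and reboot back into DSRM. It only marks the subtree as
rem authoritative; the actual data comes from the restored backup.

rem Distinguished name of the OU to mark authoritative (same DN as step 11).
set "SUBTREE=OU=Users,OU=Employees,DC=chrismadge,DC=com"

rem On Windows Server 2008 and later, ntdsutil needs the directory instance
rem selected first; on Windows Server 2003 (the ntbackup era) this line is not
rem required but does no harm.
set "ACTIVATE=activate instance ntds"

rem Marks only the subtree below %SUBTREE% as authoritative, so the restored
rem copy of that OU wins over whatever the other DCs currently hold.
rem The "Are you sure?" dialog from step 12 still appears.
ntdsutil "%ACTIVATE%" "authoritative restore" "restore subtree %SUBTREE%" quit quit

rem If the damage was domain-wide (see the note below), replace the
rem "restore subtree ..." argument with "restore database" to mark the whole
rem restored database authoritative instead:
rem   ntdsutil "%ACTIVATE%" "authoritative restore" "restore database" quit quit
```

Keep the ntdsutil output with your change record: it shows how many records were marked authoritative, which is your evidence of exactly what was pushed out to the other domain controllers.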

Note: should you need to restore your entire Active Directory because this person caused widespread damage, then instead of typing “restore subtree” and specifying the OU, type “restore database”.