Active Directory

Doing an Authoritative Restore on an Active Directory Domain

Sometimes organizations no matter the size allow people to have way more Administrative Access than they should. Have you ever had someone who didn’t know what they were doing mess up your Active Directory Infrastructure?

If you are an architect or IT manager in your organization take a second to think about how many Domain Admins that you have? Do you really need many admins? Are you admins abiding by your change management process? Far too often even with a change management process in place, admins try to sneak changes in under the wire hoping no one will notice. If you work for an enterprise you will see this on a much larger scale than perhaps a small to medium business.

A good practice is to have object auditing enabled on your AD infrastructure. There are number of tools available that do a really good job at this. Some good examples are the tools provided by Quest and Scriptlogic both of these products do a really good job of helping you keep solid track of what is occurring in your infrastructure. If you are using tools like Arcsight or Tripwire to audit your entire network these tools will give you generic information about AD but not the granular info that you need e.g. what changed and who changed it.

However, unless a government regulation requires them to . Most organizations do not have these types of tools in place and sometimes things get deleted or even worse yet entire portions of your tree gets corrupted.

This is when you need to do authoritative restore. This should be a last resort after you have tried everything else to reverse the changes.

1. You need a backup. If you do not have a vaild Systems State backup then I am afraid you are out of luck.

2. Reboot your DC Press F8 until the Advanced Options Menu shows up

3. Choose DSRM (Directory Services Restore Mode) and press enter

4. Logon using the DSRM password. (You created this when you promoted the Domain Controller.. If you didn’t promote the DC find the person who did or check your organizations AD documentation)

5. Click Start –> Run – > Ntbackup.exe

6. Click Restore – and select System State

7. Reboot server and go back into the DSRM

8. Once you have rebooted start a command prompt


10. Type authoritative restore

11. Restore the OU  – type “restore subtree (e.g. OU=Users,OU=Employees,DC=chrismadge,DC=com

12. A popup will occur asking if you are sure you want to perform the Authoritative Restore.. Click Yes

13. The restore will occur. Hooray!

nbd…. Should you need to restore your entire active directory cause this person caused wide spread damage. Instead of typing “restore subtree” and specifying the OU. type “restore database”

Know your roles

I was asked the other day what the FSMO roles were. I remember them being apart of one of the Windows 2k3 MCSE exams but couldn’t remember for the life of me what they were. It was certainly embarrassing and as soon as I was at a workstation I looked up what they were. I thought that I would share them all with you just in case you forgot as well.

When there is only one Domain Controller in an environment that DC holds obviously all the roles. However in larger environments it is a best to distribute them amongst your other Domain Controllers in the forest.

Schema Master

In an AD forest the Schema Master is where all the Schema changes and updates happen. Once the changes to the Schema are made it is replicated to the other Domain controllers. Like most FSMO roles, there can only be one Schema Master in the whole forest.

Domain Naming Master

This Server/Role holds the rights to add and delete domains from the forest. It is also the server that controls federation and links to other directory environments. Like the Schema role, there can only be one Domain Naming Master.

Infrastructure Master

The Infrastructure Master role is a little more complicated. Within an AD structure all the different elements are referenced by the GUID, SID and the DN for the object. Within the forest and the federated relationships the Infrastructure Master is responsible for updating the GUID/SID and DN for the other Domain Controllers.

Relative ID (RID) Master
The GUID and SID’s that we referenced earlier when they are created they are created on the various domain controllers. So whenever someone creates a user account, an OU or a Security Group it creates the GUID and SID as well as the Relative ID. A RID is created for each GUID and SID. Each DC is allotted a certain amount of RID’s when it runs out of RID’s it must ask the RID master for more. There can only be one RID master.

PDC Emulator

In NT4 days (1997-2000) there were two types of domain controllers Primary DC’s and Backup DC’s. A PDC emulator is only required only in a mixed environment.

  • Password changes performed by other DCs in the domain are replicated preferentially to the PDC emulator.
  • Authentication failures that occur at a given DC in a domain because of an incorrect password are forwarded to the PDC emulator before a bad password failure message is reported to the user.
  • Account lockout is processed on the PDC emulator.
  • Editing or creation of Group Policy Objects (GPO) is always done from the GPO copy found in the PDC Emulator’s SYSVOL share, unless configured not to do so by the administrator.
  • The PDC emulator performs all of the functionality that a Microsoft Windows NT 4.0 Server-based PDC or earlier PDC performs for Windows NT 4.0-based or earlier clients.* (Borrowed from Daniel Petri)

There can be a PDC emulator in each Domain in the Forest and the only role that can be held by multiple servers in a forest.

and that’s the FSMO roles.. Next time I’m asked hopefully I’ll remember!