tags: apache   archive   business   charity   climbing   comic   communication   database   email   exchange   family   fm2008   hack   hardware   humour   linux   liverpool   microsoft   money   mysql   network   oes   opensource   outlook   php   pictures   process   project   quote   real_life   review   rss   science   security   software   thought   tsm   updates   webdev   website   windows  

AD Restore

Wed, 19 Mar 2008 14:22:10

Yesterday I worked through an authoritative restore of active directory. A number of user accounts, including the 'system mailbox' account had been deleted. We decided a full AD restore would address the issues without too much pain, as nothing had changed in the AD schema recently. There were some pain points, mainly waiting around unsure to force a server offline or continue to wait. Here I document what we followed and some tips to help anyone in the similar situation.

Update: 07/04/08
Before the restore, whilst troubleshooting we recreated the user object. This did not solve our problem so we decided to go ahead with the restore, after which we had many problems. Once we restored AD, it restored the original user object and also KEPT a copy of the one we created prior to restore. Long story into a much smaller easy to read one, if you re-created the object whilst troubleshooting but have now decided to perform a restore, DELETE the object first!!! AGHH!!11122234541212

The following was done on a Windows 2000 DC

  • Arrange for system downtime, all users off the system. Put aside 3 hours for the operation
  • Before scheduled downtime; restore system state (including AD component) to an alternative location on the domain controller, a temp directory
  • If you do not know your 'Directory Services Restore Mode' password, reset it by following this document
  • If the domain controller you are restoring has the backup software installed, shut down all systems including this server. If the backup software is installed on another system, shut down all systems apart from this one
  • Boot up the DC you are restoring in 'AD Recovery mode'
  • Open your backup software and restore the system state, including AD objects. Normally this is an 'all or nothing' restore of the system state, you cannot select individual components
  • At this stage, the server started running very slow. Opening explorer could take 10 minutes.
  • Once complete, START>RUN>'cmd' | ntdsutil | authoritative restore | restore database | click OK, and then click Yes.
  • Reboot the system, but be aware, as it was shutting down we waited 30 minutes
  • As the server was booting up, it appeared to hang on "starting network connections" just before the CTRL - ALT - DEL prompt. It was even coincidental, or turning on another DC resolved our problem. As when booted up another DC, the original server we had ran the restore on, suddenly kicked into life and loaded the CTRL - ALT - DEL prompt
  • Once the SYSVOL share is published, which you can check by running \\servername, copy the SYSVOL folder you restored to an alternative location, OVER the current one on the DC you've just ran an authoritative restore on. This is to ensure correct permissions etc on the folders and files. I just followed the Microsoft documentation.

Hope it helps
Ryan Partington

windows/