Authoritative Restore of Active Directory and Impact on Trusts and Computer Accounts

ID: Q216243


The information in this article applies to:
  • Microsoft Windows 2000 Server
  • Microsoft Windows 2000 Datacenter Server
  • Microsoft Windows 2000 Advanced Server


SUMMARY

The Authoritative Restore feature allows an administrator to select specific objects or subtrees of objects from an archived Active Directory database and restore them to a domain controller. Note that doing so causes Active Directory replication to replicate this restored state (the System State) of objects, overwriting the copies currently held on all domain controllers within the domain. The restored objects receive a USN greater than the current set of domain objects.

For more information about the Authoritative Restore process, see the "Authoritative Restore" topic in Windows Backup Help.


MORE INFORMATION

Trust relationship and computer account passwords are renegotiated at a specified interval (every seven days by default); automatic computer account password changes can be disabled by the administrator.

When you use the Authoritative Restore method on the Active Directory on a domain controller, a previously used password for the objects in the Active Directory that maintain trust relationships and computer accounts could be restored. In the case of trust relationships, this may void communication with other domain controllers from other domains. In the case of a computer account password, this could void communications between the member workstation or server and a domain controller of its domain.

Note also that Windows 2000 uses a history of two passwords on the trusted domain component of a trust relationship. For additional information, please see the following article in the Microsoft Knowledge Base:

Q154501 How to Disable Automatic Machine Account Password Changes

Non-Authoritative Restore of a Domain Controller

In cases in which a domain controller needs to be recovered from hardware failure or replacement, if the data on other domain controllers is known to be good, only a restore from the most recent backup of a domain controller is necessary.

After the restore process, Active Directory replication automatically begins propagating any changes from other domain controllers that occurred after the time of the backup.

Authoritative Restore of a Domain Controller

In cases in which other domain controllers exist, but you need to recover data, exercise caution when performing an authoritative restore of data in the domain naming context. Trust relationship data, for both parent/child relationships to Windows 2000 domains in the forest, and NTLM/Kerberos trusts to other downlevel or Windows 2000 domains, resides in the domain naming context.

If data restoration is required, authoritatively restore only those portions of the naming context that need to be recovered. If you restore the entire naming context, computer passwords and trust relationship passwords are all restored to the value at the time of the backup and may subsequently be invalid, because the password may have been renegotiated after the time of the backup. The result in either the trust or computer account case is that the passwords may no longer be synchronized and must be reset.

To reset NTLM trust relationships to Windows 2000 or downlevel domains, the trust must be removed and re-created. If the administrator is required to do this for multiple domains, the Netdom utility provided with the Windows 2000 Resource Kit can be used to perform this by using a batch process.

When other domain controllers exist and an authoritative restore is performed, any objects that were created in the naming context (in this example, the domain naming context) after the backup will remain in the Active Directory.
For example:
  • On day 1, the administrator performs a backup of the system.
  • On day 2, the administrator creates a user named "User Two" and this data replicates to other domain controllers in the domain.
  • On day 3, the user named "User One" is inadvertently deleted.
  • On day 4, an authoritative restore of the domain controller is performed with the backup created on day 1.

As a result, both "User One" and "User Two" exist within the domain.
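The following is an added model of the day 1 through day 4 scenario above, and of the password desynchronization described under "Authoritative Restore of a Domain Controller"; it is not part of the article and not Microsoft code. It assumes a simplified replication rule (the higher version of an object wins, standing in for the USN ordering the article describes) and constructed sample objects; the real re-stamping performed by Ntdsutil differs in detail.

```python
"""Model of authoritative restore: restored objects are re-stamped above
every version currently in the domain, so they win during replication
while objects created after the backup (User Two) survive untouched."""
import copy

def backup(dc):
    return copy.deepcopy(dc)

def replicate(src, dst):
    """Pull replication: dst adopts any object whose version is higher on src."""
    for dn, obj in src.items():
        if dn not in dst or obj["version"] > dst[dn]["version"]:
            dst[dn] = copy.deepcopy(obj)

def authoritative_restore(dc, backup_db, dns=None):
    """Restore selected objects (or the whole naming context when dns is None)
    from backup_db into dc, re-stamping each above the highest live version."""
    high = max(o["version"] for o in dc.values())
    for dn in (backup_db if dns is None else dns):
        obj = copy.deepcopy(backup_db[dn])
        high += 1
        obj["version"] = high
        dc[dn] = obj
    return dc

def live_users(dc):
    return sorted(dn for dn, o in dc.items() if o["type"] == "user" and not o["deleted"])

def run_scenario(restore_whole_context):
    # Constructed sample directory: two DCs, one user, one computer account (hypothetical names).
    dc1 = {"User One": {"type": "user", "version": 1, "deleted": False},
           "WKS01$": {"type": "computer", "version": 1, "deleted": False, "password": "pw-day0"}}
    dc2 = copy.deepcopy(dc1)
    member_secret = "pw-day0"          # the secret the workstation itself holds
    day1 = backup(dc1)
    # Day 2: User Two created on DC1; workstation renegotiates its password; both replicate.
    dc1["User Two"] = {"type": "user", "version": 2, "deleted": False}
    dc1["WKS01$"].update(version=3, password="pw-day2"); member_secret = "pw-day2"
    replicate(dc1, dc2)
    # Day 3: User One inadvertently deleted on DC2 and the deletion replicates.
    dc2["User One"].update(version=4, deleted=True)
    replicate(dc2, dc1)
    # Day 4: authoritative restore on DC1 from the day-1 backup, then replicate out.
    authoritative_restore(dc1, day1, None if restore_whole_context else ["User One"])
    replicate(dc1, dc2)
    return {"users": live_users(dc2),
            "secure_channel_ok": dc2["WKS01$"]["password"] == member_secret}
```

Restoring only "User One" brings the user back and leaves the computer account's current password in place; restoring the whole naming context also brings back the day-1 computer password, which no longer matches what the workstation holds and must be reset.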

Authoritative Restore of a Domain Controller Where No Other Domain Controllers Exist

When no other domain controllers exist to replicate recent changes to a restored system, or an authoritative restore is necessary to bring domain controllers back to a known state, an authoritative restore of the entire naming context should be performed.

Doing so creates the same scenario as previously mentioned. If trust relationships or computer account passwords are affected, they will need to be reset.

Keywords : kbtool
Version : WINDOWS:2000
Platform : WINDOWS
Issue type : kbinfo


Last Reviewed: December 29, 1999
© 2000 Microsoft Corporation. All rights reserved.