qUICKLY Explained: Active Directory Authoritative Restore

Hi, it's q again. This time I'd like to open the discussion on Active Directory (AD) Authoritative Restore. What is it, when do we need it, and how? So without further ado, let's try to answer the three questions.

What is an AD Authoritative Restore? As the name suggests, it is the process of restoring active directory or System State data of a domain controller to a previous state. I am sure you have lots of questions and comments on this, and we will cover some of them.

When do we need it? There can be a number of reasons for restoring AD authoritatively, one of the most common reasons are the woops, someone accidentally deletes an object. There have been cases when a rogue administrator intentionally deletes an important person's user account, we will not go there, hehe. We can always recreate the object but it's not the same object, even though we can populate the object with exact same properties and values as the deleted object had. However, the GUID and SID will never be the same, which are system controlled. For instance, if someone accidentally *wink* deletes a user object, I as an administrator in the domain or OU, can create a new user object with same information, membership of same groups, password etc., but the minute this user logs on to his machine, he will notice that something is different, his profile will not be the same, because his SID is not. All security principals get a unique SID value based on the domain SID and RID at the time of creation and unless they are moved to another domain, this value stays the same. When deleted, the SID is one of the few attributes which are kept. A lot more to discuss here... but again this is qUICK explanation. J

How do we restore an object authoritatively? Well, you have to have a valid, tested, and recent backup of AD data, also part of System State Backup (SSB). You can boot into AD Directory Service Repair Mode (DSRM) and restore using NTBACKUP or Windows Server Backup and marking the object as authoritative via NTDSUTIL. All the steps you need are in this KB here https://support.microsoft.com/kb/840001

The one thing I'd like to cover here qUICKLY is that an authoritative restore is simply a merge. Let's take an example of a user account who has the following information

                      displayName = "Test User", department = "Engineering", Title = "ESDE", Mobile = "8675309"

and you take a SSB of AD. Now someone makes the following modifications

department = "ENGG" , and adds description = "qUICK Learner"

You can see that department information was changed and description was added, which did not have a value when we took the SSB. After restoring AD using this SSB, marking this user "Test User" as Authoritative (learn all about it from the above mentioned KB), what do we get. You guessed it:

displayName = "Test User", department = "Engineering", Title = "ESDE", Mobile = "8675309" , description = "qUICK Learner"

Notice that department has the value from SSB and description is current. This is because of Version numbers on each and every attribute of an object and when an object is marked authoritative, its defined attributes' Versions are incremented by 100,000 for every day since the SSB to your current date, making sure this value is the most up to date. My personal favorite tip to see how this happens - check the meta of the user before and after doing Auth restore via LDP or Repadmin /Showobjmeta.

The whole game changes with AD Recycle Bin - new in Windows Server 2008 R2 FFL.

Comments

  • Anonymous
    January 01, 2003
    for an excellent KB on RID / SIDs etc, check support.microsoft.com/.../305475

  • Anonymous
    January 01, 2003
    Instead of explaining SID and RID in these topics, why don't you write a blog for FSMO roles? which will give insight detail and also post some scenarios which you have dealt for eg, in which condition or situation you would seize or transfer FSMO roles? but give some definitions before you start going deep like what is SID, RID then types of roles etc etc etc :D

  • Anonymous
    January 01, 2003
    i think there is plenty of detail on technet and other blogs on fSMORoleOwner (s) and when/how to transfer/seize these roles. SID space / RID pool are also very well documented. I could do one to explain the SIDs some what as there may be cases where RID Pool Exhaustion may be happening... good suggestion though!

  • Anonymous
    October 16, 2010
    Can you do a blog on Recycle Bin? Would love a qUICK read ;) M