Restores domain controllers to a specific point in time and marks objects in Active Directory as being authoritative with respect to their replication partners.
Ntdsutil is a command-line tool that is built into Windows Server 2008. It is available if you have the Active Directory Domain Services (AD DS) or Active Directory Lightweight Directory Services (AD LDS) server role installed. To use ntdsutil, you must run the ntdsutil command from an elevated command prompt. To open an elevated command prompt, click Start, right-click Command Prompt, and then click Run as administrator.
In forests that have a functional level of Windows Server 2003, Windows Server 2003 interim, or Windows Server 2008, this subcommand also restores backlinks for links that were created after the functional level was raised. For example, the member attributes of groups to which a restored user object belongs are updated. The authoritative restore subcommand creates an LDAP Data Interchange Format (LDIF) file that can be used to restore backlinks for links that were created before the functional level was raised.
At the authoritative restore: prompt, type any of the parameters listed under Syntax.
For examples of how to use this command, see Examples.
Syntax
{create ldif file(s) from %s | list nc crs | restore object %s | restore object %s verinc %d | restore subtree %s | restore subtree %s verinc %d}
Parameters
Parameter | Description |
---|---|
create ldif file(s) from %s | This option creates an LDIF file of link updates from the Ntdsutil-generated text file that is named in %s. This file can be used to update backlinks on objects in a domain other than the domain of the restored object. For example, this file can be used to restore group membership for a user where the group belongs to a different domain than the user. |
List NC CRs | Lists partitions and cross-references. You need the cross-reference of an application directory partition to restore it. |
%d | A numeric value that overrides the default value of 100,000. The version number of the object or database being authoritatively restored will be increased by this value times the number of days since backup. |
restore object %s | Marks object %s as being authoritative. This option also generates a text file that contains the distinguished name of the restored object and an LDIF file that can be used to restore backlinks for objects that are being authoritatively restored (such as group memberships of users). |
restore object %s verinc %d | Marks object %s as being authoritative and updates links as described in restore object %s, and also increments the version number by %d times the number of days since backup. Use this option only to authoritatively restore over a previous, incorrect authoritative restore, such as an authoritative restore from a backup that contains the problem that you want to restore. |
restore subtree %s | Marks subtree %s (and all children of the subtree) as being authoritative. This option also generates a text file that contains the distinguished names of the restored objects and an LDIF file that can be used to restore backlinks for objects that are being authoritatively restored (such as group memberships of users). |
restore subtree %s verinc %d | Marks subtree %s (and all children of the subtree) as being authoritative and updates links as described in restore subtree %s, and also increments the version number by %d times the number of days since backup. Use this option only to authoritatively restore over a previous, incorrect authoritative restore, such as an authoritative restore from a backup that contains the problem that you want to restore. |
%s | An alphanumeric variable, either a distinguished name for a restored object or subtree, or a file name for a text file that is used to create an LDIF file. |
quit | Takes you back to the previous menu or exits the utility. |
? | Displays help at the command prompt. |
Help | Displays help at the command prompt. |
Remarks
- Before you can run the authoritative restore subcommand, you need to set NTDS or an AD LDS instance as the active instance for ntdsutil. For example, if the AD LDS instance that you want to restore is named instance 1, type the following command at the ntdsutil prompt before you run the authoritative restore subcommand: `ac in instance 1`
- You need to stop the AD DS or AD LDS service before you can run the authoritative restore subcommand. To stop AD DS, click Start, click Server Manager. In the console tree, double-click Configuration, and then click Services. In the details pane, right-click Active Directory Domain Services and then click Stop.
- When you are restoring a domain controller by using backup and restore programs, such as Windows Server Backup or those from other providers, the default mode for the restore is nonauthoritative. This means that the restored server is brought up to date with its replicas through the normal replication mechanism. For example, if a domain controller is restored from a backup tape that is two weeks old, when you restart it, the normal replication mechanism brings it up to date with respect to its replication partners.
- You might need to perform an authoritative restore if an administrator inadvertently deletes an organizational unit containing a large number of users. If you restore the server from tape, the normal replication process would not restore the inadvertently deleted organizational unit. Authoritative restore allows you to mark the organizational unit as authoritative and force the replication process to restore it to all of the other domain controllers in the domain.
Examples
To list the directory partitions on a domain controller and their cross-references, type:
authoritative restore: list nc crs
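The following PowerShell script is an added example, not part of the original page, that strings the Remarks steps together for the deleted-OU scenario: it stops AD DS, runs the authoritative restore subcommands non-interactively, restarts the service, verifies the object is back, and imports the generated LDIF to repair backlinks. The DN `OU=Sales,DC=contoso,DC=com` is a placeholder, and the `ar_*_links_*.ldf` output file name pattern is an assumption about what ntdsutil writes to the current directory.

```powershell
# Added example: authoritative restore of an accidentally deleted OU on a
# Windows Server 2008 domain controller that was first restored nonauthoritatively
# from backup. Run from an elevated PowerShell prompt on that DC.
$ouDn = 'OU=Sales,DC=contoso,DC=com'   # placeholder DN of the deleted OU

# 1. AD DS must be stopped before the authoritative restore subcommand will run.
#    -Force also stops dependent services (KDC, DNS, etc.).
Stop-Service -Name NTDS -Force

# 2. Each quoted argument is one line that would otherwise be typed at the
#    ntdsutil prompts: activate the NTDS instance, enter the authoritative
#    restore menu, mark the subtree, then quit both menus.
ntdsutil "activate instance ntds" "authoritative restore" "restore subtree $ouDn" quit quit
if ($LASTEXITCODE -ne 0) {
    Write-Error "ntdsutil returned exit code $LASTEXITCODE; not restarting AD DS."
    exit 1
}

# 3. Restart AD DS so the marked objects replicate outbound with their raised
#    version numbers and overwrite the deletion on the other DCs.
Start-Service -Name NTDS

# 4. Check that the OU exists locally before trusting the restore.
$found = dsquery * $ouDn -scope base 2>$null
if (-not $found) {
    Write-Error "Restored OU $ouDn not found after restart."
    exit 1
}

# 5. ntdsutil writes a text file with the restored DNs and an LDIF of link
#    updates (assumed name pattern ar_<timestamp>_links_<domain>.ldf). Import
#    it to restore backlinks such as group memberships of the restored users.
Get-ChildItem -Path . -Filter 'ar_*_links_*.ldf' | ForEach-Object {
    ldifde -i -k -f $_.FullName
}
```

For an AD LDS instance, replace `"activate instance ntds"` with the instance name (for example `"activate instance instance 1"`) and stop and start that instance's service instead of NTDS.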