Partial Active Directory Restores and Repair

Created by Manfred Grisebach, March 2002


This document covers two scenarios. The first is when a DC that held Flexible Single Master Operation (FSMO) roles has gone down and the roles must be seized by a remaining DC because it will be too long before the dead DC can be restored. The second is a partial authoritative restore of Active Directory data that was inadvertently deleted and now no longer exists on any DC.


Seizing Flexible Single Master operation (FSMO) roles

When a DC is built we distribute the FSMO roles across the DCs. The five FSMO roles are:

  • Domain naming master
  • Infrastructure master
  • PDC emulator
  • Relative ID (RID) master
  • Schema master (see the NOTE below the seizure instructions; this one needs Schema Admins membership)


These roles do not automatically move to the remaining DCs. They must be moved manually, and only *if* deemed necessary. If the old DC is still reachable, transfer the role rather than seizing it; the ntdsutil seize command itself first attempts a clean transfer and only seizes when the current holder does not respond. Seizure should not be done lightly, only when it is known in advance that it will be a long time before the dead DC can be restored. For the Schema master, Microsoft documentation advises seizing only when the dead DC is never coming back, and the same caution applies to the RID master and Domain naming master: a DC from which any of these three roles was seized must not be brought back onto the network, because it would still believe it holds the role and could hand out overlapping RID pools or accept conflicting schema or naming changes. The PDC emulator and Infrastructure master can be seized and the original holder returned later. For information about which services are unavailable while each role is missing, refer to Microsoft documentation.


If it is determined that FSMO roles need to be seized, the procedure on a remaining DC (the one that will receive the roles) is as follows:

  1. Log on to the DC with an account that is a member of Enterprise Admins.
  2. Open a command prompt.
  3. Type ntdsutil and press Enter.
  4. At the ntdsutil prompt, type: roles
  5. At the FSMO maintenance prompt, type: connections
  6. At the server connections prompt, type: connect to server <servername>, where <servername> is the name of the DC you are logged on to.
  7. At the server connections prompt, type: quit
  8. At the FSMO maintenance prompt, type: seize <operations master>. For example: seize domain naming master. The role names ntdsutil accepts are: domain naming master, infrastructure master, PDC, RID master and schema master.
  9. At the popup window, click Yes to confirm the seizure.
  10. At the FSMO maintenance prompt, type: quit
  11. At the ntdsutil prompt, type: quit


NOTE: All roles can be seized in one ntdsutil session. After each seize, ntdsutil lists all five roles and their current owners, so the last listing confirms which roles this DC now holds.

NOTE: To seize the Schema master role, Enterprise Admins membership is *not* enough. The account must also be a member of Schema Admins, otherwise the seize fails.
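The following batch file is an added example for this document, not part of the original procedure: it wraps the ntdsutil commands listed above so that one or all roles can be seized onto the DC you are logged on to, and shows the role holders before and after. It assumes (none of this is stated in the document) that ntdsutil reads its interactive commands from standard input, that netdom.exe from the Windows 2000 Support Tools is on the PATH for the before/after check, and that you are logged on with the group memberships described in the NOTEs above. The role names and the command sequence are the ones from the procedure; the script name, the temporary file and the parameters are the example's own.

```batch
@echo off
setlocal
REM seize-fsmo.cmd -- added example for this document, not part of the
REM original procedure. It feeds ntdsutil the same commands listed above.
REM
REM Usage:  seize-fsmo thisDC [role]
REM   thisDC  name of the DC you are logged on to (it receives the role)
REM   role    one of: "domain naming master", "infrastructure master",
REM           "PDC", "RID master", "schema master", or all (default)
REM
REM Assumptions not stated in the document:
REM   - ntdsutil reads its interactive commands from standard input, so
REM     they are written to a temporary file and redirected in;
REM   - netdom.exe (Windows 2000 Support Tools) is on the PATH for the
REM     before/after check; delete those lines if it is not installed;
REM   - you are logged on as an Enterprise Admin, and also a Schema Admin
REM     when the schema master is included (see the NOTE above).
REM ntdsutil still pops up its confirmation dialog for each seize; click Yes.

if "%~1"=="" goto usage
set TARGET=%~1
set ROLE=%~2
if "%ROLE%"=="" set ROLE=all
set CMDFILE=%TEMP%\seize-fsmo.txt

echo Role holders before seizure:
netdom query fsmo

REM Build the ntdsutil script. "seize" first tries a clean transfer and
REM only seizes if the current holder cannot be reached.
REM The redirection is written first on each line so that a server name
REM ending in a digit is never mistaken for a file-handle number.
> "%CMDFILE%" echo roles
>> "%CMDFILE%" echo connections
>> "%CMDFILE%" echo connect to server %TARGET%
>> "%CMDFILE%" echo quit
if /I "%ROLE%"=="all" (
  >> "%CMDFILE%" echo seize domain naming master
  >> "%CMDFILE%" echo seize infrastructure master
  >> "%CMDFILE%" echo seize PDC
  >> "%CMDFILE%" echo seize RID master
  >> "%CMDFILE%" echo seize schema master
) else (
  >> "%CMDFILE%" echo seize %ROLE%
)
>> "%CMDFILE%" echo quit
>> "%CMDFILE%" echo quit

echo Commands being passed to ntdsutil:
type "%CMDFILE%"
ntdsutil < "%CMDFILE%"
del "%CMDFILE%"

echo Role holders after seizure (this DC should now be listed):
netdom query fsmo
goto :eof

:usage
echo Usage: %~n0 thisDC [role]
exit /b 1
```

Run it as, for example, seize-fsmo DC2 "RID master" or seize-fsmo DC2 all. The before/after netdom listings are the check a practitioner wants kept with the change record, and the printed command file shows exactly what ntdsutil was given. Remember that once the RID master, Domain naming master or Schema master has been seized this way, the old holder must not be returned to the network.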

Partial Authoritative Restore of Active Directory Data

An example of when one may wish to do this is when part of a production Active Directory database has been accidentally deleted, or modified to the point that recreating the data is impractical or impossible.


In general terms the procedure is: restart the DC into Directory Services Restore Mode (the Active Directory equivalent of safe mode), restore a System State backup taken before the critical data was deleted or corrupted, mark the restored data as authoritative (so that it replaces anything newer on the other DCs) and restart normally. The System State cannot be restored while Active Directory is running, which is why the DC must be in Directory Services Restore Mode before the restore rather than after it. The backup must also be younger than the tombstone lifetime (60 days by default in Windows 2000); Backup will not restore Active Directory data older than that.


The detailed procedure for accomplishing this restore is as follows:

  1. Restart the domain controller and press F8 at the "Starting Windows ..." prompt to display the Windows 2000 Advanced Options Menu.
  2. Select Directory Services Restore Mode and press Enter. Press Enter again to continue the boot.
  3. Log on as Administrator with the Directory Services Restore Mode password, i.e. the password defined for the local Administrator account in the offline SAM when DCPROMO was run. This is not the domain Administrator password.
  4. Restore the System State from the last known good backup. Do not restart when Backup offers to: until the next steps have marked the data authoritative, a restart would simply let replication bring the DC back to the current (deleted) state.
  5. From the Start menu, point to Programs, then Accessories, and click Command Prompt.
  6. At the command prompt, type ntdsutil and press Enter.
  7. At the ntdsutil prompt, type: authoritative restore

  8. At the authoritative restore prompt, type restore subtree "OU=Academic Support,DC=ads,DC=uwaterloo,DC=ca" (***where you substitute the distinguished name of the subtree that was lost for the example given). The double quotes are required whenever the name contains spaces, as this one does. To bring back a single object rather than a whole subtree, use restore object "<distinguished name>" instead. An example is shown in the graphic.
  9. You should see the message "Authoritative Restore completed successfully." ntdsutil raises the version number of every restored object by 100,000 per day elapsed since the backup, which is what makes the restored copies win over the newer state held by the other DCs.
  10. To exit the authoritative restore prompt, type quit. To exit the ntdsutil prompt, type quit. To exit the command prompt, type exit.
  11. Restart the domain controller normally. The objects marked authoritative replicate out to the other DCs, and everything outside the marked subtree is brought back up to date by normal inbound replication. After replication has completed, check the group memberships of any restored users: in Windows 2000 the membership is stored on the group object, so groups outside the restored subtree may need restoring as well. Refer to Microsoft documentation for the details.
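The following batch file is an added example for this document, not part of the original procedure: it performs steps 6 to 10 above from a script, refuses to run unless the DC is in Directory Services Restore Mode, and checks ntdsutil's output for the success message before telling the operator to restart. It assumes (none of this is stated in the document) that ntdsutil reads its commands from standard input and writes its messages to standard output, and that Windows sets the SAFEBOOT_OPTION environment variable to DSREPAIR in Directory Services Restore Mode; the script name, the parameters and the temporary files are the example's own. The distinguished name used in the usage line is the page's own example.

```batch
@echo off
setlocal
REM auth-restore.cmd -- added example for this document, not part of the
REM original procedure. Marks a restored subtree (or one object) as
REM authoritative with ntdsutil.
REM
REM Run it in Directory Services Restore Mode AFTER the System State has
REM been restored with Backup and BEFORE the domain controller is restarted.
REM
REM Usage:  auth-restore "OU=Academic Support,DC=ads,DC=uwaterloo,DC=ca" [object]
REM   With object as the second parameter a single object is marked
REM   (ntdsutil "restore object") instead of the whole subtree.
REM
REM Assumptions not stated in the document:
REM   - ntdsutil reads its interactive commands from standard input and
REM     writes its messages to standard output, so they can be captured;
REM   - in Directory Services Restore Mode Windows sets
REM     SAFEBOOT_OPTION=DSREPAIR; that is used as a guard so the script
REM     refuses to run on a live DC. If your build does not set the
REM     variable, drop the check (ntdsutil itself refuses while the
REM     directory service is running).

if "%~1"=="" goto usage
set DN=%~1
set MODE=subtree
if /I "%~2"=="object" set MODE=object
set CMDFILE=%TEMP%\auth-restore.txt
set LOGFILE=%TEMP%\auth-restore.log

if /I not "%SAFEBOOT_OPTION%"=="DSREPAIR" (
  echo This DC does not appear to be in Directory Services Restore Mode.
  echo Restart, press F8, choose Directory Services Restore Mode, restore
  echo the System State with Backup, then run this script. Aborting.
  exit /b 1
)

REM ntdsutil needs the DN in double quotes because it contains spaces.
> "%CMDFILE%" echo authoritative restore
>> "%CMDFILE%" echo restore %MODE% "%DN%"
>> "%CMDFILE%" echo quit
>> "%CMDFILE%" echo quit

echo Commands being passed to ntdsutil:
type "%CMDFILE%"
ntdsutil < "%CMDFILE%" > "%LOGFILE%" 2>&1
type "%LOGFILE%"
del "%CMDFILE%"

REM Only the exact success message counts; anything else means the
REM restored data is NOT marked and a restart would let replication
REM overwrite it again.
find /I "Authoritative Restore completed successfully" "%LOGFILE%" >nul
if errorlevel 1 (
  echo ntdsutil did not report success. Do NOT restart until this is resolved.
  exit /b 1
)
echo Restored %MODE% is marked authoritative. Restart the DC normally now;
echo the marked objects will replicate out and overwrite newer copies.
goto :eof

:usage
echo Usage: %~n0 "distinguished name" [object]
exit /b 1
```

The log file it leaves in %TEMP% is worth keeping with the incident record, since it shows the exact distinguished name that was marked authoritative and ntdsutil's response. Marking too broad a subtree is the usual mistake here: everything under the name given is rolled back to the backup's state on every DC, so choose the narrowest subtree, or a single object, that covers what was lost.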