Partial Active Directory Restores and Repair
Created by Manfred Grisebach, March 2002
This document covers two scenarios. The first is when a DC that carried the Flexible Single Master Operation (FSMO) roles has gone down and the roles must be seized by the remaining DCs because it will be too long before the dead DC can be restored. The second is a partial authoritative restore of Active Directory data that was inadvertently deleted and now no longer exists on any DC.
Seizing Flexible Single Master operation (FSMO)
When a DC is built we distribute the FSMO roles across DCs. The 5 FSMO roles are:
- Schema master (see NOTE below the instructions before seizing this one)
- Domain naming master
- Relative ID (RID) master
- PDC emulator
- Infrastructure master
These roles do not automatically revert to the remaining DCs. This must be done manually, and only *if* deemed necessary. It should not be done lightly unless it is known in advance that it will be a long time before the dead DC can be restored. In the case of the Schema master, Microsoft documentation advises that it never be seized unless the dead DC is not coming back, but it can be done. For information about which services will be unavailable while a role is unowned, refer to Microsoft documentation.
If it is determined that FSMO roles need to be seized, the tool to accomplish this is run on a remaining DC as follows:
- Log on to the DC with an Enterprise Administrator account.
- Open a command prompt.
- Type NTDSUTIL.
- At the ntdsutil prompt, type: roles
- At the FSMO maintenance prompt, type: connections
- At the server connections prompt, type: connect to server syslab15.testads.uwaterloo.ca (substituting the name of the DC you are currently logged on to).
- At the server connections prompt, type: quit
- At the FSMO maintenance prompt, type: seize <operations master>. For example: seize domain naming master
- At the popup window, click Yes to confirm the seizure.
- At the FSMO maintenance prompt, type: quit
- At the ntdsutil prompt, type: quit
NOTE: All roles can be seized in one session; after each seizure ntdsutil comes back listing all 5 roles and which DC owns each one.
NOTE: To seize the schema master role, being an Enterprise Administrator is *not* enough. You must also be a member of Schema Admins.
Partial Authoritative Restore of Active Directory Data
An example of when one may wish to do this is when part of a production Active Directory database has been accidentally deleted or modified to the point that recreating the data by hand is either impractical or impossible.
In general terms the procedure is: restore a System State backup taken before the critical data was deleted or corrupted, reboot into Directory Services Restore Mode, mark the data to be restored as authoritative (so that it replaces anything newer on the other DCs), and reboot again.
The detailed procedure for accomplishing this restore is as follows:
- Restore the System State file from the last known good backup. (This will not actually become "live" until after a reboot.)
- Restart the domain controller and press F8 at the "Starting Windows ..." prompt to display the Windows 2000 Advanced Options Menu.
- Select Directory Services Restore Mode, and then press Enter. To start the boot process again, press Enter.
- Log on using the Administrator account with the password defined for the Local Administrator account in the offline SAM.
- From the Start menu, point to Programs and then Accessories, and click Command Prompt.
- At the command prompt, type ntdsutil and then press Enter.
- At the NTDSUTIL prompt, type authoritative restore.
- At the authoritative restore prompt, type restore subtree OU=Academic Support,DC=ads,DC=uwaterloo,DC=ca (substituting the correct subtree for the example given). An example is shown in the graphic.
- You should see the message "Authoritative Restore completed successfully."
- To exit the authoritative restore prompt, type quit. To exit the Ntdsutil prompt, type quit. To exit the command prompt, type exit.
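Two places in the procedures above invite a check before or after the keystrokes: the role listing ntdsutil prints after each seizure (which should show no role still owned by the dead DC), and the subtree DN handed to "restore subtree" (which authoritatively overwrites anything newer beneath it, so a typo there is costly). The following Python is an added example, not part of the original document or of ntdsutil: it parses a constructed copy of the "Server ... knows about 5 roles" listing to report roles still pointing at the dead DC, and sanity-checks a restore subtree DN against the domain naming context. The hostname SYSLAB14, the site name and the "Smith, John" entry are hypothetical sample values.

```python
# Added example (not from the original procedure): offline sanity checks for
# the two ntdsutil steps above. All input below is constructed sample data;
# the listing follows the shape of ntdsutil's 'Server "x" knows about 5 roles'
# output, and SYSLAB14 is a hypothetical dead DC.
import re
from typing import Dict, List, Tuple

FSMO_ROLES = ("Schema", "Domain", "PDC", "RID", "Infrastructure")

# Constructed: what 'roles' prints after Schema, Domain and Infrastructure have
# been seized onto syslab15 while PDC and RID still point at the dead DC.
SAMPLE_LISTING = """\
Server "syslab15" knows about 5 roles
Schema - CN=NTDS Settings,CN=SYSLAB15,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=testads,DC=uwaterloo,DC=ca
Domain - CN=NTDS Settings,CN=SYSLAB15,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=testads,DC=uwaterloo,DC=ca
PDC - CN=NTDS Settings,CN=SYSLAB14,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=testads,DC=uwaterloo,DC=ca
RID - CN=NTDS Settings,CN=SYSLAB14,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=testads,DC=uwaterloo,DC=ca
Infrastructure - CN=NTDS Settings,CN=SYSLAB15,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=testads,DC=uwaterloo,DC=ca
"""


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Split an LDAP DN into (type, value) RDNs, honouring backslash escapes
    such as 'CN=Smith\\, John'. Attribute types are upper-cased."""
    parts, buf, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):      # escaped char: keep it literally
            buf.append(dn[i + 1])
            i += 2
            continue
        if ch == ",":
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    parts.append("".join(buf))
    rdns = []
    for part in parts:
        typ, sep, val = part.strip().partition("=")
        if not sep or not typ or not val:
            raise ValueError(f"malformed RDN in DN: {part!r}")
        rdns.append((typ.upper(), val))
    return rdns


def role_owners(listing: str) -> Dict[str, str]:
    """Map each FSMO role in an ntdsutil role listing to the owning DC name.
    Each role line carries the DN of the owner's NTDS Settings object, whose
    second RDN (CN=<server>) names the DC."""
    owners: Dict[str, str] = {}
    for line in listing.splitlines():
        m = re.match(r"\s*(Schema|Domain|PDC|RID|Infrastructure)\s+-\s+(.+)$", line)
        if not m:
            continue
        rdns = parse_dn(m.group(2))
        if len(rdns) < 2 or rdns[0] != ("CN", "NTDS Settings"):
            raise ValueError(f"unexpected role owner DN: {m.group(2)!r}")
        owners[m.group(1)] = rdns[1][1].upper()
    return owners


def roles_still_on(listing: str, dead_dc: str) -> List[str]:
    """Roles the listing still attributes to dead_dc, i.e. seizures left to do."""
    owners = role_owners(listing)
    missing = [r for r in FSMO_ROLES if r not in owners]
    if missing:
        raise ValueError(f"listing lacks roles: {missing}")
    return [r for r in FSMO_ROLES if owners[r] == dead_dc.upper()]


def check_restore_subtree(subtree_dn: str, domain_dn: str) -> Tuple[str, str, int]:
    """Sanity-check the argument to 'restore subtree' before it is typed in.
    The DN must parse, sit strictly below the domain naming context (this
    procedure restores a subtree, not the whole domain) and start with an OU
    or CN. Returns the leaf RDN and its depth below the domain root."""
    sub, dom = parse_dn(subtree_dn), parse_dn(domain_dn)

    def fold(rdns):  # case-insensitive comparison of RDN values
        return [(t, v.lower()) for t, v in rdns]

    if len(sub) <= len(dom) or fold(sub[-len(dom):]) != fold(dom):
        raise ValueError(f"{subtree_dn!r} is not strictly inside {domain_dn!r}")
    leaf_type, leaf_value = sub[0]
    if leaf_type not in ("OU", "CN"):
        raise ValueError(f"restore target should be an OU or CN, got {leaf_type}")
    return leaf_type, leaf_value, len(sub) - len(dom)


if __name__ == "__main__":
    for role, owner in role_owners(SAMPLE_LISTING).items():
        print(f"{role:<15} {owner}")
    print("still on dead DC:", roles_still_on(SAMPLE_LISTING, "syslab14"))
    print(check_restore_subtree("OU=Academic Support,DC=ads,DC=uwaterloo,DC=ca",
                                "DC=ads,DC=uwaterloo,DC=ca"))
```

Paste the real listing into SAMPLE_LISTING (or read it from a file) to run the owner check against an actual seizure session; an empty list from roles_still_on means every role has moved off the dead DC.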