Thursday, June 18, 2009

Active Directory restore and ntdsutil.exe

Because Active Directory uses multimaster replication to synchronize all the DC
databases throughout an Active Directory domain, performing a normal restore is not
sufficient when objects such as user accounts, groups, or organizational units get
accidentally deleted or incorrectly modified. All objects in Active Directory are assigned
Update Sequence Numbers (USNs) that determine which objects are the most up to date
when replication occurs between DCs. After you perform a normal, or nonauthoritative,
restore, the restored objects with older USNs will be deleted again when the DC is restarted in normal mode and
replication takes place. To ensure that the restored Active Directory objects do not get
deleted again via replication, you must use the ntdsutil.exe command-line tool to mark
the restored Active Directory objects as authoritative while the computer is still in
Directory Services Restore Mode. Run this tool before the server restart.

When an object is marked for authoritative restore, its update sequence number is raised so that it is higher than any other update sequence number in the Active Directory replication system.
This ensures that any replicated or distributed data you restore is properly
replicated or distributed throughout your organization.
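The sequence the post describes, as an added example that is not part of the original post: the ntdsutil.exe invocation that marks a restored subtree (or a single object) authoritative while the DC is still in Directory Services Restore Mode, followed by a repadmin check after the reboot. The domain example.com, the OU "Sales", the user "jdoe" and the DC names DC01/DC02 are assumed names for illustration.

```powershell
# Added example (not from the original post). Assumed names: domain example.com,
# deleted OU "OU=Sales,DC=example,DC=com", user CN=jdoe, domain controllers DC01/DC02.
# Run on the restored DC while it is still in Directory Services Restore Mode,
# after the non-authoritative (System State) restore and BEFORE rebooting.

# Non-interactive ntdsutil: each quoted argument is one command from the
# ntdsutil menu hierarchy. "activate instance ntds" is required on
# Windows Server 2008 and later; it does not exist on Windows Server 2003.
ntdsutil "activate instance ntds" "authoritative restore" `
         "restore subtree OU=Sales,DC=example,DC=com" quit quit

# To mark a single object instead of a whole subtree (a DN containing spaces
# must be quoted inside the ntdsutil command itself):
# ntdsutil "activate instance ntds" "authoritative restore" `
#          "restore object CN=jdoe,OU=Sales,DC=example,DC=com" quit quit

# After the reboot into normal mode, confirm the restored object is winning
# replication: compare the attribute version numbers and originating USNs on
# the restored DC with those held by a replication partner. The restored DC's
# values should be the higher ones, and the partner should converge to them.
repadmin /showobjmeta DC01 "OU=Sales,DC=example,DC=com"
repadmin /showobjmeta DC02 "OU=Sales,DC=example,DC=com"
```

ntdsutil reports how many records it found and updated; if it reports zero, the restore did not bring the object back and rebooting would only replicate the deletion again. Restoring a subtree is the safer choice when an OU full of users and groups was deleted, because restoring individual objects one by one makes it easy to miss a child object and lose its group memberships.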
