
Active Directory Disaster Recovery

There are two methods of restoring Active Directory: a non-authoritative restore and an authoritative restore. The non-authoritative restore is the default method and is performed with the same backup tool that created the backup file. A non-authoritative restore returns the domain controller to the state it was in when the backup was taken; normal replication then brings the restored domain controller up to date with any changes that have occurred since the backup.

The authoritative restore is used to bring back deleted objects: a non-authoritative restore must be completed first, and the authoritative restore follows it. The authoritative restore is performed with the tool Ntdsutil.exe. To perform an authoritative restore, restart the domain controller in Directory Services Restore Mode.

Active Directory Recycle Bin

The Active Directory Recycle Bin is a feature that allows an administrator to restore an Active Directory object that has been deleted. When you delete a security principal from Active Directory, the object's security identifier (SID) is removed with it. A user's rights and permissions are tied to that SID, not to the account name, so recreating an account with the same name does not give it back its old access. This is where the AD Recycle Bin can help.

The Active Directory Recycle Bin allows you to preserve and restore accidentally deleted Active Directory objects without using a backup. It works for both Active Directory Domain Services and Active Directory Lightweight Directory Services.

Once the Active Directory Recycle Bin is enabled, deleted Active Directory objects are preserved and can be restored to the same condition they were in immediately before deletion, meaning that all group memberships and access rights the object had before deletion remain intact.

To enable the Active Directory Recycle Bin, you must do the following (you must be a member of the Schema Admins group): run the adprep /forestprep command on the server that holds the schema master role to prepare the forest and update the schema, then run the adprep /domainprep /gpprep command on the server that holds the infrastructure operations master role to prepare the domain.

If a read-only domain controller is present in your environment, you must also run the adprep /rodcprep command. Make sure that all domain controllers in your Active Directory forest are running Windows Server 2012 or Windows Server 2008 R2, and that the forest functional level is set to Windows Server 2012 or Windows Server 2008 R2.
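The pre-flight checks, the enabling step and a Recycle Bin restore described above, as an added PowerShell example that is not part of the original article. It assumes the RSAT ActiveDirectory module and Enterprise Admin rights; the deleted user name "jsmith" is a constructed sample.

```powershell
# Added example (not from the original article): check prerequisites, enable the
# Active Directory Recycle Bin, and restore a deleted user with its original SID.
# Assumes the RSAT ActiveDirectory module; "jsmith" is a constructed sample account.
Import-Module ActiveDirectory

$forest = Get-ADForest
Write-Host "Forest: $($forest.Name)  Functional level: $($forest.ForestMode)"

# The article requires every DC on a supported OS and the forest functional level
# at Windows Server 2008 R2 or later; list the DCs so this can be verified first.
Get-ADDomainController -Filter * |
    Select-Object HostName, OperatingSystem, IsReadOnly |
    Format-Table -AutoSize

$rb = Get-ADOptionalFeature -Filter 'Name -eq "Recycle Bin Feature"'
if ($rb.EnabledScopes.Count -eq 0) {
    # Enabling is forest-wide and cannot be undone once it has replicated.
    Enable-ADOptionalFeature -Identity $rb -Scope ForestOrConfigurationSet `
        -Target $forest.RootDomain -Confirm:$false
} else {
    Write-Host "Recycle Bin already enabled"
}

# Deleted objects are hidden unless -IncludeDeletedObjects is set. Their name is
# rewritten as "<name>\0ADEL:<guid>", so match on the prefix; lastKnownParent
# records the OU the object was deleted from, and objectSid is still intact.
$deleted = Get-ADObject -Filter 'isDeleted -eq $true -and Name -like "jsmith*"' `
    -IncludeDeletedObjects -Properties lastKnownParent, whenChanged, objectSid

foreach ($obj in $deleted) {
    Write-Host "Found $($obj.Name) deleted $($obj.whenChanged)"
    Write-Host "  was in: $($obj.lastKnownParent)  SID: $($obj.objectSid)"
    # Restore-ADObject places the object back under lastKnownParent with the
    # same SID, so existing group memberships and ACL entries resolve again.
    Restore-ADObject -Identity $obj.ObjectGUID
}
```

If the parent OU was deleted as well, restore the parent object first; Restore-ADObject fails when lastKnownParent no longer exists.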