Active Directory Authoritative & Non-Authoritative Restoration

Steps to non-authoritatively restore a domain controller

• Perform the bare-metal restoration of the domain controller.
• Once the restoration is complete, manually boot the domain controller to complete the non-authoritative restoration.

Steps to authoritatively restore a domain controller

• Perform the bare-metal restoration of the domain controller.
• Once the restoration is complete, manually boot the domain controller in Directory Services Restore Mode by repeatedly pressing the F8 key immediately after BIOS POST screen. In the text menu that appears, use the up/down arrow keys to select Directory Services Restore Mode or DS Restore Mode. Login with the DSRM account and password.
• Open command prompt and type ntdsutil
• Type activate instance ntds
• Type authoritative restore
• Determine the Distinguished Name(DN) of the domain/subtree of objects /object that you wish to authoritatively restore.

  Syntax: CN=value,OU=value,DC=value,DC=value.

• To authoritatively restore an entire domain, enter

  restore subtree <distinguished name of the domain>

• To authoritatively restore a subtree of objects, enter

  restore subtree <distinguished name of the subtree>

• To authoritatively restore a single object, enter

  restore object <distinguished name of the object>

• Click Yes in the message box to confirm.
• Reboot the domain in the normal mode for the restoration to complete.