Windows/Active Directory

Authoritative restore procedures

muhanrush 2012. 8. 12. 15:54

This note summarizes how to recover objects that have been deleted from AD by using a Windows Server Backup copy.

If a customer site running Exchange or similar ever has a large number of account objects deleted from AD, they can be recovered with the method below.

In AD, this kind of recovery is called an Authoritative Restore.

→ You can think of it as rolling the directory back to an earlier backup copy.

Authoritative restore procedures

http://technet.microsoft.com/en-us/library/cc816878%28v=WS.10%29.aspx

Procedures for this task restore deleted objects and back-links for the restored objects in the domain of the deletions. If you are restoring security principals that might belong to groups in more than one domain or if you are restoring other objects that have back-links to objects in another domain, additional steps are required.


Task requirements

The following tools are required to perform the procedures for this task:

- Repadmin.exe
- Remote Desktop Connection (optional)
- Bcdedit.exe (optional)
- Ntdsutil.exe

To complete this task, perform procedures according to the conditions in your environment:

- Procedures for restoring after deletions have replicated
- Procedures for restoring before deletions have replicated
- Procedures for recovering group memberships (and any other back-link attributes) in other domains

Procedures for restoring after deletions have replicated


If you are performing authoritative restore on a domain controller that has already received replication of the deletions, perform the following procedures on the recovery domain controller:

1. If you do not have a current backup of the recovery domain controller, perform a system state backup of the domain controller by using the command line (Wbadmin). You can use this backup if your recovery is not successful and then try again.

2. Restart the Domain Controller in Directory Services Restore Mode, either locally or remotely.

Restore from backup requires restarting the domain controller in DSRM. Taking the domain controller offline by stopping AD DS is not sufficient to run Ntdsutil procedures to restore from backup.

3. Restore AD DS from Backup (Nonauthoritative Restore).

Use this procedure to return the domain controller to its state at the time of the backup, so that any groups that are being restored, or whose members are being restored, are present in the directory with their predeletion membership intact. When Ntdsutil.exe generates the .ldf file during authoritative restore, it searches for member attributes that refer to objects that are contained in the text file, which contains the objects that are marked for authoritative restore.

To ensure that replication does not occur, do not restart the domain controller after the restore procedure.

4. Mark an Object or Objects as Authoritative.

Mark the object or objects that you want to restore so that replication does not overwrite them when you restart the domain controller.

5. Restart the domain controller normally.

6. Synchronize Replication with All Partners.

For the newly restored object to become available and be instantiated in its restored form on all domain controllers, successful outbound replication must occur from the domain controller that originates the restored changes to its partners.

Make sure that all domain controllers in the domain and all global catalog servers in the forest have received the restored objects.

7. Run an LDIF File to Recover Back-Links in this domain. This procedure updates the group memberships of a restored security principal object or container of objects in the recovery domain. Perform this procedure for each individual object or container that you marked as authoritative.

8. If the .ldf file shows back-links for objects in other domains, perform the procedures in "Procedures for recovering group memberships (and any other back-link attributes) in other domains".

[Problem]

- Two Windows Server 2008 R2 DCs in operation
- A specific account was deleted on a DC, and the deletion has already replicated between the DCs
- The customer wants the deleted object recovered with its password kept as it was

[Steps taken]

http://technet.microsoft.com/en-us/library/cc816878%28v=WS.10%29.aspx

- In this case, assuming a backup copy exists, perform an Authoritative Restore to recover the object
- For the test, delete a specific account (Test) on a DC.
- Recovery proceeds as in the steps below.

1. Restart the Domain Controller in Directory Services Restore Mode Locally

- Restart one of the DCs in DSRM.
- DSRM can be entered in either of the two ways below.

To restart a domain controller in DSRM locally by using the Windows GUI

1. On the Start menu, point to Administrative Tools, and then click System Configuration.
2. On the Boot tab, in Boot options, select Safe boot, click Active Directory repair, and then click OK.
3. In the System Configuration dialog box, click Restart. The domain controller restarts in DSRM.
4. Perform procedures in DSRM.
5. When you have finished performing procedures in DSRM, restart the domain controller normally:
   1. On the Start menu, point to Administrative Tools, and then click System Configuration.
   2. On the General tab, in Startup selection, click Normal startup, and then click OK.

The domain controller restarts normally.

To restart a domain controller in DSRM locally by using the command line

1. Click Start, click Command Prompt, and then click Run as administrator. If the User Account Control dialog box appears, provide Domain Admins credentials, and then click OK.
2. At the command prompt, type the following command, and then press ENTER:

   bcdedit /set safeboot dsrepair

3. At the command prompt, type the following command, and then press ENTER:

   shutdown -t 0 -r

4. When you are still in DSRM and you are ready to restart in normal mode, open a command prompt and type the following, and then press ENTER:

   bcdedit /deletevalue safeboot

5. At the command prompt, type the following command, and then press ENTER:

   shutdown -t 0 -r

2. Restore AD DS from Backup (Nonauthoritative Restore)

- After the reboot, start the recovery from the backup copy.
- Start -> Administrative Tools -> Windows Server Backup -> "Actions" pane -> Recover
- Do not restart the server after the recovery completes.

3. Mark an Object or Objects as Authoritative

http://technet.microsoft.com/en-us/library/cc816813(v=ws.10).aspx

- Use Ntdsutil to identify the object you want to recover.
- You can proceed with either Restore subtree <DistinguishedName> or Restore object <DistinguishedName>.

4. Restart the domain controller normally.

- Change the boot mode back to normal and then reboot.

5. Synchronize Replication with All Partners

http://technet.microsoft.com/en-us/library/cc816915(v=ws.10).aspx

- Repadmin /syncall

6. Verify Successful Replication to a Domain Controller

http://technet.microsoft.com/en-us/library/cc794749(v=ws.10).aspx


7. Verify the recovered object.

- Confirmed that the Test object in the Users container was recovered on both DCs.
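As an added example (not part of the original post or of the TechNet article it quotes), the following PowerShell helper wraps steps 3, 5 and 6 above for a single deleted object: the first function is run in DSRM and refuses to call Ntdsutil unless the DC is actually booted with safeboot dsrepair (stopping AD DS is not enough, as the TechNet text notes), and the second is run after the normal restart to push the change with Repadmin and report whether the object is present on every DC in the domain. The sample DN, the function names and the use of the ActiveDirectory module are assumptions.

```powershell
# Added example, not from the original post or TechNet.
# 1) In DSRM (as the DSRM administrator): Set-ObjectAuthoritative -Dn $SampleDn
# 2) Restart normally, then:                Confirm-RestoredObject -Dn $SampleDn
$SampleDn = 'CN=Test,CN=Users,DC=contoso,DC=com'   # constructed sample DN

function Test-DsrmBoot {
    # When booted into DSRM, bcdedit shows "safeboot  DsRepair" on the current entry.
    $entry = bcdedit /enum '{current}' 2>$null
    return [bool]($entry -match '^\s*safeboot\s+DsRepair')
}

function Set-ObjectAuthoritative {
    param([Parameter(Mandatory)][string]$Dn)
    if (-not (Test-DsrmBoot)) {
        throw 'Not booted into DSRM: run "bcdedit /set safeboot dsrepair" and restart first.'
    }
    # Same sequence as the interactive "restore object <DN>" step above.
    # Assumption: the DN contains no spaces; for a DN with spaces, run ntdsutil
    # interactively and put the DN in double quotes. ntdsutil still asks for
    # confirmation and writes the .txt/.ldf files used later for back-link recovery.
    & ntdsutil.exe 'activate instance ntds' 'authoritative restore' "restore object $Dn" quit quit
    if ($LASTEXITCODE -ne 0) { throw "ntdsutil exited with code $LASTEXITCODE" }
}

function Confirm-RestoredObject {
    param([Parameter(Mandatory)][string]$Dn)
    Import-Module ActiveDirectory
    # Push the authoritative (higher-version) object to all partners:
    # /A all partitions, /d report servers by DN, /e cross-site, /P push from this DC.
    repadmin /syncall /AdeP | Out-Null
    # One row per DC: the object must be present everywhere before back-link recovery.
    foreach ($dc in Get-ADDomainController -Filter *) {
        $obj = Get-ADObject -Identity $Dn -Server $dc.HostName -ErrorAction SilentlyContinue
        [pscustomobject]@{
            DomainController = $dc.HostName
            ObjectPresent    = ($null -ne $obj)
        }
    }
}

# After the normal restart (step 4):
# Confirm-RestoredObject -Dn $SampleDn | Format-Table -AutoSize
```

Any row with ObjectPresent = False means that DC has not yet received the restored object; rerun the check (or repadmin /showrepl against that DC) before running the LDIF back-link step.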