Replicating Active Directory Data to All the Domain Controllers in a Domain

Perform an authoritative restore of the Active Directory and replicate all the restored data to the remaining domain controllers in the domain.

Before you begin

Complete the following tasks:

  1. Rebuilding the Windows operating system
  2. Recovering Windows File System Data

About this task

The system performs a non-authoritative restore of the Active Directory by default, so that Active Directory data restored from the backup does not overwrite changes made on the other domain controllers since that backup. However, you can force an authoritative restore of the Active Directory and replicate all the restored data to the remaining domain controllers in the domain by running ntdsutil.

After a non-authoritative restore, Active Directory replication ensures that the restored domain controller receives a current replica of the Active Directory. During this process, any new objects that have been created since the backup are replicated to the restored domain controller.

The Active Directory uses a tombstone mechanism to delete objects from its directory on Windows 2000 and Server 2003 clients. When an Active Directory object is deleted on a domain controller, it is initially marked as tombstoned rather than fully removed from the directory. During Active Directory replication, the tombstone attribute is replicated to the other domain controllers, so the object is marked as deleted on all of them. Once the tombstone lifetime is reached, the object is permanently removed from the directory. The Active Directory tombstone has a default lifetime setting of 60 days.

When performing restore operations, you must consider the Active Directory tombstone lifetime. Restoring from a backup that is older than the tombstone lifetime may result in Active Directory inconsistencies: the restored domain controller may contain objects that no longer exist on the other domain controllers. These objects will not be deleted automatically, because the corresponding tombstones on the other servers have already been removed. Therefore, when you restore from a backup that is older than the tombstone lifetime, you may have to manually delete each such unreplicated object on the restored computer in order to resolve the inconsistencies.

We recommend that you review all Microsoft instructions and methods before replicating the data to all domain controllers.

On Windows Server 2003 clients, if you are performing an authoritative restore of the SYSVOL without performing the full system restore, you must run ntdsutil. After you run this utility, the policies and scripts will be accessible from Active Directory Users and Computers.

Procedure

Follow the steps given below to run ntdsutil:

On Windows Server 2003

  1. Perform the authoritative full system restore of a domain controller.
  2. Restart the computer in Directory Services Restore Mode.
  3. From the Command Prompt, type ntdsutil.
  4. At the ntdsutil prompt, type Authoritative Restore.
  5. At the Authoritative Restore prompt, type Restore Database.
  6. Click Yes to confirm this operation.
  7. Type quit to exit the Authoritative Restore prompt.
  8. Type exit to end the ntdsutil session.
  9. Type exit to exit the command prompt.
  10. Restart the computer in normal mode and wait for replication to complete.

On Windows Server 2008 or Windows Server 2012 R2

  1. Perform the authoritative full system restore of a domain controller.
  2. Restart the computer in Directory Services Restore Mode.
  3. From the Command Prompt, type ntdsutil.
  4. At the ntdsutil prompt, type Activate instance NTDS.
  5. At the ntdsutil prompt, type Authoritative Restore.
  6. At the Authoritative Restore prompt, type Restore Subtree DistinguishedName.

    where DistinguishedName is the name of the subtree that is to be marked authoritative.

    For example: Restore subtree DC=DomainName,DC=COM will restore domainname.com.

  7. Click Yes to continue.

    The restore process completes and a message confirming the creation of one text file and two LDAP Data Interchange Format (LDIF) files is displayed.

  8. Restart the computer in normal mode and allow time for replication to complete.
  9. To import an LDIF file and recover back-links, type the following command at the command prompt:

    ldifde -i -k -f FileName (where FileName is the name of the LDIF file)

  10. Repeat steps 5 and 6 for each additional domain.
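The checks below are an added example, not part of the original procedure or the product's own tooling. They wrap the tombstone-lifetime comparison from "About this task" and the post-restore steps (ldifde import, replication check) in PowerShell; the ActiveDirectory module, repadmin.exe and ldifde.exe are assumed to be present on the restored domain controller, and the LDIF path and backup date are placeholders.

```powershell
# Added example (not from the original page): checks around the ntdsutil procedure above.
# Assumes the ActiveDirectory module plus repadmin.exe and ldifde.exe on the restored DC.
Import-Module ActiveDirectory

# Compare the age of the backup with the forest tombstone lifetime (see "About this task").
function Test-BackupAgeAgainstTombstoneLifetime {
    param([Parameter(Mandatory)][datetime]$BackupDate)
    $cfg = (Get-ADRootDSE).configurationNamingContext
    $ds  = Get-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$cfg" `
                        -Properties tombstoneLifetime
    # When the attribute is not set, the default lifetime applies (60 days per this page).
    $lifetimeDays = if ($ds.tombstoneLifetime) { [int]$ds.tombstoneLifetime } else { 60 }
    $ageDays = [int]((Get-Date) - $BackupDate).TotalDays
    [pscustomobject]@{
        BackupAgeDays = $ageDays
        TombstoneDays = $lifetimeDays
        SafeToRestore = ($ageDays -lt $lifetimeDays)   # older backups leave lingering objects
    }
}

# Import the LDIF files written by ntdsutil (step 9) to recover back-links such as group membership.
function Restore-BackLinks {
    param([Parameter(Mandatory)][string[]]$LdifPath)
    foreach ($file in $LdifPath) {
        # Same switches as the page: -i import, -k skip errors on existing entries, -f input file.
        & ldifde.exe -i -k -f $file
        if ($LASTEXITCODE -ne 0) { Write-Warning "ldifde returned $LASTEXITCODE for $file" }
    }
}

# Confirm the authoritatively restored data has replicated to the other DCs (step 8).
function Test-ReplicationHealth {
    & repadmin.exe /replsummary
    $replErrors = & repadmin.exe /showrepl /errorsonly
    return ($LASTEXITCODE -eq 0 -and -not ($replErrors -match 'error|fail'))
}

# Usage on the restored DC after it is back in normal mode (date and path are placeholders).
$check = Test-BackupAgeAgainstTombstoneLifetime -BackupDate (Get-Date '2024-01-15')
if (-not $check.SafeToRestore) {
    Write-Warning "Backup is older than the tombstone lifetime; unreplicated objects must be removed by hand."
}
Restore-BackLinks -LdifPath (Get-ChildItem -Path 'C:\Windows\System32\*.ldf').FullName
Test-ReplicationHealth
```

ntdsutil writes the LDIF files to the directory the command prompt was in, so adjust the path passed to Restore-BackLinks accordingly.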

Related Concepts

Full System Recovery - Windows File System Agent