AD perform Active Directory restore

There are two types of Active Directory restore, an authoritative and non-authoritative.  An authoritative restore is where the restored database is marked as authoritative for the domain, by  increasing the Unique Sequence Number (USN) of all attributes on the restored object. In a non-authoritative restore, all the objects are restored but not marked as authoritative which means if another domain controller has a new version it will over write the restored objects.

To perform an restore

  • Boot into Directory Services Repair mode by typing in bcdedit /set safeboot dsrepair and restart.
  • Open an elevated command prompt
  • Identify the version of backup you want to restore with:
    Wbadmin get versions -backuptarget:<backupdrive> -machine:<DCName>
  • After identifying which version, type in
    Wbadmin start systemstaterecovery -version:<versionID> -backuptarget:<backupdrive>


To mark an object / subtree or database as authritative

Once the database has been restored, to mark required objects as authoritative

  • Type ntdsutil.exe
  • Type activate instance ntds
  • Type authoritative restore
  • Type restore subtree <ObjectDN>  – To restore a OU
  • Type restore object <ObjectDN>    -To restore a single object


Once finished change the bcdedit sequence with bcdedit /deletevalue

Leave a Reply