There are two types of Active Directory restore: authoritative and non-authoritative. In an authoritative restore the restored database is marked as authoritative for the domain by increasing the Unique Sequence Number (USN) of all attributes on the restored objects, so they win replication against the copies held by other domain controllers. In a non-authoritative restore all the objects are restored but not marked as authoritative, which means that if another domain controller holds a newer version it will overwrite the restored objects.
To perform a restore
- Boot into Directory Services Repair mode by typing in bcdedit /set safeboot dsrepair and restart.
- Open an elevated command prompt
- Identify the version of backup you want to restore with:
Wbadmin get versions -backuptarget:<backupdrive> -machine:<DCName>
- After identifying which version, type in
Wbadmin start systemstaterecovery -version:<versionID> -backuptarget:<backupdrive> -machine:<DCName>
To mark an object, subtree or database as authoritative
Once the database has been restored, mark the required objects as authoritative:
- Type ntdsutil.exe
- Type activate instance ntds
- Type authoritative restore
- Type restore subtree <ObjectDN> - to restore an OU
- Type restore object <ObjectDN> - to restore a single object
Once finished, remove the safeboot entry so the next boot is a normal boot: bcdedit /deletevalue safeboot
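The whole sequence above, driven from PowerShell, as an added example that is not part of the original notes. The backup drive (E:), the DC name (DC01) and the OU distinguished name are assumed placeholder values; the wbadmin, bcdedit and ntdsutil commands are the ones the steps use.

```powershell
#Requires -RunAsAdministrator
# Constructed example: restore a DC's system state, then mark one OU authoritative.
# All three values below are placeholders, not taken from any real environment.
param(
    [string]$BackupTarget = 'E:',
    [string]$DCName       = 'DC01',
    [string]$SubtreeDN    = 'OU=Finance,DC=corp,DC=example',
    [string]$VersionId    = ''   # leave empty to list the available backup versions
)

# Step 1 (run before the reboot): request DSRM and confirm bcdedit recorded it,
# so the machine is not rebooted into a normal boot with the restore half done.
function Enable-DsrmBoot {
    bcdedit /set safeboot dsrepair | Out-Null
    if (-not (bcdedit /enum '{current}' | Select-String -Quiet 'safeboot\s+DsRepair')) {
        throw 'safeboot was not set; not restarting'
    }
    Restart-Computer -Force
}

# Step 2: return the version identifiers wbadmin reports for this DC
# (wbadmin prints one "Version identifier: <id>" line per backup).
function Get-SystemStateVersions {
    wbadmin get versions -backupTarget:$BackupTarget -machine:$DCName |
        Select-String 'Version identifier:\s*(\S+)' |
        ForEach-Object { $_.Matches[0].Groups[1].Value }
}

# Step 3: non-authoritative system state restore of the chosen version.
# -quiet suppresses the interactive confirmation prompt.
function Restore-SystemState([string]$Id) {
    wbadmin start systemstaterecovery -version:$Id -backupTarget:$BackupTarget -machine:$DCName -quiet
    if ($LASTEXITCODE -ne 0) { throw "wbadmin failed with exit code $LASTEXITCODE" }
}

# Step 4: mark the subtree authoritative. ntdsutil takes its interactive prompt
# entries as arguments, one per quoted string; the two quits leave both prompts.
# ntdsutil also writes .ldf files for group-membership back-links; keep them.
function Set-AuthoritativeSubtree([string]$DN) {
    ntdsutil 'activate instance ntds' 'authoritative restore' "restore subtree `"$DN`"" quit quit
}

# Steps 2-5, run inside DSRM after Enable-DsrmBoot and the reboot.
if (-not $VersionId) {
    Write-Host 'Available versions (rerun with -VersionId <id>):'
    Get-SystemStateVersions
    return
}
Restore-SystemState $VersionId
Set-AuthoritativeSubtree $SubtreeDN
bcdedit /deletevalue safeboot   # Step 5: next reboot is a normal boot
```

Run the script once with no -VersionId to list the backups, then again with the chosen identifier; Enable-DsrmBoot is kept as a separate function because it ends with a restart.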