Securing Windows 2000 Active Directory (Part 4) – Restoration

In this article I will focus on how important restoring the active directory is compared to running it securely.  Having an un-restorable backup is disastrous especially if your AD has been corrupted by an attacker or a new AD targeting virus.  There is no point in baking up and having thousands of dollars invested in a backup strategy if you can not restore.

The most important part of your backup strategy should have a restore focus, and should start with what you can restore rather than baking up.  Indecently it is good practice to work backwards starting at the point where you have a working environment and then trying to replicate it on another environment.  You will then quickly distinguish what you need to reinstate, and by using this approach you will comprehend what you need to backup.

For those of you that have missed any of the first three articles in this Active Directory series may click on the following links: Part 1, Part 2, Part 3. 

Restoring the Active Directory

There are two methods for restoring the Active Directory.

  1. Replication restores.  Reinstalling the failed Windows 2000 domain controller, allowing the other domain controllers to populate the Active Directory through the normal replication process.  This is not a good restore strategy as the whole site could go down.
  2. Restoring Active Directory from the backup media. Using the backed up system state. This restores AD to the state that it was in at the time of the last backup.

Replication Restore.

Scenario:  You have an Active directory system running with more than three domain controllers.  One of the domain controllers experiences problems and is not performing as it should and later that day terminates service.  The other domain controllers are still in tact and are functioning normally.

1.   Reformat the faulty domain controller and reinstall Windows 2000 onto it.  Let remaining Windows 2000 domain controllers populate the database on the newly reinstalled server through replication.

2.   After adding the new windows 2000 AD server to the domain click on start then Programs, Administrative Tools then Active Directory Sites And Services on an existing domain controller. Delete any references to the broken domain controller.

Figure 1a: The diagram above represents where the changes should be made.

The backup restore.

If you backup frequently you are less likely to loose data.   Restoring data form a bakup should be done on a regular scheduled basis and depending on the sensitivity of the data you should restore it very often. When restoring from the backup the Active Directory will be reinstated to the state it was in at the time of the last backup.

There are two modes when restoring the AD system state data from a backup tape

1.   authoritative restore
2.   nonauthoritative restore.

The default restore is nonauthoritative, other domain controllers may possibly overwrite portions of the restored data with newer data.  Authoritative restores, is hierarchal over data stored on all other domain controllers. Primary restores are used when you restore Active Directory information onto a standalone domain controller or on the first of several domain controllers.

Operating system restore.

When restoring a crashed operating system ensure that you mimic the previous system as closely as possible.  Use the same name IP address and partitions as previously used and ensure that the system and boot partitions are on the same drives and partitions as previously installed.

Primary restore.

This restore type should only be used to rebuild the domain from backup when all domain controllers have been lost. A primary restore should be initiated on the first domain controller and non-authoritative restore for all the other domain controllers.

Nonauthoritative restore

In a nonauthoritative restore data that is restored includes Active Directory objects with original update sequence numbers. Caution is awarded to this as any data that is restored nonauthoritatively will appear to the Active Directory replication system as though it is aged, the data will not get replicated to other domain controllers. The restored data is at risk of getting overwritten by newer data on domain controllers that have not yet been restored to. 

  1. Nonauthoritative restores require directory services database to be offline.
  2. The Active Directory must be placed into Directory Services Restore Mode by rebooting the server and pressing F8 at the OS selection screen, then select diagnostic and recovery options and then select the Directory Services Restore.
  3. Log in with local administrator privileges locally.
  4. Start restoring the Active Directory by clicking Start then Run and type in “ntbackup” at the prompt. The win 2000 backup program should load.
  5. Select Tools then Restore Wizard and then start the restore.

Note: Windows 2000 disallows a system state restore where the data is older than the default tombstone lifetime (default 60 days).  After the restore bounce the server to allow normal replication to commence. A consistency check may be done to verify the integrity of the Active Directory and to reindex the files. Restoring the active directory consists of restoring the database up to the when the last successful backup was taken and then its time to replicate the directory to the newly restored DSA replicates post-backup updates from other DSAs in the domain/enterprise.

Authoritative restore

Authoritative restores should be used to restore an entire active directory or a specific portion of the active directory. Before the Domain controller is restarted run the Ntdsutil utility after you have restored the System State data when using an authoritive restore on the respective domain controller. Ntdsutil marks the Active Directory objects for an authoritative restore, ensuring that any replicated data restored will be properly replicated or distributed throughout your company’s domain controllers. Restoring the System State data, without designating an alternate location for the restore of the data, will erase the System State data that is most currently on the domain controller that you are restoring to. When restoring the System State on a domain controller start the computer in directory services restore mode. Doing so will enable the restore of the SYSVOL directory and the Active Directory.

1.   Commence to Directory Services and choose Restore Mode.
2.   Login with local administrator privileges.

3.   Now click Start then click Run and type ntdsutil then press ok


In this article I have highlighted the fact that restoring an active directory should be treated as very important.  Many organizations know the importance of being able to restore the data that has been backed up but yet they do not practice this ritual enough.  It is strongly recommended that the more sensitive the backed up data the higher the frequency of restore.  Using this strategy it can be insured that when disaster strikes you are ready to get the organization up to a functional state, ensuring windows security and data integrity.

For those of you that have missed any of the first three articles in this Active Directory series may click on the following links: Part 1, Part 2, Part 3.

About The Author

Leave a Comment

Your email address will not be published. Required fields are marked *

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

Scroll to Top