Active Directory Repair and Recovery

  

When running Windows 2000, Active Directory (AD) can be damaged by accident. What methods can we use to recover it? This article discusses Active Directory repair and recovery.

I. Using Ntdsutil to repair Active Directory

If, based on error messages from the system or entries in the system and application logs, you suspect that the cause of an error is Active Directory on the domain controller, the first thing that may come to mind is to use Ntdsutil to repair it. However, I suggest keeping it as the last solution you turn to. If you have a backup of your system, it is best to restore the system from that backup. Always make backup recovery your preferred solution.

Using the repair function on the directory database does not always achieve the desired result. For example, if the database file is corrupted, there is no way to restore all objects and their properties even with Ntdsutil. In fact, in some cases the repair tool causes more data loss. Before you try it, isolate this server from the network so that the repair does not affect Active Directory replication on other domain controllers. Reconnect to the network only after you confirm that the repaired server is working properly.

The steps for repairing the AD database with Ntdsutil:
(1) Open a command prompt window and enter the following command: Ntdsutil
(2) After the Ntdsutil prompt appears, enter the following command: repair


II. Restoring Active Directory

When all other efforts have failed, you may find that restoring AD from a backup on a Win2000 DC (domain controller) is the most effective option. While it is not difficult to restore Active Directory from a backup to a domain controller, you need to carefully consider your network architecture and logical relationships before you do any recovery. You should consider the following questions:

Whether only the local Active Directory database is corrupted, or whether the copies on other domain controllers are damaged as well.

After a domain controller is restored from your backup, whether you want it to overwrite the Active Directory database information on other domain controllers. If you do overwrite, all information modified since the backup will be lost (such as modified accounts and attributes).

Or whether you are going to repair Active Directory by replicating from other domain controllers.

The answers to the questions above determine which recovery mode to choose. Active Directory has two recovery modes: non-authoritative and authoritative.

Non-authoritative mode: Most recovery operations use this mode. After Active Directory is restored, this domain controller replicates information from other domain controllers, relying on a parameter called the version number (USN). Within the same domain, Active Directory is updated according to this parameter: whichever copy has the higher version number is the one the others copy from.

Authoritative mode: When other domain controllers contain invalid information, or when we specifically need the data on one domain controller to prevail in replication, we can use authoritative restore mode. In this case, you can manually specify that the entire Active Directory database is to be recovered, and that the locally restored database is authoritative (that is, when replicating with other domain controllers, the version number of the locally recovered database takes precedence). The version number of Active Directory is modified so that it is higher than the version number of the Active Directory database on other domain controllers, and the content of the local database is therefore the one that gets replicated.

If you are using the Windows 2000 native backup tool (Ntbackup.exe), the following conditions must be met in order to successfully restore the system state (including Active Directory):

  1. The name of the server must be the same.
  2. The drive that holds the "%systemroot%" folder must have the same drive letter as on the backed-up server.
  3. The directory of the "%systemroot%" folder must be the same as on the backed-up server (for example, both in the "c:\winnt" directory).


III. Restoring Active Directory in non-authoritative mode

To use non-authoritative mode, directory services must be stopped. Follow these steps:

1. Press F8 when Windows 2000 starts, select "Directory Services Restore Mode", and then start the system. Windows 2000 enters safe mode.
2. Log in as a system administrator or backup operator.
3. Run the backup tool, select "Restore Wizard" from the welcome screen, select "Restore Project", and then select "System State". The system state includes the registry, Active Directory, and other key system components.
4. After completing the restore operation, restart this domain controller.

After the restart, this domain controller takes part in Active Directory replication and receives the latest updates directly from the other domain controllers.

IV. Restoring Active Directory in authoritative mode

With authoritative restore mode, you can restore all domain controllers to the state they were in before a certain point in time. For example, suppose an administrator deletes an organizational unit (OU) by mistake, and the OU contains very important user account information. We can recover the lost information by using authoritative mode, which achieves two things: it restores the local Active Directory information, and it restores the information that the other domain controllers lost through Active Directory replication.

Authoritative mode works by modifying the version numbers of Active Directory objects. Under normal circumstances, authoritative mode adds a million to the original version number so that it is higher than the version in every other copy of the Active Directory database. The copies with lower version numbers are then overwritten through replication, with the higher-versioned database as the standard, which achieves the purpose of authoritative restore. The added value can be customized.
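The version-number behaviour described above, as an added example that is not part of the original article: a simplified Python model of two domain controllers in which an OU is deleted, one controller is restored from backup, and replication then runs. All names (`replicate`, `authoritative_restore`, `scenario`) and the sample objects are constructed for illustration, and only the "highest version wins" rule from the text is modelled.

```python
# Simplified model (added example). Each DC holds {object_name: (version, state)}.
# Only the "higher version number wins" rule described in the text is modelled.

def replicate(dcs):
    """Converge all DCs: for every object, the copy with the highest version wins."""
    winners = {}
    for store in dcs.values():
        for name, (version, state) in store.items():
            if name not in winners or version > winners[name][0]:
                winners[name] = (version, state)
    for store in dcs.values():
        store.update(winners)
    return dcs

def authoritative_restore(store, verinc):
    """Mark a restored database authoritative by raising every object's version."""
    return {name: (version + verinc, state)
            for name, (version, state) in store.items()}

def scenario(authoritative, verinc=1_000_000):
    # Constructed sample data: the backup was taken while OU=Sales still existed.
    backup = {"OU=Sales": (3, "present"), "CN=alice": (5, "present")}
    dcs = {"DC1": dict(backup), "DC2": dict(backup)}
    # An administrator deletes the OU on DC2; the deletion carries a newer version.
    dcs["DC2"]["OU=Sales"] = (4, "deleted")
    replicate(dcs)                      # the deletion reaches DC1
    # DC1 is restored from the backup (system state restore).
    dcs["DC1"] = dict(backup)
    if authoritative:
        dcs["DC1"] = authoritative_restore(dcs["DC1"], verinc)
    replicate(dcs)                      # DC1 rejoins replication after restart
    return {name: store["OU=Sales"] for name, store in dcs.items()}

if __name__ == "__main__":
    print("non-authoritative:", scenario(authoritative=False))
    print("authoritative:    ", scenario(authoritative=True))
```

In the non-authoritative run the restored controller receives the deletion again, which is why a mistakenly deleted OU can only be brought back with the authoritative restore.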

To use authoritative mode, you must use the Ntdsutil tool:

1. At the command prompt, enter "cmd", and then enter: Ntdsutil
2. At the Ntdsutil prompt, type: authoritative restore
   This command enters authoritative restore mode. At the authoritative restore prompt, type: restore database
3. When prompted to confirm the authoritative restore operation, answer: yes, then enter: Quit. You can close this window by pressing Enter twice.


After Active Directory recovery is complete, the system automatically displays a message box asking whether you want to restart the server. Be sure to select "NO"; pay close attention to this point.

Finally, note that every authoritative restore must be accompanied by a restore of the Sysvol folder, to ensure that Sysvol and Active Directory are consistent.

Here are some authoritative mode commands:
authoritative restore: lists the authoritative mode commands.
restore database: authoritatively restores the entire database.
restore database verinc %: increases the version number.
For the detailed commands, see the Win2000 help files.

Figure: the authoritative restore mode interface.





Copyright © Windows knowledge All Rights Reserved