BE2012 - Active Directory Authoritative Restore

jpk
Level 4

Hello all,

I'm attempting to restore an OU back to one of my DCs using BE2012. I've started my DC in directory restore mode so it should be ready to accept the changes. I created the restore job, selected the OU and the objects contained within it, and all seems to go well. However, my job completes successfully with 0 bytes and 1 folder restored. When I restart the DC, the recovered OU is not there.

My backup job is configured as follows:

System State -> Selected OU
Restore to original location
Restore over existing files
Restore with NTFS permissions
Mark this server as the primary arbitrator...
Yes, recreate deleted objects that cannot be restored from the ADO container
I changed the credentials so that BE is logging into the server using a local admin account on the server due to it being in restore mode

Am I missing something here? Is there any good documentation on how to perform a GRT restore of AD?

Thanks in advance,

Josh


VJware
Level 6
Employee Accredited Certified

Have a look at this KB - http://www.symantec.com/business/support/index?page=content&id=TECH86323

Specifically from this section onwards -

" For Authoritative Restore continue to follow Step 12 onwards. "

Colin_Weaver
Moderator
Moderator
Employee Accredited Certified

Slight concern. Authoritative Restore is usually applied when you are restoring the whole of AD/the System State to the server. If you are selecting an OU, does that mean you are attempting a Granular Restore of only part of AD?

If yes, then you should not need to boot the DC up into a special mode to do the restore (assuming you backed up with GRT enabled and have the ADRA license).

If no, and you really are trying to perform an authoritative restore, then I believe you have to make use of NTDSUTIL after the restore operation.


jpk
Level 4

First off, thank you both for taking the time to respond.

Something (or someone) happened to our AD environment where 2 OUs and several group objects were deleted out of AD. I'm attempting to recover those objects.

It is my understanding that in order to get those objects to replicate back to the other DCs, I need to authoritatively restore those objects back to one of my DCs and mark those subtrees as current (using NTDSUTIL, as VJware pointed out).

The non-authoritative would be if one of my DCs puked and I wanted to get the A.D. back to where it held most of the data. From there, the other DCs would update it to current. Please correct me if that's wrong. If I were to simply do a non-authoritative, the restored objects would be out of date and the current DCs would overwrite them with what's contained in their sysvol. That is, unless Backup Exec is going in and manipulating the A.D. as if it's creating the objects as BRAND NEW using the OLD data.

Even if I'm doing this wrong and was unintentionally causing myself more problems, the bigger issue is that BE doesn't appear to restore any data to the server. It successfully completes the job but says it restored 0 bytes, 0 files, 1 folder. So right now I don't have much confidence that I would be able to accomplish this if I were to need to do this during a complete disaster!

When I go into NTDSUTIL and try to make the subtree an authoritative object, it says it cannot find it. That's why I'm assuming the restore isn't actually doing anything.

Sadly, I've opened a case with Symantec on this and have made no progress whatsoever. The call-back that was promised to occur within the next 40 minutes never happened. I specifically came to the forum first because of my extreme distaste for dealing with tech support!!

----------------------------------------------
You had me questioning myself, so I did some quick looking online and I found several articles saying the following:

Non-Authoritative Restoration

Used most commonly in cases when a DC needs to be restored due to hardware or software related reasons. This is the default directory services restore mode selection. In this mode, the operating system restores the domain controller’s contents from the backup. After this, the domain controller then receives all directory changes that have been made since the backup from the other domain controllers in the network through replication.

Authoritative Restoration

An authoritative restore is most commonly used in cases in which a change was made within the directory that must be reversed, such as deleting an organizational unit (OU) by mistake. This process restores the DC from the backup and then replicates to and overwrites all other domain controllers in the network to match the restored DC. The especially valuable thing about this is that you can choose to only make certain objects within the directory authoritative. For example, if you delete an OU by mistake you can choose to make it authoritative. This will replicate the deleted OU back to all of the other DCs in the network and then use all of the other information from these other DCs to update the newly restored server back up to date.

Colin_Weaver
Moderator
Moderator
Employee Accredited Certified

Your research above is based on pure Microsoft Theory which requires a complete restore of Active Directory to one of your DCs

Microsoft theory however does not take into account that Backup Exec has a Granular Restore (GRT) capability to bring back individual objects with a new time stamp (which in effect forces that object to replicate back out to other controllers.)

As such you should probably do some searches (or read the BE admin guide) for either

Backup Exec AD GRT Restore

or

Backup Exec AD Granular Recovery


As you should not reboot your DC into a special mode to use GRT I am wondering if it is this step that is then causing you to not see a restore result.
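A post-restore check for the situation described in this thread (a job that "completes" with 0 bytes and an OU that NTDSUTIL then cannot find), and for the replication-by-new-timestamp behaviour Colin describes. This is an added example, not code from the thread or from Backup Exec; it assumes the RSAT ActiveDirectory module, a domain admin session, DCs booted normally (not in directory services restore mode), and the placeholder OU DN and DC name shown.

```powershell
# Added example: verify that a recovered OU actually landed on the restoring DC
# and has replicated outward. Assumes RSAT ActiveDirectory module, domain admin rights,
# and DCs booted normally. The OU DN and DC name are placeholders; replace them.
Import-Module ActiveDirectory

$OuDn      = 'OU=RecoveredOU,DC=example,DC=local'   # placeholder: OU you restored
$RestoreDc = 'dc01.example.local'                   # placeholder: DC you restored to

function Get-OuRestoreStatus {
    param([string]$Dn, [string]$Server)
    # Leaf name of the OU, used to spot its tombstone in Deleted Objects.
    $ouName = ($Dn -split ',')[0] -replace '^OU=', ''
    try {
        $ou = Get-ADObject -Identity $Dn -Server $Server -Properties whenChanged -ErrorAction Stop
        # Everything under the OU; Subtree scope includes the OU itself, hence the -1.
        $children = @(Get-ADObject -SearchBase $Dn -SearchScope Subtree -Filter * -Server $Server)
        [pscustomobject]@{
            Server = $Server; State = 'Live'
            WhenChanged = $ou.whenChanged; Objects = $children.Count - 1
        }
    }
    catch [Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException] {
        # Not live on this DC. If it is still a tombstone (Name like "RecoveredOU\0ADEL:<guid>"),
        # the restore never wrote it back, which is why ntdsutil cannot find the subtree.
        $dead = Get-ADObject -Server $Server -IncludeDeletedObjects -Filter { isDeleted -eq $true } |
                Where-Object { $_.Name -like "$ouName*" }
        $state = if ($dead) { 'Tombstoned (restore did not land)' } else { 'Absent' }
        [pscustomobject]@{ Server = $Server; State = $state; WhenChanged = $null; Objects = 0 }
    }
}

# Query the restoring DC first, then every other DC. A live OU with a fresh whenChanged on
# all DCs confirms the GRT restore replicated; Live only on $RestoreDc means it has not yet.
$dcs = @($RestoreDc) + @((Get-ADDomainController -Filter *).HostName | Where-Object { $_ -ne $RestoreDc })
$dcs | ForEach-Object { Get-OuRestoreStatus -Dn $OuDn -Server $_ } | Format-Table -AutoSize
```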

jpk
Level 4

Your sticking to your guns paid off. I went back and did a non-authoritative restore to the DC and it was successful. I swear I did this before, but I was certainly concentrating on restoring the other way. It appears the objects are back in their original state... Thank you.

This is exactly why I posted the question to the community.  Symantec should make their tech support free and charge for access to the community forums.