Error Prevention Techniques for Active Directory Store
To prevent the data in Active Directory and in the solution databases from getting out of sync, administrators must use only the Microsoft Provisioning System (MPS) to make changes to the system.
If entries are erroneously or accidentally removed from the Active Directory store, they must be restored only through MPS or from an Active Directory backup. An entry that is re-created by any other means receives a new globally unique identifier (GUID), which the provisioning system will not recognize as belonging to the deleted entry.
Recovery for Active Directory Store
Entries lost from the Active Directory store must be restored from an Active Directory backup, using an authoritative restore. The authoritative restore feature allows you to select specific objects or subtrees of objects from the archived Active Directory store and restore them to a domain controller. Note that the restored state of these objects is then replicated to the other domain controllers in the domain, overwriting the copies they currently hold.
Authoritative Restore
An authoritative restore is most commonly used to restore corrupt or deleted objects from the directory, for example, a deleted user account. An authoritative restore should not be used to restore an entire domain controller.
An authoritative restore of a subtree or leaf object restores that subtree or leaf and marks it as authoritative for the directory. This means that the restored object will be replicated out to other domain controllers and will be the data that is maintained moving forward. In cases where the object was deleted, it will be revived; in other cases, the object will be returned to a previous state.
It is important to ensure successful recovery of the information being restored. Group membership is particularly sensitive and can be greatly affected by the procedures that are followed during an authoritative restore.
You begin by restoring from backup media, just as in a non-authoritative restore, and then perform additional steps to complete an authoritative restore.
The section entitled "Task: Perform an authoritative restore of one or more directory objects" in Managing the Windows Server Platform: Active Directory Directory Service Product Operations Guide provides detailed steps for an authoritative restore.
The AdRestore Utility
AdRestore is a simple command-line utility that enumerates the deleted objects in a domain and gives you the option of restoring each one.
- To download AdRestore, see AdRestore v1.1.
- To get more information about using AdRestore, see How to restore deleted user accounts and their group memberships in Active Directory.
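As an added check that is not part of the original guide (and is neither MPS nor AdRestore code), the following PowerShell script compares the GUIDs the provisioning system recorded against the live directory and reports, for each account, whether it is intact, was re-created with a new GUID that MPS will not recognize, still exists as a deleted object that AdRestore or Restore-ADObject can revive, or must come from an Active Directory backup. It assumes the ActiveDirectory PowerShell module is available and that the recorded GUIDs are in a CSV with SamAccountName and ObjectGuid columns; the file path is a placeholder.

```powershell
# Added example, not from the original guide. Assumes the ActiveDirectory module
# and a CSV exported from the provisioning records (path is a placeholder).
Import-Module ActiveDirectory

$recorded = Import-Csv -Path 'C:\mps\provisioned-guids.csv'   # columns: SamAccountName,ObjectGuid

foreach ($row in $recorded) {
    $expected = [guid]$row.ObjectGuid
    $live = Get-ADUser -Filter "sAMAccountName -eq '$($row.SamAccountName)'" -ErrorAction SilentlyContinue

    if ($null -eq $live) {
        # Not in the live directory: look for the deleted object by the recorded GUID.
        # A tombstone keeps the original objectGUID, so reviving it preserves the MPS mapping.
        $tomb = Get-ADObject -Identity $expected -IncludeDeletedObjects -ErrorAction SilentlyContinue
        if ($tomb -and $tomb.Deleted) {
            Write-Output "DELETED  $($row.SamAccountName): deleted object still present; revive it (AdRestore or Restore-ADObject) or use an authoritative restore. Do not re-create it."
        } else {
            Write-Output "MISSING  $($row.SamAccountName): no deleted object found; restore it from an Active Directory backup."
        }
    } elseif ($live.ObjectGUID -ne $expected) {
        # Same name but a different GUID: the account was re-created outside MPS,
        # so the provisioning system will not recognize it.
        Write-Output "MISMATCH $($row.SamAccountName): live GUID $($live.ObjectGUID) differs from recorded $expected."
    } else {
        Write-Output "OK       $($row.SamAccountName)"
    }
}
```

Run it from a domain-joined host with read access to the Deleted Objects container; MISMATCH lines are the accounts that need to be corrected through MPS rather than edited by hand.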