In this case, a domain controller has failed, and you need to restore Active Directory on it from backup before allowing normal replication from its surviving replication partners to bring the restored copy of the directory up to date with the changes made since the backup was taken.

Note that this is different from the case where a single object or a collection of objects has been deleted from an otherwise healthy directory. In that case you would perform an authoritative restore, which marks only the restored objects as authoritative so that they replicate back out to the other domain controllers instead of being deleted again by the next replication cycle.

Prevention

The only backup type available and supported for Active Directory is a normal backup, because Active Directory is backed up as part of the system state, and the system state cannot be backed up incrementally or differentially. A normal backup captures the entire system state (on a domain controller this includes the Active Directory database and log files, SYSVOL, the registry and the boot files) while the domain controller remains online.

For every Active Directory domain, you can define a backup set composed of the physical domain controllers that would be required to successfully restore the domain. The collection of domain backup sets ensures that a forest restore operation can be performed.

At a minimum, the backup set should include at least two domain controllers for each domain and, for each application directory partition, at least one domain controller that holds a replica of that partition.

For each domain controller in the set, the backup must contain both the system state and the system disk, and at least one domain controller in the set must be a global catalog server.

If you are using Active Directory-integrated DNS, also include at least one domain controller that runs the DNS Server service, so that name resolution (including the SRV records domain controllers use to locate each other) can be recovered together with the directory.
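The following PowerShell script is an added example, not code from the original article or from Microsoft: it first inventories the domain controllers in the forest (domain, site, global catalog flag and application directory partitions held) so that a backup set meeting the requirements above can be chosen, and then takes a normal system state plus system disk backup with ntbackup.exe. It assumes a Windows Server 2003 domain controller with ntbackup.exe, PowerShell 2.0 or later, an account that can read the Configuration partition, and placeholder names for the backup location, job name and selection file.

```powershell
# Added example (not from the original article). Inventory the forest's domain
# controllers for backup-set planning, then take a normal system state + system disk
# backup with ntbackup.exe. 'D:\Backups' and the job name are placeholders.

function Get-DcBackupSetInventory {
    $rootDse  = [ADSI]"LDAP://RootDSE"
    $configNc = [string]$rootDse.configurationNamingContext
    $schemaNc = [string]$rootDse.schemaNamingContext

    # Domain partitions are the crossRef objects with FLAG_CR_NTDS_DOMAIN (0x2) set
    # (1.2.840.113556.1.4.803 is the LDAP bitwise-AND matching rule).
    $crSearch = New-Object System.DirectoryServices.DirectorySearcher
    $crSearch.SearchRoot = [ADSI]"LDAP://CN=Partitions,$configNc"
    $crSearch.Filter = "(&(objectClass=crossRef)(systemFlags:1.2.840.113556.1.4.803:=2))"
    [void]$crSearch.PropertiesToLoad.Add("nCName")
    $domainNcs = @($crSearch.FindAll() | ForEach-Object { [string]$_.Properties["ncname"][0] })

    # Every NTDS Settings (nTDSDSA) object in the Configuration partition is one DC.
    $dsaSearch = New-Object System.DirectoryServices.DirectorySearcher
    $dsaSearch.SearchRoot = [ADSI]"LDAP://$configNc"
    $dsaSearch.Filter = "(objectClass=nTDSDSA)"
    $dsaSearch.PageSize = 500
    [void]$dsaSearch.PropertiesToLoad.AddRange(@("distinguishedName", "options", "msDS-hasMasterNCs"))

    foreach ($dsa in $dsaSearch.FindAll()) {
        $dn = [string]$dsa.Properties["distinguishedname"][0]
        # DN shape: CN=NTDS Settings,CN=<server>,CN=Servers,CN=<site>,CN=Sites,...
        $parts  = $dn -split ","
        $server = $parts[1] -replace "^CN=", ""
        $site   = $parts[3] -replace "^CN=", ""
        $options = 0
        if ($dsa.Properties["options"].Count -gt 0) { $options = [int]$dsa.Properties["options"][0] }
        # msDS-hasMasterNCs (Windows Server 2003 schema) lists every writable partition on
        # the DC; remove schema, configuration and domain partitions and the remainder
        # are application directory partitions.
        $writable = @($dsa.Properties["msds-hasmasterncs"] | ForEach-Object { [string]$_ })
        $domain   = $writable | Where-Object { $domainNcs -contains $_ } | Select-Object -First 1
        $appNcs   = $writable | Where-Object { $_ -ne $schemaNc -and $_ -ne $configNc -and ($domainNcs -notcontains $_) }

        New-Object PSObject -Property @{
            Server                = $server
            Site                  = $site
            Domain                = $domain
            IsGlobalCatalog       = (($options -band 1) -eq 1)   # NTDSDSA_OPT_IS_GC
            ApplicationPartitions = @($appNcs)
        }
    }
}

function Invoke-DcNormalBackup {
    param(
        [string]$BackupRoot  = "D:\Backups",      # placeholder location
        [string]$SystemDrive = $env:SystemDrive   # e.g. C:
    )
    $stamp      = Get-Date -Format "yyyyMMdd-HHmm"
    $backupFile = Join-Path $BackupRoot "$($env:COMPUTERNAME)-$stamp.bkf"

    # ntbackup selection files (.bks) must be Unicode text, one selection per line.
    # The system disk goes in the file; system state is selected with the keyword below.
    $bks = Join-Path $env:TEMP "dc-backup.bks"
    "$SystemDrive\" | Out-File -FilePath $bks -Encoding Unicode

    # /m normal is the only backup type valid for system state; /v:yes verifies the set
    # after writing; /l:s writes a summary report log.
    $ntbArgs = "backup systemstate `"@$bks`" /j `"DC backup $env:COMPUTERNAME`" /f `"$backupFile`" /m normal /v:yes /l:s"
    # ntbackup.exe is a GUI-subsystem program, so wait for it explicitly.
    $proc = Start-Process -FilePath "ntbackup.exe" -ArgumentList $ntbArgs -Wait -PassThru
    if (-not (Test-Path $backupFile)) {
        throw "ntbackup did not produce $backupFile (exit code $($proc.ExitCode)); check the NTBackup report log."
    }
    # The file's timestamp is what you compare against the tombstone lifetime later.
    Get-Item $backupFile
}

# Usage: list candidates for the backup set, then back up this domain controller.
Get-DcBackupSetInventory | Format-Table Server, Site, Domain, IsGlobalCatalog, ApplicationPartitions -AutoSize
Invoke-DcNormalBackup -BackupRoot "D:\Backups"
```

The inventory is what you use to pick the set: two servers per domain, every application partition covered by at least one server in the set, and at least one server with IsGlobalCatalog set. Run the backup function on each domain controller you chose; the .bkf timestamp is the backup time you will need to check before any restore.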

Recovery

A non-authoritative restore allows the entire directory to be restored on a domain controller, without reintroducing or changing objects that have been modified since the backup. The most common use of a non-authoritative restore is to bring an entire domain controller back, often after catastrophic or debilitating hardware failures. It is uncommon for data corruption to drive a non-authoritative restore, unless the corruption is local and the database cannot be successfully loaded.

A non-authoritative restore is the default method for restoring Active Directory. To perform a non-authoritative restore, you must be able to start the domain controller in Directory Services Restore Mode (press F8 during startup and choose it from the boot menu). The backup must also be younger than the forest's tombstone lifetime (60 days by default; 180 days in forests created with Windows Server 2003 SP1 or later), because a domain controller restored from an older backup would never learn about deletions whose tombstones the other domain controllers have already garbage-collected, leaving it with lingering objects. After you restore the domain controller from backup media, its replication partners use the standard replication protocols to bring Active Directory and the associated information (such as SYSVOL) on the restored domain controller up to date.

If you cannot restart a domain controller in Directory Services Restore Mode, you can restore it through reinstallation of the operating system, and subsequently restore Active Directory from backup.

In order for the restore operation to succeed, Microsoft Windows Server 2003 must be reinstalled to the same drive letter as before and with at least as much disk space as the original installation. After you reinstall Windows Server 2003, perform a non-authoritative restore of the system state and the system disk.
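The following PowerShell script is an added example, not code from the original article or from Microsoft, covering two checks around the non-authoritative restore described above: before restoring, it confirms the backup is younger than the forest's tombstone lifetime read from a surviving domain controller; after the restored domain controller is back online, it triggers replication and checks the result. It assumes PowerShell 2.0 or later, a reachable surviving domain controller (placeholder name DC2), the restored domain controller's name (placeholder DC1), a placeholder backup file path, and repadmin.exe and dcdiag.exe from the Windows Server 2003 Support Tools.

```powershell
# Added example (not from the original article). Pre-restore tombstone-lifetime check
# and post-restore replication check. DC1, DC2 and the backup path are placeholders.

function Get-TombstoneLifetimeDays {
    param([string]$SurvivingDc)
    $rootDse  = [ADSI]"LDAP://$SurvivingDc/RootDSE"
    $configNc = [string]$rootDse.configurationNamingContext
    $dsObject = [ADSI]"LDAP://$SurvivingDc/CN=Directory Service,CN=Windows NT,CN=Services,$configNc"
    $value = [string]$dsObject.tombstoneLifetime
    if ($value -eq "") {
        # Attribute not set: the built-in default of 60 days applies. Forests created with
        # Windows Server 2003 SP1 or later have it set explicitly (180 days).
        return 60
    }
    return [int]$value
}

function Test-BackupWithinTombstoneLifetime {
    param(
        [datetime]$BackupTime,
        [int]$TombstoneLifetimeDays,
        [int]$SafetyMarginDays = 1
    )
    # A backup older than the tombstone lifetime reintroduces objects whose deletions the
    # rest of the forest has already garbage-collected (lingering objects), so refuse
    # anything that is not comfortably inside the window.
    $ageDays = ((Get-Date) - $BackupTime).TotalDays
    return (($ageDays + $SafetyMarginDays) -lt $TombstoneLifetimeDays)
}

function Test-PostRestoreReplication {
    param([string]$RestoredDc)
    # Pull from every partner for every partition (/A = all partitions, /e = include
    # partners in other sites), then show inbound replication status.
    & repadmin /syncall $RestoredDc /A /e | Out-Host
    & repadmin /showrepl $RestoredDc | Out-Host
    # dcdiag reports "<dc> passed test Replications" or "<dc> failed test Replications".
    $report = & dcdiag /s:$RestoredDc /test:replications
    $report | Out-Host
    return (-not ($report -match "failed test"))
}

# Usage, step 1 (from any working machine in the forest, before touching DC1):
$tsl    = Get-TombstoneLifetimeDays -SurvivingDc "DC2"
$backup = Get-Item "D:\Backups\DC1-20040301-0200.bkf"   # placeholder backup file
if (-not (Test-BackupWithinTombstoneLifetime -BackupTime $backup.LastWriteTime -TombstoneLifetimeDays $tsl)) {
    throw "Backup is too old for the $tsl-day tombstone lifetime; do not restore it."
}
# Step 2: start DC1 in Directory Services Restore Mode and restore the system state and
# system disk from the backup with ntbackup (restore is done from the ntbackup GUI).
# Step 3 (after DC1 has rebooted normally):
# Test-PostRestoreReplication -RestoredDc "DC1"
```

The tombstone-lifetime check reads the attribute from a surviving domain controller rather than from the failed one, since the failed one is by definition unavailable; the post-restore check is only meaningful once the restored domain controller has been rebooted out of Directory Services Restore Mode and can reach its partners.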

For more information, see Process: Non-authoritative Restore of Active Directory.