In a catastrophic event where all domain controllers in the solution are lost, and the only backup of the Active Directory directory service data is in the backup images, the restore process must restore each failed server in turn. This process must be performed with recent backups for all domain controllers in the solution. It will recover the Microsoft Windows Server 2003 server operating system configuration; Active Directory, including database and registry settings; and the File Replication Service.

The restoration of a domain controller can be performed in one of two ways: with a non-authoritative or an authoritative restore.

Non-Authoritative Restore

Non-authoritative is the default Active Directory restoration method and is the one that the Windows Server 2003 Backup tool will perform. It restores the target server to the exact state captured in the backup image. In particular, it makes no changes to the internal version numbers that Active Directory uses to track all changes to the database and to support replication. As a result, any objects that exist in the Active Directory infrastructure with more recent version numbers will eventually update the restored server.

For more information about this tool, see the Backup Technical Reference.

Authoritative Restore

An authoritative restore offers the ability to increment the version number of the attributes of all objects in the entire directory. This makes the associated data authoritative in the Active Directory infrastructure: replication will in general update any other existing domain controllers from the restored computer's database. Note that the only tool that supports authoritative restoration is the Ntdsutil tool; neither the Windows Server 2003 Backup tool nor third-party tools will perform this type of restore.

This capability was created to assist in the restoration of the database to a known good copy. In other words, it allows an administrator to compensate for human error, such as accidental deletion of objects, among other potential events.

Because the only case in which you would restore a domain controller from the backup image is when all domain controllers have been lost, authoritative restores should not be needed to recover from domain controller failure.
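The difference between the two restore types comes down to how version numbers are compared during replication. The following Python sketch is an added example, not part of the original documentation: it models that comparison with a constructed object, a constructed increment value, and hypothetical function names, and it leaves out the tie-breakers that real replication applies when version numbers are equal.

```python
from dataclasses import dataclass

VERSION_BUMP = 100_000  # constructed increment for this model (assumption)

@dataclass(frozen=True)
class Attr:
    value: str
    version: int  # raised on every originating write to this attribute

def replicate(a, b):
    """Converge two replicas: per attribute, the higher version number wins.
    Simplified model: tie-breakers for equal versions are not represented."""
    for key in set(a) | set(b):
        winner = max((r[key] for r in (a, b) if key in r),
                     key=lambda attr: attr.version)
        a[key] = b[key] = winner

def non_authoritative_restore(backup):
    """Return the replica exactly as captured; version numbers are untouched."""
    return dict(backup)

def authoritative_restore(backup, bump=VERSION_BUMP):
    """Return the backed-up replica with every attribute version raised, so
    the restored data outranks anything written since the backup."""
    return {k: Attr(v.value, v.version + bump) for k, v in backup.items()}

def scenario(restore):
    """Restore one domain controller from backup, replicate with a partner
    that changed the object after the backup, and return both final values."""
    key = ("CN=Alice,OU=Staff,DC=example,DC=com", "description")  # constructed
    backup = {key: Attr("Finance analyst", 2)}        # state in the backup image
    partner = {key: Attr("changed after backup", 3)}  # later write on a partner
    restored = restore(backup)
    replicate(restored, partner)
    return restored[key].value, partner[key].value

if __name__ == "__main__":
    # Non-authoritative: the partner's newer version overwrites the restore.
    print("non-authoritative:", scenario(non_authoritative_restore))
    # Authoritative: the raised version makes the backup data win everywhere.
    print("authoritative:    ", scenario(authoritative_restore))
```

In the non-authoritative case the restored server ends up with the partner's later change; in the authoritative case the partner is overwritten with the backed-up value, which is why an authoritative restore is only appropriate when the backup is the known good copy.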

Active Directory Diagnostic Tool (Ntdsutil.exe): Ntdsutil.exe is a command-line tool that provides management facilities and database maintenance in Active Directory. This tool is intended to be used by experienced administrators. By default, Ntdsutil is installed in the Winnt\System32 folder.

For general information on using NTDSUTIL for an authoritative restore, see the Backup Technical Reference.