Jump to content

Authoritative AD restore

Recommended Posts

RS for SBS Premium, 7.0.301, Update


I need to restore AD on this SBS2003 R2 SP2 machine to a previous backup.


This is the only DC in the domain. Therefore according to the message in the FRS log (NTFRS ID 13555), that means I need to restore AD "and choose the Advanced option [in NTBACKUP] which marks the sysvols as primary". In other words, an authoritative restore.


I don't see an option for that in the RS UI, in the Help file, or on the KB.


I took a deep breath and did the restore anyway. I ran the restore in Normal Mode, selecting the option to "Rollback the registry and System State..." After the restore, I rebooted Normal mode, let RS Helper run, then booted into DS Restore Mode and let RS Helper run. In both cases, RS Helper reported a successful restore.


However, while I believe the restore pre-dated the problem, the problem remains. So my sequence, or making it an authoritative restore, is/are what I'm missing.


So I have 2 questions for this critical but [color:red]horrendously[/color] underdocumented procedure:


1. Was my sequence correct--run Restore in Normal Mode, reboot to Normal Mode and let RS Helper run, then reboot to DS Restore Mode and let RS Helper Run, then reboot Normal Mode?


2. How do I make the AD restore Authoritative with RS? Do I use NTDSUTIL after the fact as described in http://support.microsoft.com/kb/241594?

Link to comment
Share on other sites

You have done the restore using the correct steps available in Retrospect and it sounds like the helper service finished that restore process as it was designed.


You may need to use the MS processes to do the additional steps required for your environment.

Link to comment
Share on other sites

Thanks for your reply, Robin.


Instructions for an AD authoritative restore vary by backup software vendor. I shouldn't be reading speculation that I "may need to use the MS processes".


EMC should be able to furnish a step-by-step procedure that is at least as well-documented as Microsoft's for NTBACKUP. Or any other backup vendor's documentation, for that matter.


Please reply with tested, step-by-step documentation for performing an authoritative AD restore.



Link to comment
Share on other sites

Thinking about this a bit more...are you certain my sequence was correct?


Windows is pretty picky about System State and AD restores. All the data has to be backed up and restored at the same instant. Since I booted Normal mode first, and RS Helper ran, it would then have restored all of System State EXCEPT AD. As soon as it was done, some elements of the non-AD System State would change.


When I later booted DS Restore mode and RS Helper restored AD, the previously restored portions of System State could not possibly match AD's state during backup.


So I'm wondering if my first move after restoring should be booting DS Restore mode, and have ALL of the System State restored by RS Helper simultaneously.


I'm also wondering if RS itself will run in DS Restore mode. IIRC, doing the Restore in DS Restore mode is how NTBACKUP works.


Again, please reply with accurate, tested, step-by-step instructions for authoritatively restoring AD with RS 7 on a single-DC, WS2003 domain.

Edited by Guest
Link to comment
Share on other sites

Retrospect Support: Bump.



You may be misinformed. These forums are user-to-user support. See the Forum Guidelines:

Retrospect Forum Rules


Here is how to contact support:

Contact Retrospect Support


As for your problem, we use Retrospect to back up our Unix installation, and we used standard Unix tools for the various databases (Open Directory, Cyrus mail, etc.) to checkpoint them and then back up those files using Retrospect. You may need to do the same. It sounds like you are expecting a cookbook procedure, which really isn't possible considering the various differences between installations. Any entry-level admin who can read a manual ought to be able to figure out what you are trying to do.



Link to comment
Share on other sites

I can read a manual. And I have.




RS support should be able to point me to a KB article or other resource describing autoritative AD restore.


Microsoft has documented it. And they'd answer online in their support boards. Or if they didn't an MVP would.


Symantec has documented it. And they'd answer it online in their support boards. Or if they didn't a TA would.


And then there's EMC and their support boards. "Well, maybe you should try this..."


Followed by a user contribution: "EMC isn't obligated to tell you anything", and, "But you can open a paid support incident", and, "We'll tease you with ONE world-class Knowledge Base article that purports to tell you how to do this, but in the end, we're not really gonna tell you."


I'd be THRILLED to accept user support from a user who knows how to do it. But my searches here come up with QUESTIONS about this from users, but NO ANSWERS.


The second link is really ironic...it contains a link to "our world-class knowledge base".


Go ahead: Search on exact phrase "Active Directory". It leads you to this promising title, "How to restore Active Directory with Retrospect". But the link is about how to restore the Registry, and the only reference to restoring AD is the last sentence, telling me I have to restore the Registry if I want to restore AD. I already know more about AD restore with RS than that article tells me!


Retrospect CLAIMS to support backup and restore of AD but does not back up those claims with documentation as to how to do it.


I will likely invest the time and money in an EMC support incident, as it is becoming clear I have no choice. EMC has me right where they want me: They've backed up my data (at least they say they have...that remains to be seen), but if I want to restore it, I can either guess the answer (and so far I haven't), or they will hold the answer hostage for the price of a support incident. Good thing it's not urgent; I have to do this, but AD is working in the interim. So I have time on my side.


Time that would be adequate for a good, well-run, vendor-sponsored support board to solve my problem.

Link to comment
Share on other sites

I agree with you that there support team is not that good.


I have done AD restore this way from scratch:


1. reinstall OS with latest SP og patches

2. do a normal restore

3. reboot and choose AD restore mode when pressing F8


then the Retrospect helper service will restore the AD database successfully.




Link to comment
Share on other sites

The directions from Robert are exactly what is documented and what is available in Retrospect. No additional restore features exist to change how AD is restored.


How Retrospect works for restores is also documented in the User's Guide. Retrospect has no special features for authoritative restore. We have not documented authoritative restore because we don't have added steps for that process.

Link to comment
Share on other sites

@Robert: Finally...a credible, useful response!


I'll be using the same OS installation on the same machine, just restoring System State. But I get the principle. Thanks Robert!


@Robin: Robert's response is different from yours. What you told me was that what I did, as described in my original post, was correct. And it was not; I later speculated about that but received no response until now.


But WHERE is AD restore documented in the User's Guide? It has a picture of the dialog box but mentions nothing about booting to DS Restore Mode immediately after the restore. Since the "Retrospect Helper" post-restore process is unique to Retrospect, don't you think that ought to be mentionned SOMEWHERE???


I don't believe I will need an Authoritative Restore because this is the only DC in the domain. My speculation was that since the restore I did was not effective, that perhaps that was what I needed. It may yet turn out to be, but I don't think so.


Regardless...other backup vendors fully document authoritative restores, even though their product is not responsible for making the restore authoritative. The sequence IS important and ONLY the backup vendor can tell us what that sequence is.


Retrospect has THE BEST catalog database, but its documentation is very poor, especially considering the mission-critical functionality the software provides. And we both know this is not the first time that's been observed here.


If you believe your documentation is adequate, you would do well to compare it to your competitors' documentation.


Because your customers certainly are.

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

  • Create New...