What is the difference between an Authoritative and Non-Authoritative restore of an active directory?

Article:TECH124230  |  Created: 2004-01-17  |  Updated: 2014-01-08  |  Article URL http://www.symantec.com/docs/TECH124230
Article Type
Technical Solution





In environments with multiple domain controllers (DCs) providing fault tolerance, there are two ways to restore the Active Directory.

Note: To restore the active directory, the System State for Windows 2000 Servers and Shadow Copy Components for Windows 2003 Servers must be backed up in addition to System Partition <root> hosting the operating system. The system directories on the servers such as C:\winnt or C:\Windows must also be backed up regularly.

The default method of restoring an Active Directory is Non-Authoritative. This method restores the Active Directory to the server in question, which then receives all of the recent updates from its replication partners in the domain. For example, a server that has a System State backup from two days ago goes down. A restore of the two-day-old Active Directory would be performed, and it would then be updated from the other domain controllers when the next replication takes place. No other steps would be required.

The second method of restoring an Active Directory is an Authoritative restore. This method restores the DC's directory to the state it was in when the backup was made, then overwrites all the other DCs to match the restored DC, thereby removing any changes made since the backup. An Authoritative restore does not have to cover the entire directory; only parts of the directory can be restored. When only part of the Active Directory is restored, say an organizational unit, that part is pushed out to the remaining DCs and overwrites their copy. The rest of the directory's information, however, is then replicated from the other DCs back to the restored DC, which is updated accordingly.

An example of when an Authoritative restore would be used is when an organizational unit is deleted but everything else in the Active Directory is working as required. A good backup of the Active Directory is available, and it is decided to restore just this organizational unit authoritatively. This ensures that it will not be deleted again, as it overwrites all other DCs, while the rest of the restored DC's directory is updated from its replication partners.

If the environment only has a single domain controller, then there is never a reason to perform an authoritative restore as there are no replication partners.
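The replication behaviour described above, as an added example that is not from the original article: a small Python model of attribute version conflict resolution, assuming the standard rule that the higher version number wins when two DCs disagree, and that an authoritative restore raises the versions of only the marked subtree (the 100,000-per-day figure used here is an assumption). It shows a deleted OU being deleted again after a non-authoritative restore, surviving an authoritative restore of just that OU, and a change made elsewhere since the backup still replicating back to the restored DC.

```python
# Constructed model: a directory is {dn: {attribute: (value, version)}}.
VERSION_BUMP_PER_DAY = 100_000  # assumed bump applied by an authoritative restore

def replicate(src, dst):
    """One-way replication: for each attribute the higher version number wins."""
    for dn, attrs in src.items():
        dst_attrs = dst.setdefault(dn, {})
        for name, (value, version) in attrs.items():
            if name not in dst_attrs or version > dst_attrs[name][1]:
                dst_attrs[name] = (value, version)

def sync(a, b):
    """Two-way replication between partners, as after a restored DC rejoins."""
    replicate(a, b)
    replicate(b, a)

def backup_state():
    """Constructed directory as captured in a two-day-old System State backup."""
    return {
        "OU=Sales,DC=example,DC=test": {"isDeleted": ("FALSE", 1)},
        "CN=alice,OU=Sales,DC=example,DC=test": {"isDeleted": ("FALSE", 1), "title": ("Rep", 1)},
        "CN=bob,OU=IT,DC=example,DC=test": {"isDeleted": ("FALSE", 1), "title": ("Admin", 1)},
    }

def current_state():
    """Partner DC today: the Sales OU was deleted and bob's title was changed."""
    s = backup_state()
    s["OU=Sales,DC=example,DC=test"]["isDeleted"] = ("TRUE", 2)
    s["CN=alice,OU=Sales,DC=example,DC=test"]["isDeleted"] = ("TRUE", 2)
    s["CN=bob,OU=IT,DC=example,DC=test"]["title"] = ("Senior Admin", 2)
    return s

def non_authoritative_restore():
    """Restore from backup, then let the partner's newer versions win everywhere."""
    restored, partner = backup_state(), current_state()
    sync(partner, restored)
    return restored  # the deletion replicates back: the OU is gone again

def authoritative_restore(subtree, days_old=2):
    """Restore from backup, bump versions inside the marked subtree only, then sync."""
    restored, partner = backup_state(), current_state()
    for dn, attrs in restored.items():
        if dn.endswith(subtree):  # only the restored OU and its children are marked
            for name, (value, version) in attrs.items():
                attrs[name] = (value, version + VERSION_BUMP_PER_DAY * days_old)
    sync(partner, restored)
    return restored, partner  # the OU wins on both DCs; bob's new title still flows back
```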


