How to Perform a Nonauthoritative Restore of Active Directory
Restore AD after a domain controller software or hardware failure
A nonauthoritative restore of Active Directory (AD) is the default restore mode for Windows Backup and most third-party backup utilities.
This article applies to Windows Server 2016, Windows Server 2019, and Windows Server 2022
When might a nonauthoritative AD restore be performed?
It is commonly used in cases where there has been a hardware or software failure on the server, or where Active Directory must be restored and then updated by authoritative versions of the AD database running on other domain controllers (DCs) in the forest. Any needed updates to AD on the restored DC are automatically replicated once the restore operation has completed.
Perform a nonauthoritative restore
Log in to the DC that you want to restore with a domain administrator account:
- Open a command prompt using the blue PowerShell icon on the desktop taskbar, or from the Start screen.
- In the PowerShell console window, type bcdedit /set safeboot dsrepair and press Enter.
bcdedit /set safeboot dsrepair- Reboot the server and it will start in Directory Services Restore Mode (DSRM). You can do this quickly from the command prompt by typing shutdown -t 0 –r and pressing Enter.
shutdown -t 0 –rWait a few minutes for the DC to reboot. You can log on locally or remotely, but remember that you will need to supply the DSRM password you set when promoting the server to a DC. The username for DSRM is administrator. If the server is booted in safe mode, ‘safe mode’ will be displayed on the desktop.
- Open a command prompt again using the blue PowerShell icon on the desktop taskbar, or from the Start screen.
- In the PowerShell console, type wbadmin getversions to show the available backups. The latest backup will be shown last in the list. Make a note of the version identifier for the backup you want to use for recovery, as it will be needed in the next step.
wbadmin getversions- Now type wbadmin start systemstaterecovery –version:12/23/2013-10:40 and press Enter, replacing the date and time with the version identifier for the backup that you want to restore.
wbadmin start systemstaterecovery –version:12/23/2013-10:40- Answer Yes when prompted to confirm the restore operation.
- You will be prompted to confirm again, answer Yes.
Wait for the recovery process to finish, it may take some time. You’ll be able to see the progress in the PowerShell console.
- Reboot the system when prompted.
- Log back on using the DSRM password and you’ll see a command prompt dialog confirming that the system state recovery operation completed successfully. Press Enter to continue.
- Open a command prompt again using the blue PowerShell icon on the desktop taskbar, or from the Start screen.
- Type bcdedit /deletevalue safeboot and press Enter to remove the DSRM setting from the boot.ini file.
bcdedit /deletevalue safeboot- Type shutdown –t 0 –r and press Enter to restart the system and boot back to an operational domain controller.
shutdown –t 0 –rFAQs
What are the main differences between nonauthoritative restore Active Directory and authoritative restore?
A nonauthoritative restore Active Directory process allows changes made after the backup to be replicated back to the restored DC, while an authoritative restore forces other DCs to accept the restored data as authoritative, overwriting any newer changes.
Can I perform a nonauthoritative restore Active Directory on multiple domain controllers simultaneously?
It’s not recommended to perform nonauthoritative restore Active Directory on multiple DCs at once, as this could lead to replication conflicts and potential data inconsistencies. Restore one DC at a time to maintain stability.
What happens to Group Policy Objects during a nonauthoritative restore Active Directory process?
During a nonauthoritative restore Active Directory operation, GPOs are restored to their backup state and then automatically updated through replication from other DCs to ensure consistency across the domain.
How long should I wait after a nonauthoritative restore Active Directory before making major AD changes?
After completing a nonauthoritative restore Active Directory, it’s recommended to wait for full replication to occur and verify the DC’s health before making any significant changes, typically 24-48 hours depending on your environment’s size.
What backup frequency is recommended to ensure successful nonauthoritative restore Active Directory operations?
For optimal nonauthoritative restore Active Directory capabilities, implement daily system state backups and maintain at least two weeks of backup history, with additional backups before major AD changes.
Russell Smith, the Editorial Director at Petri IT Knowledgebase, has over two decades of hands-on experience in IT, in both small business settings and government IT infrastructure projects. Russell started writing for Windows IT Pro Magazine in t...
