Windows 2008 DSRM

Here are the recovery scenario's

If you need to do a full database recovery then you need to boot into DSRM,
restore Active Directory, do an authoritative restore and reboot

If you need to recover and object on a dc, then from a dc with the object
still available (Lag site is one option). Stop Directory Services, perform
the authoritative restore and restart Directory Services. No reboot
required

A very detailed article in the link below:
http://technet.microsoft.com/en-us/l...14(WS.10).aspx


Thx
Laura, Meinolf, Dmitri and Guido

--
Paul Bergson
MVP - Directory Services
MCTS, MCT, MCSE, MCSA, Security+, BS CSci
2008, 2003, 2000 (Early Achiever), NT4
Microsoft's Thrive IT Pro of the Month - June 2009

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup This
posting is provided "AS IS" with no warranties, and confers no rights.

"sawyer" <> wrote in message
news:12E6B88B-E290-4A63-9D3B-...
> Thank you
>
> "Paul Bergson [MVP-DS]" <pbbergs@no_spammsn.com> wrote in message
> news:uc$...
>> Hold on, I'm waiting on confirmation from some sources and will give you
>> the feedback when I get it.
>>
>> --
>> Paul Bergson
>> MVP - Directory Services
>> MCTS, MCT, MCSE, MCSA, Security+, BS CSci
>> 2008, 2003, 2000 (Early Achiever), NT4
>> Microsoft's Thrive IT Pro of the Month - June 2009
>>
>> http://www.pbbergs.com
>>
>> Please no e-mails, any questions should be posted in the NewsGroup This
>> posting is provided "AS IS" with no warranties, and confers no rights.
>>
>> "sawyer" <> wrote in message
>> news:118AD2F4-83FA-4B0C-9674-...
>>> Im actually doing the authoritative restore using wbadmin and restoring
>>> from a local backup on a separate disk in the server, so the restore is
>>> not from tape (not sure if that makes a difference or not?) Its still
>>> not clear to me why I am having to reboot the server into DSRM to
>>> perform the authoritative restore? again according to the documentation
>>> I shouldn't have to do this, all I should have to do is stop AD DS and
>>> then perform the authoritative restore. I can understand having to do a
>>> reboot once the restore is done, but I shouldt have to reboot to get
>>> into DSRM in the first place.
>>>
>>> Am I missing something here? I have read the reply's to my post and you
>>> guys know your stuff, but I don't think my question has been answered?
>>>
>>> "Paul Bergson [MVP-DS]" <pbbergs@no_spammsn.com> wrote in message
>>> news:...
>>>> The reason you go into DSRM is to stop AD, which you can now do via a
>>>> service within in 2008 and beyond.
>>>>
>>>> --
>>>> Paul Bergson
>>>> MVP - Directory Services
>>>> MCTS, MCT, MCSE, MCSA, Security+, BS CSci
>>>> 2008, 2003, 2000 (Early Achiever), NT4
>>>> Microsoft's Thrive IT Pro of the Month - June 2009
>>>>
>>>> http://www.pbbergs.com
>>>>
>>>> Please no e-mails, any questions should be posted in the NewsGroup This
>>>> posting is provided "AS IS" with no warranties, and confers no rights.
>>>>
>>>> "sawyer" <> wrote in message
>>>> news:uy%...
>>>>>I can understand rebooting after the authoritative restore is done, but
>>>>>my question was regarding having to reboot the DC into DSRM in order to
>>>>>perform the authoritative restore. According to the documentation I
>>>>>shouldn't have to do this, all I should have to do is stop AD DS and
>>>>>then perform the authoritative restore. Again from my experience I
>>>>>always have to restart the DC in DSRM first
>>>>>
>>>>> "Paul Bergson [MVP-DS]" <pbbergs@no_spammsn.com> wrote in message
>>>>> news:...
>>>>>> I have actually spoken to a developer on this and you should be doing
>>>>>> a reboot after a authoritative restore. The o/s isn't sure on what
>>>>>> has changed within the DIT during the restore, including cached
>>>>>> information within LSASS. The only for sure way to ensure things to
>>>>>> work properly is a reboot.
>>>>>>
>>>>>> --
>>>>>> Paul Bergson
>>>>>> MVP - Directory Services
>>>>>> MCTS, MCT, MCSE, MCSA, Security+, BS CSci
>>>>>> 2008, 2003, 2000 (Early Achiever), NT4
>>>>>> Microsoft's Thrive IT Pro of the Month - June 2009
>>>>>>
>>>>>> http://www.pbbergs.com
>>>>>>
>>>>>> Please no e-mails, any questions should be posted in the NewsGroup
>>>>>> This
>>>>>> posting is provided "AS IS" with no warranties, and confers no
>>>>>> rights.
>>>>>>
>>>>>> "sawyer" <> wrote in message
>>>>>> news:F2CD0CA1-BC8A-4E1B-97B3-...
>>>>>>> Hello
>>>>>>>
>>>>>>> I am reading
>>>>>>> http://technet.microsoft.com/en-us/l...14(WS.10).aspx the
>>>>>>> article states that I don't have to restart the DC in DSRM in order
>>>>>>> to perform an authoritative restore of an AD object. From my
>>>>>>> experience with restoring deleted objects from AD, and when the DC
>>>>>>> is running Windows 2008, I have always had to restart the DC in DSRM
>>>>>>> mode, perform an nonauthoritative then perform an authoritative
>>>>>>> restore, in order to restore the deleted object, but according to
>>>>>>> article I don't have to do this, all I have to do is stop AD DS.
>>>>>>> What could I be doing wrong?
>>>>>>>
>>>>>>>
>>>>>>> "Mark an object or objects as authoritative
>>>>>>> You can stop AD DS if you need to mark an object or objects as
>>>>>>> authoritative. Marking an object as authoritative is one step in the
>>>>>>> process for performing an authoritative restore. You typically need
>>>>>>> to perform an authoritative restore to recover an object that you
>>>>>>> have accidentally deleted. In previous versions of Windows Server,
>>>>>>> you had to start the domain controller in DSRM and then perform a
>>>>>>> nonauthoritative restore before you could mark an object as
>>>>>>> authoritative. On a domain controller that runs Windows Server 2008,
>>>>>>> you can stop AD DS to mark the object as authoritative instead of
>>>>>>> starting the domain controller in DSRM"
>>>>>>
>>>>>>
>>>>
>>>>
>>
>>

that's never worked for me, I always end up having to restart the DC in DSRM
and then do the authoritative restore

"Paul Bergson [MVP-DS]" <pbbergs@no_spammsn.com> wrote in message
news:...
> Here are the recovery scenario's
>
> If you need to do a full database recovery then you need to boot into
> DSRM, restore Active Directory, do an authoritative restore and reboot
>
> If you need to recover and object on a dc, then from a dc with the object
> still available (Lag site is one option). Stop Directory Services,
> perform the authoritative restore and restart Directory Services. No
> reboot required
>
> A very detailed article in the link below:
> http://technet.microsoft.com/en-us/l...14(WS.10).aspx
>
>
> Thx
> Laura, Meinolf, Dmitri and Guido
>
> --
> Paul Bergson
> MVP - Directory Services
> MCTS, MCT, MCSE, MCSA, Security+, BS CSci
> 2008, 2003, 2000 (Early Achiever), NT4
> Microsoft's Thrive IT Pro of the Month - June 2009
>
> http://www.pbbergs.com
>
> Please no e-mails, any questions should be posted in the NewsGroup This
> posting is provided "AS IS" with no warranties, and confers no rights.
>
> "sawyer" <> wrote in message
> news:12E6B88B-E290-4A63-9D3B-...
>> Thank you
>>
>> "Paul Bergson [MVP-DS]" <pbbergs@no_spammsn.com> wrote in message
>> news:uc$...
>>> Hold on, I'm waiting on confirmation from some sources and will give you
>>> the feedback when I get it.
>>>
>>> --
>>> Paul Bergson
>>> MVP - Directory Services
>>> MCTS, MCT, MCSE, MCSA, Security+, BS CSci
>>> 2008, 2003, 2000 (Early Achiever), NT4
>>> Microsoft's Thrive IT Pro of the Month - June 2009
>>>
>>> http://www.pbbergs.com
>>>
>>> Please no e-mails, any questions should be posted in the NewsGroup This
>>> posting is provided "AS IS" with no warranties, and confers no rights.
>>>
>>> "sawyer" <> wrote in message
>>> news:118AD2F4-83FA-4B0C-9674-...
>>>> Im actually doing the authoritative restore using wbadmin and restoring
>>>> from a local backup on a separate disk in the server, so the restore is
>>>> not from tape (not sure if that makes a difference or not?) Its still
>>>> not clear to me why I am having to reboot the server into DSRM to
>>>> perform the authoritative restore? again according to the documentation
>>>> I shouldn't have to do this, all I should have to do is stop AD DS and
>>>> then perform the authoritative restore. I can understand having to do a
>>>> reboot once the restore is done, but I shouldt have to reboot to get
>>>> into DSRM in the first place.
>>>>
>>>> Am I missing something here? I have read the reply's to my post and you
>>>> guys know your stuff, but I don't think my question has been answered?
>>>>
>>>> "Paul Bergson [MVP-DS]" <pbbergs@no_spammsn.com> wrote in message
>>>> news:...
>>>>> The reason you go into DSRM is to stop AD, which you can now do via a
>>>>> service within in 2008 and beyond.
>>>>>
>>>>> --
>>>>> Paul Bergson
>>>>> MVP - Directory Services
>>>>> MCTS, MCT, MCSE, MCSA, Security+, BS CSci
>>>>> 2008, 2003, 2000 (Early Achiever), NT4
>>>>> Microsoft's Thrive IT Pro of the Month - June 2009
>>>>>
>>>>> http://www.pbbergs.com
>>>>>
>>>>> Please no e-mails, any questions should be posted in the NewsGroup
>>>>> This
>>>>> posting is provided "AS IS" with no warranties, and confers no rights.
>>>>>
>>>>> "sawyer" <> wrote in message
>>>>> news:uy%...
>>>>>>I can understand rebooting after the authoritative restore is done,
>>>>>>but my question was regarding having to reboot the DC into DSRM in
>>>>>>order to perform the authoritative restore. According to the
>>>>>>documentation I shouldn't have to do this, all I should have to do is
>>>>>>stop AD DS and then perform the authoritative restore. Again from my
>>>>>>experience I always have to restart the DC in DSRM first
>>>>>>
>>>>>> "Paul Bergson [MVP-DS]" <pbbergs@no_spammsn.com> wrote in message
>>>>>> news:...
>>>>>>> I have actually spoken to a developer on this and you should be
>>>>>>> doing a reboot after a authoritative restore. The o/s isn't sure on
>>>>>>> what has changed within the DIT during the restore, including cached
>>>>>>> information within LSASS. The only for sure way to ensure things to
>>>>>>> work properly is a reboot.
>>>>>>>
>>>>>>> --
>>>>>>> Paul Bergson
>>>>>>> MVP - Directory Services
>>>>>>> MCTS, MCT, MCSE, MCSA, Security+, BS CSci
>>>>>>> 2008, 2003, 2000 (Early Achiever), NT4
>>>>>>> Microsoft's Thrive IT Pro of the Month - June 2009
>>>>>>>
>>>>>>> http://www.pbbergs.com
>>>>>>>
>>>>>>> Please no e-mails, any questions should be posted in the NewsGroup
>>>>>>> This
>>>>>>> posting is provided "AS IS" with no warranties, and confers no
>>>>>>> rights.
>>>>>>>
>>>>>>> "sawyer" <> wrote in message
>>>>>>> news:F2CD0CA1-BC8A-4E1B-97B3-...
>>>>>>>> Hello
>>>>>>>>
>>>>>>>> I am reading
>>>>>>>> http://technet.microsoft.com/en-us/l...14(WS.10).aspx the
>>>>>>>> article states that I don't have to restart the DC in DSRM in order
>>>>>>>> to perform an authoritative restore of an AD object. From my
>>>>>>>> experience with restoring deleted objects from AD, and when the DC
>>>>>>>> is running Windows 2008, I have always had to restart the DC in
>>>>>>>> DSRM mode, perform an nonauthoritative then perform an
>>>>>>>> authoritative restore, in order to restore the deleted object, but
>>>>>>>> according to article I don't have to do this, all I have to do is
>>>>>>>> stop AD DS. What could I be doing wrong?
>>>>>>>>
>>>>>>>>
>>>>>>>> "Mark an object or objects as authoritative
>>>>>>>> You can stop AD DS if you need to mark an object or objects as
>>>>>>>> authoritative. Marking an object as authoritative is one step in
>>>>>>>> the process for performing an authoritative restore. You typically
>>>>>>>> need to perform an authoritative restore to recover an object that
>>>>>>>> you have accidentally deleted. In previous versions of Windows
>>>>>>>> Server, you had to start the domain controller in DSRM and then
>>>>>>>> perform a nonauthoritative restore before you could mark an object
>>>>>>>> as authoritative. On a domain controller that runs Windows Server
>>>>>>>> 2008, you can stop AD DS to mark the object as authoritative
>>>>>>>> instead of starting the domain controller in DSRM"
>>>>>>>
>>>>>>>
>>>>>
>>>>>
>>>
>>>
>
>

Hello Sawyer,

Which is exact what you have to do for a full database restore according
to the article.

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm


> that's never worked for me, I always end up having to restart the DC
> in DSRM and then do the authoritative restore
>
> "Paul Bergson [MVP-DS]" <pbbergs@no_spammsn.com> wrote in message
> news:...
>
>> Here are the recovery scenario's
>>
>> If you need to do a full database recovery then you need to boot into
>> DSRM, restore Active Directory, do an authoritative restore and
>> reboot
>>
>> If you need to recover and object on a dc, then from a dc with the
>> object still available (Lag site is one option). Stop Directory
>> Services, perform the authoritative restore and restart Directory
>> Services. No reboot required
>>
>> A very detailed article in the link below:
>> http://technet.microsoft.com/en-us/l...14(WS.10).aspx
>> Thx
>> Laura, Meinolf, Dmitri and Guido
>> --
>> Paul Bergson
>> MVP - Directory Services
>> MCTS, MCT, MCSE, MCSA, Security+, BS CSci
>> 2008, 2003, 2000 (Early Achiever), NT4
>> Microsoft's Thrive IT Pro of the Month - June 2009
>> http://www.pbbergs.com
>>
>> Please no e-mails, any questions should be posted in the NewsGroup
>> This posting is provided "AS IS" with no warranties, and confers no
>> rights.
>>
>> "sawyer" <> wrote in message
>> news:12E6B88B-E290-4A63-9D3B-...
>>
>>> Thank you
>>>
>>> "Paul Bergson [MVP-DS]" <pbbergs@no_spammsn.com> wrote in message
>>> news:uc$...
>>>
>>>> Hold on, I'm waiting on confirmation from some sources and will
>>>> give you the feedback when I get it.
>>>>
>>>> --
>>>> Paul Bergson
>>>> MVP - Directory Services
>>>> MCTS, MCT, MCSE, MCSA, Security+, BS CSci
>>>> 2008, 2003, 2000 (Early Achiever), NT4
>>>> Microsoft's Thrive IT Pro of the Month - June 2009
>>>> http://www.pbbergs.com
>>>>
>>>> Please no e-mails, any questions should be posted in the NewsGroup
>>>> This posting is provided "AS IS" with no warranties, and confers no
>>>> rights.
>>>>
>>>> "sawyer" <> wrote in message
>>>> news:118AD2F4-83FA-4B0C-9674-...
>>>>
>>>>> Im actually doing the authoritative restore using wbadmin and
>>>>> restoring from a local backup on a separate disk in the server, so
>>>>> the restore is not from tape (not sure if that makes a difference
>>>>> or not?) Its still not clear to me why I am having to reboot the
>>>>> server into DSRM to perform the authoritative restore? again
>>>>> according to the documentation I shouldn't have to do this, all I
>>>>> should have to do is stop AD DS and then perform the authoritative
>>>>> restore. I can understand having to do a reboot once the restore
>>>>> is done, but I shouldt have to reboot to get into DSRM in the
>>>>> first place.
>>>>>
>>>>> Am I missing something here? I have read the reply's to my post
>>>>> and you guys know your stuff, but I don't think my question has
>>>>> been answered?
>>>>>
>>>>> "Paul Bergson [MVP-DS]" <pbbergs@no_spammsn.com> wrote in message
>>>>> news:...
>>>>>
>>>>>> The reason you go into DSRM is to stop AD, which you can now do
>>>>>> via a service within in 2008 and beyond.
>>>>>>
>>>>>> --
>>>>>> Paul Bergson
>>>>>> MVP - Directory Services
>>>>>> MCTS, MCT, MCSE, MCSA, Security+, BS CSci
>>>>>> 2008, 2003, 2000 (Early Achiever), NT4
>>>>>> Microsoft's Thrive IT Pro of the Month - June 2009
>>>>>> http://www.pbbergs.com
>>>>>>
>>>>>> Please no e-mails, any questions should be posted in the
>>>>>> NewsGroup
>>>>>> This
>>>>>> posting is provided "AS IS" with no warranties, and confers no
>>>>>> rights.
>>>>>> "sawyer" <> wrote in message
>>>>>> news:uy%...
>>>>>>
>>>>>>> I can understand rebooting after the authoritative restore is
>>>>>>> done, but my question was regarding having to reboot the DC into
>>>>>>> DSRM in order to perform the authoritative restore. According to
>>>>>>> the documentation I shouldn't have to do this, all I should
>>>>>>> have to do is stop AD DS and then perform the authoritative
>>>>>>> restore. Again from my experience I always have to restart the
>>>>>>> DC in DSRM first
>>>>>>>
>>>>>>> "Paul Bergson [MVP-DS]" <pbbergs@no_spammsn.com> wrote in
>>>>>>> message news:...
>>>>>>>
>>>>>>>> I have actually spoken to a developer on this and you should be
>>>>>>>> doing a reboot after a authoritative restore. The o/s isn't
>>>>>>>> sure on what has changed within the DIT during the restore,
>>>>>>>> including cached information within LSASS. The only for sure
>>>>>>>> way to ensure things to work properly is a reboot.
>>>>>>>>
>>>>>>>> --
>>>>>>>> Paul Bergson
>>>>>>>> MVP - Directory Services
>>>>>>>> MCTS, MCT, MCSE, MCSA, Security+, BS CSci
>>>>>>>> 2008, 2003, 2000 (Early Achiever), NT4
>>>>>>>> Microsoft's Thrive IT Pro of the Month - June 2009
>>>>>>>> http://www.pbbergs.com
>>>>>>>>
>>>>>>>> Please no e-mails, any questions should be posted in the
>>>>>>>> NewsGroup
>>>>>>>> This
>>>>>>>> posting is provided "AS IS" with no warranties, and confers no
>>>>>>>> rights.
>>>>>>>> "sawyer" <> wrote in message
>>>>>>>> news:F2CD0CA1-BC8A-4E1B-97B3-...
>>>>>>>>
>>>>>>>>> Hello
>>>>>>>>>
>>>>>>>>> I am reading
>>>>>>>>> http://technet.microsoft.com/en-us/l...714(WS.10).asp
>>>>>>>>> x the article states that I don't have to restart the DC in
>>>>>>>>> DSRM in order to perform an authoritative restore of an AD
>>>>>>>>> object. From my experience with restoring deleted objects from
>>>>>>>>> AD, and when the DC is running Windows 2008, I have always had
>>>>>>>>> to restart the DC in DSRM mode, perform an nonauthoritative
>>>>>>>>> then perform an authoritative restore, in order to restore the
>>>>>>>>> deleted object, but according to article I don't have to do
>>>>>>>>> this, all I have to do is stop AD DS. What could I be doing
>>>>>>>>> wrong?
>>>>>>>>>
>>>>>>>>> "Mark an object or objects as authoritative
>>>>>>>>> You can stop AD DS if you need to mark an object or objects as
>>>>>>>>> authoritative. Marking an object as authoritative is one step
>>>>>>>>> in
>>>>>>>>> the process for performing an authoritative restore. You
>>>>>>>>> typically
>>>>>>>>> need to perform an authoritative restore to recover an object
>>>>>>>>> that
>>>>>>>>> you have accidentally deleted. In previous versions of Windows
>>>>>>>>> Server, you had to start the domain controller in DSRM and
>>>>>>>>> then
>>>>>>>>> perform a nonauthoritative restore before you could mark an
>>>>>>>>> object
>>>>>>>>> as authoritative. On a domain controller that runs Windows
>>>>>>>>> Server
>>>>>>>>> 2008, you can stop AD DS to mark the object as authoritative
>>>>>>>>> instead of starting the domain controller in DSRM"