Restoring Active Directory data from a lag site DC

This post is in response to the following question on the NetPro forum:

If I have a lag site, how can I restore an object or the whole site back to the "main site"?

There are two basic object recovery strategies: authoritative restore and tombstone reanimation. Authoritative restore has better tool support (NTDSUTIL) and is probably the choice if you have to restore more than a couple of objects. Tombstone reanimation is not well supported tool-wise, but it can recover deleted objects even if you can't restore your backup (or if the deletion has already replicated to your lag site).

Authoritative Restore

For more information and a step-by-step description of the authoritative restore process, see Authoritative Restore of Active Directory Objects and NetPro's Definitive Guide to Active Directory Disaster Recovery, which Guido Grillenmeier and I wrote. For more details on recovering users and their group memberships, see the article I wrote for TechNet Magazine: Disaster Recovery: Active Directory Users and Groups.

Lag sites don't alter the authoritative restore process; in fact, they only save you the work involved in running backups and restores. A DC in a lag site looks like a DC that has been non-authoritatively restored, i.e., as if you had just restored a backup tape on the DC as of the last time it replicated. So the basic steps are the same:

  1. Disable replication to the lag site DC, for instance by disabling the replication schedule or disconnecting the DC from the network. This helps ensure you don't lose your "good" replica of the data before you have used it.
  2. Authoritatively restore the desired objects on the lag site DC. This involves rebooting the lag site DC into DSRM, and running NTDSUTIL.
  3. Re-enable replication to allow the authoritatively restored objects to replicate to the other DCs.
  4. Recover any link references to the object. For instance, if the object was a user, you need to reestablish its group memberships. The exact steps depend on the version of AD you are running, whether or not you have Link Value Replication (LVR) enabled, and whether the object is referenced by forward link attributes (e.g. the member attribute) in other domains.
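As an added example (not from the original post or from the books and articles it cites), here is how the four steps above look when typed into PowerShell. LAGDC01 (the lag-site DC), DC01 (a production DC), the OU and user distinguished names, and the path of the links file are all assumed names; Windows Server 2008 or later is assumed for bcdedit and for ntdsutil's "activate instance" command (on Windows Server 2003, press F8 at boot instead and omit that command). Step 2 runs on the lag DC itself while it is in DSRM; the other steps can run from any management host with the AD tools installed.

```powershell
# Added example, not part of the original post. Assumed names: LAGDC01 is the
# lag-site DC, DC01 a production DC, OU=Sales,DC=corp,DC=example the subtree to
# restore, and C:\restore\links.ldf the back-link file ntdsutil writes in step 2.
$LagDc    = 'LAGDC01'
$ProdDc   = 'DC01'
$Subtree  = 'OU=Sales,DC=corp,DC=example'
$LinksLdf = 'C:\restore\links.ldf'   # assumed path: the ar_*_links_*.ldf from step 2

# Step 1: stop the lag DC from pulling in the change you want to undo.
# DISABLE_INBOUND_REPL is a per-DC option held in the directory, so it survives
# the reboot into DSRM and is not undone by the replication schedule.
repadmin /options $LagDc +DISABLE_INBOUND_REPL

# Check first that the lag DC really still has the good copy (object present, no
# isDeleted). If the deletion already reached it, use tombstone reanimation instead.
repadmin /showobjmeta $LagDc "CN=Jane Doe,$Subtree"

# Step 2 (run on LAGDC01): reboot into Directory Services Restore Mode and run
# ntdsutil. Each quoted argument is one ntdsutil command, so no interactive typing.
bcdedit /set safeboot dsrepair
Restart-Computer -Force
# ...log on with the DSRM administrator password, then:
ntdsutil "activate instance ntds" "authoritative restore" `
         "restore subtree $Subtree" quit quit
# For a single object the ntdsutil command is:
#   restore object "CN=Jane Doe,OU=Sales,DC=corp,DC=example"
# On 2003 SP1 and later ntdsutil also writes, in the current directory, a .txt
# list of the restored objects and an .ldf file with their back-links (group
# memberships held in this domain). Keep that .ldf for step 4.
bcdedit /deletevalue safeboot
Restart-Computer -Force

# Step 3: thaw the lag DC and push the restored objects out to its partners
# (/A all partitions, /P push, /e cross-site, /d identify partners by DN).
repadmin /options $LagDc -DISABLE_INBOUND_REPL
repadmin /syncall /APed $LagDc

# Check: on a production DC the restored attributes should now show a large version
# jump (ntdsutil adds at least 100000) originating from LAGDC01; that higher
# version is what makes them win over the deletion or bad change.
repadmin /showobjmeta $ProdDc "CN=Jane Doe,$Subtree"

# Step 4: put the link references back. The ntdsutil .ldf re-adds the member
# values of same-domain groups; -k lets ldifde skip "already a member" errors.
# Memberships in groups of other domains have to be re-added in those domains.
ldifde -i -k -s $ProdDc -f $LinksLdf
```

The two repadmin /showobjmeta checks are the part worth not skipping: the first proves the lag DC is still a good data source before you touch it, the second proves the version bump actually propagated, which is the whole point of an authoritative (as opposed to normal) restore.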

The articles I mentioned provide the detailed steps.

Tombstone Reanimation

If you are recovering deleted objects (as opposed to restoring objects to a previous state), you can reanimate the object's tombstone and then repopulate the object's missing attributes using the lag site DC as the data source. For a more detailed description of the process, see my article in TechNet Magazine: Reanimating Active Directory Tombstone Objects.

The steps are:

  1. Disable replication to the lag site (so you don't lose your good replica).
  2. Dump the attributes of the object on the lag site DC using something like LDIFDE.
  3. Re-enable replication to the lag site.
  4. Reanimate the deleted object on a production DC.
  5. Restore the missing attributes using the LDIF data you dumped in step 2.
  6. Recover forward-link references to the object, e.g. group memberships. The problem is essentially the same as with authoritative restore. You can get most of them by inspecting the memberOf attribute (for instance) of the user object on the lag site DC; memberOf is a back link, so it only lists groups whose member attribute that DC holds, i.e. groups in its own domain plus universal groups if it is a global catalog.
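The six steps above as one PowerShell script, added here as an example and not taken from the original post or the TechNet article it cites. LAGDC01 (lag-site DC), DC01 (production DC), the user CN=Jane Doe,OU=Sales,DC=corp,DC=example and the C:\recover paths are assumed names. ldifde does the export and the two imports; the reanimation itself (step 4) is an LDAP modify that has to carry the Show Deleted Objects control, which ldifde cannot send, so that step uses System.DirectoryServices.Protocols directly. The small LDIF reader and writers convert the lag DC's export into the "changetype: modify" files the imports need.

```powershell
# Added example, not part of the original post. Assumed names: LAGDC01 (lag-site
# DC), DC01 (writable production DC), deleted user CN=Jane Doe,OU=Sales,
# DC=corp,DC=example, working folder C:\recover. Run as a domain admin.
$LagDc    = 'LAGDC01'
$ProdDc   = 'DC01'
$DomainDn = 'DC=corp,DC=example'
$UserDn   = "CN=Jane Doe,OU=Sales,$DomainDn"
$Work     = 'C:\recover'

function Read-LdifAttributes([string]$Path) {
    # Unfold continuation lines (leading space) and yield one object per
    # "name: value" / "name:: base64" line, keeping the raw (maybe base64) value.
    $lines = New-Object System.Collections.Generic.List[string]
    foreach ($l in Get-Content $Path) {
        if ($l.StartsWith(' ') -and $lines.Count) { $lines[$lines.Count - 1] += $l.Substring(1) }
        elseif ($l -ne '') { $lines.Add($l) }
    }
    foreach ($l in $lines) {
        if ($l -match '^([A-Za-z][\w.;-]*)(::?) ?(.*)$') {
            New-Object PSObject -Property @{ Name = $Matches[1]; Sep = $Matches[2]; Value = $Matches[3] }
        }
    }
}

# Steps 1-3: freeze the lag DC, export just this object (-p base) with all its
# attributes from it, then thaw it again.
repadmin /options $LagDc +DISABLE_INBOUND_REPL
ldifde -s $LagDc -d $UserDn -p base -f "$Work\jane-lag.ldf"
repadmin /options $LagDc -DISABLE_INBOUND_REPL
$attrs = @(Read-LdifAttributes "$Work\jane-lag.ldf")

# Step 4: reanimate the tombstone on a production DC. Tombstones live under
# CN=Deleted Objects and are only visible with the Show Deleted Objects control
# (OID 1.2.840.113556.1.4.417). objectGUID survives deletion, so it is the key.
Add-Type -AssemblyName System.DirectoryServices.Protocols
$guidB64 = ($attrs | Where-Object { $_.Name -eq 'objectGUID' }).Value
$guidHex = ([Convert]::FromBase64String($guidB64) | ForEach-Object { '\{0:x2}' -f $_ }) -join ''
$showDeleted = New-Object System.DirectoryServices.Protocols.DirectoryControl `
                   '1.2.840.113556.1.4.417', $null, $true, $true
$conn = New-Object System.DirectoryServices.Protocols.LdapConnection $ProdDc
$conn.SessionOptions.ProtocolVersion = 3     # controls need LDAPv3
$conn.Bind()
$search = New-Object System.DirectoryServices.Protocols.SearchRequest
$search.DistinguishedName = "CN=Deleted Objects,$DomainDn"
$search.Filter = "(&(isDeleted=TRUE)(objectGUID=$guidHex))"
$search.Scope  = 'Subtree'
[void]$search.Controls.Add($showDeleted)
$resp = $conn.SendRequest($search)
if ($resp.Entries.Count -ne 1) { throw "tombstone for $UserDn not found on $ProdDc" }
$tombDn = $resp.Entries[0].DistinguishedName

# Undelete is a single modify: remove isDeleted and set the DN back to the
# original location (the parent OU must exist). The control is needed here too.
$undelete = New-Object System.DirectoryServices.Protocols.ModifyRequest
$undelete.DistinguishedName = $tombDn
$m1 = New-Object System.DirectoryServices.Protocols.DirectoryAttributeModification
$m1.Name = 'isDeleted'; $m1.Operation = 'Delete'
$m2 = New-Object System.DirectoryServices.Protocols.DirectoryAttributeModification
$m2.Name = 'distinguishedName'; $m2.Operation = 'Replace'; [void]$m2.Add($UserDn)
[void]$undelete.Modifications.Add($m1); [void]$undelete.Modifications.Add($m2)
[void]$undelete.Controls.Add($showDeleted)
[void]$conn.SendRequest($undelete)

# Step 5: a tombstone keeps only a few attributes (objectGUID, objectSid,
# sAMAccountName, ...). Rewrite the lag-DC export as LDIF "replace" operations,
# skipping attributes the DC owns or recomputes (it rejects them on import) and
# the memberOf back-link, which is handled in step 6. userAccountControl is
# skipped too: the tombstone has no password, so re-enable only after a reset.
$skip = 'dn','objectClass','distinguishedName','cn','name','objectGUID','objectSid',
        'sIDHistory','instanceType','objectCategory','whenCreated','whenChanged',
        'uSNCreated','uSNChanged','dSCorePropagationData','nTSecurityDescriptor',
        'sAMAccountType','primaryGroupID','pwdLastSet','lastLogon','lastLogonTimestamp',
        'logonCount','badPwdCount','badPasswordTime','userAccountControl','memberOf'
function New-ReplaceLdif($Attrs, [string]$TargetDn, [string[]]$Skip) {
    $out = @("dn: $TargetDn", 'changetype: modify')
    foreach ($g in ($Attrs | Where-Object { $Skip -notcontains $_.Name } | Group-Object Name)) {
        $out += "replace: $($g.Name)"
        foreach ($a in $g.Group) { $out += "$($a.Name)$($a.Sep) $($a.Value)" }
        $out += '-'
    }
    $out + ''   # blank line terminates the record
}
New-ReplaceLdif $attrs $UserDn $skip | Set-Content "$Work\jane-attrs.ldf" -Encoding ASCII
ldifde -i -k -s $ProdDc -f "$Work\jane-attrs.ldf"
dsmod user $UserDn -s $ProdDc -pwd * -disabled no   # prompts for the new password

# Step 6: one "add: member" modify per group named in memberOf. -k makes ldifde
# continue past "already a member" errors. Groups in other domains are not in
# this list and must be fixed up in their own domain.
function New-MemberLdif($Attrs, [string]$TargetDn) {
    foreach ($m in ($Attrs | Where-Object { $_.Name -eq 'memberOf' })) {
        "dn$($m.Sep) $($m.Value)"; 'changetype: modify'; 'add: member'; "member: $TargetDn"; '-'; ''
    }
}
New-MemberLdif $attrs $UserDn | Set-Content "$Work\jane-groups.ldf" -Encoding ASCII
ldifde -i -k -s $ProdDc -f "$Work\jane-groups.ldf"
```

The skip list is the part to adjust for your schema: anything a DC writes itself (uSN*, whenCreated, objectSid, sAMAccountType and so on) will make the whole import fail without -k, and with -k it is silently dropped, so it is better to leave it out deliberately. Run repadmin /showobjmeta against the reanimated object afterwards to confirm the attributes and the group member values replicated from DC01 before you consider the recovery done.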