Ntdsutil will start the attempt to mark the object as authoritative. The output message will indicate the status of the operation. The most common cause of failure is an incorrectly specified distinguished name, or a backup for which the DN does not exist (which would occur if you tried to restore a deleted user that was created after the backup).
So, if I take the above example, an authoritative restore of the OU using Ntdsutil results in a failure, as I'm attempting to restore a deleted OU that was created after the backup.
How will this scenario be resolved without having to add 100 user accounts again?
September 7th, 2006, 01:48 PM
If the OU was created after your backup then you're fecked... you will have to recreate the OU with the users. It's not so tedious though with dsadd.
September 8th, 2006, 06:58 AM
r3b00+, thank you for your reply.
Tombstones are remains of objects that have been previously deleted. (When an object is deleted, it is not actually removed from the Active Directory database. It is instead marked for deletion at a later date. This then gets replicated to other domain controllers. When the time expires for the object (tombstoneLifetime), the object is deleted.)
I was wondering if somehow we can benefit from the concept of TombStoneLifetime for my example. Since the OU is not actually removed from the AD database and instead marked for deletion at a later date, as per the above, is it not possible to recover the OU in my example?
September 8th, 2006, 02:06 PM
You just alerted me to a very useful tool; I've attached the zip file containing the program. Simply a matter of running the program from a command prompt then hitting y or n depending on whether you want that deleted object restored. Also, all tombstones that have been restored are automatically disabled, so remember to enable.
You might want to have a look at this
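
The tombstone mechanism discussed in this thread, as an added example that is not part of any post and is not the attached tool: it lists the tombstones of a deleted OU and its children with the days left before tombstoneLifetime expires, then dry-runs their reanimation. It assumes the ActiveDirectory PowerShell module (which postdates this thread), and the OU name `Staff` is a constructed placeholder.

```powershell
# Added example, not from the thread. 'Staff' is a constructed placeholder OU name.
Import-Module ActiveDirectory

$ouName = 'Staff'
$domain = Get-ADDomain
$confNC = (Get-ADRootDSE).configurationNamingContext

# tombstoneLifetime (days) is stored on the Directory Service object.
# Assumption: when the attribute is unset, the 60-day default applies.
$ds = Get-ADObject "CN=Directory Service,CN=Windows NT,CN=Services,$confNC" `
    -Properties tombstoneLifetime
$lifetimeDays = if ($ds.tombstoneLifetime) { $ds.tombstoneLifetime } else { 60 }

# Tombstones are hidden from normal searches; -IncludeDeletedObjects exposes them.
$tombstones = Get-ADObject -IncludeDeletedObjects `
    -SearchBase $domain.DeletedObjectsContainer `
    -Filter 'isDeleted -eq $true' -Properties lastKnownParent, whenChanged |
    Where-Object { $_.DistinguishedName -ne $domain.DeletedObjectsContainer }

# A deleted object's name is mangled to "<name><newline>DEL:<guid>",
# so compare only the part before the newline.
$ou = $tombstones | Where-Object {
    $_.ObjectClass -eq 'organizationalUnit' -and ($_.Name -split "`n")[0] -eq $ouName
}

# Children point at the deleted OU through lastKnownParent.
$children = $tombstones | Where-Object { $ou -and $_.lastKnownParent -eq $ou.DistinguishedName }

# whenChanged is used here as an approximation of the deletion time.
$report = foreach ($t in @($ou) + @($children)) {
    if ($null -eq $t) { continue }
    [pscustomobject]@{
        Name     = ($t.Name -split "`n")[0]
        Class    = $t.ObjectClass
        Deleted  = $t.whenChanged
        DaysLeft = [math]::Floor($lifetimeDays - ((Get-Date) - $t.whenChanged).TotalDays)
    }
}
$report | Sort-Object DaysLeft | Format-Table -AutoSize

# Dry run only: the parent OU must come back before its children.
# Remove -WhatIf to perform the reanimation.
if ($ou)       { $ou       | Restore-ADObject -WhatIf }
if ($children) { $children | Restore-ADObject -WhatIf }
```

A reanimated tombstone keeps only a subset of its attributes, so review group memberships and reset passwords before re-enabling the restored accounts.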