Performing an authoritative restore for Active Directory deleted objects or containers

Jul 4th, 2009

Just thought I should list the step-by-step process for performing an authoritative restore in Active Directory for Windows Server 2003. But first, a brief summary of the difference between an authoritative and a non-authoritative restore.

A non-authoritative restore is used after hardware failures or other software issues that require a complete restoration of the directory service from backup.

An authoritative restore is used when a change to or deletion of an object in Active Directory has to be reversed. An example is a user mistakenly deleting an OU or a user object and then deciding to reverse the action by restoring the OU or user object that was deleted.

Steps for performing an authoritative restore. In this scenario, I deleted an OU and a user and then restored both through the authoritative restore process. Read more…

How to remove child domain and other naming context from forest root domain

Jul 4th, 2009

In a previous post I outlined some guidelines on how to remove a demoted domain controller from a domain using ntdsutil.exe. In this post, I will give guidance on removing a naming context, be it a child domain or a DNS zone, from Active Directory using ntdsutil.exe.

First, make sure that no domain controller or replica objects exist in your forest for the domain in question. If they do, use the previous steps [link here] to remove the objects before proceeding to delete the domain from the forest. Read more…

Remove a demoted or failed DC from Active Directory using Ntdsutil.exe

Jun 26th, 2009

If you have ever been in a situation where your domain controller crashed or failed and you have no intention of bringing it back into production, then you must remove the failed domain controller's objects from Active Directory. In the regular procedure for removing a domain controller from a domain, you run dcpromo to demote it, but in this case the domain controller is gone, so you have to use the ntdsutil tool to remove its objects from Active Directory. You will also need ntdsutil to remove a domain controller from a domain when you tried to demote it with dcpromo, the demotion failed, and you then used dcpromo /forceremoval. The force removal process does not completely clean up the DC's objects, so you will need ntdsutil to complete the process. Read more…

Access-based Enumeration (ABE) and DFS: How to hide folders from unauthorized users

Apr 13th, 2009

Access-based enumeration (ABE) allows users to view or list only the files and folders that they have access to. This feature hides other files and folders from prying eyes. It was introduced with Windows Server 2003 and is not enabled by default. I have put together some detailed instructions on how to configure ABE. Read more…


How to configure Inter or Intra-Site Topology Generator (ISTG) in Active Directory

Mar 23rd, 2009

The Knowledge Consistency Checker (KCC) is an Active Directory process that runs on domain controllers and automatically calculates the most efficient replication topology for the network, using the site and link data defined in Active Directory Sites and Services. To improve replication traffic in most networks, the ISTG might be enabled so that the KCC can automatically generate (create) connection objects based on the physical network layout. This is good because the KCC will only create connection objects in Active Directory where they are required for a particular site.
ISTG reference numbers:
0: Enable ISTG
1: Disable automatic intrasite topology generation
16: Disable automatic intersite topology generation
17: Disable both intrasite and intersite topology generation
Read more…