
An extended schema cannot be repaired through authoritative restore

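2008-09-01 10:49 357 views
I have a question about the schema. An expert once told me that an extended schema cannot be repaired through an authoritative restore. I don't know whether that is right; could you explain it in detail? Are the schema's attributes and classes stored in NTDS.DIT? If so, they should be recoverable when I perform a restore! Thank you!
Answer: Based on your description, my understanding of the question is this: you want to know whether the schema can be restored after it has been extended.
Your understanding is correct. An authoritative restore cannot restore the schema. On this point, you can refer to the following article: 241594 How to perform an authoritative restore to a domain controller in Windows 2000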
http://support.microsoft.com/default.aspx?scid=kb;EN-US;241594

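If you extend the schema and later no longer want to use the extension, you can disable that schema extension, but you cannot delete it, and you cannot return to the previous version through an Active Directory restore.
An authoritative restore cannot restore the schema the way it restores other Active Directory data. If the schema needs to be restored, we need to perform a nonauthoritative restore on all DCs.
Once the schema has been extended, after Active Directory replication all DCs' schemas receive the same copy.

Li Jia, Microsoft Global Technical Support Center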

How to perform an authoritative restore to a domain controller in Windows 2000


Article ID:241594
Last Review:October 30, 2006
Revision:6.2
This article was previously published under Q241594

SUMMARY

This article discusses how to perform an authoritative restore of the Active Directory directory service to a Windows 2000-based domain controller.

During a typical file restore operation, Microsoft Windows Backup operates in nonauthoritative restore mode. In this mode, Windows Backup restores all files, including Active Directory objects, with their original Update Sequence Number (USN) or numbers. The Active Directory replication system uses the USN to detect and replicate changes to Active Directory to all the domain controllers on the network. All data that is restored nonauthoritatively appears to the Active Directory replication system as old data. Old data is never replicated to any other domain controllers. The Active Directory replication system updates the restored data with newer data from other domain controllers. Performing an authoritative restore resolves this issue.

Note Use an authoritative restore with extreme caution because of the effect it may have on Active Directory. An authoritative restore must be performed immediately after the computer has been restored from a previous backup, before restarting the domain controller in normal mode. An authoritative restore replicates all objects that are marked authoritative to every domain controller hosting the naming contexts that the objects are in. To perform an authoritative restore on the computer, you must use the Ntdsutil.exe tool to make the necessary USN changes to the Active Directory database.

There are certain parts of Active Directory that cannot or should not be restored in an authoritative manner:
You cannot authoritatively restore the schema.
The configuration naming context is also very sensitive, because changes will affect the whole forest. For example, it does not make sense to restore connection objects. Connection objects should be recreated by the Knowledge Consistency Checker (KCC) or manually. Restoring server and NTDS settings objects makes sense when no destructive troubleshooting was done before. If you are unsure, contact Microsoft Product Support Services for help:
http://support.microsoft.com/default.aspx?scid=fh;EN-US;CNTACTMS
In the domain context, do not restore any objects that deal with relative identifier (RID) pools. This includes the subobject "Rid Set" of domain controller computer accounts and the RidManager$ object in the SYSTEM container.
Another issue is that many distinguished name-type links may break when you restore. This may affect objects that are used by the File Replication Service (FRS). These exist underneath CN=File Replication Service,CN=System,DC=yourdomain and CN=NTFRS Subscriptions,CN=DC computer account.
Attempts to authoritatively restore a complete naming context will always include objects that can disrupt the proper functionality of crucial parts of Active Directory. You should always try to authoritatively restore a minimal set of objects.
Finally, similar issues might exist for objects created by other applications. These go beyond the scope of this article.
A system state restore replaces all new, deleted, or modified objects on the domain controller that is being restored.

A system state restore of a naming context that contains two or more replicas is an authoritative merge. In an authoritative merge, all objects that are deleted or modified are rolled back to when the backup was made. Objects that were created after the backup are replicated from naming context replicas. An authoritative merge represents a merge of the state that existed when the backup was made with new objects that were created after the backup.

When you nonauthoritatively restore a naming context that contains a single replica, you actually perform an authoritative restore.

Note After you perform an authoritative restore, you may delete user accounts and their group memberships in Active Directory. To resolve this problem, add the restored users back to their groups. For more information about how to add the restored users back to their groups, click the following article number to view the article in the Microsoft Knowledge Base:
840001 (http://support.microsoft.com/kb/840001/) How to restore deleted user accounts and their group memberships in Active Directory



Performing an authoritative restore

After the data has been restored, use Ntdsutil.exe to perform the authoritative restore. To do this, follow these steps:
1. At a command prompt, type ntdsutil, and then press ENTER.
2. Type authoritative restore, and then press ENTER.
3. Type restore database, press ENTER, click OK, and then click Yes.



Restoring a subtree

Frequently, you may not want to restore the whole database because of the replication impact this would have on your domain or forest. To authoritatively restore a subtree within a forest, follow these steps:

1. Restart the domain controller.
2. When the Windows 2000 Startup menu is displayed, select Directory Services Restore Mode, and then press ENTER.
3. Restore the data from backup media for an authoritative restore. To do this, follow these steps:
   a. In Directory Services Restore mode, click Start, point to Programs, point to Accessories, point to System Tools, and then click Backup to start the Windows 2000 Server Backup utility.
   b. Click Restore Wizard, and then click Next.
   c. Select the appropriate backup location, and then make sure that at least the System disk and System State containers are selected.
   d. Click Advanced, and then make sure that you restore junction points. If you do not use the Advanced menu, the restore process will not be successful.
   e. In the Restore Files to list, click Original Location.
   f. Click OK, and then complete the restore process. A visual progress indicator is displayed.
   g. When you are prompted to restart the computer, do not restart.
4. At a command prompt, type ntdsutil, and then press ENTER.
5. Type authoritative restore, and then press ENTER.
6. Type the following command, and then press ENTER:
   restore subtree ou=OU_Name,dc=Domain_Name,dc=xxx

   Note In this command, OU_Name is the name of the organizational unit that you want to restore, Domain_Name is the domain name that the OU resides in, and xxx is the top-level domain name of the domain controller, such as "com," "org," or "net."
7. Type quit, press ENTER, type quit, and then press ENTER.
8. Type exit, and then press ENTER.
9. Restart the domain controller.
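
Before choosing the DN for restore subtree, the objects below it can be checked against the SUMMARY's list of things that cannot or should not be restored authoritatively. The following is an added example, not part of the KB article or any Microsoft tool; the function names, the example.com domain and the exported DN list are assumptions made for illustration.

```python
import re

def rdns(dn):
    """Split a DN into lowercased RDNs on unescaped commas (quoted values not handled)."""
    return [p.strip().lower() for p in re.split(r"(?<!\\),", dn) if p.strip()]

def has_seq(r, *seq):
    """True when the RDNs in seq appear adjacent and in order inside r."""
    return any(tuple(r[i:i + len(seq)]) == seq for i in range(len(r)))

def classify(dn):
    """Return the caveat from the article's SUMMARY that applies to one DN, or None."""
    r = rdns(dn)
    if not r:
        return None
    if all(x.startswith("dc=") for x in r):
        return "complete naming context: restore a minimal set of objects"
    if has_seq(r, "cn=schema", "cn=configuration"):
        return "schema: cannot be authoritatively restored"
    # Assumption: objects directly below an NTDS Settings object are connection objects.
    if len(r) > 1 and r[1] == "cn=ntds settings" and "cn=configuration" in r:
        return "connection object: recreate through the KCC or manually"
    if "cn=configuration" in r:
        return "configuration naming context: changes affect the whole forest"
    # The article writes RidManager$; the object's RDN in the directory is CN=RID Manager$.
    if r[0] == "cn=rid set" or has_seq(r, "cn=rid manager$", "cn=system"):
        return "RID pool object: do not restore"
    if has_seq(r, "cn=file replication service", "cn=system") or "cn=ntfrs subscriptions" in r:
        return "FRS object: distinguished name-type links may break"
    return None

def review(target_dn, exported_dns):
    """List (dn, caveat) for the target and every exported DN below it."""
    base = rdns(target_dn)
    scope = [target_dn] + [d for d in exported_dns
                           if rdns(d) != base and rdns(d)[-len(base):] == base]
    return [(d, c) for d in scope if (c := classify(d))]

# Constructed sample: DNs exported from a hypothetical example.com domain.
TARGET = "OU=Domain Controllers,DC=example,DC=com"
SAMPLE = [
    "CN=DC1,OU=Domain Controllers,DC=example,DC=com",
    "CN=RID Set,CN=DC1,OU=Domain Controllers,DC=example,DC=com",
    "CN=NTFRS Subscriptions,CN=DC1,OU=Domain Controllers,DC=example,DC=com",
    "CN=Jane Doe,OU=Sales,DC=example,DC=com",
]

if __name__ == "__main__":
    print(*review(TARGET, SAMPLE), sep="\n")
```

An empty result means none of the listed categories was matched by DN; it does not cover objects created by other applications, which the article leaves out of scope.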



REFERENCES

For more information about restoring the system state to a domain controller from a previous backup, click the following article number to view the article in the Microsoft Knowledge Base:
240363 (http://support.microsoft.com/kb/240363/) How to use the Backup program to back up and restore the system state in Windows 2000
For more information about the effects of performing an authoritative restore, click the following article numbers to view the articles in the Microsoft Knowledge Base:
216243 (http://support.microsoft.com/kb/216243/) The effects on trusts and computer accounts when you authoritatively restore Active Directory
248132 (http://support.microsoft.com/kb/248132/) How to recover a deleted domain controller computer account in Windows 2000
840001 (http://support.microsoft.com/kb/840001/) How to restore deleted user accounts and their group memberships in Active Directory





APPLIES TO
Microsoft Windows 2000 Server
Microsoft Windows 2000 Advanced Server



