An extended schema cannot be repaired through an authoritative restore
2008-09-01 10:49
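I have a question about the schema. An expert once told me that an extended schema cannot be repaired through an authoritative restore. I don't know whether that is right; could you explain it in detail? Aren't the schema's attributes and classes stored in NTDS.DIT? If so, I should be able to recover them when I do a restore!! Thanks!!!
Answer: Based on your description, my understanding of the question is that you want to know whether an extended schema can be restored.
Your understanding is correct. An authoritative restore cannot restore the schema. On this point, you can refer to the following article: 241594 How to perform an authoritative restore to a domain controller in Windows 2000
http://support.microsoft.com/default.aspx?scid=kb;EN-US;241594
If the schema has been extended and you later no longer want to use the extension, we can disable that schema, but it cannot be deleted, and we cannot return to the previous version through an Active Directory restore either.
An authoritative restore cannot restore the schema the way it restores other Active Directory data. If the schema needs to be restored, we need to perform a nonauthoritative restore on all DCs.
Once the schema has been extended, after Active Directory replication the schema on all DCs receives the same copy.
李佳, Microsoft Global Technical Support Center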
This article was previously published under Q241594
A system state restore replaces all new, deleted, or modified objects on the domain controller that is being restored.
How to perform an authoritative restore to a domain controller in Windows 2000
Article ID: 241594
Last Review: October 30, 2006
Revision: 6.2
SUMMARY
This article discusses how to perform an authoritative restore of the Active Directory directory service to a Windows 2000-based domain controller.
During a typical file restore operation, Microsoft Windows Backup operates in nonauthoritative restore mode. In this mode, Windows Backup restores all files, including Active Directory objects, with their original Update Sequence Number (USN) or numbers. The Active Directory replication system uses the USN to detect and replicate changes to Active Directory to all the domain controllers on the network. All data that is restored nonauthoritatively appears to the Active Directory replication system as old data. Old data is never replicated to any other domain controllers. The Active Directory replication system updates the restored data with newer data from other domain controllers. Performing an authoritative restore resolves this issue.
Note Use an authoritative restore with extreme caution because of the effect it may have on Active Directory. An authoritative restore must be performed immediately after the computer has been restored from a previous backup, before restarting the domain controller in normal mode. An authoritative restore replicates all objects that are marked authoritative to every domain controller hosting the naming contexts that the objects are in. To perform an authoritative restore on the computer, you must use the Ntdsutil.exe tool to make the necessary USN changes to the Active Directory database.
There are certain parts of Active Directory that cannot or should not be restored in an authoritative manner:
• You cannot authoritatively restore the schema.
• The configuration naming context is also very sensitive, because changes will affect the whole forest. For example, it does not make sense to restore connection objects. Connection objects should be recreated by the Knowledge Consistency Checker (KCC) or manually. Restoring server and NTDS settings objects makes sense when no destructive troubleshooting was done before. If you are unsure, contact Microsoft Product Support Services for help: http://support.microsoft.com/default.aspx?scid=fh;EN-US;CNTACTMS
• In the domain context, do not restore any objects that deal with relative identifier (RID) pools. This includes the subobject "Rid Set" of domain controller computer accounts and the RidManager$ object in the SYSTEM container.
• Another issue is that many distinguished name-type links may break when you restore. This may affect objects that are used by the File Replication Service (FRS). These exist underneath CN=File Replication Service,CN=System,DC=yourdomain and CN=NTFRS Subscriptions,CN=DC computer account.
• Attempts to authoritatively restore a complete naming context will always include objects that can disrupt the proper functionality of crucial parts of Active Directory. You should always try to authoritatively restore a minimal set of objects.
• Finally, similar issues might exist for objects created by other applications. These go beyond the scope of this article.
A system state restore of a naming context that contains two or more replicas is an authoritative merge. In an authoritative merge, all objects that are deleted or modified are rolled back to when the backup was made. Objects that were created after the backup are replicated from naming context replicas. An authoritative merge represents a merge of the state that existed when the backup was made with new objects that were created after the backup.
When you nonauthoritatively restore a naming context that contains a single replica, you actually perform an authoritative restore.
Note After you perform an authoritative restore, you may delete user accounts and their group memberships in Active Directory. To resolve this problem, add the restored users back to their groups. For more information about how to add the restored users back to their groups, click the following article number to view the article in the Microsoft Knowledge Base:
840001 (http://support.microsoft.com/kb/840001/) How to restore deleted user accounts and their group memberships in Active Directory
Performing an authoritative restore
After the data has been restored, use Ntdsutil.exe to perform the authoritative restore. To do this, follow these steps:
1. At a command prompt, type ntdsutil, and then press ENTER.
2. Type authoritative restore, and then press ENTER.
3. Type restore database, press ENTER, click OK, and then click Yes.
Restoring a subtree
Frequently, you may not want to restore the whole database because of the replication impact this would have on your domain or forest. To authoritatively restore a subtree within a forest, follow these steps:
1. Restart the domain controller.
2. When the Windows 2000 Startup menu is displayed, select Directory Services Restore Mode, and then press ENTER.
3. Restore the data from backup media for an authoritative restore. To do this, follow these steps:
4. At a command prompt, type ntdsutil, and then press ENTER.
5. Type authoritative restore, and then press ENTER.
6. Type the following command, and then press ENTER:
   restore subtree ou=OU_Name,dc=Domain_Name,dc=xxx
   Note In this command, OU_Name is the name of the organizational unit that you want to restore, Domain_Name is the domain name that the OU resides in, and xxx is the top-level domain name of the domain controller, such as "com," "org," or "net."
7. Type quit, press ENTER, type quit, and then press ENTER.
8. Type exit, and then press ENTER.
9. Restart the domain controller.
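A pre-flight check for the DN passed to restore subtree in step 6, added here as an example (it is not from the KB article or from Microsoft): it applies the article's list of objects that cannot or should not be authoritatively restored. The rule table, the function names and the example.com DNs are assumptions made for illustration, and the check works on DN strings only, without querying the directory.

```python
import re

# Constructed rules from the article's list; paths are non-DC RDNs, root first.
SCHEMA = ("cn=configuration", "cn=schema")
FIXED = [  # (path below the forest/domain root, severity, reason)
    (("cn=system", "cn=ridmanager$"), "block", "RID pool object (RidManager$)"),
    (("cn=system", "cn=filereplicationservice"), "warn", "FRS objects, DN-type links may break"),
    (("cn=configuration",), "warn", "configuration naming context, forest-wide effect"),
]
ANYWHERE = {  # RDNs found under each domain controller's computer account
    "cn=ridset": ("block", "RID pool object (Rid Set)"),
    "cn=ntfrssubscriptions": ("warn", "FRS objects, DN-type links may break"),
}
RANK = {"ok": 0, "warn": 1, "block": 2}


def top_down_path(dn):
    """Split a DN on unescaped commas; return non-DC RDNs, root first, normalized."""
    rdns = [r.replace(" ", "").lower() for r in re.split(r"(?<!\\),", dn.strip())]
    if not all(re.fullmatch(r"[a-z]+=.+", r) for r in rdns):
        raise ValueError("not a distinguished name: %r" % dn)
    return tuple(r for r in reversed(rdns) if not r.startswith("dc="))


def check_subtree(dn):
    """Return (severity, reason) for authoritatively restoring this subtree."""
    path = top_down_path(dn)
    if path[:2] == SCHEMA:
        return "block", "the schema cannot be authoritatively restored"
    hits = [ANYWHERE[r] for r in path if r in ANYWHERE]
    for rule, severity, reason in FIXED:
        n = min(len(rule), len(path))
        if rule[:n] == path[:n]:  # target is the object, below it, or contains it
            hits.append((severity, ("contains " if len(path) < len(rule) else "") + reason))
    if not path:
        hits.append(("warn", "complete naming context, restore a minimal set"))
    return max(hits, key=lambda h: RANK[h[0]], default=("ok", "no rule matched"))


def ntdsutil_steps(dn):
    """Lines to type for steps 4-7 of the procedure, or ValueError if blocked."""
    severity, reason = check_subtree(dn)
    if severity == "block":
        raise ValueError("refusing %r: %s" % (dn, reason))
    return ["ntdsutil", "authoritative restore", "restore subtree " + dn, "quit", "quit"]


if __name__ == "__main__":  # constructed DNs, example.com is a placeholder
    for dn in ("ou=Sales,dc=example,dc=com", "cn=System,dc=example,dc=com"):
        print(dn, "->", check_subtree(dn))
```

A "warn" result still returns the steps; the reason from check_subtree is what an operator would review before typing them.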
REFERENCES
For more information about restoring the system state to a domain controller from a previous backup, click the following article number to view the article in the Microsoft Knowledge Base:
240363 (http://support.microsoft.com/kb/240363/) How to use the Backup program to back up and restore the system state in Windows 2000
For more information about the effects of performing an authoritative restore, click the following article numbers to view the articles in the Microsoft Knowledge Base:
216243 (http://support.microsoft.com/kb/216243/) The effects on trusts and computer accounts when you authoritatively restore Active Directory
248132 (http://support.microsoft.com/kb/248132/) How to recover a deleted domain controller computer account in Windows 2000
840001 (http://support.microsoft.com/kb/840001/) How to restore deleted user accounts and their group memberships in Active Directory
APPLIES TO
• Microsoft Windows 2000 Server
• Microsoft Windows 2000 Advanced Server
Keywords: kbhowtomaster kbnetwork KB241594