
Windows Server 2008 Active Directory Restoration

There are two modes of restoring Active Directory in Windows Server 2008:

1- Non-Authoritative Restoration

2- Authoritative Restoration

Non-Authoritative Restore – This is the most common method for restoring Active Directory. When we use this method, all the settings on the server are restored from the backup, and after the restoration the latest Active Directory updates are replicated in from the other domain controllers.

On Windows Server 2008, we can use the Windows Server Backup utility, Directory Services Restore Mode or wbadmin to do a Non-Authoritative Restore on a domain controller, but Windows Server Backup is the easiest way.

Authoritative Restore – This method of restoration is used when we want to restore a single object or even the entire Active Directory. During this restore, the data which needs to be restored is marked as current, which prevents replication from overwriting it. An Authoritative Restore increases the Update Sequence Number (USN) by 10,000 or more to let all other DCs know to use this object in replication.

An Authoritative Restore is performed together with a normal restore (Non-Authoritative Restore); after that, NTDSUTIL is used to complete the process.

Case Scenarios:

For Non-Authoritative Restore: When a domain controller is dead due to hardware or OS failure and we need to restore it from backup, we use a Non-Authoritative Restore, because it restores Active Directory to the state at the time the backup was last taken, and after the restoration the latest updates are replicated in from the fellow domain controllers.

For Authoritative Restore: If for some reason an object such as an OU (Organizational Unit) is accidentally deleted from Active Directory and we need to get it back, we cannot simply use a Non-Authoritative Restore. Once the OU has been deleted, the on-going replication between domain controllers propagates that deletion to every Active Directory server in the domain. If we only perform a Non-Authoritative Restore, we still will not get the deleted OU back, because the restored domain controller will replicate from its fellow domain controllers, and those have already replicated the OU deletion. So, in this case, we do a Non-Authoritative Restore followed by NTDSUTIL, which marks the deleted object in the backup as current. This means that after the restore every piece of data is replicated in from the fellow domain controllers, except for the data we marked as current through NTDSUTIL, i.e. the OU.
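The two-stage procedure described above (a normal restore in Directory Services Restore Mode, then NTDSUTIL marking the deleted OU as authoritative), as an added PowerShell example that is not part of the original post. It assumes the backup was taken with Windows Server Backup, and the OU distinguished name, domain name and backup version identifier are placeholders.

```powershell
# Added example, not from the original post: restoring an accidentally deleted OU on a
# Windows Server 2008 DC. Stage 1 is the Non-Authoritative Restore, Stage 2 the
# Authoritative Restore with NTDSUTIL. All names below are placeholders.

$DeletedOU = "OU=Sales,DC=corp,DC=example"   # placeholder DN of the deleted OU

# ---- Stage 1: Non-Authoritative Restore (System State from Windows Server Backup) ----
# 1a. Make the next boot start in Directory Services Restore Mode so NTDS is offline.
bcdedit /set safeboot dsrepair
# Restart-Computer -Force   # reboot and log on with the DSRM administrator password

# 1b. In DSRM: list the available backups, then restore the System State.
#     Replace the version identifier (MM/DD/YYYY-HH:MM) with one shown by "get versions".
wbadmin get versions
wbadmin start systemstaterecovery -version:01/01/2009-12:00 -quiet

# ---- Stage 2: Authoritative Restore (still in DSRM, before booting normally) ----
# NTDSUTIL marks the restored subtree as current, so normal replication will bring
# everything else up to date from the fellow DCs but will not overwrite this OU.
ntdsutil "activate instance ntds" "authoritative restore" "restore subtree $DeletedOU" quit quit

# ---- Return to normal mode ----
bcdedit /deletevalue safeboot
# Restart-Computer -Force   # after reboot, replication resumes; the OU is now authoritative

# ---- Verification after the reboot into normal mode ----
# Confirm the OU exists again on this DC, then check that it has replicated to a peer.
dsquery * $DeletedOU -scope base
repadmin /showobjmeta . $DeletedOU     # version/USN metadata for the restored object
```

Only the subtree passed to NTDSUTIL is marked authoritative; every other change made after the backup still replicates in from the other domain controllers, which is the behaviour the article describes.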

In this article I have only focused on the prime difference between Authoritative and Non-Authoritative Restore; in coming blogs I will try to explain the whole process of Active Directory restoration.

 
