Restoring the Entire Forest
In rare cases you may have deleted or damaged a critical section of Active Directory that is shared by the entire forest. Changes that affect the entire forest include raising the Forest Functional Level or running an application that changes the schema (such as installing Exchange Server).
Restoring the entire forest in a large organization can be difficult. The best approach is to take preventive steps. See the Algin white paper Active Directory Recovery Planning in Small and Large Organizations.
To restore the whole forest you must first boot all of the domain controllers (DCs) into Directory Services Restore Mode (DSRM). Do this before you begin the restore process. (Alternatively, temporarily disconnect the network cables from the domain controllers.) Otherwise, as soon as you restore one DC, one of the bad DCs will immediately attempt to replicate the bad changes to the newly restored DC and “infect” it.
To avoid “infection” of the restored DCs, use the following procedure:
- Install UMove on each DC.
- Boot all of the DCs into Directory Services Restore Mode (DSRM). Or ensure that they are disconnected from the network.
- Verify that no domain controllers are serving Active Directory.
- On each DC do a simple restore to reload AD. Start first with the Primary Domain Controller (PDC) at the root of the forest. Next reload the Global Catalog (GC) server(s).
- While each DC reboots you can reconnect it to the network.
- Clean up and uninstall UMove.
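The following PowerShell script is an added example for the "verify that no domain controllers are serving Active Directory" step; it is not part of the UMove documentation or product. It assumes you supply your own list of DC host names (the names in the script are constructed placeholders) and that you run it from a management workstation that can reach the DCs over the network. A DC that is in DSRM or unplugged does not answer on the LDAP (389) or Global Catalog (3268) ports, so a plain TCP connect is enough to tell whether a DC is still live; the AD PowerShell module is deliberately not used, because it needs a working DC to talk to. The optional `Enable-DsrmOnNextBoot` helper wraps the built-in `bcdedit /set safeboot dsrepair` command; the helper name is mine, the bcdedit syntax is Microsoft's.

```powershell
# Added example, not UMove's own code. Verifies that none of the listed DCs is
# still serving Active Directory before the forest restore begins.
# The DC names are constructed placeholders; replace them with your own.

$DomainControllers = @(
    'dc1.corp.example',        # placeholder: forest-root PDC, restore first
    'dc2.corp.example',        # placeholder: Global Catalog server, restore next
    'dc3.child.corp.example'   # placeholder: child-domain DC
)

function Test-TcpPort {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [Parameter(Mandatory)][int]$Port,
        [int]$TimeoutMs = 2000
    )
    # Plain TCP connect with a timeout. Needs no AD module, so it works even
    # when every DC in the forest is already down or in DSRM.
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

function Test-DcServingAd {
    param([Parameter(Mandatory)][string]$ComputerName)
    # A DC in DSRM (or disconnected) does not listen on LDAP 389 or GC 3268.
    [pscustomobject]@{
        DomainController  = $ComputerName
        Ldap389           = Test-TcpPort -ComputerName $ComputerName -Port 389
        GlobalCatalog3268 = Test-TcpPort -ComputerName $ComputerName -Port 3268
    }
}

function Enable-DsrmOnNextBoot {
    param([Parameter(Mandatory)][string]$ComputerName)
    # Optional helper: flags the DC to start in DSRM on its next boot and
    # restarts it. bcdedit is the built-in Windows boot-configuration tool.
    # After the restore, clear the flag on the DC with: bcdedit /deletevalue safeboot
    Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        bcdedit /set safeboot dsrepair
        Restart-Computer -Force
    }
}

# --- Run the check -----------------------------------------------------------
$results = $DomainControllers | ForEach-Object { Test-DcServingAd -ComputerName $_ }
$results | Format-Table -AutoSize

$stillServing = $results | Where-Object { $_.Ldap389 -or $_.GlobalCatalog3268 }
if ($stillServing) {
    Write-Warning 'These DCs still answer AD queries; boot them into DSRM or unplug them before restoring:'
    $stillServing | ForEach-Object { Write-Warning "  $($_.DomainController)" }
    exit 1
}
Write-Host 'No domain controller is serving Active Directory. Safe to begin the restore.'
```

Run the check once before the first simple restore and again after each DC is reconnected: a DC that comes back on port 389 before its turn is the "infection" path the procedure above is designed to prevent. Because `Enable-DsrmOnNextBoot` reboots the target, call it only after UMove is installed on that DC and you are ready for it to go offline.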
Alternate procedure: Authoritative Restore
Microsoft provides the option of recovering Active Directory using Authoritative Restore. Use of Authoritative Restore is not recommended. Authoritative Restore requires that you have expert knowledge of NTDSUTIL and the Active Directory tree structure in order to repair duplicate objects and group membership back-links.
For more information see Microsoft Knowledge Base articles KB241594 and KB216243, and the Microsoft white paper Forest Recovery.
