Q. I need to make a major change to the schema of my Active Directory (AD). If it goes wrong, can I perform an authoritative restore to reset?

A. An authoritative restore can't undo schema changes to AD. To undo a schema change, you need to perform a forest recovery, which is a major process.

Before making your schema changes, ensure you have a backup of at least one domain controller (DC) from each domain in the forest. Make sure this DC is writable, and ideally it shouldn't be a Global Catalog (GC). If possible, back up the DC holding the Relative Identifier (RID) Flexible Single-Master Operation (FSMO) role in each domain, and the DC holding the forest-wide schema master and domain naming master FSMO roles, so you don't have to seize those roles with enterprise credentials during recovery.

If you need to roll back the schema change, shut down all the DCs in the forest, restore the backed-up DC from before the schema change, make the restored DC a GC, and then rebuild all the other DCs for all the domains in the forest. When performing the restoration, you need to start with the forest root domain first and work your way down the forest hierarchy.
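As an added example (not part of the original answer), the following PowerShell inventory applies the backup guidance above before a schema change: it reports the forest-wide FSMO holders, then for each domain picks a writable DC that is not a GC as the backup candidate, preferring the RID master, and lists the domains root-first in the order a recovery would restore them. It assumes the RSAT ActiveDirectory module and an account with enterprise-wide read access; the preference logic and field names in the output are my own.

```powershell
# Added example: pre-schema-change backup planning (not from the original answer).
# Assumes the RSAT ActiveDirectory module and enterprise-wide read permissions.
Import-Module ActiveDirectory

$forest = Get-ADForest
Write-Host "Forest:               $($forest.Name)"
Write-Host "Schema master:        $($forest.SchemaMaster)"
Write-Host "Domain naming master: $($forest.DomainNamingMaster)"
Write-Host "Forest root domain:   $($forest.RootDomain)  (restore this domain first)"

$plan = foreach ($domainName in $forest.Domains) {
    $domain = Get-ADDomain -Identity $domainName
    $dcs    = @(Get-ADDomainController -Filter * -Server $domainName)

    # Only writable DCs qualify: a read-only DC cannot be used to rebuild a domain.
    $writable = @($dcs | Where-Object { -not $_.IsReadOnly })

    # Preference order from the answer: RID master first, then any non-GC writable DC,
    # then any writable DC at all.
    $candidate = $writable | Where-Object { $_.HostName -eq $domain.RIDMaster } | Select-Object -First 1
    if (-not $candidate) { $candidate = $writable | Where-Object { -not $_.IsGlobalCatalog } | Select-Object -First 1 }
    if (-not $candidate) { $candidate = $writable | Select-Object -First 1 }

    [pscustomobject]@{
        Domain       = $domainName
        IsForestRoot = ($domainName -eq $forest.RootDomain)
        RIDMaster    = $domain.RIDMaster
        BackupDC     = $candidate.HostName
        BackupDCIsGC = $candidate.IsGlobalCatalog
        WritableDCs  = $writable.Count
        TotalDCs     = $dcs.Count
    }
}

# Root domain first, then the child domains: the order the restoration must follow.
$plan |
    Sort-Object -Property @{ Expression = 'IsForestRoot'; Descending = $true }, Domain |
    Format-Table -AutoSize

# Warn where the only usable candidate is a GC, since the answer recommends a non-GC backup.
$plan | Where-Object { $_.BackupDCIsGC } | ForEach-Object {
    Write-Warning "$($_.Domain): chosen backup DC $($_.BackupDC) is a Global Catalog; consider another writable DC"
}
```

Run it read-only before the change and keep its output with the backups, so the restore order and the FSMO holders are known without querying a forest that may already be broken.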

This process is why it's far better to take a copy of your live schema, restore it to development, and test any schema changes thoroughly prior to live implementation.

Microsoft's site has a document that provides a lot of information on forest recovery.
