My company recently needed to perform an authoritative restore because someone inadvertently deleted an organizational unit (OU). A Directory Service (DS) restore was faster than manually recreating the OU because the OU contained more than 80 user accounts.
A concern when performing a DS restore, other than taking a production domain controller (DC) offline, is global group handling. Group membership is stored on the group object (its member attribute), not on the user object, so deleting a user account also strips that account out of every global group it belonged to. When you then authoritatively restore the user account alone, or, in our case, an OU that contains user accounts, the group objects themselves aren't restored, and the global group memberships are missing.
Had we relied on the restore alone to bring the memberships back, we would have needed to know every global group the 80 user accounts belonged to, authoritatively restore all of those groups, ensure that the groups had replicated domainwide, and then restore the user accounts. Alternatively, we could have performed a full Active Directory (AD) restore, but we would have lost any AD changes made after our last full backup, and the restore would have consumed a great deal of bandwidth because the entire AD database would have replicated to all 30 of our remote sites.
Instead, we slowed intersite replication to one of our remote sites so that the deletion wouldn't reach it, and used that site to restore the OU and user accounts. We selected a site with few clients, none of which needed domainwide AD changes to be instantaneous, and changed that site link's replication interval from every 15 minutes to every 2 days. The DC at that site still held the pre-deletion directory, so we could query it to determine which groups each of the 80 user accounts belonged to. After the restore, we manually re-added the users to those global groups. The whole process took less than an hour. Because the restore brought back the original objects rather than recreating them, their GUIDs and SIDs remained intact, so the restored objects kept the same permissions they had before the deletion.
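The same procedure, scripted with the ActiveDirectory PowerShell module, as an added example that is not part of the original article: widen the site link's replication interval, snapshot the group memberships from the DC that hasn't yet received the deletion, perform the authoritative restore, then re-apply the memberships and confirm the restored accounts kept their SIDs. The OU distinguished name, DC host name, site link name and CSV path are assumptions for illustration; replace them with your own.

```powershell
# Added example (not from the original article). Requires the ActiveDirectory module
# (RSAT) and an account with rights on the site link, the OU and the groups involved.
Import-Module ActiveDirectory

$OuDn      = 'OU=Sales,DC=corp,DC=example,DC=com'   # assumed: the OU that was deleted
$LaggingDc = 'dc-remote01.corp.example.com'         # assumed: DC that has not yet received the deletion
$SiteLink  = 'HQ-Remote01'                          # assumed: site link to that DC's site
$Snapshot  = 'C:\Restore\memberships.csv'           # assumed: where the membership snapshot is kept

# Step 1: widen the replication interval so the deletion does not reach the lagging site.
# The article went from 15 minutes to 2 days; 2 days = 2880 minutes.
Get-ADReplicationSiteLink -Identity $SiteLink -Properties ReplicationFrequencyInMinutes
Set-ADReplicationSiteLink -Identity $SiteLink -ReplicationFrequencyInMinutes 2880

# Step 2: read each user's memberOf back-link from the lagging DC while the objects
# still exist there. -Server pins the query to that DC instead of the nearest one.
function Export-OuGroupMembership {
    param([string]$SearchBase, [string]$Server, [string]$Path)
    Get-ADUser -Server $Server -SearchBase $SearchBase -Filter * -Properties memberOf |
        ForEach-Object {
            $user = $_
            foreach ($groupDn in $user.memberOf) {
                [pscustomobject]@{
                    UserSam = $user.SamAccountName
                    UserSid = $user.SID.Value   # recorded so we can prove the restore kept the original object
                    GroupDn = $groupDn
                }
            }
        } | Export-Csv -Path $Path -NoTypeInformation
}
Export-OuGroupMembership -SearchBase $OuDn -Server $LaggingDc -Path $Snapshot

# Step 3 (done interactively, not from this script): boot the restore DC into Directory
# Services Restore Mode, restore system state from backup, then in ntdsutil mark the OU
# authoritative so it wins replication when the DC comes back online:
#   activate instance ntds          (required on Windows Server 2008 and later)
#   authoritative restore
#   restore subtree "OU=Sales,DC=corp,DC=example,DC=com"
# and reboot normally.

# Step 4: re-add only the memberships that are actually missing, group by group.
# Add-ADGroupMember errors on members that are already present, so filter them out first.
function Restore-OuGroupMembership {
    param([string]$Path, [string]$Server)
    $rows = Import-Csv -Path $Path
    foreach ($group in ($rows | Group-Object GroupDn)) {
        $existing = Get-ADGroupMember -Server $Server -Identity $group.Name |
                    Select-Object -ExpandProperty SamAccountName
        $missing  = $group.Group.UserSam | Where-Object { $_ -notin $existing }
        if ($missing) {
            Add-ADGroupMember -Server $Server -Identity $group.Name -Members $missing
        }
    }
}

# Step 5: verify that each restored account has the SID recorded in the snapshot.
# A recreated account would get a new SID and lose every ACE that referenced the old one.
function Test-RestoredSid {
    param([string]$Path, [string]$Server)
    Import-Csv -Path $Path | Select-Object UserSam, UserSid -Unique | ForEach-Object {
        $now = (Get-ADUser -Server $Server -Identity $_.UserSam).SID.Value
        [pscustomobject]@{ User = $_.UserSam; SidPreserved = ($now -eq $_.UserSid) }
    }
}

# Run steps 4 and 5 against the restored DC once it is back online, e.g.:
#   Restore-OuGroupMembership -Path $Snapshot -Server 'dc-hq01.corp.example.com'
#   Test-RestoredSid          -Path $Snapshot -Server 'dc-hq01.corp.example.com'
# Finally, put the site link back to its normal interval:
#   Set-ADReplicationSiteLink -Identity $SiteLink -ReplicationFrequencyInMinutes 15
```

The snapshot in step 2 must be taken before the deletion replicates to the lagging DC, which is why the interval is widened first. Note that on Windows Server 2003 SP1 and later, ntdsutil's authoritative restore also writes an LDIF file of the restored objects' group back-links that can be imported with ldifde, which covers much of what the article had to do by hand.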