Hopefully you read this before Vacation!
I got it working, thanks for your help. It was my fault, I was doing too
many tests at once on VM machines. I started over from scratch and it
worked perfectly.
Thanks!
Mike
From: ActiveDir-owner (AT) mail (DOT) activedir.org
[mailto:ActiveDir-owner (AT) mail (DOT) activedir.org] On Behalf Of Grillenmeier,
Guido
Sent: Friday, August 04, 2006 1:03 PM
To: ActiveDir (AT) mail (DOT) activedir.org
Subject: RE: [ActiveDir] Authoritative Restore problems
Make absolutely sure that you type the DN correctly - I just noticed you
have a SPACE between "user," and "ou=it" - if you entered the DN this
way, it wouldn't work.
P.S.: won't read the posts for the next two weeks since I'm taking off
for vacation tomorrow.
/Guido
From: ActiveDir-owner (AT) mail (DOT) activedir.org
[mailto:ActiveDir-owner (AT) mail (DOT) activedir.org] On Behalf Of Mike Hogenauer
Sent: Friday, August 04, 2006 4:26 PM
To: ActiveDir (AT) mail (DOT) activedir.org
Subject: RE: [ActiveDir] Authoritative Restore problems
Guido
Yes, I took a backup of the system state, rebooted into DSRM - ran
ntbackup and restored the system state, went to NTDSUTIL and then tried
my "Auth Res" and it still failed. Which is why I'm confused.
I actually have read the article you wrote in your hyperlink, and I know
you read these posts so I was actually hoping to get your opinion.
I will try again - and let you know what happens.
Thanks,
Mike
From: ActiveDir-owner (AT) mail (DOT) activedir.org
[mailto:ActiveDir-owner (AT) mail (DOT) activedir.org] On Behalf Of Grillenmeier,
Guido
Sent: Thursday, August 03, 2006 11:14 PM
To: ActiveDir (AT) mail (DOT) activedir.org
Subject: RE: [ActiveDir] Authoritative Restore problems
Mike, can you be a little more specific about the steps that you took to
do your restore? This should work fine using the ntdsutil ->
authoritative restore -> restore object "Cn=test user,
ou=it,dc=mycorp,dc=com" command, provided you previously took
a backup, rebooted to DSRM mode and have restored the AD DB
(SystemState) to the DC - the Auth Restore needs to happen right after
the restore of the SystemState, prior to the reboot of the DC.
Check out the whitepaper I wrote with Gil
(). Pages 11 to 13
walk you through how to do an Auth. Restore of objects, and since you
have R2 (includes SP1), you can go right to page 21 to see how to
recover potentially missing links of your recovered object (such as
group membership etc.). Hope you don't have a multi-domain environment
and are heavily relying on cross populating domain local groups in all
the domains in your forest - this adds extra headaches for the recovery
of the links (also described in the whitepaper).
/Guido
From: ActiveDir-owner (AT) mail (DOT) activedir.org
[mailto:ActiveDir-owner (AT) mail (DOT) activedir.org] On Behalf Of Mike Hogenauer
Sent: Friday, August 04, 2006 6:57 AM
To: ActiveDir (AT) mail (DOT) activedir.org
Subject: [ActiveDir] Authoritative Restore problems
I've been asked to write a Disaster recovery doc for our company. I'm
trying to delete a single user account and do an authoritative restore
of that account.
(in a test environment of course)
Before I deleted the test account I used adsiedit to verify the path to
the account. Cn=test user, ou=it,dc=mycorp,dc=com
From Directory restore mode, I can start the Authoritative restore but
it always fails with:
Could not find object with the failed DN: failed on component "cn=test
user".
Authoritative restore failed
Error 800ffff parsing input - illegal syntax?
I've reviewed and it says I must
use quotes - either way it fails.
I've even tried the workaround described in here:
Suggestions?
Environment: Windows 2003 R2
Thanks in advance
Mike