Question about group membership after authoritative restore
Hi all, hoping someone can help me understand what is going on. I have 3 domains in a forest, let's call them A.com, Child.A.com and B.com. I just restored a user account using the restore object command in NTDSutil on a domain controller in the A.com domain. This domain controller is running Windows 2008 and is also a Global Catalog server. The other domain controller in A.com is running Windows 2003. The forest functional level is Windows 2003 and the other domain controllers in Child.A.com and B.com are running Windows 2008.

Now the user I restored was a member of some groups in each domain. Specifically, this user was a member of groups in its local domain (A.com) as well as a member of a universal group in Child.A.com and a universal group in B.com. Now reading through TechNet, I understand that if you restore a Global Catalog with 2003 Forest Functional level, group membership for the object should automatically be restored, as well as universal group membership throughout the forest. Correct?

When I look at the restored user account on the 2008 DC in A.com, I see in the Member Of tab all the groups that user belonged to. However, if I look at the Universal groups in the other 2 domains, the user does not show. I've checked the ADSI properties of the group in each domain, and do not see the restored user listed. Also odd, if I check the ADSI properties of the user on the 2003 domain controller in A.com, the only groups listed for the user are the groups in A.com. Like I said though, from the 2008 DC, which was the restored DC, all the groups from all domains show up.

So I am wondering what is going on? It seems like I am still a member of the universal groups in the other domains, because I attempted to create a share and grant access only to that universal group, and I was able to use the restored account to access it. Also, all of these DCs are in a single site. Any ideas what behavior I am witnessing?
November 11th, 2010 10:22am

Hi,

The group membership attribute is different from most other attributes in Active Directory. Group membership is a linked attribute; therefore, two objects are involved whenever group membership is changed. These are the "member of" attribute of the user object and the "member" attribute of the group object. Each of these attributes points to the group membership list, which is maintained as a multivalued attribute in a different area of the database. Whenever a group membership is modified, Active Directory updates the links and backlinks to the necessary objects in the background.

Due to the nature of group memberships and the way that Active Directory replicates data, it is possible to lose group membership information as the result of the authoritative restore process. This can occur depending upon which object (the user or the group) is replicated first after the authoritative restore takes place. If the user object that has been authoritatively restored replicates first, then the multivalued group membership list will be modified, all necessary links and backlinks will be modified correctly, and both objects will be in the correct consistent state. If the group object that has been authoritatively restored is replicated before the user object, then the destination domain controller will silently drop the addition of the user object from the group membership list. The destination domain controller does this because, as far as it is concerned, the user object referenced in the group membership list has been deleted previously, and it has not yet received replication of the undeleted object.

Due to the way that Active Directory replication works, there is no way to define which objects should replicate first in the authoritative restore scenario. If you are affected by this behavior, it is best to perform two separate authoritative restore operations. First, perform an authoritative restore procedure, restoring the required user accounts. After this has completed, reboot the domain controller and allow it time to replicate the user accounts that have been authoritatively restored. Next, perform another authoritative restore exercise, this time for the groups that you want to put back into Active Directory. After the process has completed, reboot. After reboot, the domain controller will replicate the group(s) that has (have) been authoritatively restored. As the user accounts are now present in Active Directory, these will not be silently dropped from the membership list of the group, leaving both the users and groups consistent inside Active Directory.

For more information, please also refer to the following Microsoft KB article: Authoritative restore of groups can result in inconsistent membership information across domain controllers, http://support.microsoft.com/kb/280079

Regards,
November 15th, 2010 4:56am
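The check a practitioner would want after either restore pass is to ask each domain controller directly what it holds, rather than trusting the Member Of tab on one DC. The script below is an added example, not code from the original thread or from Microsoft; it addresses both the asker's observation (memberships visible on the 2008 GC but not on the 2003 DC or in the other domains) and the answerer's two-pass procedure by reporting, per DC and port, whether the user's memberOf back-link and each universal group's member forward-link agree. It assumes only System.DirectoryServices (the [ADSI] accelerator built into Windows PowerShell) and read access to the objects; the host names, DNs and group list are placeholders to be replaced. memberOf is a back-link computed from the member values held on the queried DC, so a DC that is not a Global Catalog can only report groups from its own domain, and an LDAP error for a foreign-domain DN on port 389 is expected rather than a fault.

```powershell
# Added example (not from the original thread): compare the group links each DC
# actually holds for a restored user. All names below are placeholders.
# Assumes System.DirectoryServices and read access over LDAP (389) and GC (3268).

$userDn = 'CN=Restored User,OU=Users,DC=a,DC=com'      # placeholder user DN

# One entry per DC; Gc = $true also queries the Global Catalog port on that host
$dcs = @(
    @{ Host = 'dc1.a.com';       Gc = $true  },   # restored Windows 2008 DC, GC
    @{ Host = 'dc2.a.com';       Gc = $false },   # Windows 2003 DC, not a GC
    @{ Host = 'dc1.child.a.com'; Gc = $false },
    @{ Host = 'dc1.b.com';       Gc = $false }
)

# Universal groups whose 'member' attribute should reference the user (placeholders)
$groups = @(
    'CN=Universal Group 1,OU=Groups,DC=child,DC=a,DC=com',
    'CN=Universal Group 2,OU=Groups,DC=b,DC=com'
)

function Get-LinkValues {
    # Read one attribute of one object from one specific DC and port,
    # bypassing referral chasing so the answer reflects that DC's own replica.
    param([string]$Server, [int]$Port, [string]$Dn, [string]$Attribute)
    try {
        $entry = [ADSI]"LDAP://$($Server):$Port/$Dn"
        $entry.RefreshCache([string[]]@($Attribute))
        return @($entry.Properties[$Attribute])
    } catch {
        # A non-GC DC does not hold other domains' naming contexts; record the error
        return @("<error: $($_.Exception.Message.Trim())>")
    }
}

$report = foreach ($dc in $dcs) {
    $ports = @(389)
    if ($dc.Gc) { $ports += 3268 }
    foreach ($port in $ports) {
        # Back-link view: what the user object says it is a member of on this DC
        $memberOf = Get-LinkValues -Server $dc.Host -Port $port -Dn $userDn -Attribute 'memberOf'
        foreach ($g in $groups) {
            # Forward-link view: what the group object says its members are on this DC
            $members = Get-LinkValues -Server $dc.Host -Port $port -Dn $g -Attribute 'member'
            [pscustomobject]@{
                Server         = "$($dc.Host):$port"
                Group          = $g
                UserListsGroup = ($memberOf -contains $g)       # memberOf back-link present
                GroupListsUser = ($members  -contains $userDn)  # member forward-link present
                GroupReadError = ($members -join '') -like '<error:*'
            }
        }
    }
}

# Rows where GroupListsUser is False on a DC that holds the group (GroupReadError False)
# are the links silently dropped during replication that the answer describes.
$report | Format-Table -AutoSize
```

Run it once after the user restore has replicated and again after the group restore; the two runs should converge to GroupListsUser = True on every DC that holds the group's naming context, and UserListsGroup = True on the GC port for groups from every domain.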
