So here is a step-by-step for Windows 2008. Note that this does not apply to versions earlier than 2008.
1. Stop replication with repadmin on a DC that has the object(s). I usually stop both inbound and outbound to be safe:
- Repadmin /options
- Repadmin /options
2. Stop AD Service. This will also stop the following services:
- File Replication
- Kerberos Key Distribution Center
- Intersite Messaging
- DNS Server
- DFS Replication
3. Set instance:
- Ntdsutil
- Activate instance NTDS
4. Authoritative Restore (while in ntdsutil):
- Authoritative restore
- Restore subtree ou=dr-test,dc=qadvice,dc=prv
Example screenshot:
authoritative restore: restore subtree ou=dr-test,dc=qadvice,dc=prv
Opening DIT database... Done.
The current time is 11-20-09 12:35.45.
Most recent database update occured at 11-20-09 12:32.09.
Increasing attribute version numbers by 100000.
Counting records that need updating...
Records found: 0000001001
Done.
Found 1001 records to update.
Updating records...
Records remaining: 0000000000
Done.
Successfully updated 1001 records.
The following text file with a list of authoritatively restored objects has been created in the current working directory:
ar_20091120-123545_objects.txt
None of the specified objects have back-links in this domain. No link restore file has been created.
Authoritative Restore completed successfully.
5. Start AD and related services (if they don't start automatically)
6. Enable replication on the DC:
- Repadmin /options
- Repadmin /options
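The six steps above as one script, as an added example that is not part of the original post. The DC name DC01 is a placeholder, and the DISABLE_INBOUND_REPL / DISABLE_OUTBOUND_REPL flags are the standard repadmin options, supplied here because the arguments do not appear in the steps as shown. The script stops at the first failure and leaves replication disabled, so a failed restore cannot be followed by the deletion replicating in.

```powershell
# Added example, not from the original post. Run elevated on the DC that still has the objects.
$DC      = 'DC01'                          # placeholder DC name (assumption)
$Subtree = 'ou=dr-test,dc=qadvice,dc=prv'  # subtree DN used in the post

function Invoke-Step([string]$Exe, [string[]]$Arguments) {
    # Run a native tool and abort the whole procedure on a non-zero exit code.
    Write-Host ">> $Exe $($Arguments -join ' ')"
    & $Exe $Arguments
    if ($LASTEXITCODE -ne 0) { throw "$Exe exited with code $LASTEXITCODE" }
}

# 1. Disable inbound and outbound replication, then show the resulting options.
Invoke-Step repadmin '/options', $DC, '+DISABLE_INBOUND_REPL'
Invoke-Step repadmin '/options', $DC, '+DISABLE_OUTBOUND_REPL'
Invoke-Step repadmin '/options', $DC

# 2. Stop AD DS; /y also stops the dependent services listed in step 2.
Invoke-Step net 'stop', 'ntds', '/y'

# 3 + 4. Activate the NTDS instance and mark the subtree authoritative.
$started = Get-Date
Invoke-Step ntdsutil 'activate instance ntds', 'authoritative restore',
                     "restore subtree $Subtree", 'quit', 'quit'

# ntdsutil writes ar_<timestamp>_objects.txt to the working directory on success.
# If no new file exists, stop here: replication stays disabled on purpose.
$report = Get-ChildItem -Path . -Filter 'ar_*_objects.txt' |
          Where-Object { $_.LastWriteTime -ge $started }
if (-not $report) { throw 'No ar_*_objects.txt written; restore not confirmed.' }
Write-Host "Restored objects are listed in $($report[-1].Name)"

# 5. Start AD DS and any related service that did not come back by itself.
Invoke-Step net 'start', 'ntds'
foreach ($name in 'NtFrs', 'Kdc', 'IsmServ', 'DNS', 'DFSR') {
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue  # role may be absent
    if ($svc -and $svc.Status -ne 'Running') { Start-Service -Name $name }
}

# 6. Re-enable replication and confirm that both DISABLE flags are gone.
Invoke-Step repadmin '/options', $DC, '-DISABLE_INBOUND_REPL'
Invoke-Step repadmin '/options', $DC, '-DISABLE_OUTBOUND_REPL'
Invoke-Step repadmin '/options', $DC
```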
5 comments:
Do I seriously need this when I have recycle bin ON?
No, but that means you are running 2008 R2.
Regards,
/Jimmy Andersson
Thanks for clarifying.
To clarify further, this is in a scenario where someone accidentally deleted a subtree of objects. And you have a DC that still has these objects.
Regards,
/Jimmy Andersson
...and you don't run R2
Regards,
/Jimmy Andersson