Microsoft KB Archive/886689

= The Ntdsutil authoritative restore operation is not successful if the distinguished name path contains extended characters in Windows Server 2003 and in Windows 2000 =

Article ID: 886689

Article Last Modified on 2/28/2007

-

APPLIES TO


 * Microsoft Windows Server 2003, Standard Edition (32-bit x86)
 * Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)
 * Microsoft Windows 2000 Server
 * Microsoft Windows 2000 Advanced Server

-





SYMPTOMS
When you use the Ntdsutil.exe command-line utility to perform an authoritative restore on a distinguished name (also known as DN) path, the operation is not successful. This problem occurs if the distinguished name path contains one or more extended characters. Ntdsutil cannot locate that path in the database of the Active Directory directory service. Therefore, the version numbers are not incremented on the appropriate objects by Ntdsutil. This problem occurs when you use Ntdsutil in Microsoft Windows Server 2003 or in Microsoft Windows 2000.

Moreover, regardless of whether the correct syntax is used to authoritatively restore distinguished name paths that contain extended characters, the Ntdsutil output echoes different characters in the distinguished name path in the message that it returns. For example, if you try to perform an authoritative restore against a distinguished name path that contains the letter &quot;u&quot; with an umlaut, Ntdsutil may return a message where the &quot;u&quot; with an umlaut is shown as an &quot;e&quot; with an acute accent. The following sample output from Ntdsutil illustrates the problem.

Note In this sample output, the extended characters are described in italic following the extended characters, instead of shown as they appear in the output.

C:\>ntdsutil.exe

ntdsutil.exe: authoritative restore

authoritative restore: restore object OU=testContu,DC=contoso,DC=com (where the &quot;u&quot; in &quot;Contu&quot; contains an umlaut)

Opening DIT database... Done.

The current time is MM-DD-YY HH:MM.SS.

Most recent database update occurred at MM-DD-YY HH:MM.SS.

Increasing attribute version numbers by 100000.

Counting records that need updating...

Records found: 0000000000

Could not find the object with the given DN: failed on component

&quot;OU=testConte (where the trailing &quot;e&quot; in &quot;testConte&quot; contains an acute accent)

Authoritative Restore failed.

ntdsutil.exe: quit

In this sample output, the administrator requested that Ntdsutil perform an authoritative restore on the distinguished name path “OU=testContu,DC=contoso,DC=com,” where the &quot;u&quot; in &quot;Contu&quot; contains an umlaut. However, Ntdsutil tried to authoritatively restore a different distinguished name path, &quot;OU=testConte,DC=contoso,DC=com,” where the trailing &quot;e&quot; in &quot;testConte&quot; contains an acute accent.



CAUSE
This problem may occur if the Ntdsutil Authoritative Restore command does not correctly convert extended characters in distinguished name paths to the equivalent Unicode characters. In these cases, Ntdsutil tries to authoritatively restore a distinguished name path that is different from the one that you typed. Typically, this alternative path does not exist. Therefore, the authoritative restore operation fails.

The incorrect conversion of extended characters in Ntdsutil applies not only to diacritical marks (accent marks) but also to whole character sets in the Greek, Korean, Cyrillian, and Asian writing systems.



WORKAROUND
To work around this problem, wrap distinguished name paths that contain extended characters and spaces with backslash-double-quotation-mark escape sequences. For example, the following output shows the Ntdsutil Authoritative Restore command and the messages that the operation returns:

C:\>ntdsutil &quot;aut res&quot; &quot;res obj \&quot;OU=testCont ,DC=Contoso,DC=com\&quot;&quot; &quot;q&quot; &quot;q&quot;

authoritative restore: res obj &quot;CN=testCont ,DC=nttest,DC=Contoso,DC=com&quot; Opening DIT database... Done.

The current time is MM-DD-YY HH:MM.SS.

Most recent database update occurred at MM-DD-YY HH:MM.SS

Increasing attribute version numbers by 100000.

Counting records that need updating...

Records found: 0000000001

Done.

Found 1 records to update.

Updating records...

Records remaining: 0000000000

Done.

Successfully updated 1 records.

Authoritative Restore completed successfully.

authoritative restore: q

ntdsutil: q

Notes
 * Ntdsutil will not correctly echo the extended characters in the distinguished name path that you are trying to authoritatively restore, even when the Authoritative Restore command contains the escape sequences. However, the authoritative restore operation will succeed.
 * The problem that this article describes only occurs when you manually type each command at the Ntdsutil command prompt. If you batch Ntdsutil command-line arguments together as a single command string, the authoritative restore operation will work without an escape sequence because Ntdsutil uses a different, Unicode-aware parser.
 * In Windows 2000, Ntdsutil does not have the restore object command. To restore both the container and the leaf objects, use the restore subtree command.



RESOLUTION
To resolve this problem, obtain the latest service pack for Windows Server 2003. For more information, click the following article number to view the article in the Microsoft Knowledge Base:

889100 How to obtain the latest service pack for Windows Server 2003



STATUS
Microsoft has confirmed that this is a bug in the Microsoft products that are listed in the &quot;Applies to&quot; section.

