Microsoft KB Archive/296257

From BetaArchive Wiki
Knowledge Base


The Microsoft position regarding products that directly access the Active Directory database

Article ID: 296257

Article Last Modified on 12/3/2007


APPLIES TO

  • Microsoft Windows Server 2003, Standard Edition (32-bit x86)
  • Microsoft Windows Server 2003, Datacenter Edition (32-bit x86)
  • Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)
  • Microsoft Windows Server 2003, 64-Bit Datacenter Edition
  • Microsoft Windows Server 2003, Enterprise x64 Edition
  • Microsoft Windows Small Business Server 2003 Premium Edition
  • Microsoft Windows Small Business Server 2003 Standard Edition
  • Microsoft Windows 2000 Server
  • Microsoft Windows 2000 Advanced Server
  • Microsoft Windows 2000 Datacenter Server


This article was previously published under Q296257

SUMMARY

This article contains information about the Microsoft position concerning products from independent software vendors (ISVs) that directly access the Active Directory Extensible Storage Engine (ESE) database. ISVs may use this method to try to perform online restoration of objects (such as user objects) in the Microsoft Active Directory directory service.

Selective online restoration is the process of returning one or more specified objects to their state as of a specific time in the past without having to put Active Directory in an off-line restore mode. Products that write directly to the Active Directory ESE database while Active Directory is running in online mode bypass the designed and tested behavior of the system. This practice may result in irreparable damage or loss of data that is stored in Active Directory, including critical system data. Customers who experience problems with Active Directory after using these products may only be able to return their system to a consistent state by restoring the whole forest from a backup by using a procedure such as Forest Recovery.

MORE INFORMATION

The Active Directory service in Microsoft Windows 2000 does not include a mechanism for performing online restoration of data. Some ISV products perform online restoration operations by attaching threads to the LSASS system process and calling unpublished system interfaces to write data directly into the Active Directory ESE database.

Active Directory requires that data that is written to the ESE database conforms precisely to various data-integrity rules to preserve relationships with other pieces of data in the database. These rules are enforced by the code that makes up Active Directory. ISV products that write directly to the ESE database do not allow Active Directory code to enforce these rules, and those products may not properly perform updates to the ESE database in ways that are necessary to preserve data integrity. If you use such products, you may experience irreparable damage in your Active Directory deployment. To return your system to a consistent state, you may have to perform a complete restore of your forest from a backup through a procedure such as Forest Recovery. Microsoft Product Support is available to help you with recovery of failed domain controllers, domains, or forests.

The Forest Recovery procedure requires one domain controller in each domain be restored from a known good backup, and every other domain controller in the forest must be reinstalled and repromoted to the domain controller role. For more information about Forest Recovery, download the Best Practices: Active Directory Forest Recovery white paper from the following Microsoft Web site:

http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=3EDA5A79-C99B-4DF9-823C-933FEBA08CFE



In the Microsoft Windows Server 2003 release of Active Directory, Microsoft has provided programmatic interfaces for online object restoration that can be leveraged by ISVs to provide online restore capabilities. These interfaces are part of the core Active Directory code, and they were specifically designed to apply the necessary checks to maintain the integrity and consistency of data in Active Directory when you are performing online restores. However, ISV products that do not use this API and that instead write directly to the Active Directory ESE database in Windows Server 2003 are still subject to the concerns that are described in this article.

For more information about how to restore objects that have been deleted from Active Directory, click the following article numbers to view the articles in the Microsoft Knowledge Base:

241594 How to perform an authoritative restore to a domain controller in Windows 2000


216243 The effects on trusts and computer accounts when you authoritatively restore Active Directory


Keywords: kbenv kbinfo KB296257



Send feedback to Microsoft

© Microsoft Corporation. All rights reserved.


Retrieved from ‘https://www.betaarchive.com/wiki/index.php?title=Microsoft_KB_Archive/296257&oldid=162059
the Creative Commons 3.0 ShareAlike (except the Microsoft KB Archive).
Powered by MediaWiki