Before we get too far into configuring Active Directory, we should sort out the backups so that we can restore the environment in the event of corruption, compromise or even our own misconfiguration. You have a choice of backup software, so I will not go through how to configure this. It’s important that you back up at least one Domain Controller though. The software you choose to use MUST support a system state backup.
Whatever solution you choose to back up Active Directory, you should regularly test restoring it in a lab environment. Active Directory has two restore modes. You can perform a non-authoritative restore or an authoritative one.
An authoritative restore will mark all of the objects as “the master version” by increasing the USN numbers by 100000. This means that any changes made since the restored version was backed up will be overwritten with the restored version when it replicates to the other domain controllers.
A non-authoritative restore will restore the domain controller, then start replication from the existing domain controllers of all the changes that it does not have copies of.
In order to perform a restore of either kind you will need your DSRM (Directory Services Restore Mode) password. This is a password you set when creating your domain controllers. Because of the importance of this password, we should always be aware if it has been changed, hence setting up the alert in the previous post.
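The lab restore drill described above, covering both restore modes, as an added example that is not part of the original post. It assumes the system state backup was taken with Windows Server Backup (`wbadmin`); the version identifier and the OU name are placeholders, and each numbered phase is run separately because the machine reboots between them.

```powershell
# Lab restore drill for a domain controller (added example, not the author's procedure).
# Assumptions: backup taken with Windows Server Backup; isolated lab; elevated prompt.

# 1. Boot the DC into Directory Services Restore Mode (DSRM).
#    After the reboot, log on as .\Administrator with the DSRM password.
bcdedit /set safeboot dsrepair
Restart-Computer

# 2. In DSRM: list the available backups, then restore the system state.
wbadmin get versions
$version = 'MM/DD/YYYY-HH:MM'   # placeholder: copy the "Version identifier" listed above
wbadmin start systemstaterecovery "-version:$version" -quiet

# Non-authoritative restore: skip step 3. After the normal boot in step 4 the DC
# pulls every change made since the backup from the other domain controllers.

# 3. Authoritative restore only: while still in DSRM (do not boot normally first),
#    mark the objects whose restored version must win over the other DCs.
$subtree = 'OU=Staff,DC=lab,DC=example'   # constructed example DN
ntdsutil "activate instance ntds" "authoritative restore" "restore subtree $subtree" quit quit

# 4. Clear the DSRM boot flag and return to normal operation.
#    Until this flag is removed, every reboot lands back in DSRM.
bcdedit /deletevalue safeboot
Restart-Computer

# 5. After the normal boot: confirm replication is healthy and, for an authoritative
#    restore, that the restored objects appear on the other domain controllers.
repadmin /replsummary
repadmin /showrepl
```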