The Microsoft position regarding products that directly access the Active Directory database (296257)

SUMMARY

This article contains information about the Microsoft position concerning products from independent software vendors (ISVs) that directly access the Active Directory Extensible Storage Engine (ESE) database. ISVs may use this method to try to perform online restoration of objects (such as user objects) in the Microsoft Active Directory directory service.

Selective online restoration is the process of returning one or more specified objects to their state as of a specific time in the past without having to put Active Directory in an off-line restore mode. Products that write directly to the Active Directory ESE database while Active Directory is running in online mode bypass the designed and tested behavior of the system. This practice may result in irreparable damage or loss of data that is stored in Active Directory, including critical system data. Customers who experience problems with Active Directory after using these products may only be able to return their system to a consistent state by restoring the whole forest from a backup by using a procedure such as Forest Recovery.

MORE INFORMATION

The Active Directory service in Microsoft Windows 2000 does not include a mechanism for performing online restoration of data. Some ISV products perform online restoration operations by attaching threads to the LSASS system process and calling unpublished system interfaces to write data directly into the Active Directory ESE database.

Active Directory requires that data that is written to the ESE database conforms precisely to various data-integrity rules to preserve relationships with other pieces of data in the database. These rules are enforced by the code that makes up Active Directory. ISV products that write directly to the ESE database do not allow Active Directory code to enforce these rules, and those products may not properly perform updates to the ESE database in ways that are necessary to preserve data integrity. If you use such products, you may experience irreparable damage in your Active Directory deployment. To return your system to a consistent state, you may have to perform a complete restore of your forest from a backup through a procedure such as Forest Recovery. Microsoft Product Support is available to help you with recovery of failed domain controllers, domains, or forests.

The Forest Recovery procedure requires one domain controller in each domain be restored from a known good backup, and every other domain controller in the forest must be reinstalled and repromoted to the domain controller role. For more information about Forest Recovery, download the Best Practices: Active Directory Forest Recovery white paper from the following Microsoft Web site:

http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=3EDA5A79-C99B-4DF9-823C-933FEBA08CFE

In the Microsoft Windows Server 2003 release of Active Directory, Microsoft has provided programmatic interfaces for online object restoration that can be leveraged by ISVs to provide online restore capabilities. These interfaces are part of the core Active Directory code, and they were specifically designed to apply the necessary checks to maintain the integrity and consistency of data in Active Directory when you are performing online restores. However, ISV products that do not use this API and that instead write directly to the Active Directory ESE database in Windows Server 2003 are still subject to the concerns that are described in this article.

For more information about how to restore objects that have been deleted from Active Directory, click the following article numbers to view the articles in the Microsoft Knowledge Base:

241594 How to perform an authoritative restore to a domain controller in Windows 2000

216243 The effects on trusts and computer accounts when you authoritatively restore Active Directory