How to Perform Windows 2012 Authoritative Restore

This procedure is for performing an Authoritative Restore with multiple Domain Controllers. In a single Domain Controller environment you do not need to perform this procedure.

There are 2 types of restore modes for Microsoft Windows Domain Controllers.

  • Authoritative
  • Non-Authoritative

An Authoritative restore means you set 1 Domain Controller as the master replica for all other Domain Controllers. This Domain Controller will not try to replicate from another Domain Controller.

A Non-Authoritative restore means that this Domain Controller will attempt to replicate from any other Domain Controller.

In this article we are going to simulate bringing up 2 Domain Controllers in an isolated Disaster Recovery Site.

1. Boot the first and second Domain Controllers into Directory Services Restore Mode by pressing F8 during bootup.

2. You will need to log into both Domain Controllers with the Directory Services Restore password you set during the Windows OS install. Use the username .\Administrator

3. In the first Domain Controller, open up Regedt32 and browse to the following location:

HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters

4. Here we will add the following DWORD (32-bit) value: Repl Perform Initial Synchronizations (Leave this value on 0)

This key will allow the DNS zone to load without having to wait for replication partners.

5. Browse to this location: HKLM\SYSTEM\CurrentControlSet\Services\NtFrs\Parameters\Backup/Restore\Process at Startup

Change the value for BurFlags to d4 (This sets this Domain Controller to be Authoritative).

6. Reboot Domain Controller 1.

7. Domain Controller 2 should still be logged in under Directory Services Restore Mode.

8. On Domain Controller 2, repeat step 5 above; however, instead of setting BurFlags to d4, set it to d2 (d2 will make this Domain Controller Non-Authoritative and force it to sync to an Authoritative Domain Controller).

9. Once Domain Controller 1 is booted you can then reboot Domain Controller 2.

10. Domain Controller 1 will not bring up Active Directory until it has successfully synced with at least 1 other Domain Controller. In this case it will sync with Domain Controller 2.

11. Open a CLI window and make sure the SYSVOL folder is being shared. You can do this by typing: net share.

12. Open Active Directory Users and Computers and make sure you can see the domain.
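
The registry changes from steps 3 to 5 and step 8 can also be scripted; the following is an added example, not part of the original article, to be run elevated on each Domain Controller while it is in Directory Services Restore Mode. The -Role parameter and the Set-DwordValue helper are hypothetical names chosen for this sketch.

```powershell
# Added example (not from the original article).
# -Role is a hypothetical parameter:
#   Authoritative    = Domain Controller 1 (steps 3-5, BurFlags d4)
#   NonAuthoritative = Domain Controller 2 (step 8, BurFlags d2)
param(
    [Parameter(Mandatory)]
    [ValidateSet('Authoritative', 'NonAuthoritative')]
    [string]$Role
)

$ntdsPath = 'SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
# The key name "Backup/Restore" contains a forward slash. The HKLM:\ provider
# treats "/" as a path separator, so the .NET registry API is used instead.
$frsPath  = 'SYSTEM\CurrentControlSet\Services\NtFrs\Parameters\Backup/Restore\Process at Startup'

# Hypothetical helper: writes a DWORD under HKLM and reads it back to confirm.
function Set-DwordValue {
    param([string]$SubKey, [string]$Name, [int]$Value)

    $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($SubKey, $true)
    if ($null -eq $key) { throw "Registry key not found: HKLM\$SubKey" }
    try {
        $key.SetValue($Name, $Value, [Microsoft.Win32.RegistryValueKind]::DWord)
        $readBack = $key.GetValue($Name)
        if ($readBack -ne $Value) { throw "Write to '$Name' did not persist" }
        # Emit the value in hex so it can be compared with d4 / d2 in Regedt32
        'HKLM\{0}\{1} = 0x{2:X}' -f $SubKey, $Name, $readBack
    }
    finally { $key.Close() }
}

if ($Role -eq 'Authoritative') {
    # Step 4: value stays 0 so the DNS zone loads without waiting for partners
    Set-DwordValue -SubKey $ntdsPath -Name 'Repl Perform Initial Synchronizations' -Value 0
    # Step 5: d4 marks this Domain Controller as Authoritative
    Set-DwordValue -SubKey $frsPath -Name 'BurFlags' -Value 0xD4
}
else {
    # Step 8: d2 marks this Domain Controller as Non-Authoritative
    Set-DwordValue -SubKey $frsPath -Name 'BurFlags' -Value 0xD2
}
```

The reboot order in steps 6 and 9 still applies after the script has run on both machines.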

All the tutorials included on this site are performed in a lab environment to simulate a real world production scenario. Although everything is done to provide the most accurate steps to date, we take no responsibility if you implement any of these steps in a production environment.


  1. After you set the parameters for an authoritative restore and things replicate successfully, do you need to go back and undo the parameters?

    Example would be setting a burflags to d2 and the other to d4. Do these need to be reverted afterwards? How do you determine what DC is authoritative in the event you want to decommission that server later on?

  2. Thank you so much!
    How can I get the AD services to come up with only ONE DC? Do I set it to Authoritative mode?
    I am cloning a DC and putting this clone into an isolated lab environment.

    • Hi Charlie, you’ll need a second 1 to come up as well. Unless your production environment was built with only 1 DC?
