Here's what Microsoft helped me do (step by step).
Boot into Directory services restore mode. (see here for how: https://blogs.technet.microsoft.com/activedirectoryua/2008/11/20/how-to-start-in-directory-service-restore-mode-dsrm-in-windows-server-2008-and-windows-server-2008-r2/)
Log in
Open an elevated command prompt
type "wbadmin get versions"
This will give you all the backups that you can restore from.
Pay attention to the version identifier as this will define what backup you're working with.
type "wbadmin start systemstaterecovery -version:10/01/2016-04:30" where 10/01/2016-04:30 will vary based on the actual version that you are restoring from that you found when you ran "wbadmin get versions"
Choose yes twice.
Now, you'll need to wait 45 to 90 minutes while the system preps itself. Ugh.
Next, you'll restore organization units (OUs) as a whole to the version the the OUs were at the time of the backup. So for example, if I have an OU named accounting and I'm doing a restore on October 3, 2016 where the backup I'm restoring from is October 1, 2016 - all changes from 10/1/16 to 10/3/16 will be lost.
This gets less intuitive here. After the system has loaded the backup, the system will ask you to reboot the server. Don't do it.
Instead, launch a command prompt, type ntdsutil, and then press Enter.
1
. Type activate
instance ntds and press Enter.
2.
Type authoritative restore and press Enter.
3.
At this point, determine whether you're restoring an OU or an object. The
previous table showed the syntax to restore either an OU or an object. Type the
restore command and press Enter.
For example, to restore a user object, use the following
format:
•
restore object dn
•
restore object "cn=Sally,ou=sales,dc=pearson,dc=pub"
Or, to restore an OU, use the following format:
•
restore subtree dn
•
restore subtree "ou=sales,dc=pearson,dc=pub"
NOTE
This increments the update sequence number (USN) so that all
other DCs consider it the most recent change.
4.
Type quit and press Enter twice to exit ntdsutil.
5.
Restart the DC normally.
As an example. if you were restoring an OU called distribution groups which sits under an OU called MyBusiness, you'd type:
restore subtree "OU=distribution groups,OU=MyBusiness,DC=contoso,DC=local"
if you're not familiar with LDAP syntax (which I'm not), some googling and trial and error will help you find what you need. If you type in the wrong values, the process willl just fail.
This is what a successful restore looks like. Look at "successfully updated records"
What's weird for me in the two times I've tried this is that I rebooted once, and my 2008 R2 server had no internet connectivity and no restored AD items on first reboot. I had reboot again to get my items and to get internet connectivity. So weird.
