How To
ForgeRock Identity Platform
Does not apply to Identity Cloud

How do I roll back an entire network of DS 6.x replicas to a previous backup?

Last updated Jan 11, 2023

The purpose of this article is to provide guidance on rolling back an entire network of DS replication servers to a previous backup. This approach can be used if you want to be rid of undesirable changes that have occurred and are now being replicated across all servers.


This article does not apply to DS 7 and later, because DS 7 introduces improvements to simplify replication and backup/restore. If you need to revert accidental deletions of data in DS 7 and later, you should refer to the appropriate documentation:


Accidental deletions of data in DS can be reverted in two ways:

  • The first way, described in How do I configure DS 6.x to ensure accidentally deleted or changed data can be restored when replication is enabled?, configures the replication changelog to record additional information about each change. This allows changes to be reverted at a very fine-grained level and with very little impact on the servers in the replication topology. However, reverting each change requires several manual steps.
  • The second way, described in this article, uses the backup and restore tools. This is comparatively coarse as you can only restore up until a given backup and it does require that every replicating server is reinitialized.

Rolling back an entire network of DS replicas

To roll back an entire network of DS replicas to a previous backup, you must restore the same backup to every replica and use pre-external-initialization and post-external-initialization as follows:

  1. On one of the servers, prepare the domain on all servers for external initialization. Specify the baseDN of the data you are going to restore, for example, dc=example,dc=com:

     $ ./dsreplication pre-external-initialization --hostname --port 4444 --baseDN dc=example,dc=com --adminUID admin --adminPassword password --trustAll --no-prompt

  2. Restore the backup to each server. This command performs an online restore, so you do not need to stop the server first. Use the same backup ID on every server:

     $ ds/bin/restore --hostname --port 4444 --bindDN "cn=Directory Manager" --bindPassword password --backupID [backupid] --backupDirectory /path/to/ds/bak
     $ ds2/bin/restore --hostname --port 4444 --bindDN "cn=Directory Manager" --bindPassword password --backupID [backupid] --backupDirectory /path/to/ds/bak
     [...]

  3. Once the restore has completed on every server, run the following command on one of the servers to set the new generation ID for the entire domain. Use the same baseDN as in step 1:

     $ ./dsreplication post-external-initialization --hostname --port 4444 --baseDN dc=example,dc=com --adminUID admin --adminPassword password --trustAll --no-prompt

These steps change the generation ID of the replicated domain. Changes recorded under the previous generation ID are not replayed, because they target the data as it was under that ID. The final step calculates a new generation ID for the domain and broadcasts it to all the servers, which allows them to replicate again.

Replication now proceeds as normal, but from the restored point in time; any change made after the backup was taken is gone from every server in the topology.
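The three steps above, as an added orchestration script that is not part of this article or of the DS tooling. It runs pre-external-initialization once, restores the same backup ID on every listed replica, and only then runs post-external-initialization, so a failed restore leaves the domain fenced off instead of resuming replication with one server on different data. The hostnames, backup ID, file paths and the bin directory are assumptions; it uses the tools' password-file options rather than passwords on the command line, and it assumes the backup directory exists at the same path on every server, since an online restore reads it on the target server. DRY_RUN=1 (the default) prints the commands for review; DRY_RUN=0 executes them.

```shell
#!/bin/sh
# Added example, not part of the ForgeRock article or the DS tooling.
# Orchestrates the three-step rollback across a list of DS 6.x replicas.
# Assumptions: every replica is reachable on the same administration port,
# the backup directory exists at the same path on every server (online
# restore reads it on the target server), DS_BIN is the bin directory of a
# DS 6.x install on this machine, and passwords are read from files.

set -eu

BASE_DN="${BASE_DN:-dc=example,dc=com}"
ADMIN_PORT="${ADMIN_PORT:-4444}"
ADMIN_UID="${ADMIN_UID:-admin}"
ADMIN_PW_FILE="${ADMIN_PW_FILE:-/path/to/admin.pw}"   # assumed path
BIND_DN="${BIND_DN:-cn=Directory Manager}"
BIND_PW_FILE="${BIND_PW_FILE:-/path/to/dirmgr.pw}"    # assumed path
BACKUP_DIR="${BACKUP_DIR:-/path/to/ds/bak}"
DS_BIN="${DS_BIN:-/path/to/ds/bin}"                   # assumed path
DRY_RUN="${DRY_RUN:-1}"   # 1 prints the commands; DRY_RUN=0 executes them

# Print a command (dry run) or execute it.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Step 1: fence the domain off so stale changes are not replayed. Run once,
# against any one server; dsreplication propagates it to the whole domain.
pre_init() {
    run "$DS_BIN/dsreplication" pre-external-initialization \
        --hostname "$1" --port "$ADMIN_PORT" --baseDN "$BASE_DN" \
        --adminUID "$ADMIN_UID" --adminPasswordFile "$ADMIN_PW_FILE" \
        --trustAll --no-prompt
}

# Step 2: online restore of one backup ID on one server.
restore_one() {
    run "$DS_BIN/restore" --hostname "$1" --port "$ADMIN_PORT" \
        --bindDN "$BIND_DN" --bindPasswordFile "$BIND_PW_FILE" \
        --backupID "$2" --backupDirectory "$BACKUP_DIR"
}

# Step 3: compute and broadcast the new generation ID. Same baseDN as step 1.
post_init() {
    run "$DS_BIN/dsreplication" post-external-initialization \
        --hostname "$1" --port "$ADMIN_PORT" --baseDN "$BASE_DN" \
        --adminUID "$ADMIN_UID" --adminPasswordFile "$ADMIN_PW_FILE" \
        --trustAll --no-prompt
}

# rollback_all <backupID> <host>...
# Runs the steps in order and fails fast: if any restore fails, it returns
# before post-external-initialization, so the domain stays fenced off rather
# than resuming replication with one server holding different data.
rollback_all() {
    [ $# -ge 2 ] || { echo "usage: rollback_all <backupID> <host>..." >&2; return 2; }
    backup_id="$1"; shift
    first="$1"
    pre_init "$first"
    for host in "$@"; do
        restore_one "$host" "$backup_id" || {
            echo "restore failed on $host; domain left in pre-external-initialization state" >&2
            return 1
        }
    done
    post_init "$first"
}

# Number of commands the rollback will issue, for review before DRY_RUN=0.
command_count() {
    rollback_all "$@" | wc -l | tr -d ' '
}

# Usage: DRY_RUN=0 sh rollback.sh bak-20230111 ds1.example.com ds2.example.com
if [ $# -ge 2 ]; then
    rollback_all "$@"
fi
```

Review the dry-run output first: it should show exactly one pre-external-initialization line, one restore line per replica with the same backup ID, and one post-external-initialization line at the end. If a restore fails with DRY_RUN=0, fix that server and rerun the remaining restores and step 3 by hand; do not run post-external-initialization until every replica holds the restored data.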

See Also

How do I restore old backup data to a DS 6.x replication topology?

How do I design and implement my backup and restore strategies for DS (All versions)?

FAQ: Backup and restore in DS 6.x

FAQ: General DS

Backing Up Directory Data

Restoring Directory Data From Backup



Related Training

ForgeRock Directory Services Core Concepts (DS-400)


Copyright and Trademarks Copyright © 2023 ForgeRock, all rights reserved.