[This is preliminary documentation and subject to change.]
If the link-tracking data that is stored on the domain controller is lost, the domain as a whole should be able to recover. That is, even if the domain controller was backed up to tape, there will likely be some information that was added to the domain controller since the last backup.
In addition to loss of data on the domain controller, recovery is also necessary when the domain controller is unavailable to receive move information messages at the time of the move. An example of this would be when a link source is moved while the domain controller is offline.
The solution to both these recovery problems is to have move-source machines store persistently the information that they upload to the domain controller. This solution maintains security since the machine account on the move-source machines can be trusted to provide valid tracking information. Included in the tracking information uploaded to the domain controller is a sequence number. The domain controller maintains this number on a per-machine basis. During system initialization, workstations query the domain controller for the last message sequence number received from the workstation. If the workstation has a higher sequence number, it uploads all the messages necessary to get the domain controller updated.
The domain controller processes these messages as if they were actually sent as part of a move. However, if these messages arrive out of sequence, the domain controller saves them until they can be processed.
For example, assume a link source is moved from machine M1 to M2 and then to M3, but the domain controller was unavailable during these moves. Then, assume that the move information is later uploaded to the domain controller from M2 (the source of the second move) and then M1 (the source of the first move). When the domain controller receives the information from M2 it won't be valid, since the domain controller then expects the link source to be on M1, not M2. So the domain controller holds the message from M2. When the domain controller receives the message from M1, it is processed, and then the message from M2 is processed.