Recovering Deleted Items in Active Directory
by Daniel Petri - January 8, 2009

Active Directory is a hierarchical database that holds information about the network's resources, such as computers, servers, users, groups and more. The main purpose of Active Directory is to provide central authentication and authorization services. Normal administrative tasks when working with Active Directory include creating, managing, moving, editing and sometimes deleting various objects such as user accounts, computer accounts, groups, contacts and other objects. The Active Directory database is stored on Domain Controllers (or DCs), in a file called NTDS.DIT (that's not everything, but it'll do for a short intro).
While deleting an object in Active Directory is usually something an administrator would think twice about before doing, mistakes do happen, and the administrator then ends up with one (or more) deleted items that he or she can no longer restore. I bet I'm not telling you anything you don't know; otherwise you wouldn't be here, would you?

As a skilled IT professional, one should always make sure he or she has a working backup of the current AD database. In Windows 2000 Server and Windows Server 2003 this can easily be accomplished by running NTBACKUP and performing a System State backup. However, let's assume that, for this example, no such backup exists, or, if it does, certain issues prevent us from using it to restore our deleted objects.
You must understand the difference between restoring an object that was deleted from the database long ago and is no longer present in it, not even as a tombstone, and restoring a tombstoned object. Restoring tombstoned objects from the Active Directory database is often known as "reanimation", and that is what this article is about. Because tombstoning an object strips it of many of its attributes, be aware that if you do elect to reanimate a deleted user or group, you will still have to recover the group memberships and any other linked attributes you might need. Also, without going too deep into this issue, know that you cannot reanimate objects that were deleted from the Configuration NC (or partition). I will try to cover these issues in a future article.

Note: One of the Active Directory features introduced in Windows Server 2003 with Service Pack 1 is the Directory Service Backup Reminders. With this reminder, a new event message, event ID 2089, provides the backup status of each directory partition that a domain controller stores, including application directory partitions and Active Directory Application Mode (ADAM) partitions. If a partition has not been backed up by the time half the tombstone lifetime has passed, this event is logged in the Directory Service event log and continues daily until the partition is backed up.
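Reanimation only works while the tombstone still exists, so the tombstone lifetime and the backup reminders mentioned in the note above are worth checking before you need them. The following PowerShell is an added example, not code from this article: it reads the forest's tombstoneLifetime attribute from the Configuration partition and collects event ID 2089 entries from the Directory Service log of every DC in the current domain. It assumes you are logged on to a domain member with permission to read the Configuration NC and the DCs' event logs; no server names are hard-coded, and the event IDs and attribute names are the ones the note describes.

```powershell
# Added example (not part of Daniel Petri's article): show how long deleted
# objects remain reanimatable (tombstoneLifetime) and which partitions are
# overdue for backup according to the Windows Server 2003 SP1 event 2089
# "Directory Service Backup Reminders". Assumes read access to the
# Configuration NC and to each DC's Directory Service event log.

function Get-TombstoneLifetime {
    # tombstoneLifetime is stored on the Directory Service object in the
    # Configuration naming context. If the attribute has never been set,
    # the forest runs on its built-in default and the value comes back empty.
    $rootDse  = [ADSI]'LDAP://RootDSE'
    $configNc = $rootDse.Properties['configurationNamingContext'].Value
    $dsObject = [ADSI]"LDAP://CN=Directory Service,CN=Windows NT,CN=Services,$configNc"
    $value    = $dsObject.Properties['tombstoneLifetime'].Value
    if ($null -eq $value) { 'not set (forest default applies)' } else { [int]$value }
}

function Get-BackupReminder {
    param([int]$MaxPerDc = 10)
    # Event 2089 is written once a partition has gone half the tombstone
    # lifetime without a backup, then daily until a backup happens. Each DC
    # logs it for the partitions it holds, so every DC is queried.
    $domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
    foreach ($dc in $domain.DomainControllers) {
        $events = Get-WinEvent -ComputerName $dc.Name `
            -FilterHashtable @{ LogName = 'Directory Service'; Id = 2089 } `
            -MaxEvents $MaxPerDc -ErrorAction SilentlyContinue
        foreach ($ev in $events) {
            [pscustomobject]@{
                DomainController = $dc.Name
                TimeCreated      = $ev.TimeCreated
                # The message body names the partition and the days since its last backup.
                Message          = $ev.Message
            }
        }
    }
}

"Tombstone lifetime (days): $(Get-TombstoneLifetime)"
Get-BackupReminder | Sort-Object TimeCreated -Descending | Format-List
```

A DC that cannot be reached simply yields no events (the error is suppressed), so an empty result means either no reminders or an unreachable log; check connectivity before reading it as "all partitions backed up".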
Mode", the reanimation mechanism is the only way to recover deleted objects without taking a DC offline. There are several issues to consider and steps to perform, all of which are covered in my "Restore Windows Server 2003 Active Directory" article.
- Browsing the tombstones
- Domain Controller targeting
- Can be used with alternative credentials (convenient if you do not log on to your desktop as Domain Admin, which you should never do anyway)
- User/Computer/OU/Container reanimation
- Preview of tombstone attributes
- Enumerating tombstones
Download ADRestore.net

For more information on Guy's tool, please see Guy's blog entry announcing ADRestore.net.
would search for all objects with "daniel" as part of their names. The -r switch forces the program to prompt the user before each restoration. Otherwise, all objects found matching the given criteria are restored automatically. The default (no criteria supplied) is that all tombstoned objects are enumerated and restored. Note that deleted items may no longer be members of their original organizational units (OUs). Restoring these objects from deleted status will not automatically put them back in their respective OUs; this will need to be done manually.

Download ADRestore

How to restore deleted user accounts and their group memberships in Active Directory (Microsoft KB 840001)
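To make the "reanimation" described earlier concrete, and to show what a tool like ADRestore does when it enumerates tombstones matching a name fragment and then restores them, here is an added PowerShell example built on System.DirectoryServices.Protocols. It is not code from this article, from ADRestore or from ADRestore.net. The server name dc01.corp.example.com, the domain DC=corp,DC=example,DC=com and the target OU=Staff are placeholders; the LDAP control OID 1.2.840.113556.1.4.417 (Show Deleted Objects) and the isDeleted / distinguishedName / lastKnownParent attributes are the real ones the reanimation interface uses.

```powershell
# Added example (not from the article or the tools it links to): the two LDAP
# operations behind tombstone reanimation on Windows Server 2003 and later.
#  1. Search CN=Deleted Objects with the Show Deleted Objects control.
#  2. Reanimate one tombstone by deleting isDeleted and replacing
#     distinguishedName in a single LDAP modify carrying the same control.
# Placeholders: dc01.corp.example.com, DC=corp,DC=example,DC=com, OU=Staff.

Add-Type -AssemblyName System.DirectoryServices.Protocols

$server   = 'dc01.corp.example.com'
$domainDn = 'DC=corp,DC=example,DC=com'

$conn = New-Object System.DirectoryServices.Protocols.LdapConnection($server)
$conn.SessionOptions.ProtocolVersion = 3
$conn.SessionOptions.Signing = $true     # integrity-protect the modify on the wire
$conn.SessionOptions.Sealing = $true     # and encrypt it
$conn.Bind()   # binds as the logged-on user; pass a NetworkCredential to use alternative credentials

function ConvertTo-LdapFilterLiteral([string]$Text) {
    # RFC 4515 escaping so a name containing \ * ( ) cannot change the filter's shape.
    $Text -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29'
}

function Get-EntryValue($Entry, [string]$Name) {
    if ($Entry.Attributes.Contains($Name)) { [string]$Entry.Attributes[$Name][0] } else { $null }
}

function Find-Tombstone {
    param([string]$NamePart = '')
    # Ordinary searches never return tombstones; the Show Deleted Objects control
    # (OID 1.2.840.113556.1.4.417) is what makes the DC include them.
    $filter = '(isDeleted=TRUE)'
    if ($NamePart) { $filter = "(&(isDeleted=TRUE)(cn=*$(ConvertTo-LdapFilterLiteral $NamePart)*))" }

    $search = New-Object System.DirectoryServices.Protocols.SearchRequest
    $search.DistinguishedName = "CN=Deleted Objects,$domainDn"
    $search.Filter = $filter
    $search.Scope  = [System.DirectoryServices.Protocols.SearchScope]::OneLevel
    $search.Attributes.AddRange([string[]]@('cn', 'objectClass', 'lastKnownParent', 'sAMAccountName', 'whenChanged'))
    [void]$search.Controls.Add((New-Object System.DirectoryServices.Protocols.ShowDeletedControl))

    $response = [System.DirectoryServices.Protocols.SearchResponse]$conn.SendRequest($search)
    foreach ($entry in $response.Entries) {
        $classes = $entry.Attributes['objectClass']
        [pscustomobject]@{
            DN              = $entry.DistinguishedName
            Class           = [string]$classes[$classes.Count - 1]   # most specific class is last
            SamAccountName  = Get-EntryValue $entry 'sAMAccountName'
            LastKnownParent = Get-EntryValue $entry 'lastKnownParent'
            LastChanged     = Get-EntryValue $entry 'whenChanged'
        }
    }
}

function Restore-Tombstone {
    param(
        [Parameter(Mandatory = $true)][string]$TombstoneDn,
        [Parameter(Mandatory = $true)][string]$NewParentDn
    )
    # A tombstone's RDN is "<original RDN>\0ADEL:<objectGUID>"; the part before
    # the marker is the name the object had when it was deleted.
    $rdn   = ($TombstoneDn -split '\\0ADEL:', 2)[0]
    $newDn = "$rdn,$NewParentDn"

    $clearDeleted = New-Object System.DirectoryServices.Protocols.DirectoryAttributeModification
    $clearDeleted.Name = 'isDeleted'
    $clearDeleted.Operation = [System.DirectoryServices.Protocols.DirectoryAttributeOperation]::Delete

    $moveBack = New-Object System.DirectoryServices.Protocols.DirectoryAttributeModification
    $moveBack.Name = 'distinguishedName'
    $moveBack.Operation = [System.DirectoryServices.Protocols.DirectoryAttributeOperation]::Replace
    [void]$moveBack.Add($newDn)

    # Both changes must travel in one modify request, with the control attached,
    # or the DC rejects the operation.
    $modify = New-Object System.DirectoryServices.Protocols.ModifyRequest
    $modify.DistinguishedName = $TombstoneDn
    [void]$modify.Modifications.Add($clearDeleted)
    [void]$modify.Modifications.Add($moveBack)
    [void]$modify.Controls.Add((New-Object System.DirectoryServices.Protocols.ShowDeletedControl))
    [void]$conn.SendRequest($modify)
    $newDn
}

# Preview first (the equivalent of ADRestore's -r prompt): nothing is changed here.
Find-Tombstone -NamePart 'daniel' | Format-Table -AutoSize

# To reanimate, pick one result and a live parent container, e.g.:
#   $ts = Find-Tombstone -NamePart 'daniel' | Select-Object -First 1
#   Restore-Tombstone -TombstoneDn $ts.DN -NewParentDn "OU=Staff,$domainDn"
$conn.Dispose()
```

lastKnownParent is only a hint: if the original OU was deleted as well, its value ends in a \0ADEL marker too and the modify fails, so pass an existing container instead. As the article says, group memberships and other linked attributes are stripped at deletion and are not brought back by this modify; re-add them afterwards.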
administrators recover deleted objects using the Tombstone Reanimation feature of Windows Server 2003. This Microsoft recovery interface allows administrators to restore accidentally deleted objects online, without rebooting a domain controller. Quest Object Restore for Active Directory enhances this ability by providing a graphical interface, similar to the Windows Recycle Bin, for viewing and restoring Active Directory objects.

Restoring single deleted objects in Active Directory can be a manual and time-consuming process requiring system downtime. Object Restore for Active Directory is a free graphical utility that allows you to instantly recover deleted objects in a Windows Server 2003 environment without rebooting a Domain Controller. The freeware utility allows viewing tombstoned objects in Active Directory and reanimating deleted items using Microsoft's new Tombstone Reanimation interfaces for Windows Server 2003. When you download the freeware, a 6-month key is built in; you will be prompted to re-register on their site at the end of each 6-month period.

In order to download their product you will need to go through a very nagging and unfriendly registration screen. Proceed from here:

Quest: Object Restore for Active Directory

Note that Quest has a great variety of tools for Active Directory management and recovery; however, since they are not freeware, I will not give them a free advertising ride.