by Daniel Petri - January 8, 2009

Active Directory is a hierarchical database that holds information about the network's resources, such as computers, servers, users, groups and more. The main purpose of Active Directory is to provide central authentication and authorization services. Normal administrative tasks when working with Active Directory include creating, managing, moving, editing and sometimes deleting various objects such as user accounts, computer accounts, groups, contacts and other objects. The Active Directory database is stored on Domain Controllers (DCs), in a file called NTDS.DIT (that's not everything, but it'll do for a short intro).
While deleting an object in Active Directory is usually something an administrator would think twice about before doing, sometimes mistakes do happen, and then the administrator ends up with one (or more) deleted items that he or she cannot restore anymore. I bet I'm not telling you stuff you don't know, otherwise you wouldn't be here, would you? As a skilled IT professional, one should always make sure he or she has a working backup of the current AD database. In Windows 2000 Server and Windows Server 2003 this can be easily accomplished by running NTBACKUP and performing a System State backup. However, let's assume that, for this example, no such backup exists, or, if it does, certain issues are preventing us from using it to restore our deleted objects.
this environment cannot simply remove an object, because doing so would remove the unit of replication itself. The marker used to designate that an AD object is scheduled to be destroyed is called a "tombstone". A tombstone is an object whose IsDeleted property has been set to True; it indicates that the object has been deleted but not yet removed from the directory, much like a deleted file is removed from the file allocation table while its data is not actually removed from the drive. The directory service moves tombstoned objects to the Deleted Objects container, where they remain until the garbage collection process removes them. The garbage collection process runs every 12 hours on a DC by default. The length of time tombstoned objects remain in the directory service before being deleted is either 60 days for Windows 2000/2003 Active Directory, or 180 days for Windows Server 2003 SP1 Active Directory (by default). The tombstone lifetime must be significantly longer than the garbage collection frequency to ensure that the deletion of objects is replicated to other DCs before the tombstone itself is collected. Considering all the above, a delete operation is essentially a special modify operation that:

1. Sets the IsDeleted value to True.
2. Sets the internal WhenDeleted column to the IsDeleted metadata's TimeChanged time stamp.
3. Sets the Windows NT security descriptor to a special value.
4. Changes the relative distinguished name (RDN) to a value that is otherwise impossible (that is, one that cannot be set by an LDAP program).
5. Strips all attributes not needed at this point by Active Directory. Key attributes such as the following are hard-coded to survive deletion:
   o Object-GUID
   o Object-SID
   o Object-Dist-Name
   o USN

Note: You can make changes to Active Directory that allow more attributes to survive an object deletion. This was covered in our article entitled Protect Objects in Windows Server 2003 Active Directory from Accidental Deletion.

You must understand the difference between restoring an object that has long been deleted from the database and is no longer present in it, not even as a tombstoned object, and restoring a tombstoned object. Restoring tombstoned objects from the Active Directory database is often known as "reanimation", and this is what this article is about. Because tombstoning an object strips many attributes from it, be aware that if you do elect to reanimate a deleted user or group, you will still have to recover the group memberships and any other linked attributes that you might need. Also, without going too deep into this issue, know that you cannot reanimate objects that were deleted from the Configuration NC (or Partition). I will try to cover these issues in a future article.
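To make the tombstone mechanics above concrete, here is an added Python model (not ADRestore's code, and not from the original article) of what a tombstoned entry looks like when read with the LDAP show-deleted control, an ADRestore-style name search over such entries, the expiry that garbage collection works from, and the LDAP modify that reanimates one. The two tombstones are constructed samples; the control OID 1.2.840.113556.1.4.417 and the `\0ADEL:<guid>` RDN form are the real ones.

```python
"""Model of Active Directory tombstones and the LDAP modify that reanimates one.
Added illustration, not ADRestore's code; the entries below are constructed
samples, not from a real directory."""
from datetime import datetime, timedelta, timezone

SHOW_DELETED_CONTROL = "1.2.840.113556.1.4.417"  # LDAP_SERVER_SHOW_DELETED_OID
GARBAGE_COLLECTION_HOURS = 12

# Constructed tombstones, shaped like entries returned with the show-deleted
# control: the RDN carries the original name, a line feed (escaped as \0A) and
# DEL:<objectGUID>; lastKnownParent survives on Windows Server 2003 tombstones.
# whenChanged approximates the deletion time recorded in the IsDeleted metadata.
TOMBSTONES = [
    {"distinguishedName": "CN=Daniel Petri\\0ADEL:5f3b0c1e-0000-4000-8000-000000000001,CN=Deleted Objects,DC=petri,DC=local",
     "isDeleted": True, "lastKnownParent": "OU=Staff,DC=petri,DC=local",
     "whenChanged": datetime(2009, 1, 1, tzinfo=timezone.utc)},
    {"distinguishedName": "CN=Build Server\\0ADEL:5f3b0c1e-0000-4000-8000-000000000002,CN=Deleted Objects,DC=petri,DC=local",
     "isDeleted": True, "lastKnownParent": "OU=Servers,DC=petri,DC=local",
     "whenChanged": datetime(2008, 6, 1, tzinfo=timezone.utc)},
]

def parse_tombstone_rdn(dn):
    """Split 'CN=<name>\\0ADEL:<guid>,...' into the original name and objectGUID."""
    rdn = dn.split(",", 1)[0]
    name_part, guid = rdn.split("\\0ADEL:", 1)
    return name_part.split("=", 1)[1], guid

def find_tombstones(entries, needle=""):
    """ADRestore-style search: case-insensitive substring of the original name;
    an empty needle matches every tombstone."""
    return [e for e in entries if e["isDeleted"]
            and needle.lower() in parse_tombstone_rdn(e["distinguishedName"])[0].lower()]

def tombstone_expiry(entry, lifetime_days):
    """When garbage collection may purge this tombstone (lifetime is 60 or 180
    days by default). The lifetime must dwarf the 12-hour collection interval,
    or a deletion could be collected before it replicates to every DC."""
    assert lifetime_days * 24 > GARBAGE_COLLECTION_HOURS * 10
    return entry["whenChanged"] + timedelta(days=lifetime_days)

def build_reanimate_modify(entry, target_parent=None):
    """The LDAP modify that reanimates a tombstone: clear isDeleted and give the
    object a normal DN again, sent with the show-deleted control. Stripped and
    linked attributes (group membership) are NOT restored by this operation."""
    name, _guid = parse_tombstone_rdn(entry["distinguishedName"])
    parent = target_parent or entry["lastKnownParent"]
    return {"dn": entry["distinguishedName"], "controls": [SHOW_DELETED_CONTROL],
            "changes": [("delete", "isDeleted"),
                        ("replace", "distinguishedName", f"CN={name},{parent}")]}
```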
Note: One of the Active Directory features introduced in Windows Server 2003 with Service Pack 1 is Directory Service Backup Reminders. With this reminder, a new event message, event ID 2089, provides the backup status of each directory partition that a domain controller stores, including application directory partitions and Active Directory Application Mode (ADAM) partitions. If a partition has not been backed up by the halfway point of the tombstone lifetime, this event is logged in the Directory Service event log and continues daily until the partition is backed up.
ADRestore.net offers:

o Browsing the tombstones
o Domain Controller targeting
o Can be used with alternative credentials (convenient if you do not log on to your desktop as Domain Admin, which you should never do anyway)
o User/Computer/OU/Container reanimation
o Preview of tombstone attributes
o Enumerating tombstones
Download ADRestore.net

For more information on Guy's tool, please see Guy's blog entry announcing ADRestore.net.
would search for all objects with "daniel" as part of their name.
The -r switch forces the program to prompt the user for each restoration. Otherwise, all the objects found matching the given criteria will be automatically restored. The default (no criteria supplied) is that all tombstoned objects will be enumerated and restored.

Note that deleted items may no longer be members of specific organizational units (OUs). Restoring these objects from deleted status will not automatically return them to their respective OUs; this will need to be done manually.

Download ADRestore

How to restore deleted user accounts and their group memberships in Active Directory - 840001