active directory recovering

Upload: jonatasa

Post on 06-Apr-2018

214 views

Category:

Documents


0 download

TRANSCRIPT

  • 8/3/2019 Active Directory Recovering

    1/5

    The Essentials Series: Tackling Active

    Directorys Four Biggest Challenges

    Quickly Recovering

    Deleted Active DirectoryObjects

    by Greg Shields

    sponsored by

  • 8/3/2019 Active Directory Recovering

    2/5

    i

    Qu ickly Recovering Deleted Active Directory Objects ............................................................................. 1The Native Solution ............................................................................................................................................ 1

    The Need for Better Tools ................................................................................................................................ 2

  • 8/3/2019 Active Directory Recovering

    3/5

    ii

    Copyright Statement

    2009 Realtime Publishers. All rights reserved. This site contains materials that havebeen created, developed, or commissioned by, and published with the permission of,Realtime Publishers (the Materials) and this site and any such Materials are protectedby international copyright and trademark laws.

    THE MATERIALS ARE PROVIDED AS IS WITHOUT WARRANTY OF ANY KIND,EITHER EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO, THE IMPLIEDWARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE,TITLE AND NON-INFRINGEMENT. The Materials are subject to change without noticeand do not represent a commitment on the part of Realtime Publishers or its web sitesponsors. In no event shall Realtime Publishers or its web site sponsors be held liable fortechnical or editorial errors or omissions contained in the Materials, including withoutlimitation, for any direct, indirect, incidental, special, exemplary or consequentialdamages whatsoever resulting from the use of any information contained in the Materials.

    The Materials (including but not limited to the text, images, audio, and/or video) may notbe copied, reproduced, republished, uploaded, posted, transmitted, or distributed in anyway, in whole or in part, except that one copy may be downloaded for your personal, non-commercial use on a single computer. In connection with such use, you may not modifyor obscure any copyright or other proprietary notice.

    The Materials may contain trademarks, services marks and logos that are the property ofthird parties. You are not permitted to use these trademarks, services marks or logoswithout prior written consent of such third parties.

    Realtime Publishers and the Realtime Publishers logo are registered in the US Patent &Trademark Office. All other product or service names are the property of their respectiveowners.

    If you have any questions about these terms, or if you would like information aboutlicensing materials from Realtime Publishers, please contact us via e-mail [email protected].

    mailto:[email protected]:[email protected]
  • 8/3/2019 Active Directory Recovering

    4/5

    1

    QuicklyRecoveringDeletedActiveDirectoryObjectsIts happened to your domain before. You walk back in after a long lunch or notice

    something peculiar as youre packing up for a long weekend. Users are calling in to

    complain that they cant access their resources. Theyre seeing errors all across the board

    when attempting to accomplish anything on their desktops. Its like someone

    hasdeletedtheir accounts. Or, even worse, someone has deleted an entire Organizational

    Unit (OU) full of them. At this point, you find yourself setting down your leftovers or your

    coat, realizing that youre about to be at work quite a bit later than you expected this

    evening.

    For a platform as powerful and pervasive as Active Directory (AD), its a wonder how easy

    it remains to accidentally destroy huge sections of it. Whether youre a lowlevel Help deskadministrator or an allpowerful Domain Admin, most IT professionals have enough rights

    to create this kind of havoc. Deleting a user account or an OU full of them is a particularly

    big problem. A problem that even today doesnt have a good resolution using native

    Windows tools alone.

    TheNativeSolutionIf this has happened to you, heres a glimpse of the process youre forced to undertake:

    Step1: Locate a Domain Controller that is also a Global Catalog (GC) and disconnect

    this server from the network. Step2: Reboot the server into Directory Services Restore Mode and login using that

    servers unique DSRM password. On servers previous to Windows Server 2008, this

    can be done by repeatedly pressing the F8 key during the boot cycle to bring

    forward the boot menu. The process changes in Windows Server 2008, requiring

    you to run the MSCONFIG utility before rebooting. Once launched, navigate to the

    Boottab and under the BootOptions selection box, choose to reboot into Safeboot|

    ActiveDirectoryrepair.

    Step3: Restore the AD databasealso known as a System State Restoreto theDomain Controller from a recent backup before the deletion event. This non

    authoritative restore will not actually restore any deleted objects. It only enables oldobjects that have been deleted to be selectively (authoritatively) restored in the next

    step.

    Step4: Perform an authoritative restore on the object or objects that have beendeleted. This involves launching the NTDSUTIL tool with the command ntdsutil

    authoritativerestore. Then, restore the specific object with the command restore

    subtree. The value for will be the distinguished name (DN) of

    the object or container that was deleted.

  • 8/3/2019 Active Directory Recovering

    5/5

    2

    Step5: Reconnect the Domain Controller to the network and reboot it back intonormal mode. Ensure that the restored object or objects replicate correctly to all

    Domain Controllers in the domain.

    Step6: As the Domain Controller reboots, it will create a series of .LDF files. Thesefiles include the necessary backlink information, which can be used to restore the

    groups of which the deleted object was a member. Restore those backlinks for eachldifdeikfobject using the command . The file name structure of these

    .LDF files will resemble ar_-_links_.ldf.

    This process appears relatively trivial until you realize one piece of missing information. To

    properly restore a deleted object in Step 4, you must know the DN of that object. Thus, in

    order to know its DN, you must first know which objects were deleted. If an entire OU of

    objects was deleted, youll need to know each of the objects to individually restore. For a

    large swath of deleted objects, this process can be complex to the point of absurdity.

    EvenWindowsServer2008R2sRecycleBinIsInsufficientAt first blush, Windows Server 2008 R2s new Recycle Bin feature mightseem like a good solution. The new AD Recycle Bin provides a mechanism to

    bring back objects that have been deleted from your AD. However, its

    important to know that ADs Recycle Bin isnt like the one you see on your

    desktop. Enabling its functionality requires upgrading your entire AD forest

    to the Windows Server 2008 R2 forest functional level. This means that each

    and every Domain Controller must also be at Windows Server 2008 R2, a

    process that can take a long time to complete. Even more challenging,

    actually using the AD Recycle Bin requires the use of scripting to restore an

    object. So, the lessexperienced admins who are more likely to cause a

    deletion problem are less likely to be able to fix it.

    TheNeedforBetterToolsOrganizations that base their computing infrastructure on AD cannot afford the lengthy and

    errorridden process of manually restoring objects after an accidental mouse click. Yet this

    manual process is the only way to solve the problem with Windows native tools. With the

    right thirdparty tools in place, finding and restoring deleted AD objects can be as easy as

    the few mouse clicks that deleted them in the first place. These tools take and catalog

    regular snapshots of AD structure and objects, allowing administrators to look backwards

    in time. They provide a way to compare previous with current snapshots to quickly find

    and automatically restore lost objects.

    Yet the problem doesnt stop there. Bestinclass thirdparty tools provide muchneeded

    further protections. They enable the additional capability to quickly restore your entire AD

    domain or forest in the case of corruption or malicious activity. Having this emergency

    restore capability in your back pocket is critical because every deleted object is equal to a

    workers lost productivity, and every downed domain means an entire business going

    down. As such, implementing the right tools for comprehensive deletion protection is

    critical to turning major problems into minor restores.