Restore delete objects in AD 2008

Prior to AD 2008, restoring a deleted AD object required going through an AD authoritative restore using NTDSUtil, which was too much hassle.
I believe Microsoft has improved this type of individual AD restore in AD 2008.

Can someone explain how this is done in AD 2008, and what the improvement is?

thanks
6 Solutions
 
pritamdutt commented:
Please find an Active Directory Recycle Bin Step-by-Step Guide here.

Hope this helps!
 
Krzysztof Pytko (Active Directory Engineer) commented:
Hi,

Unfortunately, there is no better native restore of deleted objects. In previous Windows Server versions (2000, 2003, 2008), you have only non-authoritative and authoritative restore. The latter is used for deleted object(s). If you want to restore them, you need to do the "hard" work.

All you need to do that is in this MS article at
http://technet.microsoft.com/en-us/library/cc779573%28WS.10%29.aspx

When Windows Server 2008 R2 was released, Microsoft introduced a new feature, "AD Recycle Bin". But it can only be used when your Forest Functional Level is set to Windows Server 2008 R2 mode. By default this feature is not enabled; you need to run the proper command in the Active Directory PowerShell module to activate it. After that, you can simply restore deleted objects using the native Windows Server PowerShell as well.

Now, Microsoft is working on the successor of Windows Server 2008 R2: Windows Server 8. Active Directory Administrative Center (which was first introduced in 2008 R2) has many improvements. One of them is a simple "AD Recycle Bin" function to enable that feature and restore deleted objects. It's only in the developer's preview edition, but it's worth checking its features now. Please visit Mike's blog and read an article about ADAC and its new features at
http://adisfun.blogspot.com/2011/09/windows-server-8-active-directory_14.html

For now, if your Forest Functional Level is set below 2008 R2, you have to use the standard "authoritative restore" method or buy a 3rd party tool which allows doing that directly.

Regards,
Krzysztof
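The PowerShell path Krzysztof describes for 2008 R2, as an added example that is not part of the thread: check the forest level, enable the Recycle Bin optional feature if it is still off, list the deleted objects and restore one. It assumes RSAT's ActiveDirectory module and Enterprise Admin rights; 'jdoe' is a placeholder sAMAccountName.

```powershell
# Added example (not from the thread). Assumes RSAT's ActiveDirectory module and
# Enterprise Admin rights; 'jdoe' is a placeholder sAMAccountName.
Import-Module ActiveDirectory

$forest = Get-ADForest
$needed = [int][Microsoft.ActiveDirectory.Management.ADForestMode]::Windows2008R2Forest
if ([int]$forest.ForestMode -lt $needed) {
    throw "Forest functional level is $($forest.ForestMode); the Recycle Bin needs 2008 R2 or higher."
}

# The Recycle Bin is an optional feature that is off by default. Enabling it is a
# one-way change (it cannot be turned off again), so the confirmation prompt is kept.
$rb = Get-ADOptionalFeature -Filter 'Name -eq "Recycle Bin Feature"'
if (-not $rb.EnabledScopes) {
    Enable-ADOptionalFeature -Identity $rb -Scope ForestOrConfigurationSet -Target $forest.RootDomain
}

# Deleted objects stay searchable while within msDS-DeletedObjectLifetime;
# the "Deleted Objects" container itself is excluded from the listing.
$deleted = Get-ADObject -Filter 'isDeleted -eq $true -and name -ne "Deleted Objects"' `
    -IncludeDeletedObjects -Properties sAMAccountName, lastKnownParent, whenChanged
$deleted | Select-Object Name, sAMAccountName, lastKnownParent, whenChanged | Format-Table -AutoSize

# Restore one account. With the Recycle Bin the object returns with its attributes and
# group memberships intact (unlike a plain tombstone reanimation); the default target
# is the object's lastKnownParent, -TargetPath overrides it.
$target = $deleted | Where-Object { $_.sAMAccountName -eq 'jdoe' }
if ($target) { Restore-ADObject -Identity $target.ObjectGUID -PassThru }
```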
 
Sandeshdubey commented:
For Windows Server 2008 R2, it is recommended to use the Active Directory Recycle Bin feature. It's a more efficient method and can do a complete restore of previously deleted objects.
Reference link: http://dani3lr.wordpress.com/2009/06/22/restore-deleted-objects-in-active-directory-database-using-tombstone-reanimation-ldp-exe/

For Windows 2008 refer to the link below:
http://sandeshdubey.wordpress.com/2011/10/09/authoritative-non-authoritative-restore-in-windows2008/

Windows Server 2003 introduces the ability to restore deleted ("tombstoned") objects. This simple command-line utility enumerates the deleted objects in a domain and gives you the option of restoring each one. Source code is based on sample code in the Microsoft Platform SDK. This MS KB article describes the use of AdRestore. You can also download the GUI version.
http://technet.microsoft.com/en-us/sysinternals/bb963906
http://blogs.technet.com/b/asiasupp/archive/2006/12/14/using-adrestore-tool-to-restore-deleted-objects.aspx
 
yo_bee (Director of IT) commented:
How many objects are you looking to undelete?
You can use LDP.exe to undelete objects if they have been deleted within the last 60 days.

http://technet.microsoft.com/en-us/library/dd379509(WS.10).aspx#BKMK_2
Follow the LDP section.
 
jskfan (Author) commented:
yo_bee

In which case would we use LDP.exe, and in which would we need to use NTDSUTIL [Authoritative Restore]?

LDP.exe looks easier according to the step by step from Microsoft:
http://technet.microsoft.com/en-us/library/dd379509(WS.10).aspx
 
Sandeshdubey commented:
Refer to this link for Authoritative/Non-Authoritative Restore in Windows 2008:
http://sandeshdubey.wordpress.com/2011/10/09/authoritative-non-authoritative-restore-in-windows2008/

You can also use the ADRestore tool, a free utility that allows you to restore accidentally deleted Active Directory objects.
 
jskfan (Author) commented:
So NTDSUTIL is still around...
LDP.exe would achieve the same thing as NTDSUTIL, correct? Is there any preference?

On the link it says to do the non-authoritative restore and not reboot.
Say I made a full backup on Friday, today is Thursday, and I have accidentally deleted some objects in AD.
Do I need to go to the tape and restore from Friday's backup? This would overwrite the current AD data, which means I would have lost the changes that have been made from Friday to Thursday (objects that have been added).

Does an authoritative restore mean overwriting the current AD data?
 
Krzysztof Pytko (Active Directory Engineer) commented:
Yes, then you need to do an "authoritative restore" of the user object from Friday's backup. Authoritative restore is an extension of non-authoritative restore.

You need to restore Friday's backup on a DC from which you have the System State Backup (in Directory Services Restore Mode (DSRM) in 2003, or stop the AD DS role service in 2008) and do not reboot the server. Run ntdsutil and do an authoritative restore of the user object. That means the USN of the restored object will be changed to a higher value, and after the reboot the current AD database doesn't delete it.

When you do a non-authoritative restore, after the restore you have to reboot the server, then each object with a lower USN will be overwritten; only the authoritative restore changes the USN and prevents overwriting.

For how to do that, you may visit Sandesh's blog, which he linked above.

Krzysztof
 
Sandeshdubey commented:
Once you do a non-authoritative restore and do not do an authoritative restore of the object, the user which was restored from backup will be deleted, as it was not marked as authoritative.

If you do a non-authoritative restore, this method will restore Active Directory to the server, which will then receive all of the recent updates from its replication partners in the domain. For example, a server that has a System State backup from two days ago goes down. A restore of the two-day-old Active Directory would be performed and it would then be updated from the other domain controllers when the next replication takes place. No other steps would be required.

The second method of restoring Active Directory is authoritative restore. This method restores the DC directory to the state it was in when the backup was made, then overwrites all the other DCs to match the restored DC, thereby removing any changes made since the backup. Authoritative restores do not have to be made of the entire directory; it is possible to restore only parts of the directory. When only parts of Active Directory are restored, say an organizational unit, this information is pushed out to the remaining DCs and they are overwritten. However, the rest of the directory's information is then replicated to the restored DC's directory and it is updated.

An example of when an authoritative restore would be used is when an organizational unit is deleted but everything else in Active Directory is working as required. A good backup of Active Directory is available and it is decided to just restore this organizational unit authoritatively. This will ensure that it will not be deleted again, as it will overwrite all other DCs, and the rest of the restored DC's directory will be updated from its replication partners.

If the environment only has a single domain controller, then there is never a reason to perform an authoritative restore, as there are no replication partners.
 
jskfan (Author) commented:
If you check the link again you will see:
"Restore Server 2008 Active Directory (non-authoritative), do not reboot the server"

Would this overwrite the current AD data?
 
Krzysztof Pytko (Active Directory Engineer) commented:
Nope, a non-authoritative restore restores objects with USNs from the day the backup was created. A non-authoritative restore is performed when your DC has crashed and you want to reinitialize the AD database on it. Then all objects from the old backup with lower USNs will be overwritten by new ones from the other DCs. A non-authoritative restore cannot overwrite anything in the current database!

Krzysztof
 
jskfan (Author) commented:
So if the accidentally deleted objects were created right after the full backup was taken on Friday, then there is no chance to recover them. Correct?
 
Krzysztof Pytko (Active Directory Engineer) commented:
From a System State Backup, no (you cannot perform an authoritative restore for a deleted object if it is not in the previous backup). But for that, if the tombstone lifetime hasn't expired (by default it is 60 days), you can use ADRESTORE to restore the deleted object. But there will be no group membership restored, and the account is by default locked out without a password.

Krzysztof
 
jskfan (Author) commented:
Ok...

ADRESTORE, LDP.exe, NTDSUTIL
Any preference?
I know that you said with ADRESTORE "there will be no group membership restored and the account is by default locked out without a password."
 
Krzysztof Pytko (Active Directory Engineer) commented:
NTDSUTIL, whenever it is possible. If the object has been deleted recently, then ADRESTORE, and manually recreate group membership and other missing attributes, and re-join the Exchange mailbox.

Krzysztof
 
jskfan (Author) commented:
What about LDP.exe? Have you used it?
 
Krzysztof Pytko (Active Directory Engineer) commented:
Yes, but LDP can be used only in 2008 R2 if you enabled the AD Recycle Bin; if not, you have to use both previous commands. If your Forest Functional Level is set to Windows Server 2008 R2 mode and the AD Recycle Bin is enabled, you don't have to use NTDSUTIL and/or ADRESTORE. In that case LDP or the AD PowerShell module alone is far better and enough.

How to do that using LDP:
http://technet.microsoft.com/en-us/library/dd379509%28WS.10%29.aspx

And how to do that using PowerShell:
the same link as above, but you need to go a few sections down.

Krzysztof
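For forests below 2008 R2 level, where the thread falls back to AdRestore or the LDP.exe tombstone-reanimation walkthrough, this is that same LDAP operation from PowerShell, as an added example that is not code from the thread or from those tools: find the tombstone with the Show Deleted Objects control, then clear isDeleted and reset distinguishedName in one modify. It assumes System.DirectoryServices.Protocols, rights on the Deleted Objects container, and placeholder DC name, base DN and account 'jdoe'; as Krzysztof notes, the object comes back disabled, without a password and without group membership.

```powershell
# Added example (not from the thread). Placeholders: DC name, base DN, account name.
Add-Type -AssemblyName System.DirectoryServices.Protocols
$ns = 'System.DirectoryServices.Protocols'
# LDAP_SERVER_SHOW_DELETED_OID: without this control tombstones are invisible to search and modify
$ShowDeleted = New-Object -TypeName "$ns.DirectoryControl" -ArgumentList '1.2.840.113556.1.4.417', $null, $true, $true

function Connect-Ldap([string]$Server) {
    $c = New-Object -TypeName "$ns.LdapConnection" -ArgumentList $Server
    $c.SessionOptions.ProtocolVersion = 3
    $c.SessionOptions.Signing = $true     # privileged directory edit: sign and seal the session
    $c.SessionOptions.Sealing = $true
    $c.Bind()                             # current Windows credentials (Negotiate)
    return $c
}

function Find-Tombstone($Conn, [string]$BaseDn, [string]$SamAccountName) {
    $req = New-Object -TypeName "$ns.SearchRequest"
    $req.DistinguishedName = $BaseDn
    $req.Filter = "(&(isDeleted=TRUE)(sAMAccountName=$SamAccountName))"
    $req.Scope = 'Subtree'
    $req.Attributes.Add('lastKnownParent') | Out-Null   # where the object lived before deletion
    $req.Controls.Add($ShowDeleted) | Out-Null
    $res = $Conn.SendRequest($req)
    if ($res.Entries.Count -ne 1) { throw "Expected one tombstone for $SamAccountName, found $($res.Entries.Count)" }
    return $res.Entries[0]   # DN has the form CN=jdoe\0ADEL:<guid>,CN=Deleted Objects,DC=...
}

function Restore-Tombstone($Conn, [string]$DeletedDn, [string]$NewDn) {
    $clear = New-Object -TypeName "$ns.DirectoryAttributeModification"
    $clear.Name = 'isDeleted'
    $clear.Operation = 'Delete'           # drop the isDeleted flag ...
    $move = New-Object -TypeName "$ns.DirectoryAttributeModification"
    $move.Name = 'distinguishedName'
    $move.Operation = 'Replace'           # ... and move the object out of Deleted Objects
    $move.Add($NewDn) | Out-Null
    $req = New-Object -TypeName "$ns.ModifyRequest"
    $req.DistinguishedName = $DeletedDn
    $req.Modifications.Add($clear) | Out-Null   # both changes go in a single modify request
    $req.Modifications.Add($move) | Out-Null
    $req.Controls.Add($ShowDeleted) | Out-Null
    return $Conn.SendRequest($req).ResultCode   # ResultCode.Success when reanimated
}

# Usage (placeholders). The new RDN should be the object's original CN, which may differ from sAMAccountName.
# $conn = Connect-Ldap 'dc01.contoso.com'
# $t = Find-Tombstone $conn 'DC=contoso,DC=com' 'jdoe'
# Restore-Tombstone $conn $t.DistinguishedName "CN=jdoe,$($t.Attributes['lastKnownParent'][0])"
```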
 
jskfan (Author) commented:
Excellent !
Thank you Guys!
 
Krzysztof Pytko (Active Directory Engineer) commented:
You're welcome :)

Krzysztof