jskfan asked:
Restore deleted objects in AD 2008

Prior to AD 2008, restoring a deleted AD object required going through an AD authoritative restore using NTDSUtil, which was too much hassle.
I believe Microsoft has improved this type of individual AD object restore in AD 2008.

Can someone explain how this is done in AD 2008, and what the improvement is?

thanks
SOLUTION by pritamdutt (content available to members only)

Krzysztof:
Hi,

Unfortunately, there is no better native restore of deleted objects. In previous Windows Server versions (2000, 2003, 2008), you have only non-authoritative and authoritative restore. The last one is used for deleted object(s). If you want to restore them, you need to do "hard" work.

All you need to do that is in this MS article:
http://technet.microsoft.com/en-us/library/cc779573%28WS.10%29.aspx

When Windows Server 2008 R2 was released, Microsoft introduced a new feature, "AD Recycle Bin". But it can only be used when your Forest Functional Level is set to Windows Server 2008 R2 mode. By default this feature is not enabled; you need to run the proper command in the Active Directory PowerShell module to activate it. After that, you can simply restore a deleted object, also using Windows Server native PowerShell.

Now, Microsoft is working on the successor of Windows Server 2008 R2. It is Windows Server 8. Active Directory Administrative Center (which was also first introduced in 2008 R2) has many improvements. One of them is a simple "AD Recycle Bin" function to enable that feature and restore deleted objects. It's only in the developer's preview edition, but it's worth checking its features now. Please visit Mike's blog and read an article about ADAC and its new features at
http://adisfun.blogspot.com/2011/09/windows-server-8-active-directory_14.html

For now, if your Forest Functional Level is set below 2008 R2, you have to use the standard "authoritative restore" method or buy a 3rd party tool which allows doing that directly.

Regards,
Krzysztof
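The Recycle Bin procedure Krzysztof describes, written out as an added example (not code from the thread or from Microsoft's documentation). It assumes a Windows Server 2008 R2 forest named contoso.com, the Active Directory PowerShell module on the machine, Enterprise Admin rights, and a deleted user with sAMAccountName jdoe; all of those names are placeholders.

```powershell
# Added example: enable the AD Recycle Bin (once per forest, cannot be undone)
# and restore a deleted user with the ActiveDirectory module (Server 2008 R2+).
Import-Module ActiveDirectory

function Enable-AdRecycleBinIfNeeded {
    $forest = Get-ADForest
    # The feature requires Forest Functional Level Windows Server 2008 R2 or higher.
    if ($forest.ForestMode -lt [Microsoft.ActiveDirectory.Management.ADForestMode]::Windows2008R2Forest) {
        throw "Forest functional level is $($forest.ForestMode); raise it to Windows2008R2Forest first."
    }
    $feature = Get-ADOptionalFeature -Identity 'Recycle Bin Feature'
    if ($feature.EnabledScopes.Count -eq 0) {
        # Irreversible: once enabled, the forest keeps full (not tombstoned) deleted objects.
        Enable-ADOptionalFeature -Identity 'Recycle Bin Feature' `
            -Scope ForestOrConfigurationSet -Target $forest.Name -Confirm:$false
        Write-Host "Recycle Bin enabled for forest $($forest.Name)"
    } else {
        Write-Host "Recycle Bin already enabled for forest $($forest.Name)"
    }
}

function Get-DeletedAdObjects {
    # Deleted objects are hidden from normal searches; -IncludeDeletedObjects shows them.
    Get-ADObject -Filter 'isDeleted -eq $true -and name -ne "Deleted Objects"' `
        -IncludeDeletedObjects -Properties lastKnownParent, whenChanged |
        Select-Object Name, ObjectClass, lastKnownParent, whenChanged, ObjectGUID
}

function Restore-DeletedAdUser {
    param([Parameter(Mandatory)][string]$SamAccountName)
    $deleted = Get-ADObject -LDAPFilter "(&(isDeleted=TRUE)(objectClass=user)(sAMAccountName=$SamAccountName))" `
        -IncludeDeletedObjects -Properties lastKnownParent
    if (-not $deleted) { throw "No deleted user with sAMAccountName '$SamAccountName' found." }
    if ($deleted.Count -gt 1) { throw "More than one deleted '$SamAccountName'; restore by ObjectGUID instead." }
    # With the Recycle Bin, the object keeps its attributes (including group links),
    # so a plain Restore-ADObject puts it back under lastKnownParent intact.
    Restore-ADObject -Identity $deleted.ObjectGUID
    Get-ADUser -Identity $SamAccountName -Properties MemberOf, Enabled |
        Select-Object DistinguishedName, Enabled, MemberOf
}

# Usage (placeholder names):
Enable-AdRecycleBinIfNeeded
Get-DeletedAdObjects | Format-Table -AutoSize
Restore-DeletedAdUser -SamAccountName 'jdoe'
```

If the parent OU was deleted as well, restore it first or pass `-TargetPath` to `Restore-ADObject`; the restore fails while `lastKnownParent` does not exist.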
SOLUTION (content available to members only)

SOLUTION (content available to members only)
jskfan (ASKER):
yo_bee

In which case would we use LDP.exe, and in which would we need to use NTDSUTIL [Authoritative Restore]?

LDP.exe looks easier according to the step-by-step from Microsoft:
http://technet.microsoft.com/en-us/library/dd379509(WS.10).aspx
SOLUTION (content available to members only)
jskfan (ASKER):
So NTDSUTIL is still around...
LDP.exe would achieve the same thing as NTDSUTIL, correct? Is there any preference?

On the link it says do the non-authoritative restore and don't reboot.
Say I had made a full backup on Friday, and today is Thursday and I have accidentally deleted some objects in AD.
Do I need to go to the tape and restore from Friday's backup? This would overwrite the current AD data, which means I would have lost the changes that have been made from Friday to Thursday (objects that have been added).

Does authoritative restore mean overwriting the current AD data?

Krzysztof:

Yes, then you need to do an "authoritative restore" for the user object from Friday's backup. Authoritative restore is an extension of non-authoritative restore.

You need to restore Friday's backup on a DC from which you have the System State backup (in Directory Services Restore Mode, DSRM, in 2003, or stop the AD DS role service in 2008) and do not reboot the server. Run ntdsutil and do an authoritative restore of the user object. That means the USN of the restored object will be changed to a higher value, and after reboot the current AD database doesn't delete it.

When you do a non-authoritative restore, after the restore you have to reboot the server, then each object with a lower USN will be overwritten; only an authoritative restore changes the USN and prevents overwriting.

For how to do that, you may visit Sandesh's blog, which he linked above.

Krzysztof
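The restore-then-mark-authoritative sequence from the answer above, as an added example run from the DSRM console of a Windows Server 2008 DC (not code from the thread). It assumes the system state was backed up with Windows Server Backup (wbadmin), and the object DN and backup version identifier are placeholders to be replaced with real values from your environment.

```powershell
# Added example: authoritative restore of one user object on a Windows Server 2008 DC.
# Run inside Directory Services Restore Mode (boot with F8 -> DSRM, log on with the DSRM password).
$objectDn  = 'CN=jdoe,OU=Sales,DC=contoso,DC=com'   # placeholder DN of the deleted user

# 1. List available system state backups and pick the one taken before the deletion.
wbadmin get versions
$versionId = 'MM/DD/YYYY-HH:MM'   # placeholder: copy the "Version identifier" from the listing

# 2. Non-authoritative system state restore. Do NOT reboot when it finishes;
#    a reboot here would let replication overwrite the older objects again.
wbadmin start systemstaterecovery -version:$versionId -quiet

# 3. Mark only the wanted object as authoritative. ntdsutil raises the object's
#    version number so that, after reboot, the other DCs accept it instead of
#    replicating the deletion back. Each argument is one ntdsutil command.
& ntdsutil 'activate instance ntds' 'authoritative restore' "restore object `"$objectDn`"" quit quit

# 4. ntdsutil writes a .ldf file for back-links (group memberships) in the current
#    directory; it is needed only for groups in other domains of the forest.
Get-ChildItem -Filter '*.ldf'

# 5. Reboot normally; the restored object replicates outward with its raised version.
Restart-Computer
```

Restoring the whole database and marking a single object is what keeps the rest of Friday-to-Thursday changes: every other object in the restored copy still has the old version number and is overwritten by the live replicas after the reboot.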
SOLUTION (content available to members only)
jskfan (ASKER):
If you check the link again you will see:
"Restore Server 2008 Active Directory (non-authoritative), do not reboot the server"

Would this overwrite the current AD data?

Krzysztof:

Nope, a non-authoritative restore restores objects with the USNs from the day the backup was created. A non-authoritative restore is performed when your DC has crashed and you want to reinitialize the AD database on it. Then all objects from the old backup with a lower USN will be overwritten by newer ones from the other DCs. A non-authoritative restore cannot overwrite anything in the current database!

Krzysztof
jskfan (ASKER):

So if the accidentally deleted objects were created right after the full backup was taken on Friday, then there is no chance to recover them. Correct?

Krzysztof:

From a System State backup, no (you cannot perform an authoritative restore for a deleted object if it is not in a previous backup). But for that (if the tombstone lifetime hasn't expired; by default it is 60 days) you can use ADRESTORE to restore the deleted object. But there will be no group membership restored and the account is by default locked out without a password.

Krzysztof
jskfan (ASKER):
Ok...

ADRESTORE, LDP.exe, NTDSUTIL
Any preference?
I know that you said with ADRESTORE "there will be no group membership restored and the account is by default locked out without a password."

Krzysztof:

NTDSUTIL, each time it is possible. If the object has been deleted recently, then ADRESTORE and manually recreate group membership and other missing attributes, and re-join the Exchange mailbox.

Krzysztof
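Krzysztof's ADRESTORE path, as an added example that is not from the thread or from the ADRESTORE/LDP tools: the tombstone reanimation that ADRESTORE and LDP.exe perform is a single LDAP modify (remove isDeleted, set a new distinguishedName, sent with the show-deleted control), and the manual cleanup he lists follows. It assumes a domain controller dc01.contoso.com (Windows Server 2003 or later, no Recycle Bin), the ActiveDirectory module for the lookup and cleanup, and placeholder names for the user, target OU and groups.

```powershell
# Added example: reanimate a tombstoned user over LDAP (what ADRESTORE / LDP.exe do),
# then put back what a tombstone loses: password, enabled state, group membership.
Add-Type -AssemblyName System.DirectoryServices.Protocols
Import-Module ActiveDirectory

function Restore-TombstonedUser {
    param(
        [Parameter(Mandatory)][string]$Server,          # e.g. dc01.contoso.com (placeholder)
        [Parameter(Mandatory)][string]$SamAccountName,  # e.g. jdoe (placeholder)
        [Parameter(Mandatory)][string]$TargetOu,        # OU to place the object in
        [string[]]$Groups = @()                         # memberships to recreate by hand
    )
    # Tombstones keep only a few attributes (sAMAccountName and objectSid among them);
    # they sit under CN=Deleted Objects and are hidden unless deleted objects are requested.
    $tomb = Get-ADObject -Server $Server -IncludeDeletedObjects `
        -LDAPFilter "(&(isDeleted=TRUE)(objectClass=user)(sAMAccountName=$SamAccountName))"
    if (-not $tomb) { throw "No tombstone for '$SamAccountName' (tombstone lifetime expired?)" }
    if ($tomb.Count -gt 1) { throw "Several tombstones for '$SamAccountName'; pick one by ObjectGUID." }

    # Tombstone RDN is "CN=<name>\0ADEL:<guid>"; the original CN is the part before the newline.
    $cn    = $tomb.Name.Split([char]10)[0]
    $newDn = "CN=$cn,$TargetOu"

    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection $Server
    $conn.SessionOptions.ProtocolVersion = 3
    $conn.Bind()   # current Windows credentials

    $req = New-Object System.DirectoryServices.Protocols.ModifyRequest
    $req.DistinguishedName = $tomb.DistinguishedName
    [void]$req.Controls.Add((New-Object System.DirectoryServices.Protocols.ShowDeletedControl))

    # Both changes must travel in the same modify operation for the DC to accept it.
    $undelete = New-Object System.DirectoryServices.Protocols.DirectoryAttributeModification
    $undelete.Name      = 'isDeleted'
    $undelete.Operation = [System.DirectoryServices.Protocols.DirectoryAttributeOperation]::Delete
    $move = New-Object System.DirectoryServices.Protocols.DirectoryAttributeModification
    $move.Name      = 'distinguishedName'
    $move.Operation = [System.DirectoryServices.Protocols.DirectoryAttributeOperation]::Replace
    [void]$move.Add($newDn)
    [void]$req.Modifications.Add($undelete)
    [void]$req.Modifications.Add($move)
    $resp = $conn.SendRequest($req)
    if ($resp.ResultCode -ne [System.DirectoryServices.Protocols.ResultCode]::Success) {
        throw "Reanimation failed: $($resp.ResultCode) $($resp.ErrorMessage)"
    }

    # Manual cleanup: the reanimated account comes back disabled, without a usable
    # password, and with no group links. Exchange mailbox reconnection is done in Exchange.
    $pw = Read-Host -AsSecureString "New password for $SamAccountName"
    Set-ADAccountPassword -Server $Server -Identity $SamAccountName -Reset -NewPassword $pw
    Enable-ADAccount -Server $Server -Identity $SamAccountName
    foreach ($g in $Groups) { Add-ADGroupMember -Server $Server -Identity $g -Members $SamAccountName }

    Get-ADUser -Server $Server -Identity $SamAccountName -Properties MemberOf, Enabled |
        Select-Object DistinguishedName, Enabled, MemberOf
}

# Usage (placeholder names):
Restore-TombstonedUser -Server 'dc01.contoso.com' -SamAccountName 'jdoe' `
    -TargetOu 'OU=Sales,DC=contoso,DC=com' -Groups 'Sales','VPN Users'
```

Because the object keeps its objectSid, ACLs that reference the SID work again after reanimation; everything else (description, mail, UPN, memberships) has to be re-entered from documentation or a backup, which is why an authoritative restore is preferred whenever the object exists in a backup.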
jskfan (ASKER):
What about LDP.exe? Have you used it?
ASKER CERTIFIED SOLUTION (content available to members only)
jskfan (ASKER):
Excellent !
Thank you, guys!

Krzysztof:

You're welcome :)

Krzysztof