Solved

Active Directory object recovery

Posted on 2013-12-17
8
408 Views
Last Modified: 2013-12-19
I had a question about Active Directory object recovery. I have an AD where two problems arose. The first was after clicking "enable inheritance" on a couple of users. It changed a list of known accounts to unknown. The second is one of the unknown accounts was accidentally removed. Being unknown, I don't know what it was to add it back.

I am somewhat familiar with AD Restore, but not sure if this will work since the changes would have replicated to all of the other DC's in the area. The box where the changes were made was an exchange server with ADUC installed and it would have replicated (from my understanding) to the DC's.

The exchange box is a 2012 server with exchange 2013 on it. The other DC's are 2008R2 I believe.

Can someone point in me the right direction of what I need to do to rollback the changes (if possible)

If more information is needed, I will provide as I can.

Thanks in advanced
0
Comment
Question by:camstutz
  • 4
  • 2
  • 2
8 Comments
 
LVL 57

Expert Comment

by:Mike Kline
ID: 39724350
you mentioned 2008 R2...are you in 2008 F2 forest functional level.

The reason I ask is because if you have the AD recycle bin feature enabled that makes recovery much easier.

Do you have a good backup of your system state on the DC?  May need too which is why I'm asking.

Thanks

Mike
0
 
LVL 53

Assisted Solution

by:Will Szymkowski
Will Szymkowski earned 150 total points
ID: 39724404
As Mike has already asked the question, if you have a 2008 R2 Forest you can recover items with powershell or using ldp.exe.

Below are a couple of links which should be able to assist with your restore process.

Powershell/LDP.exe Restore - http://technet.microsoft.com/en-us/library/dd379509(v=ws.10).aspx

Free AD Restore Tools - (try ADRestore.net) http://social.technet.microsoft.com/wiki/contents/articles/5035.free-ad-objects-recovery-tools.aspx

Will.
0
 

Author Comment

by:camstutz
ID: 39724484
I apologize, we are are in a 2003 forest and domain functional level.
0
Comprehensive Backup Solutions for Microsoft

Acronis protects the complete Microsoft technology stack: Windows Server, Windows PC, laptop and Surface data; Microsoft business applications; Microsoft Hyper-V; Azure VMs; Microsoft Windows Server 2016; Microsoft Exchange 2016 and SQL Server 2016.

 

Author Comment

by:camstutz
ID: 39724500
I'm sorry for leaving this out in the first post, but the user wasn't deleted, just a security principal/group was removed and how to change the account unknowns back to known (this happened after clicking "enable inheritance" on an already existing user account.

Again, I apologize that it wasn't clear in the first post.
0
 
LVL 53

Expert Comment

by:Will Szymkowski
ID: 39724503
The Restore Tools should work for you. ADRestore.net is compatible with 2003 Forest/Domain FL.

Will.
0
 
LVL 57

Accepted Solution

by:
Mike Kline earned 350 total points
ID: 39724525
Once you are done with this fire, consider taking regular AD snapshots, you can search for more info on them   http://blogs.technet.com/b/niraj_kumar/archive/2009/02/05/active-directory-snapshot-new-feature-in-windows-2008.aspx

If you had one you could just mount the snapshot and see what groups the user used to be a part of.  Some folks take daily and/or weekly snapshots.

Thanks

Mike
0
 

Author Comment

by:camstutz
ID: 39730397
Hello Mike and Will.

I apologize for not getting back sooner. After looking into this problem first, I am changing my mind that the known accounts changed to unknown. I looked at the security principals on the OU itself and it had a list of unknown accounts. I think that the user object picked up the "Account Unknown" entries from the OU itself. (after clicking 'enable inheritance').  I am decently certain that an "Account Unknown" entry was one that was accidentally removed.

Additionally, the servers have DPM backups with system state that include Active Directory. Using a method that was suggested, I was able to restore the system state to an alternative directory. I then mounted the vhd and then mounted and browsed the ntds.dit file using ADUC (using change domain controller:port) I did this on a test system.
0
 

Author Closing Comment

by:camstutz
ID: 39730405
I am accepting Mike's solution as it led me to the answer to view. But I am also awarding some points to Will as he introduced me to great software as well.
0

Featured Post

Netscaler Common Configuration How To guides

If you use NetScaler you will want to see these guides. The NetScaler How To Guides show administrators how to get NetScaler up and configured by providing instructions for common scenarios and some not so common ones.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Synchronize a new Active Directory domain with an existing Office 365 tenant
A procedure for exporting installed hotfix details of remote computers using powershell
This tutorial will walk an individual through the process of installing the necessary services and then configuring a Windows Server 2012 system as an iSCSI target. To install the necessary roles, go to Server Manager, and select Add Roles and Featu…
This Micro Tutorial hows how you can integrate  Mac OSX to a Windows Active Directory Domain. Apple has made it easy to allow users to bind their macs to a windows domain with relative ease. The following video show how to bind OSX Mavericks to …

770 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question