Active Directory object recovery

Posted on 2013-12-17
Last Modified: 2013-12-19
I had a question about Active Directory object recovery. I have an AD where two problems arose. The first was after clicking "enable inheritance" on a couple of users. It changed a list of known accounts to unknown. The second is one of the unknown accounts was accidentally removed. Being unknown, I don't know what it was to add it back.

I am somewhat familiar with AD Restore, but not sure if this will work since the changes would have replicated to all of the other DCs in the area. The box where the changes were made was an Exchange server with ADUC installed, and it would have replicated (from my understanding) to the DCs.

The Exchange box is a 2012 server with Exchange 2013 on it. The other DCs are 2008 R2, I believe.

Can someone point me in the right direction of what I need to do to roll back the changes (if possible)?

If more information is needed, I will provide it as I can.

Thanks in advance
Question by:camstutz

8 Comments

Expert Comment

by:Mike Kline
ID: 39724350
You mentioned 2008 R2... are you at the 2008 R2 forest functional level?

The reason I ask is because if you have the AD Recycle Bin feature enabled, that makes recovery much easier.

Do you have a good backup of your system state on the DC? You may need one, which is why I'm asking.

Thanks

Mike
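The two checks Mike asks about, as an added example that is not part of his comment: the following PowerShell (ActiveDirectory module, run from any domain-joined machine with RSAT) reports the forest functional level, whether the Recycle Bin optional feature has actually been enabled, and the tombstone lifetime that bounds any recovery. Nothing here is specific to the asker's environment.

```powershell
# Added example: confirm forest functional level, AD Recycle Bin state and tombstone lifetime
# before choosing a recovery method. Needs the ActiveDirectory module (RSAT) and read access.
Import-Module ActiveDirectory

$forest = Get-ADForest
"Forest mode: {0}" -f $forest.ForestMode

# The Recycle Bin needs Windows2008R2Forest or higher. ForestMode is an enum, so it compares numerically.
$minMode = [Microsoft.ActiveDirectory.Management.ADForestMode]::Windows2008R2Forest
if ($forest.ForestMode -lt $minMode) {
    Write-Warning "Forest functional level is below 2008 R2: the Recycle Bin cannot be enabled; deleted objects exist only as tombstones."
}

# Raising the level alone does not turn the feature on; EnabledScopes stays empty until someone enables it.
$feature = Get-ADOptionalFeature -Filter 'Name -eq "Recycle Bin Feature"'
if ($feature.EnabledScopes.Count -gt 0) {
    "AD Recycle Bin is enabled for: {0}" -f ($feature.EnabledScopes -join ', ')
} else {
    "AD Recycle Bin is NOT enabled."
}

# Tombstone lifetime: after this many days a deleted object is gone from every DC and only a backup helps.
$rootDse  = Get-ADRootDSE
$dsConfig = Get-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$($rootDse.configurationNamingContext)" `
                         -Properties tombstoneLifetime
if ($dsConfig.tombstoneLifetime) {
    "Tombstone lifetime: {0} days" -f $dsConfig.tombstoneLifetime
} else {
    # Attribute unset means the default: 60 days for forests created before Windows Server 2003 SP1, 180 after.
    "Tombstone lifetime: not set (default applies: 60 or 180 days depending on when the forest was created)"
}
```

If the first check already says the forest is below 2008 R2, as it turned out to be in this thread, the Recycle Bin cmdlets will not help and the remaining options are tombstone reanimation or an offline copy of the database.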

Assisted Solution

by:Will Szymkowski
Will Szymkowski earned 150 total points
ID: 39724404
As Mike has already asked: if you have a 2008 R2 forest, you can recover items with PowerShell or using ldp.exe.

Below are a couple of links which should be able to assist with your restore process.

PowerShell/LDP.exe Restore - http://technet.microsoft.com/en-us/library/dd379509(v=ws.10).aspx

Free AD Restore Tools - (try ADRestore.net) http://social.technet.microsoft.com/wiki/contents/articles/5035.free-ad-objects-recovery-tools.aspx

Will.
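The PowerShell route Will refers to, as an added example (not from his comment or the linked TechNet article): list what was deleted recently, then restore a named group. The group name 'App-Admins' and the seven-day window are placeholders; run it on a 2008 R2 or later DC, or anywhere the ActiveDirectory module can reach one.

```powershell
# Added example: enumerate recently deleted objects and restore one by its last known name.
# 'App-Admins' and the 7-day window are placeholders for the asker's real object.
Import-Module ActiveDirectory

$rootDse          = Get-ADRootDSE
$deletedContainer = "CN=Deleted Objects,$($rootDse.defaultNamingContext)"
$since            = (Get-Date).AddDays(-7)

# Deleted objects are hidden from ordinary searches; -IncludeDeletedObjects adds the LDAP
# "show deleted" control. lastKnownParent and msDS-LastKnownRDN say where the object lived.
$deleted = Get-ADObject -Filter { isDeleted -eq $true -and whenChanged -gt $since } `
    -IncludeDeletedObjects -SearchBase $deletedContainer `
    -Properties objectSid, lastKnownParent, 'msDS-LastKnownRDN', whenChanged

$deleted |
    Select-Object ObjectGUID, objectClass, 'msDS-LastKnownRDN', lastKnownParent, whenChanged |
    Format-Table -AutoSize

# Pick the deleted group by its last known RDN.
$target = $deleted | Where-Object {
    $_.objectClass -eq 'group' -and $_.'msDS-LastKnownRDN' -eq 'App-Admins'
}
if (-not $target) { throw "No deleted group named App-Admins in the last 7 days." }

# With the Recycle Bin enabled (2008 R2 FFL) the object returns intact: member attribute,
# and above all its original objectSid, so ACEs that referenced it resolve again.
# At 2003 FFL the object is only a tombstone; the same call reanimates it (the same LDAP
# modify ldp.exe performs), but only tombstone-preserved attributes such as objectSid,
# objectGUID, sAMAccountName and name come back, and members must be re-added by hand.
Restore-ADObject -Identity $target.ObjectGUID

Get-ADGroup -Identity 'App-Admins' -Properties member, whenCreated |
    Select-Object Name, SID, whenCreated, @{ n = 'MemberCount'; e = { @($_.member).Count } }
```

The point of restoring rather than re-creating is the SID: a re-created group gets a new objectSid, so every ACE that pointed at the old one stays "Account Unknown", whereas a restored or reanimated object keeps its SID and those ACEs resolve again.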

Author Comment

by:camstutz
ID: 39724484
I apologize, we are in a 2003 forest and domain functional level.

Author Comment

by:camstutz
ID: 39724500
I'm sorry for leaving this out in the first post, but the user wasn't deleted; just a security principal/group was removed. And how do I change the "Account Unknown" entries back to known (this happened after clicking "enable inheritance" on an already existing user account)?

Again, I apologize that it wasn't clear in the first post.

Expert Comment

by:Will Szymkowski
ID: 39724503
The Restore Tools should work for you. ADRestore.net is compatible with 2003 Forest/Domain FL.

Will.

Accepted Solution

by:Mike Kline
Mike Kline earned 350 total points
ID: 39724525
Once you are done with this fire, consider taking regular AD snapshots; you can search for more info on them: http://blogs.technet.com/b/niraj_kumar/archive/2009/02/05/active-directory-snapshot-new-feature-in-windows-2008.aspx

If you had one, you could just mount the snapshot and see what groups the user used to be a part of. Some folks take daily and/or weekly snapshots.

Thanks

Mike

Author Comment

by:camstutz
ID: 39730397
Hello Mike and Will.

I apologize for not getting back sooner. After looking into this problem first, I am changing my mind that the known accounts changed to unknown. I looked at the security principals on the OU itself and it had a list of unknown accounts. I think that the user object picked up the "Account Unknown" entries from the OU itself (after clicking 'enable inheritance'). I am decently certain that an "Account Unknown" entry was one that was accidentally removed.

Additionally, the servers have DPM backups with system state that include Active Directory. Using a method that was suggested, I was able to restore the system state to an alternative directory. I then mounted the VHD and then mounted and browsed the ntds.dit file using ADUC (using "Change Domain Controller" with host:port). I did this on a test system.
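What Mike's snapshot suggestion and camstutz's mounted-ntds.dit approach have in common is an offline copy of the directory served on a second LDAP port with dsamain.exe. The script below is an added example, not the asker's or the experts' code: it mounts such a copy, walks the DACL of the live OU, picks out the ACEs whose SID no longer resolves (what ADUC shows as "Account Unknown"), and asks the offline copy what each SID used to be. The ntds.dit path, the port 10389, and the OU DN are placeholders; it assumes a Domain Admin running on a DC or a server with the AD DS tools installed.

```powershell
# Added example: mount an offline copy of the directory with dsamain.exe and resolve the
# "Account Unknown" ACEs on an OU against it. Paths, port and OU below are placeholders.
#
# To get the offline copy from a live DC instead of a backup (Windows Server 2008+):
#   ntdsutil "activate instance ntds" snapshot create quit quit
#   ntdsutil "activate instance ntds" snapshot "list all" quit quit   # note the index or GUID
#   ntdsutil "activate instance ntds" snapshot "mount 2" quit quit    # exposes C:\$SNAP_...\
Import-Module ActiveDirectory

$dit      = 'C:\Restore\Windows\NTDS\ntds.dit'   # placeholder: ntds.dit from snapshot or system state
$ldapPort = 10389                                 # placeholder: any free port; ADUC can target it too
$ou       = 'OU=Staff,DC=corp,DC=example'         # placeholder: OU whose ACL shows Account Unknown

# 1. Serve the offline database read-only on the chosen port. A .dit copied out of a backup may
#    not be in a clean shutdown state; if dsamain refuses it, run soft recovery first, e.g.:
#    esentutl /r edb /l C:\Restore\Windows\NTDS /s C:\Restore\Windows\NTDS /d C:\Restore\Windows\NTDS
$dsamain = Start-Process -FilePath dsamain.exe -ArgumentList "-dbpath `"$dit`" -ldapport $ldapPort" -PassThru
Start-Sleep -Seconds 20
$snapServer = "localhost:$ldapPort"

# Talk to the offline copy over plain LDAP (System.DirectoryServices) so no ADWS is needed for it.
$snapNC     = ([ADSI]"LDAP://$snapServer/RootDSE").Get('defaultNamingContext')
$snapRoot   = [ADSI]"LDAP://$snapServer/$snapNC"

function Find-OldObjectBySid([string]$sidString) {
    # AD accepts the string form of a SID in an LDAP filter for objectSid.
    $searcher = New-Object System.DirectoryServices.DirectorySearcher(
        $snapRoot, "(objectSid=$sidString)", @('sAMAccountName', 'objectClass', 'member'))
    $searcher.FindOne()
}

# 2. Walk the live OU's DACL. An ACE whose SID cannot be translated to an account is an orphan;
#    enabling inheritance on a child object copies those same orphan SIDs onto the child.
$acl = Get-Acl -Path "AD:\$ou"
$orphans = foreach ($ace in $acl.Access) {
    $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier])
    try {
        $null = $sid.Translate([System.Security.Principal.NTAccount])
        continue                                   # resolves: still a known principal
    } catch [System.Security.Principal.IdentityNotMappedException] { }

    # 3. Look the orphan SID up in the offline copy.
    $old = Find-OldObjectBySid $sid.Value
    [pscustomobject]@{
        SID         = $sid.Value
        Rights      = $ace.ActiveDirectoryRights
        Inherited   = $ace.IsInherited
        WasName     = if ($old) { $old.Properties['samaccountname'][0] } else { '(not in offline copy)' }
        WasClass    = if ($old) { $old.Properties['objectclass'][-1] } else { $null }
        MemberCount = if ($old) { $old.Properties['member'].Count } else { $null }
    }
}
$orphans | Format-Table -AutoSize

# 4. Tear down the offline LDAP server (and, for a snapshot, unmount it:
#    ntdsutil "activate instance ntds" snapshot "unmount 2" quit quit).
Stop-Process -Id $dsamain.Id
```

Once the table names the deleted group, the choice is the same one the rest of the thread discusses: reanimate the tombstone (or restore from the Recycle Bin) so the original SID comes back and the orphan ACEs resolve on their own, or re-create the group, in which case the new SID has to be granted in place of each orphan ACE, because the old entries will never resolve again.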

Author Closing Comment

by:camstutz
ID: 39730405
I am accepting Mike's solution as it led me to the answer to view. But I am also awarding some points to Will as he introduced me to great software as well.