Active Directory Disaster Recovery Workshop. Lab Manual Revision 1.7

Transcription

1 Active Directory Disaster Recovery Workshop Lab Manual Revision 1.7

2 Table of Contents LAB 1: Introduction to the Lab Environment... 1 Goals... 1 Introduction... 1 Exercise 1: Inspect the Lab Environment... 3 LAB 2: Object Recovery Using Authoritative Restore... 4 Goals... 4 Introduction... 4 Exercise 1: Recover User Object and its Group Memberships Using Authoritative Restore... 5 Exercise 2: Recover OU and its Contents Using Authoritative Restore LAB 3: Object Recovery Using Reanimation Goals Introduction Exercise 1: Recover User Object Using Object Reanimation LAB 4: Group Policy Recovery Goals Introduction Exercise 1: Backup All Group Policies in the Forest Exercise 2: Change existing GPO and Analyze Changes via GPO Reports Exercise 3: Restore a GPO using GPMC LAB 5: Forest Recovery Goals Introduction Exercise 1: Melt Down the Forest Exercise 2: Recover First DC of the Root Domain Exercise 3: Recover First DC of CHILD Domain Exercise 4: Recover CHILDDC

3 LAB 1: Introduction to the Lab Environment Goals To familiarize you with the lab environment To make sure you can use the lab environment Introduction The Disaster Recovery lab consists of three virtual machines. The machines are all connected to a single subnet so that the DCs can communicate with your workstation and with each other. Each virtual machine is running Windows Server 2003 Enterprise Edition, with SP1. The three virtual machines are configured as three DCs in a single Active Directory forest, as described below. Active Directory Forest Your forest consists of two domains, drroot.local and child.drroot.local. The entire forest is running at Windows 2003 forest functional level. DNS The drroot.local forest uses Microsoft DNS running on one DC, and is Active Directory integrated. There is one DNS server in the drroot.local domain (ROOTDC1) and one in the child.drroot.local domain (CHILDDC1). They point to themselves for their primary DNS resolver. Root Domain Domain administrator: adm.root Domain administrator password: netpro ROOTDC1 configuration IP Address /16 Site Roles Is GC? Hosts DNS? DRSM credentials HubSite Domain naming, RID master, PDC emulator, schema master Yes Yes Username: Administrator Password: netpro All rights reserved. Page 1

4 CHILD Domain Domain administrator: adm.child Domain administrator password: netpro CHILDDC1 configuration IP Address /16 Site Roles Is GC? Hosts DNS? DRSM credentials HubSite RID master, PDC emulator Yes No Username: Administrator Password: netpro CHILDDC2 configuration IP Address /16 Site Roles Is GC? Hosts DNS? DRSM credentials HubSite Infrastructure master No No Username: Administrator Password: netpro All rights reserved. Page 2

5 Exercise 1: Inspect the Lab Environment Install virtual machine images from DVD 1. Copy the virtual machine images from the DVDs you were provided to your laptop hard drive(s), and configure the virtual machines appropriately. Be sure that the VMs are all connected to the same virtual (guest-only) network. If you are going to run your VMs on two separate machines, BEFORE connecting them to the physical network, boot the images with no network connection and set the IP addresses on all three VMs so that there will be no conflicts on the physical lab network. See you instructor for an appropriate set of IP addresses. Inspect the DRROOT domain Inspect the CHILD domain 1. Start the image for ROOTDC1. 2. Login to the DRROOT domain using the domain administrator credentials listed 3. On ROOTDC1, run Active Directory Users and Computers (ADUC) to inspect the contents of the ROOT domain. In particular note that the users and computers have all been moved under the OU=Delegated-OUs organizational unit. 4. Note that the C:\Workshop\Scripts directory contains files you will use during subsequent exercises. 1. Start the images for CHILDDC1 and CHILDD2. 2. On CHILDDC1, login to the CHILD domain using the domain administrator credentials listed 3. On CHILDDC1, run ADUC to inspect the contents of the CHILD domain. Note that the structure is very similar to that of the ROOT domain. 4. Note that the C:\Workshop\Scripts directory contains files you will use during subsequent exercises. All rights reserved. Page 3

6 LAB 2: Object Recovery Using Authoritative Restore Goals Understand the peculiarities of Active Directory data structures and how they affect data recovery. Learn how to recover a single object from backup, including properly restoring its linked attributes, e.g. the group memberships of a user object. Learn how to recover a deleted OU and its contents using an authoritative restore. Introduction The lab focuses on recovering deleted Active Directory objects. You should have a good understanding of the following concepts from the presentation: Tombstoned objects and how they are created. Linked attributes and how they are maintained, including forward links and backward links. Link-value replication in Windows Server How authoritative restore works. This lab includes two exercises. In the first exercise you will delete and restore a user object with multiple group memberships. You will see for yourself all of the strange and wonderful aspects of restoring an Active Directory user object in a multi-domain environment. In the second exercise, you will delete and authoritatively restore an entire OU, including users and groups. Note: These exercises are based on a Windows Server 2003 SP1 environment running in Windows Server 2003 forest functional level. If you are running a different Active Directory environment, some of the steps for these tasks would be different. The instructors will discuss some of these differences during the presentation. On to the exercises! All rights reserved. Page 4

7 Exercise 1: Recover User Object and its Group Memberships Using Authoritative Restore Select a user and inspect its group memberships on CHILDDC1 Inspect the user s group memberships on CHILDDC2 Inspect the user s group memberships on ROOTDC1 1. Log in to CHILDDC1 using the domain administrator credentials provided 2. On CHILDDC1, run Active Directory Users and Computers and find a user object, for instance CN=Simpson, Bart,OU=Accounts,OU=ChildOU1,OU=Delegated- OUs,DC=child,DC=drroot,DC=local. Note the content of its memberof attribute (the backlink). These are the groups in the CHILD domain that Bart is a member of. 3. On CHILDDC1, run ADSIEDIT.MSC, locate the user object, and note the memberof attribute. The memberof attribute will contain backlinks to the Universal groups in the DRROOT domain that Bart is a member of. ADUC explicitly filters these to provide a consistent view of the memberof attribute. These are visible on CHILDDC1 because CHILDDC1 is also a GC and has entries for the group objects from the DRROOT domain. 1. Log in to CHILDDC2 using the domain administrator credentials provided 2. On CHILDDC2, the non-gc, do the same thing. Note that the memberof attribute does NOT contain the backlinks to the universal groups in the DRROOT domain. 1. Log in to ROOTDC1 using the domain administrator credentials provided in the introduction 2. From the Start menu, select Run, type LDP, and press Ok. 3. In LDP connect to the default server and bind using default credentials. 4. Search the DRROOT NC (set scope = subtree) to find all the groups of which Bart is a member. Use the following search filter: (&(objectclass=group)(member=cn=simpson\, Bart,OU=Accounts,OU=ChildOU1,OU=Delegated- OUs,DC=child,DC=drroot,DC=local)) Note: Bart s common name (CN) attribute contains an embedded space, so type carefully. Or even better, cut and paste the DN from C:\Workshop\Scripts\Lab 1.Object Recovery\LDPFilter.txt file. Delete the selected user object Verify replication of the delete operation 5. Note that Bart is a member of two universal groups and one local group in the DRROOT domain. You should still be logged in as the domain administrator on CHILDDC1. 1. On CHILDDC1, run Active Directory Users and Computers and locate the user you selected in the first step. 2. Delete the user object. You should still be logged in as the domain administrator on CHILDDC2. 1. On CHILDDC2, run Active Directory Users and Computers and verify the user you deleted in the previous step has been deleted from CHILDDC2. All rights reserved. Page 5

8 Boot the GC into Directory Services Restore Mode Perform a System State restore of the GC You should still be logged in as the domain administrator on CHILDDC1. 1. On CHILDDC1, edit the startup parameters by right-clicking My Computer, selecting Properties/Advanced/Startup and Recovery, and selecting Directory Service Restore Mode from the Default operating system drop-down list. 2. Restart the GC. When the GC restarts, it will come up in Directory Services Restore Mode. 1. Log in to CHILDDC1 using the DSRM credentials provided in the introduction. 2. From the Start menu, select Run, enter NTBACKUP, and press the Ok button. 3. On the initial NTBACKUP dialog, click Next. 4. On the Backup or Restore Wizard dialog, select restore files and settings and click Next. 5. On the What to Restore dialog, double-click the File entry on the left, double-click on the appropriate backup file, check the System State entry, and click Next. Note that we have included a system state backup of CHILDDC1 for you to use in the C:\Workshop\Backups directory. Figure 1 Selecting System State restore 6. On the Complete the Backup or Restore Wizard dialog, click the Advanced button, ensure that the entry for Restore files to: is set to Original location, and press Next. 7. On the How to Restore dialog, select Leave existing files, and press Next. 8. On the Advanced Restore options dialog, check When restoring replicated datasets, mark the restored data as the primary data for all replicas, and press Next. This will mark the restored SYSVOL as authoritative for the entire domain and start the restore. 9. Do NOT restart the GC at this time. All rights reserved. Page 6

9 Authoritatively restore the deleted object on the GC 1. On CHILDDC1 (still in Directory Service Restore Mode), run NTDSUTIL. 2. At the ntdsutil: prompt, type authoritative restore. 3. At the authoritative restore: prompt, type restore subtree <distinguished name>, where <distinguished name> is the DN of the object you deleted, e.g. CN=Simpson\, Bart,OU=Accounts,OU=ChildOU1,OU=Delegated- OUs,DC=child,DC=drroot,DC=local. Note: Bart s common name (CN) attribute contains a comma and an embedded space, so type carefully. Commas embedded in an RDN must be escaped with a backslash ( \ ), and the entire DN should be enclosed in quotes. Even better, cut and paste the DN from another application. Reboot CHILDDC1 into normal mode Restore group memberships in the users domain 4. Type quit twice to exit ntdsutil. 5. Note the creation of two LDIF files, one for each domain. These LDIF files contain group and manager update operations to help recover the group memberships of the restored user. Also note the creation of a.txt file containing the objectguid and DN of the restored object. Use NOTEPAD to look at the files to make sure the contents make sense. You will find them in the directory from which NTDSUTIL has been executed. 1. On CHILDDC1, edit the DC startup parameters by right-clicking My Computer and selecting Properties/Advanced/Startup and Recovery. 2. Select Windows Server 2003, Enterprise from the Default operating system drop-down list. 3. Save your changes by pressing Ok twice. 4. Restart CHILDDC1. Note: This step is NOT necessary in our Disaster Recovery Lab today because we are running in Windows Server 2003 Forest Functional Level enabling Link Value Replication (LVR), and all of the links were created in that mode. NTDSUTIL automatically recovers the local domain links (e.g. group memberships) for you. We ve included these steps here as a reference for object recovery in non-lvr forest, or in an LVR-forest where the links were created before the upgrade to Windows 2003 FFL. 1. Run LDIFDE to import the LDIF file created by NTDSUTIL to restore the local domain group memberships. For instance: C:\> ldifde i k f ar_ _links_child.drroot.local.ldf Copy NTDSUTILgenerated files to ROOTDC1 2. Run Active Directory Users and Computers, locate the restored user, and verify that the user has been added to the appropriate groups in the CHILD domain. 1. Log in to ROOTDC1 using the domain administrator credentials provided 2. Copy the NTDSUTIL-generated files from CHILDDC1, e.g. C:\> COPY \\CHILDDC1\C$\ar_ _links_drroot.local.ldf C:\ C:\> COPY \\CHILDDC1\C$\ar_ _objects.txt All rights reserved. Page 7

10 Boot ROOTDC1 into Directory Services Restore Mode Perform a system state restore on ROOTDC1 1. On ROOTDC1, edit the startup parameters by right-clicking My Computer, selecting Properties/Advanced/Startup and Recovery, and selecting Directory Service Restore Mode from the Default operating system drop-down list. 2. Restart ROOTDC1. When ROOTDC1 restarts, it will come up in Directory Services Restore Mode. 1. Log in to ROOTDC1 using the DSRM credentials provided in the introduction. 2. From the Start menu, select Run, enter NTBACKUP, and press the Ok button. 3. On the initial NTBACKUP dialog, click Next. 4. On the Backup or Restore Wizard dialog, select restore files and settings and click Next. 5. On the What to Restore dialog, double-click the File entry on the left, double-click on the appropriate backup file, check the System State entry, and click Next. Use NTDSUTIL to create LDIF files for Figure 2 Selecting System State restore 6. On the Complete the Backup or Restore Wizard dialog, click the Advanced button, ensure that the entry for Restore files to: is set to Original location, and press Next. 7. On the How to Restore dialog, select Leave existing files, and press Next. 8. On the Advanced Restore options dialog, check When restoring replicated datasets, mark the restored data as the primary data for all replicas, and press Next. This will mark the restored SYSVOL as authoritative for the entire domain and start the restore. 9. Edit the startup parameters by right-clicking My Computer, selecting Properties/Advanced/Startup and Recovery, and selecting Windows Server 2003, Enterprise from the Default operating system drop-down list. 10. Do NOT reboot ROOTDC1 at this time. 1. On ROOTDC1, run NTDSUTIL All rights reserved. Page 8

11 group memberships 2. At the ntdsutil: prompt, type authoritative restore. 3. At the authoritative restore: prompt, type create ldif file(s) from <filename>, where <filename> is the name of the.txt file you copied from CHILDDC1, for example ar_ _objects.txt. This will create LDIF files to run to restore group memberships in the DRROOT domain. Note: The only reason we perform an authoritative restore on a DC in the DRROOT domain is so that NTDSUTIL can create an LDIF file containing the group memberships in the domain. Because we will not perform an authoritative restore, the normal replication process in the DRROOT domain will overwrite the data we have non-authoritatively restored. Reboot ROOTDC1 into normal mode Import LDIF files created by NTDSUTIL on ROOTDC1 1. On ROOTDC1, edit the DC startup parameters by right-clicking My Computer and selecting Properties/Advanced/Startup and Recovery. 2. Select Windows Server 2003, Enterprise from the Default operating system drop-down list. 3. Save your changes by pressing Ok twice. 4. Restart ROOTDC1. 1. Log in to ROOTDC1 using the domain administrator credentials provided 2. Run LDIF to import the LDIF file created for the DRROOT domain in the previous step, for instance: C:\> ldifde i k f ar_ _links_drroot.local.ldf Note that NTDSUTIL created two LDIF files, one for membership information for groups in the DRROOT domain, and one for memberships in groups in the CHILD domain. Because we recovered the user on a GC in the CHILD domain, the CHILD domain memberships have already been restored, and we do not have to import the LDIF file for the CHILD domain memberships. Summary 3. Run Active Directory Users and Computers and verify the appropriate DRROOT group memberships have been updated with the restored user. In this exercise we have deleted a user with group memberships both in its own and another domain. We then restored the user from backup using authoritative restore, and then recovered the user s group memberships in both its own and the other domain. All rights reserved. Page 9

12 Exercise 2: Recover OU and its Contents Using Authoritative Restore Create a new system state backup of CHILDDC1 1. Log in to CHILDDC1 using the domain administrator credentials provided 1. Open My Computer and navigate to the batch file you created to run perform a system state backup. 2. Double-click on the batch file to run the backup. 3. Make sure the backup file was created by checking that the C:\Workshop\Backup\samplebackup.bkf file has been created and contains some data. Note: You may wonder why you can t just use the backup you created originally. The explanation is a little involved. The original objects in the directory you are using started out with attribute version numbers of 1. When you deleted the computer and user objects in the earlier exercises, and then authoritatively restored them, NTDSUTIL increased the version numbers of the object s attributes to 10001, and this replicated out to the other DCs. If we don t create a new backup now, but instead use the original backup, when we authoritatively restore the deleted objects, the version numbers will again be incremented to But the other DC in the domain will already have this version number, and there the replication conflict resolution code will select the attribute value from the DC with higher DSA GUID value. The result will be that the authoritatively restore values will be overwritten by values from the other DC in the domain. This is a problem whenever you authoritatively restore the same object more than once in a day. Note that you could also use the verinc option in NTDSUTIL to increase the version number by some larger amount. Select and delete an OU 1. On CHILDDC1, run Active Directory Users and Computers and locate an OU to delete, for instance OU=ChildOU1,OU=Delegated- OUs,DC=child,DC=drroot,DC=local. 2. Delete the OU. Verify replication of the delete operation 1. Log in to CHILDDC2 using the domain administrator credentials provided 2. Run Active Directory Users and Computers and verify the OU you deleted in the previous step has been deleted from CHILDDC2. All rights reserved. Page 10

13 Boot the GC into Directory Services Restore Mode Perform a System State restore of the GC Authoritatively restore the deleted object on the GC Reboot CHILDDC1 into normal mode Verify restoration of OU and its contents 1. On CHILDDC1, edit the startup parameters by right-clicking My Computer, selecting Properties/Advanced/Startup and Recovery, and selecting Directory Service Restore Mode from the Default operating system drop-down list. 2. Restart the GC. When the GC restarts, it will come up in Directory Services Restore Mode. 1. Log in to CHILDDC1 using the DSRM credentials provided in the introduction. 2. From the Start menu, select Run, enter NTBACKUP, and press the Ok button. 3. On the initial NTBACKUP dialog, click Next. 4. On the Backup or Restore Wizard dialog, select restore files and settings and click Next. 5. On the What to Restore dialog, double-click the File entry on the left, double-click on the appropriate backup file, check the System State entry, and click Next. 6. On the Complete the Backup or Restore Wizard dialog, click the Advanced button, ensure that the entry for Restore files to: is set to Original location, and press Next. 7. On the How to Restore dialog, select Leave existing files, and press Next. 8. On the Advanced Restore options dialog, check When restoring replicated datasets, mark the restored data as the primary data for all replicas, and press Next. This will mark the restored SYSVOL as authoritative for the entire domain and start the restore. 9. Do NOT restart the GC at this time. 1. On CHILDDC1 (still in Directory Service Restore Mode), run NTDSUTIL. 2. At the ntdsutil prompt, type authoritative restore. 3. At the authoritative restore prompt, type restore subtree <distinguished name>, where <distinguished name> is the DN of the OU you deleted earlier, for instance OU=ChildOU1,OU=Delegated- OUs,DC=child,DC=drroot,DC=local. 4. Type quit twice to exit ntdsutil. 5. Note the creation of two LDIF files, one for each domain. These LDIF files contain group and manager update operations to help recover the group memberships of the restored users. Also note the creation of a.txt file containing the objectguid and DN of the restored objects. Use NOTEPAD to look at the files to make sure the contents make sense. You will find them in the directory from which NTDSUTIL has been executed. 1. On CHILDDC1, edit the DC startup parameters by right-clicking My Computer and selecting Properties/Advanced/Startup and Recovery. 2. Select Windows Server 2003, Enterprise from the Default operating system drop-down list. 3. Save your changes by pressing Ok twice. 4. Restart CHILDDC1. 1. Log in to CHILDDC1 using the domain administrator credentials provided Note: Be sure to allow enough time for replication to occur before continuing. You can use REPLMON to check that replication is complete. 2. Run ADSIEDIT to verify that the OU has been restored. 3. Log in to CHILDDC2 using the domain administrator credentials provided All rights reserved. Page 11

14 Restore group memberships in the users domain 4. Run ADSIEDIT and verify the OU you restored has been restored on CHILDDC2. 5. Note the following: The contents of the OU (user objects) have been restored as well. The group memberships of the user objects have been restored as well, including universal group memberships in the DRROOT domain. The objects have replicated to CHILDDC2 and all of the CHILD domain group memberships are properly replicated. 6. Log in to ROOTDC1 using the domain administrator credentials provided 7. Run ADSIEDIT to verify that the restored OU has replicated to ROOTDC1 (the GC in the DRROOT domain). You will have to connect to the GC port by clicking the Advanced button on the ADSIEDIT Connection Settings dialog. 8. Note the following: The objects contained in the OU have replicated to the GC as well. Only the universal group memberships of the users have been restored. The domain local group memberships in the DRROOT domain have not been restored, because there was no record of these memberships in the CHILD domain. Note: This step is NOT necessary in our Disaster Recovery Lab today because we are running in Windows Server 2003 Forest Functional Level enabling Link Value Replication (LVR), and all of the links were created in that mode. NTDSUTIL automatically recovers the local domain links (e.g. group memberships) for you. We ve included these steps here as a reference for object recovery in non-lvr forest, or in an LVR-forest where the links were created before the upgrade to Windows 2003 FFL. 1. On CHILDDC1 (you should still be logged in as the domain administrator), run LDIFDE to import the LDIF file created by NTDSUTIL to restore the local domain group memberships. For instance: C:\> ldifde i k f ar_ _links_child.drroot.local.ldf Copy NTDSUTILgenerated files to ROOTDC1 2. Run Active Directory Users and Computers, locate the restored user, and verify that the user has been added to the appropriate groups in the CHILD domain. 1. Log in to ROOTDC1 using the domain administrator credentials provided 2. Copy the NTDSUTIL-generated files from CHILDDC1, e.g. C:\> COPY \\CHILDDC1\C$\ar_ _links_drroot.local.ldf C:\ C:\> COPY \\CHILDDC1\C$\ar_ _objects.txt All rights reserved. Page 12

15 Boot ROOTDC1 into Directory Services Restore Mode Perform a system state restore on ROOTDC1 Use NTDSUTIL to create LDIF files 1. Log in to ROOTDC1 using the domain administrator credentials provided 2. On ROOTDC1, edit the startup parameters by right-clicking My Computer, selecting Properties/Advanced/Startup and Recovery, and selecting Directory Service Restore Mode from the Default operating system drop-down list. 3. Restart ROOTDC1. When ROOTDC1 restarts, it will come up in Directory Services Restore Mode. 4. Log in to ROOTDC1 using the DSRM credentials provided in the introduction. 1. Log in to ROOTDC1 using the DSRM credentials provided in the introduction. 2. From the Start menu, select Run, enter NTBACKUP, and press the Ok button. 3. On the initial NTBACKUP dialog, click Next. 4. On the Backup or Restore Wizard dialog, select restore files and settings and click Next. 5. On the What to Restore dialog, double-click the File entry on the left, double-click on the appropriate backup file, check the System State entry, and click Next. 6. On the Complete the Backup or Restore Wizard dialog, click the Advanced button, ensure that the entry for Restore files to: is set to Original location, and press Next. 7. On the How to Restore dialog, select Leave existing files, and press Next. 8. On the Advanced Restore options dialog, check When restoring replicated datasets, mark the restored data as the primary data for all replicas, and press Next. This will mark the restored SYSVOL as authoritative for the entire domain and start the restore. 9. Do NOT restart ROOTDC1 at this time. 1. On ROOTDC1, run NTDSUTIL 2. At the ntdsutil prompt, type authoritative restore. 3. At the authoritative restore prompt, type create ldif file(s) from <filename>, where <filename> is the name of the.txt file you copied from CHILDDC1, for example ar_ _objects.txt. This will create LDIF files to run to restore group memberships in the DRROOT domain. Note: The only reason we perform an authoritative restore on a DC in the DRROOT domain is so that NTDSUTIL can create an LDIF file containing the group memberships in the domain. Because we will not perform an authoritative restore, the normal replication process in the DRROOT domain will overwrite the data we have non-authoritatively restored. Reboot ROOTDC1 into normal mode Import LDIF files created by NTDSUTIL on ROOTDC1 1. On ROOTDC1, edit the DC startup parameters by right-clicking My Computer and selecting Properties/Advanced/Startup and Recovery. 2. Select Windows Server 2003, Enterprise from the Default operating system drop-down list. 3. Save your changes by pressing Ok twice. 4. Restart ROOTDC1. 1. Log in to ROOTDC1 using the domain administrator credentials provided 2. Run LDIF to import the LDIF files created in the previous step, for All rights reserved. Page 13

16 instance: C:\> ldifde I k f ar_ _links_drroot.local.ldf Summary 3. Run Active Directory Users and Computers and verify the appropriate DRROOT group memberships have been updated with the restored users. In this exercise we deleted an entire OU containing many users, and recovered the users, along with their group memberships using authoritative restore. All rights reserved. Page 14

17 LAB 3: Object Recovery Using Reanimation Goals Learn how to reanimate a deleted object. Understand what happens when you reanimate an object. Understand the benefits and limitations of object reanimation as a data recovery mechanism. See how third-party tools can simplify data recovery using object reanimation. Introduction The lab focuses on recovering deleted Active Directory objects by reanimating them. You should have a good understanding of the following concepts from the presentation: Tombstoned objects and how they are created. Linked attributes and how they are maintained, including forward links and backward links. What happens when you reanimate an object. All rights reserved. Page 15

18 All rights reserved. Page 16

19 Exercise 1: Recover User Object Using Object Reanimation Select a user and inspect its memberships Delete a user object Find the tombstone of the deleted object Reanimate the deleted object using ADRECOVER 1. On CHILDDC1 (the GC), find a user object, for instance CN=Simpson\, Bart,OU=Accounts,OU=ChildOU1,OU=Delegated- OUs,DC=child,DC=drroot,DC=local, and note the content of its memberof attribute (the backlink). These are the groups in the CHILD domain that Bart is a member of. Write these down for later. 2. On CHILDDC1, run ADSIEdit, locate the user object, and note the memberof attribute. The memberof attribute will contain backlinks to the Universal groups in the DRROOT domain that Bart is a member of. ADUC explicitly filters these to provide a consistent view of the memberof attribute. 3. On CHILDDC2, the non-gc, do the same thing. The memberof attribute will not contain the backlinks to the universal groups in the ROOT domain. 4. On ROOTDC1, run LDP. 5. Connect to ROOTDC1 and bind using adm.root credentials. 6. Search the DRROOT NC to find all the groups of which Bart is a member. Use the following search filter: (&(objectclass=group)(member=cn=simpson\, Bart,OU=Accounts,OU=ChildOU1,OU=Delegated- OUs,DC=child,DC=drroot,DC=local)) 7. Note that the CN component of the DN has an embedded comma and space, so type carefully! Or even better, cut and paste the DN from another app. 8. Note that Bart is a member of two universal groups and one local group in the DRROOT domain. 1. On CHILDDC1, start Active Directory Users and Computers (ADUC). 2. Find a user object, for instance CN=Simpson\, Bart,OU=Accounts,OU=ChildOU1,OU=Delegated- OUs,DC=child,DC=root,DC=net. 3. Delete the user object. 4. Use ADUC to verify that the user object has been deleted on CHILDDC2 1. On CHILDDC1, run LDP 2. Connect and bind to the local domain controller 3. On the menu bar, select Options/Controls and add the Return deleted objects control to the active control list. 4. On the menu bar, select View/View Tree. Use the domain NC DC=child,DC=drroot,DC=local as the BaseDN of the search. 5. Expand the tree on the left-hand side. 6. Double-click the CN=Deleted Objects entry to view the deleted objects. 7. Find the object you deleted, and double-click it to see its contents. Note that most of its attributes have been removed, and that its CN has been changed. Also note the value of the lastknownparent attribute. 1. On CHILDDC1, open a command prompt. 2. Use ADRestore from Sysinternals to reanimate the tombstone of the deleted user object. You can find ADRecover.exe in C:\Workshop\Scripts\Lab 4 Reanimation. Use the r switch to enable recovery. For instance, to recover an object with a cn containing the text bart, you would use: C:\Workshop\Scripts\Lab 3 Reanimation> adrestore r bart 3. Use ADUC to verify that the user object has been properly restored to its original location in AD. Note that most of the attributes are still missing. Object reanimation does not restore group memberships. To restore group memberships and other linked attributes, you will have to resort to another mechanism, for instance restoring memberships from an LDIF file that you create periodically as a All rights reserved. Page 17

20 backup. 4. Use ADUC to restore the group memberships in the CHILD domain. 5. Login to ROOTDC1 and use ADUC to restore the group memberships in the DRROOT domain. All rights reserved. Page 18