When the Active Directory Recycling Bin Isn t Enough

Transcription

1 When the Active Directory Recycling Bin Isn t Enough Don Jones w w w. s c r i p t l o g i c. c o m / s m b I T

2 2011 ScriptLogic Corporation ALL RIGHTS RESERVED. ScriptLogic, the ScriptLogic logo and Point,Click,Done! are trademarks and registered trademarks of ScriptLogic Corporation in the United States of America and other countries. All other trademarks and registered trademarks are property of their respective owners. 2 When the Active Directory Recycling Bin Isn t Enough

3 One of the much-hyped new features in Windows Server 2008 R2 is the Active Directory Recycle Bin. An ambitiously-named feature, it does provide some much-needed native recovery options to Active Directory, but the Recycle Bin part of the name is overselling it just a bit. Let s take a look at what this feature is, what it offers, and where it might fall short of your business needs. Tombstones: Not Recyclable AD has always retained copies of deleted objects. Rather than actually deleting an object, AD marks it with a tombstone, essentially an attribute that says, This object was deleted. Tombstones can then replicate, ensuring that each domain controller knows the object is deleted. After a certain period of time, tombstones objects are actually deleted. Tombstoned objects do, however, have most of their attributes stripped away immediately. The tombstone process isn t intended to be a recycle bin of any kind, and tombstoned objects aren t intended to be re-animated under normal circumstances. The tombstone is simply a way of ensuring that every domain controller gets the delete notification for the object. While it s entirely possible to re-animate a tombstoned object, you d have to manually re-enter any attributes, which isn t practical if you need to recover a lot of objects quickly. The New Recycle Bin The new feature is designed to supplement the tombstone functionality by retaining complete copies of deleted objects, including all of their attributes. The objects are stored in a special Deleted Objects container, from which they can be restored for up to 180 days. There are, however, a few caveats: Every domain controller in your forest must be running Windows Server 2008 R2, and your forest functional level must be set to Windows Server 2008 R2. That involves a forest schema extension, and requires that you first raise all domains in the forest to the Windows Server 2008 R2 functional level. You have to manually enable the Recycle Bin feature. You ll usually do this by opening Windows PowerShell, importing the ActiveDirectory module, and running the Enable-ADOptionalFeature cmdlet to enable the Recycle Bin feature. This can also be done in an Active Directory Lightweight Directory Services (AD LDS) environment. You may have to run this command on the domain controller that is your schema master in order for it to work. Note that, after the default 180-day deleted item lifetime has passed, deleted items are recycled. At that time their attributes are stripped, much like a tombstoned object. Recycled objects, however, can t be re-animated, and you can t restore them from a backup. That means if you delete an object, you have 180 days to undelete it, or you can never bring it back again without essentially restoring the entire domain. Recycled objects, like tombstoned ones, are permanently removed from the directly after a period of time. Once you enable the Recycle Bin feature, any tombstoned objects in your domain immediately become recycled objects, eliminating the possibility of restoring them from backup, or re-animating them, at any time in the future. That s a big deal, so make sure you re really ready to proceed before enabling the feature. With the new feature enabled, you ll no longer have tombstoned objects in the directory, ever. With the feature enabled, you can restore objects from the so-called Bin. Unfortunately, you won t find an actual recycle bin icon a la Windows Explorer; by default, the new Deleted Objects directory container isn t even 3 When the Active Directory Recycling Bin Isn t Enough

4 displayed in the AD Users and Computers console. You have to use the Ldp.exe tool to display the container; see for details. That page also provides details on the commands you can use to restore objects, both from Cmd.exe or from PowerShell. Restoring multiple objects can be tricky, and that article will walk you through that process as well. For example, to restore an OU containing two users and a child OU you ll need to: Restore the top-level deleted OU Restore the user accounts Restore the child OU Restore the user accounts from the child OU It s not like the Windows Explorer Recycle Bin, where you can just drag stuff from place to place in order to recover it; with this new feature, you ll mainly be running commands. If you need to restore an entire hierarchy, you ll be doing so manually, one piece at a time. You also can t restore an object that hasn t been deleted. In other words, if someone changes, but doesn t delete, a user, the new Recycle Bin won t have the change, and won t be able to help you roll back the change. Let s dig into some examples. Note that all of these assume you re running the Active Directory Shell (which preimports the ActiveDirectory PowerShell module), and that you re running as a member of the Domain Admins group. Let s start by recovering a single object, such as a user named DonJ: Get-ADObject -filter {displayname -eq 'DonJ'} -IncludeDeletedObjects Restore-ADObject Simple enough, although you ll need to be able to identify the user (or other object) by means of a filter, like the one I provided. The help for this command provides examples of acceptable filters. Now let s do something harder. Suppose you have deleted an OU named Sales, which contained two users named Greg and Jeff, as well as a sub-ou named West which contained a user named Mike. You re going to need to restore all four objects more or less individually, and you ll need to go from the top down. Let s start by assuming that what you re really after are the user accounts, and you need to find out what OU they were in: Get-ADObject -SearchBase "cn=deleted Objects,dc=company,dc=com" -ldapfilter "(msds-lastknownrdn=greg)" -includedeletedobjects -properties lastknownparent That will show you that Greg was in the Sales OU. You ll notice in the output that the distinguished name, or DN, of the OU is weird, which is what AD does to the DN when it puts an object into the Recycle Bin. You might, for example, see a DN like this: "OU=Sales\0ADEL:e954edda-db8c-41be-bbbd-599bef5a5f2a,CN=Deleted Objects,DC=company,DC=com" 4 When the Active Directory Recycling Bin Isn t Enough

5 Now you need to find everything that was in that OU. Copy that mangled DN to the clipboard (highlight it in the shell and hit Enter), and then run this command. Notice here that the slash gets escaped by typing two slashes: Get-ADObject SearchBase "CN=Deleted Objects,DC=company,DC=com" -Filter {lastknownparent -eq 'OU=Sales\\0ADEL:e954edda-db8c-41be-bbbd- 599bef5a5f2a,CN=Deleted Objects,DC=commpany,DC=com'} -IncludeDeletedObjects -Properties lastknownparent Format-Table Wow, this is just like using the Recycle Bin in Explorer to recover a deleted file, right? You d notice in the output that the Sales OU also contained the West OU, so now you ll have to search for that sub-ous old contents: Get-ADObject SearchBase "CN=Deleted Objects,DC=company,DC=com" -Filter {lastknownparent -eq 'OU=West\\0ADEL:6b405c87-027c af- 36c31002be5a,CN=Deleted Objects,DC=company,DC=com'} -IncludeDeletedObjects -Properties lastknownparent ft Now you should have a list of all the users you need to restore, as well as all the OUs. # Sales OU Get-ADObject -ldapfilter:"(msds-lastknownrdn=sales)" IncludeDeletedObjects Restore-ADObject # Sales OU users and West OU Get-ADObject -SearchBase "CN=Deleted Objects,DC=company,DC=com" -Filter {lastknownparent -eq "OU=Sales,DC=company,DC=com"} -IncludeDeletedObjects Restore-ADObject # West OU users Get-ADObject -SearchBase "CN=Deleted Objects,DC=company,DC=com" -Filter {lastknownparent -eq "OU=West,OU=Sales,DC=company,DC=com"} -IncludeDeletedObjects Restore-ADObject My feeling is that the new Recycle Bin feature is a bare-minimum set of functionality; all but the smallest businesses would probably benefit from a more powerful and easier-to-use recovery tool. What features would such a tool offer? Going Beyond the Recycle Bin There are a lot of players in the add-on AD recovery space, and they ve created a compelling marketplace. I ve worked with many different products at my customers sites, and I ve developed a sort of wish list of the features I like to see present in such a solution: Graphical interface, preferably integrated with Active Directory Users and Computers. I m a big PowerShell fan, but for stuff that you shouldn t be doing that often, a GUI rocks. Recovery from a backup file. In other words, I don t necessarily need a recovery solution to store deleted objects in the directory - I m fine with them being stored in some kind of backup file. In fact, I prefer it, because it gets the deleted objects out of the directory. I have a few customers who are under government rules on how long they can retain employees personal information once those employees are gone, and the way the Recycle Bin works creates some legal complications for them. 5 When the Active Directory Recycling Bin Isn t Enough

6 Automation for hierarchies. You should be able to drag an entire OU back to life and get all of its sub- OUs and objects, all in one operation. Online recovery. The native feature doesn t require you to take a domain controller offline, and a thirdparty solution shouldn t, either. Bigger recovery. A third-party solution should combine single- and mass-object recovery with wholedomain, and potentially even whole-forest, recovery. There s no reason to use multiple tools. Targeted domain controller. You should be able to recover an object to whatever DC you want, so that you can get a user up and running quickly, without having to wait for replication (especially across sites). Comparisons. Sometimes, I don t want to restore a deleted user, I want to restore a changed user - which is something the native Recycle Bin feature can t do. In such cases, I want to be able to compare the currently-live object to one from a backup, so I can see exactly what I m going to be restoring. Note that, if you do elect to use a third-party recovery solution, you should not enable the native Recycle Bin feature unless your solution s vendor explicitly advises you to do so. You can also find some integrating auditing/recovery solutions. With these, you might look at an audit trail that shows changes being made to a user, or perhaps an OU being deleted. If you want to roll back those changes, you click a button and the solution uses a recent backup, or translation log, or something, to restore the object to its condition before that change. It s an interesting and useful approach, since it lets you easily put objects back to the way they used to be, even if they weren t entirely deleted. I ve heard of - but not personally seen - Active Directory Users and Computers graphical add-ins that leverage the underlying native feature. If you re okay with the caveats and limitations of the native Recycle Bin, then such an add-on would help eliminate the tedious, complex commands and make the native feature more of a true Recycle Bin. But most of the companies I ve worked with still prefer a more complete, third-party recovery solution. 6 When the Active Directory Recycling Bin Isn t Enough