Quickly Recovering Deleted Active Directory Objects



Similar documents
Active Directory 2008 Operations

Protecting Data with a Unified Platform

Auditing File and Folder Access

Maximizing Your Desktop and Application Virtualization Implementation

Managing for the Long Term: Keys to Securing, Troubleshooting and Monitoring a Private Cloud

How Configuration Management Tools Address the Challenges of Configuration Management

The Essentials Series: Enterprise Identity and Access Management. Authorization. sponsored by. by Richard Siddaway

How to Install SSL Certificates on Microsoft Servers

Protecting Data with a Unified Platform

The Art of High Availability

Controlling and Managing Security with Performance Tools

Developing a Backup Strategy for Hybrid Physical and Virtual Infrastructures

Why Endpoint Encryption Can Fail to Deliver

Account Access Management - A Primer

Becoming Proactive in Application Management and Monitoring

Virtual Machine Environments: Data Protection and Recovery Solutions

Best Practices for Log File Management (Compliance, Security, Troubleshooting)

Mitigating Risks and Monitoring Activity for Database Security

What Are Certificates?

Understanding & Improving Hypervisor Security

Eradicating PST Files from Your Network

Real World Considerations for Implementing Desktop Virtualization

Tips and Best Practices for Managing a Private Cloud

Steps to Migrating to a Private Cloud

Streamlining Web and Security

The Definitive Guide. Active Directory Troubleshooting, Auditing, and Best Practices Edition Don Jones

Active Directory Recovery: What It Is, and What It Isn t

Collaborative and Agile Project Management

Isolating Network vs. Application Problems

Maximizing Your Desktop and Application Virtualization Implementation

The Essentials Series: Enterprise Identity and Access Management. Authentication. sponsored by. by Richard Siddaway

How to Use SNMP in Network Problem Resolution

Maximizing Your Desktop and Application Virtualization Implementation

Realizing the IT Management Value of Infrastructure Management

Tips and Tricks Guide tm. Windows Administration. Don Jones and Dan Sullivan

How to Install SSL Certificates on Microsoft Servers

Microsoft Active Directory Backup and Recovery in Windows Server written by Shawn Barker Product Manager, Quest Software, Inc.

Using Web Security Services to Protect Portable Devices

How To Protect Your Active Directory (Ad) From A Security Breach

11 Things to Know About Active Directory Recovery

The Next-Generation Virtual Data Center

Active Directory Change Notifier Quick Start Guide

Active Directory Disaster Recovery Workshop. Lab Manual Revision 1.7

The Business Case for Security Information Management

Data Protection in a Virtualized Environment

The Shortcut Guide To

How to Install SSL Certificates on Microsoft Servers

Digipass Plug-In for IAS. IAS Plug-In IAS. Microsoft's Internet Authentication Service. Installation Guide

Installing CPV Lab Version 2.17

Quest ChangeAuditor 5.1 FOR ACTIVE DIRECTORY. User Guide

Beyond the Hype: Advanced Persistent Threats

SAM 8.0 Backup and Restore Guide. SafeNet Integration Guide

Active Directory backup and restore with Acronis Backup & Recovery 11. Technical white paper. o o. Applies to the following editions: Advanced Server

8.7. Target Exchange 2010 Environment Preparation

Dell Recovery Manager for Active Directory 8.6.0

Malware, Phishing, and Cybercrime Dangerous Threats Facing the SMB State of Cybercrime

Object Level Authentication

Active Directory backup and restore with Acronis Backup & Recovery 10

Dell Statistica Statistica Enterprise Installation Instructions

CA VPN Client. User Guide for Windows

Dell Enterprise Reporter 2.5. Configuration Manager User Guide

10 Must-Have Features for Every Virtualization Backup and Disaster Recovery Solution

BES10 Self-Service. Version: User Guide

LifeSize Control Installation Guide

Top 10 Most Popular Reports in Enterprise Reporter

Dell Spotlight on Active Directory Server Health Wizard Configuration Guide

Transcription:

The Essentials Series: Tackling Active Directory s Four Biggest Challenges Quickly Recovering Deleted Active Directory Objects sponsored by by Greg Shields

Qu ickly Recovering Deleted Active Directory Objects... 1 The Native Solution... 1 The Need for Better Tools... 2 i

Copyright Statement 2009 Realtime Publishers. All rights reserved. This site contains materials that have been created, developed, or commissioned by, and published with the permission of, Realtime Publishers (the Materials ) and this site and any such Materials are protected by international copyright and trademark laws. THE MATERIALS ARE PROVIDED AS IS WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE AND NON-INFRINGEMENT. The Materials are subject to change without notice and do not represent a commitment on the part of Realtime Publishers or its web site sponsors. In no event shall Realtime Publishers or its web site sponsors be held liable for technical or editorial errors or omissions contained in the Materials, including without limitation, for any direct, indirect, incidental, special, exemplary or consequential damages whatsoever resulting from the use of any information contained in the Materials. The Materials (including but not limited to the text, images, audio, and/or video) may not be copied, reproduced, republished, uploaded, posted, transmitted, or distributed in any way, in whole or in part, except that one copy may be downloaded for your personal, noncommercial use on a single computer. In connection with such use, you may not modify or obscure any copyright or other proprietary notice. The Materials may contain trademarks, services marks and logos that are the property of third parties. You are not permitted to use these trademarks, services marks or logos without prior written consent of such third parties. Realtime Publishers and the Realtime Publishers logo are registered in the US Patent & Trademark Office. All other product or service names are the property of their respective owners. If you have any questions about these terms, or if you would like information about licensing materials from Realtime Publishers, please contact us via e-mail at info@realtimepublishers.com. ii

Quickly Recovering Deleted Active Directory Objects It s happened to your domain before. You walk back in after a long lunch or notice something peculiar as you re packing up for a long weekend. Users are calling in to complain that they can t access their resources. They re seeing errors all across the board when attempting to accomplish anything on their desktops. It s like someone has deleted their accounts. Or, even worse, someone has deleted an entire Organizational Unit (OU) full of them. At this point, you find yourself setting down your leftovers or your coat, realizing that you re about to be at work quite a bit later than you expected this evening. For a platform as powerful and pervasive as Active Directory (AD), it s a wonder how easy it remains to accidentally destroy huge sections of it. Whether you re a low level Help desk administrator or an all powerful Domain Admin, most IT professionals have enough rights to create this kind of havoc. Deleting a user account or an OU full of them is a particularly big problem. A problem that even today doesn t have a good resolution using native Windows tools alone. The Native Solution If this has happened to you, here s a glimpse of the process you re forced to undertake: Step1: Locate a Domain Controller that is also a Global Catalog (GC) and disconnect this server from the network. Step 2: Reboot the server into Directory Services Restore Mode and login using that server s unique DSRM password. On servers previous to Windows Server 2008, this can be done by repeatedly pressing the F8 key during the boot cycle to bring forward the boot menu. The process changes in Windows Server 2008, requiring you to run the MSCONFIG utility before rebooting. Once launched, navigate to the Boot tab and under the Boot Options selection box, choose to reboot into Safe boot Active Directory repair. Step 3: Restore the AD database also known as a System State Restore to the Domain Controller from a recent backup before the deletion event. This nonauthoritative restore will not actually restore any deleted objects. It only enables old objects that have been deleted to be selectively (authoritatively) restored in the next step. Step 4: Perform an authoritative restore on the object or objects that have been deleted. This involves launching the NTDSUTIL tool with the command ntdsutil authoritative restore. Then, restore the specific object with the command restore subtree <objectdn>. The value for <objectdn> will be the distinguished name (DN) of the object or container that was deleted. 1

Step 5: Reconnect the Domain Controller to the network and reboot it back into normal mode. Ensure that the restored object or objects replicate correctly to all Domain Controllers in the domain. Step 6: As the Domain Controller reboots, it will create a series of.ldf files. These files include the necessary back link information, which can be used to restore the groups of which the deleted object was a member. Restore those back links for each object using the command ldifde i k f <ldffile>. The file name structure of these.ldf files will resemble ar_<date> <time>_links_<domainname>.ldf. This process appears relatively trivial until you realize one piece of missing information. To properly restore a deleted object in Step 4, you must know the DN of that object. Thus, in order to know its DN, you must first know which objects were deleted. If an entire OU of objects was deleted, you ll need to know each of the objects to individually restore. For a large swath of deleted objects, this process can be complex to the point of absurdity. Even Windows Server 2008 R2 s Recycle Bin Is Insufficient At first blush, Windows Server 2008 R2 s new Recycle Bin feature might seem like a good solution. The new AD Recycle Bin provides a mechanism to bring back objects that have been deleted from your AD. However, it s important to know that AD s Recycle Bin isn t like the one you see on your desktop. Enabling its functionality requires upgrading your entire AD forest to the Windows Server 2008 R2 forest functional level. This means that each and every Domain Controller must also be at Windows Server 2008 R2, a process that can take a long time to complete. Even more challenging, actually using the AD Recycle Bin requires the use of scripting to restore an object. So, the less experienced admins who are more likely to cause a deletion problem are less likely to be able to fix it. The Need for Better Tools Organizations that base their computing infrastructure on AD cannot afford the lengthy and error ridden process of manually restoring objects after an accidental mouse click. Yet this manual process is the only way to solve the problem with Windows native tools. With the right third party tools in place, finding and restoring deleted AD objects can be as easy as the few mouse clicks that deleted them in the first place. These tools take and catalog regular snapshots of AD structure and objects, allowing administrators to look backwards in time. They provide a way to compare previous with current snapshots to quickly find and automatically restore lost objects. Yet the problem doesn t stop there. Best in class third party tools provide much needed further protections. They enable the additional capability to quickly restore your entire AD domain or forest in the case of corruption or malicious activity. Having this emergency restore capability in your back pocket is critical because every deleted object is equal to a worker s lost productivity, and every downed domain means an entire business going down. As such, implementing the right tools for comprehensive deletion protection is critical to turning major problems into minor restores. 2

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information