One of the tasks detested by many AD administrators is the recovery of deleted objects. Recovery efforts typically include restarting a production domain controller in Directory Services Restore Mode, getting the latest System State backup restored on the DC, and using NTDSUTIL to Authoritatively Restore the deleted objects.
While that process works well, it can be very time consuming, assuming that a good backup is available. For those of you who have upgraded your infrastructure to AD 2008 R2, you are now fortunate to have access to the AD Recycle Bin. However, for those that are on pre-2008 R2 domain, this process is still necessary.
There is one option that can be used to quickly restore deleted objects without depending on system state backups. This option does require an additional server, but it is well worth it if you are supporting a large organization that routinely deletes objects that need to be restored.
The typical restore time using the following design can be from 5-15 minutes, rather than up to several hours using the traditional restore methods. This option creates a sort of “Online Backup” of your AD objects.
To create this “Online Backup” all you need to simply do is create an additional SITE, possibly called “Recovery” using the Active Directory Sites and Services Console (ADSS). To further segregate this site, it would be best to place it on its own dedicated subnet so that you can effectively control traffic to and from this site.
You really do not want users to use the “Recovery DC” for authentication and authorization since it’s going to have somewhat stale AD information. From a physical perspective, this site can be located in the same data center as your other DCs.
Once the Site and Subnet object is created, the next step is to create a new SITELINK, possibly called RECOVERY_SITELINK which connects the Recovery Site with another major site defined in AD. Configure this new SITELINK to ONLY replicate during off-peak hours, for example, between 11:00 pm and 6:00 am.
You can shorten this window for smaller AD infrastructures. You only need this window to be as big as needed so that the Recovery DC can replicate with other production DCs periodically.
The result of this design is that any object deleted prior to 11:00 pm can be immediately recovered using the “Recovery DC” without using a backup. After 11:00 pm, you will be forced to use a good backup from the previous day. This is because the deletion has not replicated to the “Recovery DC”.
Let’s take a look at an example in more detail. Say a user’s object gets deleted in error at 2:00 pm by a Help Desk technician. When the object is deleted, AD will replicate the deletion of this object to the rest of the DCs in the domain according to intra-site and inter-site replication schedules. From an intra-site perspective, the DCs in the site that had the deletion take place would replicate the deletion almost immediately.
However, depending on the SITELINKS in place, the rest of the DCs in the domain may replicate as quickly as 15 minutes or several hours. Again, that would depend on the SITELINKS in place. However, the “Recovery DC” will NOT replicate the deletion until 11:00 pm that evening.
If the Help Desk Technician reports this event before 11:00 pm, an Active Directory Administrator can use the Recovery DC to quickly restore the object. Here is how it would be done:
For a 2000 or 2003 Recovery DC:
- Restart the DC in Directory Services Restore ModeOpen a command prompt using Administrator credentialsStart the NTDSUTIL promptPerform an AUTHORITATIVE RESTORE of the deleted object(s)Restart the DC in normal mode
For a 2008 Recovery DC:
- Stop the service, “Active Directory Domain Services”Open a command prompt using Administrator credentialsStart the NTDSUTIL promptPerform an AUTHORITATIVE RESTORE of the deleted object(s)Start the service, “Active Directory Domain Services”
Since the object that was deleted was authoritatively restored, once replication has been completed domain-wide, the object will be fully restored on all DCs. The procedure of the “authoritative restore” will be slightly different depending on the type of object (user, computer, group, OU, etc…).
As you can read, as long as you are aware of the deletion within the same day, recovery of the deleted objects can be performed in a fraction of the time.
Additional Resources:
Performing an Authoritative Restore of Active Directory Objectshttp://technet.microsoft.com/de-de/library/cc779573(WS.10).aspx
How to restore deleted user accounts and their group memberships in Active Directoryhttp://support.microsoft.com/kb/840001/en-us