The Evolution of Active Directory Recovery - PowerPoint PPT Presentation

SIA319. The Evolution of Active Directory Recovery. Ulf B. Simon-Weidner, Senior Consultant, Author, Trainer, Speaker, Computacenter, Germany. The Evolution of Windows, the Evolution of Active Directory. Windows Server Evolution. Active Directory gone bad. DC Recovery

Presentation Transcript


The Evolution of Active Directory Recovery

Ulf B. Simon-Weidner

Senior Consultant, Author, Trainer, Speaker

Computacenter, Germany

Active Directory gone bad

DC Recovery

  • Recreate or Restore
  • Where's a backup?
  • Is it the same Hardware?

Domain Recovery

  • Replicated Error in the domain partition
  • No DCs in the Domain are functional / replicate

Forest Recovery

  • Replicated Error in the configuration partition
  • Faulty Schema-Update
  • Corrupted Data (malicious or accidental)
  • No DCs in the Forest are functional / replicate
Different Scenarios

Multi-Object Recovery

  • Wrong Processes
  • Accidental Deletion
  • Bad Scripts / Tools

Object Recovery

  • Wrong Processes
  • Accidental Deletion
  • Bad Scripts / Tools

Attribute Recovery

  • Bad Scripts
  • Active Directory Users and Computers (WS2k3+): "accidental editing" of multiple objects


[Diagram: containers My Users, My Groups, My Computers]

Authoritative Restore


  • Getting a Domain Controller back via System State Restore


  • Using a non-authoritatively restored DC (which has not been replicated)
  • Or a DC which didn't receive the deletion yet
  • Mark objects as newer
  • Replicate




[Diagram: containers My Users, My Groups, My Computers]

Main Issue: Restoring Links
  • Users are members of Groups
  • There are other links, like Managers, Password Settings Objects, ...

To restore links:

  • Only forward links are writeable
  • Only forward links whose target is available will be restored


  • Authoritative restore at least twice, or
  • Use LDIFs (Windows Server 2003+)
  • Recycle Bin
Behind the scenes: NTDS.dit

Deletion: the object is moved into the "Deleted Objects" container and marked as deleted. Links are removed on each DC.

Recycle Bin: Lifecycle

[Diagram: Recycle Bin lifecycle. Without the Recycle Bin feature: Tombstone Lifetime (60/180 days), Auth Restore. With Recycle Bin enabled: Deleted Object, Deleted Object Lifetime (60/180 days), followed by another 60/180 days. © Microsoft]

NTDS.dit: AD Recyclebin





Schema extended -> Forest level -> Enable Recycle Bin

NTDS.dit: AD Recyclebin



User Deleted Object (Duration: Deleted Objects-Lifetime)






Restoring multiple Objects

Deleted Objects-Container

  • Everything flat
  • DN changed, attributes still exist, lastKnownParent helps

Objects must be reanimated into existing containers

  • Top to bottom
  • Evaluate lastKnownParent and lastKnownRDN
  • RDN > 128 chars is truncated







[Diagram: Undelete from CN=Deleted Objects. © Microsoft]

Issues and solution paths

Object(s) fully deleted: Recycle Bin

AD Recycle bin
  • Requires forest level Windows Server 2008 R2
    • New in R2: rollback to 2008 DL/FL is possible as long as the Recycle Bin is not enabled
  • The optional feature Recycle Bin must be enabled
    • Once on, it cannot be turned off
    • So you are stuck with your forest level
    • Make sure that you have a solid state before
  • Enables full restore of objects
    • To the state they had when they were deleted

Additional scripts and data help

New in Windows Server 2012

Active Directory Administrative Center

  • Supports Domain- and Forest level upgrade in the GUI
  • Supports enabling the Recycle bin in the GUI
  • Supports undeleting of single objects in the GUI

Undeleting multiple objects still requires PowerShell-Script

WS2k8+: Active Directory Snapshots

Create Snapshot

Ntdsutil.exe -> Snapshot -> Activate Instance NTDS -> Create

Mount Snapshot in the file system

Ntdsutil.exe -> Snapshot -> List All -> Mount {GUID}

Snapshot as read-only directory

Dsamain.exe -dbpath c:\$snap2007...\ntds.dit -ldapport 10000

Accessing the R/O directory's data

Active Directory Users & Computers, LDP, ADSIEdit, dsquery, ... against port 10000

Reanimating Tombstones

e.g. ADRestore, admod, LDP

Manually, Script, LDIF,..

Virtual DCs, ready for today?
  • “The most (forest/domain) recovery scenarios I’ve seen are caused by virtual environments!”
  • Lingering objects and USN rollbacks are very often caused by virtual environments!
  • “Don’t use it? Wrong! Do it right!”

Spread DCs across VM-Infrastructures

Don’t roll back Snapshots

Synchronize the right time

Virtualizing DCs: USN-Rollback






















  • DC01 (USN 2220) and DC02 (USN 1040) in sync – DC02 Snapshot created
  • DC01 (USN 2260) in sync with DC02 (USN 1080)
  • DC02 rolled back to Snapshot at USN 1040
  • Result:
    • DC01 thinks it has all updates from DC02 up to 1080, but DC02 is back at 1040: the changes DC02 now makes between 1040 and 1080 are never replicated to DC01
Virtualizing DCs in Windows Server 2012
  • Domain controllers recognize when they are being rolled back
  • DCs take the same action as after a supported System State restore and reinitialize their replication agreements
  • Requirements:
    • VM host must support the "VM Generation Identifier" (e.g. Hyper-V 3.0)
    • VM guest (= DC) must support the feature (Windows Server 2012)
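The rollback on the previous slide and the Windows Server 2012 behaviour on this one, as an added Python model that is not part of the deck: two toy DCs exchange changes by USN high-watermark, DC02 is snapshotted at 1040 and rolled back after reaching 1080. The model assumes that a VM-Generation-ID-aware DC answers a detected rollback by taking a new invocation ID, so its partner no longer trusts the old watermark for it.

```python
"""Added example (not from the deck): toy replication metadata reproducing the
slide's USN rollback and the WS2012 VM Generation ID fix. Assumption: a GenID-aware
DC takes a new invocation ID after a rollback, invalidating partners' watermarks."""
import copy
import uuid


class DC:
    def __init__(self, start_usn):
        self.invocation_id = uuid.uuid4()   # identity of this DIT instance
        self.usn = start_usn                # highest local USN
        self.log = []                       # (usn, object, value) originating writes
        self.watermark = {}                 # partner invocation_id -> highest USN seen
        self.data = {}                      # object -> value

    def write(self, obj, value):            # originating write consumes the next USN
        self.usn += 1
        self.data[obj] = value
        self.log.append((self.usn, obj, value))

    def pull_from(self, src):
        """Ask src only for changes above the watermark kept for its invocation ID."""
        seen = self.watermark.get(src.invocation_id, 0)
        for usn, obj, value in src.log:
            if usn > seen:
                self.data[obj] = value
        self.watermark[src.invocation_id] = src.usn

    def restore_snapshot(self, snap, genid_aware):
        """Roll the DIT back; only a GenID-aware DC changes its invocation ID."""
        self.usn, self.log, self.data = snap.usn, list(snap.log), dict(snap.data)
        if genid_aware:
            self.invocation_id = uuid.uuid4()


def usn_rollback(genid_aware):
    """Return (DC02's final USN, number of DC02 changes that DC01 never received)."""
    dc01, dc02 = DC(2220), DC(1040)
    dc01.pull_from(dc02)                    # in sync; DC02 snapshot taken now
    snap = copy.deepcopy(dc02)
    for i in range(40):                     # DC02 advances 1040 -> 1080
        dc02.write(f"user{i}", "before")
    dc01.pull_from(dc02)                    # DC01 records DC02 at 1080
    dc02.restore_snapshot(snap, genid_aware)   # DC02 back at 1040
    for i in range(40):                     # new writes reuse USNs 1041..1080
        dc02.write(f"group{i}", "after")
    dc01.pull_from(dc02)                    # legacy DC01 asks for usn > 1080: nothing
    return dc02.usn, sum(obj not in dc01.data for obj in dc02.data)
```

usn_rollback(False) loses all 40 post-rollback changes silently; usn_rollback(True) replicates them because the watermark for the new invocation ID starts at 0.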
Preventing human errors
  • Delegate permissions wherever possible
  • Avoid using built-in groups, especially Account Operators
  • Delegate Domain Admin rights if possible
  • Tools help
Preventing accidental deletions
  • In Windows Server 2008 (and R2):
    • Protect OUs from accidental deletion (GUI)
    • Migrated? Use PowerShell:

Get-ADOrganizationalUnit -Filter * | Set-ADOrganizationalUnit -ProtectedFromAccidentalDeletion $true

  • Can (and should) be done in W2k(3) "manually":
    • DENY Delete & Delete Subtree for Everyone on all OUs

for /f "tokens=*" %i in ('dsquery ou -limit 0') do dsacls %i /d everyone:SDDT

  • Suggestion:
    • Change the default security descriptor of OUs to ensure that delegated admins and older tools "inherit" the default
Preparation: Backup
  • It is very important to backup the right data
    • Systemstate (at least)
    • List of objects (distinguishedNames)
    • GPOs (contents)
    • GPO-Links
  • Optionally: maintain Versions of Backup
  • Optionally: keep AD-Snapshots
Windows Backup
  • System State Backup
    • Data which is needed to restore the DC over an existing OS
    • WS2k8 only: the System State backup has to be done via the command line
  • Critical Volume Backup
    • On "dedicated DCs" usually just 15% more
    • Bare Metal Restore
  • If incremental backups are used, don't forget to create full backups regularly as well
  • Windows Server Backup needs to be installed:

powershell.exe -command "&{import-module ServerManager; add-windowsfeature Backup}"
Lists of objects
  • All distinguished names (for authoritative restore):

dsquery * domainroot -scope subtree -attr modifytimestamp distinguishedname -limit 0 > c:\backupdata\objlist.txt

  • All GPOs (requires BackupAllGPOs.wsf and Lib_CommonGPMCFunctions.js from the GPMC scripts):

cscript e:\scripts\BackupAllGPOs.wsf c:\BackupData

  • GPO links and their options, of the domain and of the sites:

ldifde -f c:\Backupdata\DomainGpoLinks.ldf -r "(gplink=*)" -l gplink,gpoptions

ldifde -f c:\Backupdata\SiteGpoLinks.ldf -d cn=configuration,dc=… -r "(gplink=*)" -l gplink,gpoptions
Create Backup / Snapshots
  • Create the backup in the script:

wbadmin.exe START BACKUP -backupTarget:%TargetUNC% -allCritical -include:c:,e: -noVerify -vssFull -quiet

  • Create AD snapshots:

Ntdsutil.exe snapshot "Activate Instance NTDS" create quit quit

Maintain Versions

How many backups should be kept at the UNC?

REM !count! needs delayed expansion; dir /o:-d lists newest first, so everything
REM beyond the first %Backup2Keep% entries is deleted
setlocal EnableDelayedExpansion
set Backup2Keep=10
set count=0
for /f "tokens=*" %%i in ('dir /o:-d /b %TargetUNC%\WindowsImageBackup\%computername%\backup*.') do (
    set /a count=!count! + 1
    if !count! GTR %Backup2Keep% (
        echo DELETE !count!: %%i
        rd /s /q "%TargetUNC%\WindowsImageBackup\%computername%\%%i"
    ) else (
        echo MAINTAIN !count!: %%i
    )
)

Works against local or remote (UNC) repositories, even SMB filers ;)

Snapshots as additions
  • Enable "Versions"

Can be used in Quest's AD Recovery Manager

  • Should be "managed":
    • VSS only assures the "volume" of recent snapshots to be kept
    • They grow over time
    • The dit might be small
  • What we do:
    • Configure how many snapshots are kept fully
    • Copy the DIT out of the snapshot to a repository
    • Configure how many DITs are kept
    • Delete old snapshots / DITs
Issues and solution paths

Object(s) fully deleted: Recycle Bin


  • Enable the Recycle Bin:

Enable-ADOptionalFeature 'Recycle Bin Feature' -Scope ForestOrConfigurationSet -Target (Get-ADForest).Name

  • Find deleted objects:

Get-ADObject -LDAPFilter '(&(name=Ulf*)(isDeleted=*))' -IncludeDeletedObjects

  • Restore deleted objects (and their links):

… | Restore-ADObject

  • Restore tree: leverage script from
Restoring Object Data
  • Export: LDIFDE -r "(name=)" -m -f filename.ldf -p port
  • Import: LDIFDE -i -z -f input.ldf

dn: CN=User,OU=Demo,DC=xyz,DC=com
changetype: add
cn: User_Marketing
sn: Marketing
c: DE
l: Hometown
title: Worker-Bee

dn: CN=User,OU=Demo,DC=xyz,DC=com
changetype: modify
replace: cn
cn: User_Marketing
-

dn: CN=User,OU=Demo,DC=xyz,DC=com
changetype: modify
replace: sn
sn: Marketing
-

dn: CN=User,OU=Demo,DC=xyz,DC=com
changetype: modify
replace: c
c: DE
-
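The conversion this slide illustrates (an exported add record turned into one modify/replace record per attribute, so the import updates objects that already exist), as an added Python example that is not part of the deck. The LDIF it parses is constructed sample data; folded lines and the "::" base64 marker are handled so values pass through untouched.

```python
"""Added example (not from the deck): turn an ldifde export into the per-attribute
'changetype: modify' records the slide shows. SAMPLE_LDIF is constructed data."""

SAMPLE_LDIF = """\
dn: CN=User_Marketing,OU=Demo,DC=xyz,DC=com
changetype: add
objectClass: user
cn: User_Marketing
description:: V29ya2VyLUJlZQ==

dn: CN=Marketing,OU=Demo,DC=xyz,DC=com
changetype: add
objectClass: group
member: CN=User_Marketing,OU=Demo,DC=xyz,DC=com
member: CN=Ulf,OU=Demo,
 DC=xyz,DC=com
"""


def parse_ldif(text):
    """Records as (dn, [(attr, sep, value)]); sep is ': ' or ':: ' for base64."""
    records, lines = [], []
    for raw in text.splitlines() + [""]:
        if raw.startswith(" ") and lines:              # folded continuation line
            lines[-1] += raw[1:]
        elif raw.strip() and not raw.startswith("#"):
            lines.append(raw)
        elif lines:                                    # blank line ends a record
            attrs = []
            for line in lines:
                attr, rest = line.split(":", 1)
                sep = ":: " if rest.startswith(":") else ": "
                attrs.append((attr, sep, rest.lstrip(": ")))
            dn = next(v for a, _, v in attrs if a.lower() == "dn")
            records.append((dn, [t for t in attrs if t[0].lower() != "dn"]))
            lines = []
    return records


def to_modify_records(records, skip=("changetype", "objectclass")):
    """One 'replace' per attribute, multi-valued attributes (member) kept together;
    objectClass cannot be replaced on an existing object, so it is skipped."""
    out = []
    for dn, attrs in records:
        grouped = {}
        for attr, sep, value in attrs:
            if attr.lower() not in skip:
                grouped.setdefault(attr, []).append(f"{attr}{sep}{value}")
        for attr, value_lines in grouped.items():
            out.append("\n".join([f"dn: {dn}", "changetype: modify",
                                  f"replace: {attr}", *value_lines, "-", ""]))
    return "\n".join(out)
```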


Different Scenarios
  • Objects underneath a specific OU

ldifde -d "ou=Demo,dc=…" -m -f filename.ldf -p port

  • Specific objects

ldifde -d "ou=Demo,dc=…" -r "(objectClass=User)" -f filename.ldf -p port

  • Specific attributes

ldifde -d "ou=demo,dc=…" -l "physicalDeliveryOfficeName,telephoneNumber" -f filename.ldf -p port

Restoring Links

Forward link in the restored object:

Will be recovered if the target is there

Otherwise read it from the snapshot and update

Backlink in the restored object:

Update the object holding the forward link, e.g. add the recovered object to every group listed in its memberOf:

dsget user cn=Ulf,ou=Demo,dc=xyz,dc=com -s localhost:10002 -memberof | dsmod group -addmbr cn=Ulf,ou=Demo,dc=xyz,dc=com


Run this procedure against a GC (recovered or snapshot) in every domain

Ways to get data
  • Recycle Bin: available if all DCs are WS2k8R2 or higher
  • Snapshots: available if one DC (per domain) is WS2k8+
  • W2k(3): backups also create a consistent state of the DIT
  • WS2k3 DITs and higher can be mounted with dsamain (-allowUpgrade)
  • WS2k8 w/o DC (member or stand-alone) can mount DITs: AD binaries or AD LDS
  • Windows 7/8: AD LDS for Win7 brings dsamain
Deploy your Backup Strategy

Group Policy Preferences in WS2k8R2:

  • Create a policy which
    • Creates folders
    • Copies the files needed
    • Creates a scheduled task
  • One policy each for
    • DCs_which_are_backed_up
    • DCs_which_maintain_snapshots (create and manage)
    • All_DCs, to synchronize the NTDS password
  • Prepare RDP for Directory Services Restore Mode
    • RDP into the machine -> change the default boot option -> reboot -> RDP into DSRM

bcdedit /copy {current} /d
bcdedit /set {%i} safeboot dsrepair

  • Sync the DSRM password:
    • Deactivated domain account
    • Regularly set its password
    • Schedule the following command line on all DCs (via GPO)

ntdsutil "set dsrm password" "sync from domain account xyz" q q
Get your data up-to-date after the restore
  • Documented changes help
  • Windows Server 2008+: auditing of object changes

auditpol /get /category:"DS Access"
auditpol /set /subcategory:"Directory Service Changes" /success:enable

  • Maybe an ntds.dit of the faulty state; use the AD Snapshot Browser
  • Link-value replication also helps (if the domain is at Windows Server 2003 and the group was edited afterwards)
Extending the Management Interfaces
  • Active Directory Administrative Center
    • Registering legacy-tabs for objects is possible
    • Extending the Context-Menu is not possible
  • Active Directory Users and Computers
    • Both options are still possible
Consider DC Cloning for Recovery in Windows Server 2012

First DC recovered from Backup

Additional DCs deployed using Cloning


Think beyond

One company manages 5000 separate, single-domain forests via slow lines

Data needs to stay on decentral premises

Minimum infrastructure / storage; regular backups too large

1 DC + clients, at considerable physical risk of being stolen

Single DC Restore

Task: How to restore an AD without using large Backups?

  • Known AD and OU structure which is installed automatically
  • Create a dump of all users and groups with minimal information (import would create them)
  • Create a dump of all users and groups with all information (import will modify attributes)
  • Create a list of all computers
  • Create a list of all users/groups and their SIDs

To restore:

  • During installation of AD, the server recognizes that it is being rebuilt
  • Creates the minimum users and groups from the script
  • Modifies all writeable attributes of users and groups (incl. links)
  • Adds the new SIDs to the list of users/groups: Old SID -> New SID
  • Re-ACL: change all permissions Old SID -> New SID
  • Rejoin computers to the domain (netdom + re-ACL)
Related Content

Note to Track-Owner / "PowerPoint Scrubbers":

I have one of the last sessions. Product Demo Stations are closed after I'm finished, so I cannot be there for attendees after my session (and IMHO it does not make sense mentioning the Product Demo Station on this slide).

I'll be available after the session for Q&A, maybe taking it outside in the hall, or via contact on my blog

  • Breakout Sessions: SIA313 (2:45 S220A), Review Sessions you missed online

Hands-on Labs: SIA11-HOL, SIA21-HOL, WSV44-HOL

Related Certification Exam: (70-410 + 70-411 + 70-412) or 70-416 (available later this year)

Find Me Later: Q&A after the session,


© 2012 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.

The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.