Online Recovery of Active Directory Deleted Objects and the Windows Server 2008 R2 Recycle Bin

John Craddock

Infrastructure & Security Architect

XTSeminars Ltd

Session Code: SIA402

Agenda
  • Deleting and recovering directory objects
  • How objects are stored
  • Incoming and outgoing linked-attributes
  • Authoritative restore
  • Enabling the Recycle Bin
  • Live, deleted and recycled objects
  • Recovering deleted objects from the Recycle Bin
Once Upon a Time

Diagram: Live Object --Delete--> Deleted object (stripped of assets). There is no online way back; the only option for recovery was an Authoritative Restore.

  • Why is the deleted object retained in the database?
    • So that the deletion can replicate to other DCs

Significant Events

Timeline:
  • Windows Server 2003 SKU: re-animation of deleted objects
  • Windows Server 2003 forest functional level: linked-value replication
  • Windows Server 2008 R2 forest functional level: Recycle Bin can be enabled

Object Deletion

Diagram: Live object --Delete--> Tombstone object (majority of attributes deleted) --Garbage collection, after the tombstone lifetime (180 days)--> Purged from directory. The only way back is an offline authoritative restore.

  • The object is moved to the deleted objects container
    • Referred to as a tombstone
    • isDeleted attribute is set TRUE
    • The majority of attribute values are removed
      • Attributes can be retained by setting their searchFlags property

Object Deletion (continued)
  • The RDN of the object is changed to a "delete-mangled RDN"
    • The mangled RDN includes the GUID of the object
      • Guarantees the mangled RDN is unique within the Deleted Objects container
        • There is no hierarchy in the container
  • Linked-attribute values (references) to and from the object are deleted
    • Not controlled by searchFlags
Tombstone Lifetime
  • The object remains as a tombstone object for the Tombstone Lifetime (TSL = 180 days)
    • After this period the Garbage Collection service purges the object from the database
  • Backups older than the TSL cannot be used
    • This prevents objects that were deliberately deleted from being reintroduced
Object Storage
  • If an object is moved, the PDNT (parent DNT) of its record is updated; the record itself never moves in the database
Viewing the Database
  • dumpdatabase is an operational (RootDSE) attribute
    • Dumpdatabase: dumps a text version of the database in the NTDS directory
    • Invoked as a modify against RootDSE (no DN), giving the name of the operational attribute and the attributes required for the operation

Working with Deleted Objects
  • To view deleted objects requires an LDAP control
    • Can select the control in LDP
  • Windows 2008 R2 PowerShell with AD module
    • Get-ADObject -LDAPFilter "<LDAP filter>" -IncludeDeletedObjects
Reanimating an Object
  • Using LDP, in one operation you must
    • Remove the isDeleted attribute
    • Replace distinguishedName attribute with a new value
  • Use ADRestore from the Sysinternals tools
  • Create own utility
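The search-then-reanimate sequence the two slides above describe, as an added example that is not part of the original deck: it uses the .NET System.DirectoryServices.Protocols classes to attach the LDAP show-deleted control (the control LDP lets you select) and issues both changes, deleting isDeleted and replacing distinguishedName, in a single modify. The server name, domain DN and account name are assumed placeholders; sAMAccountName is used to locate the tombstone because it is one of the attributes retained on deletion, and recycled objects are excluded because they can no longer be reanimated.

```powershell
# Added example, not from the original deck: locate a tombstone with the LDAP
# show-deleted control and reanimate it in one modify operation (delete isDeleted,
# replace distinguishedName), the same two changes the slide lists for LDP.
# Server, domain DN and account name are assumed placeholders.
Add-Type -AssemblyName System.DirectoryServices.Protocols
$P = 'System.DirectoryServices.Protocols'

function Connect-Ldap {
    param([Parameter(Mandatory)][string]$Server)
    $conn = New-Object "$P.LdapConnection" -ArgumentList $Server
    $conn.SessionOptions.ProtocolVersion = 3
    $conn.SessionOptions.Signing = $true     # integrity-protect the session
    $conn.SessionOptions.Sealing = $true     # and encrypt it
    $conn.Bind()                             # bind as the current Windows identity
    return $conn
}

function Find-Tombstone {
    param($Conn, [string]$DomainDn, [string]$SamAccountName)
    # sAMAccountName survives deletion, so it can identify the tombstone; a
    # recycled object (isRecycled=TRUE) can no longer be reanimated and is excluded.
    $req = New-Object "$P.SearchRequest"
    $req.DistinguishedName = "CN=Deleted Objects,$DomainDn"
    $req.Scope  = [System.DirectoryServices.Protocols.SearchScope]::OneLevel
    $req.Filter = "(&(isDeleted=TRUE)(!(isRecycled=TRUE))(sAMAccountName=$SamAccountName))"
    $req.Attributes.AddRange([string[]]@('isDeleted', 'lastKnownParent', 'objectGUID', 'sAMAccountName'))
    # Without this control the server hides deleted objects from the search.
    $null = $req.Controls.Add((New-Object "$P.ShowDeletedControl"))
    return $Conn.SendRequest($req).Entries
}

function Restore-Tombstone {
    param($Conn, $Entry, [string]$NewDn)
    $mod = New-Object "$P.ModifyRequest"
    $mod.DistinguishedName = $Entry.DistinguishedName   # the delete-mangled DN

    $delIsDeleted = New-Object "$P.DirectoryAttributeModification"
    $delIsDeleted.Name = 'isDeleted'
    $delIsDeleted.Operation = [System.DirectoryServices.Protocols.DirectoryAttributeOperation]::Delete

    $setDn = New-Object "$P.DirectoryAttributeModification"
    $setDn.Name = 'distinguishedName'
    $setDn.Operation = [System.DirectoryServices.Protocols.DirectoryAttributeOperation]::Replace
    $null = $setDn.Add($NewDn)

    # Both modifications travel in one request; the show-deleted control is
    # required on the modify as well, or the server reports no such object.
    $null = $mod.Modifications.Add($delIsDeleted)
    $null = $mod.Modifications.Add($setDn)
    $null = $mod.Controls.Add((New-Object "$P.ShowDeletedControl"))
    return $Conn.SendRequest($mod)   # throws DirectoryOperationException if refused
}

$conn     = Connect-Ldap -Server 'dc1.example.com'            # assumed
$domainDn = 'DC=example,DC=com'                               # assumed
$hits     = Find-Tombstone -Conn $conn -DomainDn $domainDn -SamAccountName 'maria'
if ($hits.Count -ne 1) { throw "Expected exactly one tombstone for 'maria', found $($hits.Count)" }

$tombstone = $hits[0]
$oldParent = [string]$tombstone.Attributes['lastKnownParent'][0]
$sam       = [string]$tombstone.Attributes['sAMAccountName'][0]
$result    = Restore-Tombstone -Conn $conn -Entry $tombstone -NewDn "CN=$sam,$oldParent"
"Reanimated to CN=$sam,$oldParent (result code $($result.ResultCode))"
```

The reanimated object comes back with only the retained attributes, exactly as the next slide describes; the password and the linked-attribute values still have to be repopulated by other means.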
Restored User Object
  • Most attributes missing, including the password
  • All inbound linked attribute values missing
    • For example, group membership
  • All outbound linked attribute values missing
    • For example, attribute containing link to manager
  • Could repopulate missing values from mounted directory snapshot
  • Microsoft solution is an authoritative restore
    • Restoring linked attribute values can be problematic
Object References
  • One object can reference another either as a direct reference or using a linked-attribute reference
  • With a direct reference the attribute on one object references the DN of another object
Direct References

Diagram: users Debbie (DNT 4031), Dave (DNT 4032) and Valya (DNT 4033); the secretary attribute on one object points at another. The reference is shown in the UI as a DN but stored as a DNT.

  • If Dave is deleted
    • Incoming references remain
    • Outgoing references remain
      • Provided the attribute that holds the reference is retained on logical deletion

Linked Attributes
  • Linked attributes consist of a forward-link and back-link pair
  • The forward link can be populated and the back link is calculated
    • Forward links may be single-valued or multi-valued
    • Back links are always multi-valued
  • Each linked pair is identified by the linkID property of an attribute
    • Forward linkIDs are even (n) and for each forward link the associated back-link is an odd number (n+1)
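The linkID rule on this slide can be checked against a live schema. The PowerShell below is an added example, not code from the deck: it reads every attributeSchema object that carries a linkID, pairs each even linkID n with the attribute whose linkID is n+1, and reports whether the forward link is single-valued. The Active Directory module and a reachable domain controller are assumed.

```powershell
# Added example, not from the deck: pair forward links with their back links
# from the schema using the linkID rule on the slide (forward = even n, back = n+1).
Import-Module ActiveDirectory

function Get-ADLinkedAttributePair {
    param([string]$Server)
    $opt = @{}
    if ($Server) { $opt.Server = $Server }

    $schemaNc = (Get-ADRootDSE @opt).schemaNamingContext
    $linked = Get-ADObject @opt -SearchBase $schemaNc `
                  -LDAPFilter '(&(objectClass=attributeSchema)(linkID=*))' `
                  -Properties lDAPDisplayName, linkID, isSingleValued

    # Index by linkID so the partner of n can be looked up as n+1.
    $byLinkId = @{}
    foreach ($a in $linked) { $byLinkId[[int]$a.linkID] = $a }

    foreach ($fwd in ($linked | Where-Object { ([int]$_.linkID % 2) -eq 0 } | Sort-Object { [int]$_.linkID })) {
        $n    = [int]$fwd.linkID
        $back = $byLinkId[$n + 1]          # may be absent: a forward link with no back link
        [pscustomobject]@{
            ForwardLink  = $fwd.lDAPDisplayName
            LinkID       = $n
            SingleValued = [bool]$fwd.isSingleValued        # forward links may be single- or multi-valued
            BackLink     = $(if ($back) { $back.lDAPDisplayName } else { '(none)' })
            BackLinkID   = $(if ($back) { $n + 1 } else { $null })
        }
    }
}

# The pairs the deck uses: manager/directReports (the "Reports" back link) and member/memberOf.
Get-ADLinkedAttributePair |
    Where-Object { $_.ForwardLink -in 'manager', 'member', 'managedBy' } |
    Format-Table -AutoSize
```

Back links never appear as forward links in the output because they all have odd linkIDs, which is the property the deck relies on when it says the back link is calculated rather than stored.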
Single To Multi-Valued

Diagram: link table (simplified) for the manager (forward link, single-valued) and Reports (back link, multi-valued) pair among the users John, Maria, Tom, Nicola and Peter.

  • An entry is created in a link table when a value is added to the manager attribute
    • The link tables are constructed on each DC and hold the DNT values
Multi-Valued To Multi-Valued

Diagram: link table (simplified) for the member (forward link) and MemberOf (back link) pair: groups G1, G2 and G3 with the users John and Maria as members.
Delete Maria

Diagram: the manager/Reports link table with Maria's rows struck out (X).

  • All outbound linked-attribute values are removed
Delete Maria (continued)

Diagram: the member/MemberOf link table with every row that references Maria struck out (X).

  • All inbound linked-attribute values are removed
Restoring Linked Attributes

Diagram: Reanimated object -> manually restore all attribute values -> manually restore all forward-link references.

  • Alternative to online reanimation
    • Authoritative restore
    • Third party solution

Authoritatively Restoring Maria
  • Options
    • Boot into DS Restore Mode on a DC that has not received the replicated deletion of Maria
      • A lag-site may have been created for this
    • Boot a DC into DS Restore Mode
      • Restore AD from backup
  • In DS Restore Mode mark Maria as authoritative
    • Use ntdsutil
  • Restart the domain controller
How successful will you be?
  • On the authoritatively restored DC
    • Maria is completely recovered including all entries for incoming and outgoing linked-attributes
      • Maria is a member of groups G1, G2 and G3
      • Maria's manager attribute refers to Peter
    • All of Maria's attributes are marked as authoritative and will replicate to the other DCs in the domain
  • The incoming linked-attribute values may or may not replicate
    • It depends on the current forest functional level and the level when Maria was added to the groups
Linked-Value Replication

Diagram: DC1 (Maria authoritatively restored) holds the link-table row Maria (DNT 1000) / G1 (DNT 2000) marked AUTH; DC2 holds the same membership under its own DNTs (8657, 7654). What replicates is the fact that G1 has Maria as a member, not the DNTs.

  • Windows 2003 forest functionality introduced linked-value replication
    • Replication metadata is attached to each entry in the link tables
    • When Maria is restored all incoming linked-values are marked as authoritative in the link table

No Linked-Value Replication
  • Prior to 2003 forest functionality replication metadata existed on the attribute and not on the individual links
    • To restore Maria's group membership one option was to authoritatively restore all groups that she belonged to
  • If Maria was added to some groups before and others after linked-value replication was enabled
    • During an authoritative restore of Maria, some links would replicate and others wouldn't
Partial Solution

LDF produced during authoritative restore:

# CN=G1,OU=Groups,OU=Demo,DC=example,DC=com
# dn: <GUID=4ec2d1b7-354b-4f17-9a6b-c567888bcf24>
dn:: PEdVSUQ9NGVjMmQxYjctMzU0Yi00ZjE3LTlhNmItYzU2Nzg4OGJjZjI0Pg==
# Base64 encoded: <GUID=4ec2d1b7-354b-4f17-9a6b-c567888bcf24>
changetype: modify
delete: member
# CN=Maria,OU=Berlin Users,OU=Demo,DC=example,DC=com
# member: <GUID=6a677bde-f83e-49a5-b5fb-eb074a2899b7>
member:: PEdVSUQ9NmE2NzdiZGUtZjgzZS00OWE1LWI1ZmItZWIwNzRhMjg5OWI3Pg==
-

# CN=G1,OU=Groups,OU=Demo,DC=example,DC=com
# dn: <GUID=4ec2d1b7-354b-4f17-9a6b-c567888bcf24>
dn:: PEdVSUQ9NGVjMmQxYjctMzU0Yi00ZjE3LTlhNmItYzU2Nzg4OGJjZjI0Pg==
changetype: modify
add: member
# CN=Maria,OU=Berlin Users,OU=Demo,DC=example,DC=com
# member: <GUID=6a677bde-f83e-49a5-b5fb-eb074a2899b7>
member:: PEdVSUQ9NmE2NzdiZGUtZjgzZS00OWE1LWI1ZmItZWIwNzRhMjg5OWI3Pg==
-
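The LDF above deletes and immediately re-adds the same member value, which stamps the link with fresh replication metadata so the membership replicates; because the values are base64-encoded it is hard to see that at a glance. As an added example (mine, not the presenter's), the PowerShell below decodes the `::` lines and lists each modification a modify record would apply, a reasonable review step before the file is imported with ldifde. The LDF text is the one on the slide, embedded inline.

```powershell
# Added example, not from the deck: expand base64 LDIF values and list the
# modifications an authoritative-restore LDF would apply. $Ldf is the slide's LDF.
$Ldf = @'
# CN=G1,OU=Groups,OU=Demo,DC=example,DC=com
dn:: PEdVSUQ9NGVjMmQxYjctMzU0Yi00ZjE3LTlhNmItYzU2Nzg4OGJjZjI0Pg==
changetype: modify
delete: member
# CN=Maria,OU=Berlin Users,OU=Demo,DC=example,DC=com
member:: PEdVSUQ9NmE2NzdiZGUtZjgzZS00OWE1LWI1ZmItZWIwNzRhMjg5OWI3Pg==
-

dn:: PEdVSUQ9NGVjMmQxYjctMzU0Yi00ZjE3LTlhNmItYzU2Nzg4OGJjZjI0Pg==
changetype: modify
add: member
member:: PEdVSUQ9NmE2NzdiZGUtZjgzZS00OWE1LWI1ZmItZWIwNzRhMjg5OWI3Pg==
-
'@

function Expand-LdifBase64 {
    # Rewrites "attr:: <base64>" lines as "attr: <decoded text>"; other lines pass through.
    param([Parameter(Mandatory)][string]$Text)
    foreach ($line in ($Text -split "`r?`n")) {
        if ($line -match '^(?<attr>[A-Za-z][\w;.-]*)::\s*(?<b64>\S+)$') {
            $bytes = [Convert]::FromBase64String($Matches['b64'])
            "$($Matches['attr']): $([Text.Encoding]::UTF8.GetString($bytes))"
        }
        else { $line }
    }
}

function Get-LdifModification {
    # Emits one object per "add/delete/replace ... -" block of each modify record.
    param([Parameter(Mandatory)][string]$Text)
    $dn = $null; $changeType = $null; $op = $null; $attr = $null; $values = @()
    foreach ($line in (Expand-LdifBase64 -Text $Text)) {
        switch -Regex ($line) {
            '^\s*#'                  { break }                                  # LDIF comment
            '^\s*$'                  { $dn = $null; $changeType = $null; break } # record separator
            '^dn:\s*(.+)$'           { $dn = $Matches[1]; break }
            '^changetype:\s*(\S+)'   { $changeType = $Matches[1]; break }
            '^(add|delete|replace):\s*(\S+)' {
                $op = $Matches[1]; $attr = $Matches[2]; $values = @(); break
            }
            '^-\s*$' {
                [pscustomobject]@{
                    Dn = $dn; ChangeType = $changeType; Operation = $op
                    Attribute = $attr; Values = ($values -join '; ')
                }
                $op = $null; $attr = $null; $values = @(); break
            }
            '^([^:]+):\s*(.*)$' {
                if ($op -and $Matches[1] -eq $attr) { $values += $Matches[2] }
                break
            }
        }
    }
}

Get-LdifModification -Text $Ldf | Format-Table -AutoSize
```

For the slide's file this yields two rows against `<GUID=4ec2d1b7-354b-4f17-9a6b-c567888bcf24>` (G1): a `delete` of member `<GUID=6a677bde-f83e-49a5-b5fb-eb074a2899b7>` (Maria) followed by an `add` of the same value.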

Recycle Bin Enabled

Diagram: Live object --Delete--> Deleted object (all attributes retained; online undelete possible) --Garbage collection, after the deleted object lifetime (180 days)--> Recycled object --Garbage collection, after the tombstone lifetime (180 days)--> Purged from directory.

Recycle Bin for AD
  • Requires 2008 R2 Forest functionality
  • PowerShell driven
    • Enable-ADOptionalFeature -Identity 'Recycle Bin Feature' -Scope ForestOrConfigurationSet -Target '<forest>'
      • Once enabled cannot be disabled
    • Get-ADObject -LDAPFilter "<LDAP filter>" -IncludeDeletedObjects
    • Restore-ADObject -Identity <id>
    • Parent object must be restored in advance of child object
  • Restores all attributes including linked attributes
Object Deletion

Diagram: Live object --Delete--> Deleted object (all attributes retained), with online undelete back to a live object.

  • The object is moved to the deleted objects container
    • Referred to as a deleted object
    • isDeleted attribute is set TRUE
    • isRecycled attribute not present
    • lastKnownParent set
    • msDS-LastKnownRDN set

Object Deletion (continued)
  • The RDN of the object is changed to a "delete-mangled RDN"
  • All attribute values with the exception of objectCategory and sAMAccountType are retained
    • If the object is undeleted these are automatically restored from the defaultObjectCategory and userAccountControl attributes
Object Deletion (continued)
  • Linked-attribute values (references) to and from the object are retained
    • Not visible to LDAP without the special control
  • The object remains as a deleted object for the Deleted Object Lifetime (DOL = 180 days)
    • After this period the Garbage Collection service converts the object to a Recycled Object
Recycled Object
  • Similar characteristics to a pre-recycle bin tombstone object
    • The majority of attribute values are removed
    • Linked-attribute values (references) to and from the object are deleted
  • isRecycled set TRUE
  • A recycled object cannot be reanimated
    • Retained to allow replication to occur
Lifetimes
  • Recycled object remains for the Tombstone Lifetime (TSL = 180 days)
    • After this period the Garbage Collection service purges the object from the directory
  • The DOL and TSL values are held in attributes of "CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=<your forest>"
    • DOL in the msDS-deletedObjectLifetime attribute
    • TSL in the tombstoneLifetime attribute
Other Thoughts
  • Backups are valid for a maximum of the smaller of DOL and TSL
    • Best practice recommendation: DOL = TSL
  • Anticipated database growth 5-10%
  • On deletion, regulatory compliance may not allow a full copy of the deleted object to be retained
    • Permanently delete with
      • Get-ADObject -LDAPFilter "<LDAP filter>" -IncludeDeletedObjects | Remove-ADObject
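The prerequisites and lifetimes from the last three slides can be read back from the forest in one pass. The function below is an added example, not code from the deck: it reports the forest mode, whether the Recycle Bin feature has an enabled scope, the DOL and TSL from the Directory Service object, and the backup validity window as the smaller of the two. The Active Directory module is assumed; the fallbacks used when an attribute is not set (TSL 60 days, DOL equal to TSL) are the Windows defaults, not values from the slides.

```powershell
# Added example, not from the deck: report forest mode, Recycle Bin state and the
# DOL/TSL values, and derive how long a backup stays usable (the smaller of the two).
Import-Module ActiveDirectory

function Get-ADRecycleBinStatus {
    param([string]$Server)
    $opt = @{}
    if ($Server) { $opt.Server = $Server }

    $forest  = Get-ADForest @opt
    $rootDse = Get-ADRootDSE @opt
    $feature = Get-ADOptionalFeature @opt -Filter 'Name -eq "Recycle Bin Feature"'

    # DOL and TSL live on the Directory Service object in the configuration partition.
    $dsObject = Get-ADObject @opt `
        -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$($rootDse.configurationNamingContext)" `
        -Properties msDS-DeletedObjectLifetime, tombstoneLifetime

    # Windows defaults when the attributes are not set: TSL 60 days, DOL = TSL.
    $tsl = if ($null -ne $dsObject.tombstoneLifetime) { [int]$dsObject.tombstoneLifetime } else { 60 }
    $dol = if ($null -ne $dsObject.'msDS-DeletedObjectLifetime') { [int]$dsObject.'msDS-DeletedObjectLifetime' } else { $tsl }

    [pscustomobject]@{
        ForestMode                = $forest.ForestMode
        ForestModeSupportsBin     = ([int]$forest.ForestMode -ge [int][Microsoft.ActiveDirectory.Management.ADForestMode]::Windows2008R2Forest)
        RecycleBinEnabled         = ($null -ne $feature -and $feature.EnabledScopes.Count -gt 0)
        DeletedObjectLifetimeDays = $dol
        TombstoneLifetimeDays     = $tsl
        BackupValidDays           = [Math]::Min($dol, $tsl)   # a backup older than this cannot be used
        DolEqualsTsl              = ($dol -eq $tsl)           # the recommended configuration
    }
}

Get-ADRecycleBinStatus | Format-List
```

If ForestModeSupportsBin is true and RecycleBinEnabled is false, the Enable-ADOptionalFeature command on the "Recycle Bin for AD" slide is the next step; remember that it cannot be reversed once run.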
Restoring Objects
  • Locate objects using the appropriate filter
    • Pipe the results into Restore-ADObject
  • Many ingenious filters can be constructed
    • Restore users with a particular job title, description etc.
    • Restore users deleted after a certain date

$Event = New-Object DateTime -ArgumentList 2009, 11, 5, 9, 0, 0
Get-ADObject -Filter 'whenChanged -gt $Event -and isDeleted -eq $true' -IncludeDeletedObjects | Restore-ADObject

Hierarchy Required
  • You cannot restore an object if the parent container does not exist
    • Restore-ADObject
      • Can restore to alternate name and path
  • Microsoft provides a script to aid restoring a hierarchy of objects
    • http://technet.microsoft.com/en-us/library/dd379504(WS.10).aspx
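One way to honour the parent-before-child rule without the Microsoft script, as an added example that is not the deck's or Microsoft's code: restore the topmost deleted object, then find every deleted object whose lastKnownParent is the DN it has just come back to and restore those recursively. It relies on the fact that children are deleted while their parent is still live, so their lastKnownParent holds the parent's original DN. The Active Directory module is assumed, and the OU name 'Sales' in the call at the bottom is a placeholder.

```powershell
# Added example, not the Microsoft script the slide links: restore a deleted object
# and then every deleted object that recorded it as lastKnownParent, parent first,
# so the "parent must exist" rule is never violated.
Import-Module ActiveDirectory

function Restore-ADDeletedSubtree {
    param(
        [Parameter(Mandatory)][guid]$ObjectGuid,   # GUID of the topmost deleted object
        [string]$Server
    )
    $srv = @{}
    if ($Server) { $srv.Server = $Server }

    $obj = Get-ADObject @srv -Identity $ObjectGuid -IncludeDeletedObjects `
               -Properties lastKnownParent, msDS-LastKnownRDN, isDeleted, isRecycled
    if (-not $obj.isDeleted) { throw "$ObjectGuid is not a deleted object" }
    if ($obj.isRecycled)     { throw "$ObjectGuid is recycled and can no longer be restored" }

    # Restore-ADObject fails if the container the object came from is not live.
    try   { $null = Get-ADObject @srv -Identity $obj.lastKnownParent }
    catch { throw "Parent container '$($obj.lastKnownParent)' does not exist; restore it first" }

    $restored = Restore-ADObject @srv -Identity $ObjectGuid -PassThru
    $restored                                    # emit the live object to the caller

    # Children were deleted while the parent was still live, so their lastKnownParent
    # is the parent's original DN, which is where it has just been restored.
    $parentDn = $restored.DistinguishedName
    Get-ADObject @srv -IncludeDeletedObjects -Filter 'lastKnownParent -eq $parentDn -and isDeleted -eq $true' |
        ForEach-Object { Restore-ADDeletedSubtree @srv -ObjectGuid $_.ObjectGUID }
}

# 'Sales' is an assumed OU name; msDS-LastKnownRDN is the name the object had before deletion.
$top = Get-ADObject -IncludeDeletedObjects `
           -LDAPFilter '(&(isDeleted=TRUE)(objectClass=organizationalUnit)(msDS-LastKnownRDN=Sales))'
if (@($top).Count -ne 1) { throw "Expected one deleted OU named Sales, found $(@($top).Count)" }

Restore-ADDeletedSubtree -ObjectGuid $top.ObjectGUID |
    Select-Object Name, ObjectClass, DistinguishedName
```

If the top object has to come back under a different container, Restore-ADObject's -TargetPath (and -NewName) do that, but then the children's lastKnownParent no longer matches the restored DN and they have to be restored with -TargetPath as well.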
And Now

Diagram: Live Object --Delete--> deleted object --Restore--> Live Object.

Summary
  • Deleting and recovering directory objects
  • How objects are stored
  • Incoming and outgoing linked-attributes
  • Authoritative restore
  • Enabling the Recycle Bin
  • Live, deleted and recycled objects
  • Recovering deleted objects from the Recycle Bin
Resources
  • www.microsoft.com/teched
    • Sessions On-Demand & Community
  • www.microsoft.com/learning
    • Microsoft Certification & Training Resources
  • http://microsoft.com/technet
    • Resources for IT Professionals
  • http://microsoft.com/msdn
    • Resources for Developers

Related Content

Breakout Sessions:
  • SIA402 Recovery of Active Directory Deleted Objects and the Windows Server 2008 R2 Recycle Bin
  • SVR317 Managing Windows Server 2008 R2 and Windows 7 with Windows PowerShell V2

Interactive Theater Sessions:
  • SIA02-IS Active Directory: What's New in R2

Hands-on Labs:
  • WSV03-HOL Advanced Windows PowerShell Scripting
  • WSV20-HOL Windows Server 2008 R2: What's New in Microsoft Active Directory

My Sessions at TechEd

Breakout Sessions:
  • SIA319 What's Windows Server 2008 R2 Going to Do for Your Active Directory?
  • SIA402 Recovery of Active Directory Deleted Objects and the Windows Server 2008 R2 Recycle Bin
  • SVR401 DirectAccess Technical Drilldown, Part 1 of 2: IPv6 and Transition Technologies
  • SVR402 DirectAccess Technical Drilldown, Part 2 of 2: Putting It All Together

Interactive Theater Sessions:
  • SVR08-IS End-to-End Remote Connectivity with DirectAccess

© 2009 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.
