
Daniel Ramawidjaja Blog

June 22, 2009

Restore Deleted Objects from Active Directory Database Using Tombstone Reanimation (AdRestore.exe and ADRestore.NET)

Filed under: Active Directory, Windows Server 2003, Windows Server 2008 | Daniel Ramawidjaja @ 5:39 pm | Tags: Active Directory, Windows Server 2003, Windows Server 2008

By using AdRestore.exe or ADRestore.NET, you can apply the tombstone reanimation method to restore deleted objects from the Active Directory database easily. It does basically the same thing as using LDP in my previous post, Restore Deleted Objects in Active Directory Database Using Tombstone Reanimation (LDP.EXE); I wrote that post to give a deeper understanding of the tombstone reanimation concept.

AdRestore.exe

Mark Russinovich, formerly of Sysinternals and now at Microsoft, has created a command-line freeware application called ADRestore. The tool enumerates all of the currently tombstoned objects in a domain and allows you to restore them selectively, providing a convenient command-line interface to the Active Directory reanimation functionality. You can download this tool from here: http://technet.microsoft.com/en-us/sysinternals/bb963906.aspx

ADRestore.NET

Restoring objects with ADRestore.net

Guy Teverovsky has written a GUI version that lets you easily restore deleted AD objects. I found this tool helps a lot when you need to restore more than one deleted object, for example an OU that contains several objects. You can download ADRestore.NET here: http://blogs.microsoft.co.il/files/folders/guyt/entry40811.aspx

Here are the demo steps:

I deleted an OU named Accounting that contained some objects, including users and groups.

Enumerating Tombstones

First restore the OU (the container has to exist again before the objects inside it can be returned to it).

Then restore the other objects one by one.

Until the last object.

Then view the result.

You can see from the steps above that using ADRestore.NET makes restoring more than one object a lot easier.


June 22, 2009

Restore Deleted Objects in Active Directory Database Using Tombstone Reanimation (LDP.EXE)

Filed under: Active Directory, Windows Server 2003, Windows Server 2008 | Daniel Ramawidjaja @ 11:47 am | Tags: Active Directory, Windows Server 2003, Windows Server 2008

This tip has been tested and works on Windows Server 2003, Windows Server 2008, or later. For Windows Server 2008 R2, it is recommended to use the Active Directory Recycle Bin feature instead. It is a more efficient method and can do a complete restore of the previously deleted objects.

What Is a Tombstone?

When Active Directory deletes an object from the directory, it does not physically remove the object from the database. Instead, Active Directory marks the object as deleted by setting the object's isDeleted attribute to TRUE, stripping most of the attributes from the object, renaming the object, and then moving the object to a special container in the object's naming context (NC) named CN=Deleted Objects. The object, now called a tombstone, is invisible to normal directory operations.

Obviously, objects don't remain in the CN=Deleted Objects container forever. The default tombstone lifetime is 60 days for forests initially built using Windows 2000 and Windows Server 2003, and 180 days for forests that were initially built with Windows Server 2003 SP1. You can change the tombstone lifetime by setting the tombstoneLifetime attribute of the CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC= object.

Every 12 hours, each domain controller starts a garbage collection process. (This can be changed by setting a new value for the garbageCollPeriod attribute of the CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC= object.) This garbage collection scans all of the tombstones on the DC and physically deletes any that are older than the tombstone lifetime.

The Deleted Objects container is hidden and cannot be viewed using Active Directory Users and Computers or ADSIEDIT.MSC, but you can use LDP.EXE.

For example, in this documentation, I delete an account with distinguishedName CN=Jenny Gates,OU=Marketing,DC=Microship,DC=com. That account is stored in the Deleted Objects container as CN=Jenny Gates\0ADEL:c7f41f06-7f02-42c9-8701-d5ad5ee3a7d0,CN=Deleted Objects,DC=Microship,DC=com (the original name, a 0x0A character escaped as \0A, then DEL: followed by the object's GUID), with the attribute isDeleted set to TRUE.

To restore the user account, you have to use LDP.EXE to modify the properties of the deleted object. Here are the snapshots.

The previous condition: Jenny Gates (username: JennyG) has the following attributes.

Jenny has permissions set on the C:\Data\Marketing folder.

Delete the user account Jenny.

As the result of the deletion, Jenny's previous account is shown in the folder's permissions as her old SID. If you create a new user, it actually creates a new object with a new SID for the user. That's why you have to use the Tombstone Reanimation method to restore the old object.

In preparation for restoring the deleted object, you have to install the Windows Server 2003 Support Tools. On the Windows Server 2003 installation CD, the installer is located at \SUPPORT\TOOLS\SUPTOOLS.MSI. You do not need to follow this step if you are using Windows Server 2008.

Process to Restore the Deleted Object

1. Run LDP.exe.

2. In the LDP window, click the Connection menu, click Connect, and type the appropriate server name and port.

3. Click the Connection menu, click Bind, and type the Administrator account and password.

4. Click the Options menu, then click Controls. Under Load Predefined, select Return deleted objects. This option makes the Deleted Objects container, which is hidden by default, visible.

5. Click the View menu, click Tree, and then select the distinguished name of the domain. On the left, select DC=Microship,DC=com. Then expand the Deleted Objects container and find Jenny Gates. Right-click the Jenny account, then click Modify.

6. In the Attribute box, type isDeleted. Under Operation, click Delete, and then click Enter.

7. In the Attribute box, type distinguishedName; in the Values box, type CN=Jenny Gates,OU=Marketing,DC=Microship,DC=com. Under Operation, click Replace, and then click Enter.

8. Select the Extended check box, and then click Run.
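What the LDP Modify dialog is actually sending, as an added Python model that is not part of the original post (the post only drives LDP.EXE interactively): it parses the tombstone DN format shown above, builds the restore target DN, assembles the single LDAP modify request in which isDeleted is removed and distinguishedName is replaced together (the server accepts reanimation only when both changes arrive in one modify, carrying the LDAP_SERVER_SHOW_DELETED_OID control that LDP's "Return deleted objects" option loads), orders several restores so that containers come before their contents as in the ADRestore.NET demo, and checks a tombstone's age against the tombstone lifetime and garbage collection period from the post. The function names, the dictionary layout of the request and the timestamps are my own constructions; the sample DN is the one from the post, and nothing here connects to a directory.

```python
"""Offline model of Active Directory tombstone reanimation (added example).
Parses a tombstone DN, builds the restore target DN, assembles the single LDAP
modify that reanimates it, and applies the lifetime / garbage collection rules.
All sample values are constructed; no directory connection is made."""
import re
from datetime import datetime, timedelta, timezone

# Defaults quoted in the post: 60 days (180 for forests first built on 2003 SP1),
# garbage collection every 12 hours.
DEFAULT_TOMBSTONE_LIFETIME_DAYS = 60
DEFAULT_GARBAGE_COLL_PERIOD_HOURS = 12
# The control LDP loads as "Return deleted objects" (LDAP_SERVER_SHOW_DELETED_OID).
SHOW_DELETED_OID = "1.2.840.113556.1.4.417"

# Tombstone RDN: original RDN, a 0x0A byte (written \0A in DN syntax),
# the literal "DEL:", then the object's GUID.
_TOMBSTONE_RDN = re.compile(
    r"^(?P<attr>[A-Za-z]+)=(?P<name>.+?)\\0ADEL:(?P<guid>[0-9a-fA-F-]{36})$")


def split_dn(dn):
    """Split a DN on commas that are not backslash-escaped."""
    return re.split(r"(?<!\\),", dn)


def parse_tombstone_dn(dn):
    """Return the parts of a tombstone DN, or raise ValueError if it is not one."""
    parts = split_dn(dn)
    m = _TOMBSTONE_RDN.match(parts[0])
    if not m or len(parts) < 3 or parts[1].lower() != "cn=deleted objects":
        raise ValueError("not a tombstone under CN=Deleted Objects: %r" % dn)
    return {"attr": m["attr"], "name": m["name"], "guid": m["guid"].lower(),
            "nc": ",".join(parts[2:])}


def restore_target_dn(tombstone_dn, original_parent_dn):
    """DN the object gets back when reanimated under its original parent."""
    t = parse_tombstone_dn(tombstone_dn)
    return "%s=%s,%s" % (t["attr"], t["name"], original_parent_dn)


def reanimation_modify(tombstone_dn, target_dn):
    """The one LDAP modify LDP sends when you click Run: isDeleted deleted and
    distinguishedName replaced in the same request, with the show-deleted control.
    (Hypothetical dict layout; a real client would map this onto its modify API.)"""
    return {"dn": tombstone_dn,
            "controls": [SHOW_DELETED_OID],
            "changes": [("delete", "isDeleted", []),
                        ("replace", "distinguishedName", [target_dn])]}


def restore_order(target_dns):
    """Order restore targets so a container precedes the objects inside it: an OU
    has fewer RDNs than the users it holds, so sorting by depth restores it first."""
    return sorted(target_dns, key=lambda dn: len(split_dn(dn)))


def will_be_garbage_collected(deleted_at, now,
                              lifetime_days=DEFAULT_TOMBSTONE_LIFETIME_DAYS):
    """True once the tombstone is older than the tombstone lifetime; the next
    garbage collection pass then removes it physically and it can no longer be
    reanimated. deleted_at stands in for the time the object was tombstoned."""
    return now - deleted_at > timedelta(days=lifetime_days)


def next_garbage_collection(last_run, period_hours=DEFAULT_GARBAGE_COLL_PERIOD_HOURS):
    """When the DC's next garbage collection pass starts after the last one."""
    return last_run + timedelta(hours=period_hours)


if __name__ == "__main__":
    tomb = ("CN=Jenny Gates\\0ADEL:c7f41f06-7f02-42c9-8701-d5ad5ee3a7d0,"
            "CN=Deleted Objects,DC=Microship,DC=com")
    target = restore_target_dn(tomb, "OU=Marketing,DC=Microship,DC=com")
    print(target)
    print(reanimation_modify(tomb, target))
    deleted = datetime(2009, 6, 22, tzinfo=timezone.utc)  # constructed timestamp
    print(will_be_garbage_collected(deleted, deleted + timedelta(days=61)))
```

Running the module prints the target DN CN=Jenny Gates,OU=Marketing,DC=Microship,DC=com, the two-change request, and True for a 61-day-old tombstone under the 60-day default; pass lifetime_days=180 to model a forest first built on Windows Server 2003 SP1.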

The result of restoring deleted objects with the Tombstone Reanimation procedure is not perfect. You get back a disabled account with most of its attributes stripped. You have to set the password and enable the account.

But as you can see from the following picture, the permissions for Jenny have been restored. Now Jenny can access the shared folder.

The next pictures show that, although you can restore the object, many attributes are gone, including the group memberships of the user.

If you want a successful restore including all attributes of the user, you should consider doing an Authoritative Restore, which requires you to restore from backup; and you cannot restore the Active Directory database from backup without restarting into Active Directory Restore Mode.


4 Comments

1. [...] Tombstone Reanimation Using AdRestore.exe and ADRestore.NET: By using AdRestore.exe or ADRestore.NET, you can easily restore deleted objects from Active Directory database by using tombstone reanimation method. So it basically does the same as using LDP in my previous post, Restore Deleted Objects in Active Directory Database Using Tombstone Reanimation (LDP.EXE) [...]
Pingback by Tombstone Reanimation Using AdRestore.exe and ADRestore.NET, Daniel Ramawidjaja Blog, June 22, 2009 @ 5:39 pm | Reply

2. Great help!!! Thanks for the information.
Comment by Pravin, March 26, 2010 @ 1:39 pm | Reply

3. I have noticed that using the Exchange Console and removing the mailbox will remove the AD object also, but it doesn't show up in the garbage collection. Why is that? What can I do if I have a user that, instead of disabling a user mailbox, removes it and the NT account? I had an administrator look, and it doesn't show up in the garbage can process to restore. Anyone know what the deal is here?
Comment by Dave Keffer, July 13, 2010 @ 4:43 pm | Reply

4. It's about Active Directory, not Exchange, but it's OK. You didn't say which Exchange version you used; I assume it's Exchange 2010. Try this: on the Exchange Server where you disabled the mailbox, open the Exchange Management Shell and run the cmdlet Get-MailboxDatabase | Clean-MailboxDatabase. Then verify the result from the Exchange Management Console; it should be visible under the Disconnected Mailbox node.
Comment by Daniel Ramawidjaja, July 14, 2010 @ 12:31 am | Reply
