Jorge's Quest For Knowledge!

All About Identity And Security On-Premises And In The Cloud – It's Just Like An Addiction, The More You Have, The More You Want To Have!

(2007-04-22) Windows Server Longhorn – Reanimating Objects And Restoring Additional Information

Posted by Jorge on 2007-04-22

Reanimating Objects and Restoring Additional Information

Basically when restoring deleted objects you have two choices. You either authoritatively restore the object(s) using a DC that has not yet received the tombstone of the deleted object or by using the restore of the system state onto some DC. Another option is to reanimate the object. Both are also mentioned and described in MS-KBQ840001.

The main issue with reanimating objects is that only the mandatory information or any attribute configured to be preserved is retained when the object is deleted. Other information is removed and lost at the moment the object is deleted. So, when reanimating an object only the mandatory information and the information within attributes configured to be preserved will be available again after the reanimation. So, what are you going to do to retrieve the other information that was lost during the deletion?

Although third party solutions are available to help you provide that missing information, Windows Server Longhorn is also going to help you with the answer to that question.

The short story is that within Windows Server Longhorn you are able to create a snapshot from AD, mount that snapshot and start it as a parallel AD instance and use any utility that is able target that parallel AD instance through another pre-configured LDAP ports than the default LDAP ports (LDAP: 389, LDAP-SSL: 636, GC: 3268, GC-SSL: 3269)

The long story is a somewhat longer one! 😉

NTDSUTIL contains a new submenu called SNAPSHOT. Within that submenu new commands are available and one of those commands, ‘CREATE’, creates a snapshot of AD using "Volume Shadow Copy". When the snapshot is created, the logs are replayed and the database is defragmented (compared to offline defrag). Before using that command you need to activate the instance (AD or ADAM) for which you want to create a snapshot. As soon as the snapshot has been created you need to mount it using the command ‘MOUNT’ to make it available through the file system. By default the mounted snapshots will available through the C-drive. See picture below.


As soon as the snapshot has been mounted you need to start the AD within that snapshot as a parallel AD instance. Because the default AD instance on the DC uses the standard LDAP/LDAP-SSL/GC/GC-SSL ports, it is mandatory to specify custom ports. The command to start the parallel AD instance is:

DSAMAIN –DBPATH:<path to NTDS.DIT file within mounted snapshot> -LDAPPORT:<custom LDAP port that is free to use> -SSLPORT:<custom LDAP-SSL port that is free to use> -GCPORT:<custom GC port that is free to use> -GCSSLPORT:<custom GC-SSL port that is free to use>

Also see the picture below.


The custom ports specified in the picture are derived from the default ports by just adding the value of 1000 to it. Of course it is possible to use some other logic. The rule is that the port must be available to be used by the parallel AD instance. It is that simple!

As soon as the parallel AD instance is up and running you can use any tool like LDP, ADSIEDIT, ADFIND, LDIFDE that is able to target the new AD instance through the custom configured ports and access information within that parallel AD instance. As soon as you are ready you can press CTRL+C to stop the parallel AD instance from running. As soon as that happens you will not be able to target it through the earlier specified ports and those ports will be available again.

All the information within the parallel AD instance is read-only when accessed and access to that information is still determined through the configured permissions. So, if you don’t have permissions to access some of the information, access will be denied!

The main use of this feature is to give you the possibility to retrieve the information that was lost when the object was deleted and apply it again after the object has been reanimated. One of the other uses to just be able to compare information between the default AD instance and the parallel AD instance for whatever reason needed. This feature does not replace the required backup that are needed for disaster recovery of a DC, a domain or even a forest!

The use of the snapshot must be treated as the use of any backup of a DC or the DC itself. Again, only very trusted people should be able to use the snapshot.

If you deleted an OU as an accident you can use the following command to reanimate the OU itself before reanimating its leaf objects:

adfind -default -f "lastKnownParent=<distinguishedName of parent OU>" -showdel -dsq | admod -undel
<distinguishedName parent OU> = the "distinguishedName" of the parent OU of the OU that got deleted

As soon as the deleted OU has been reanimated you reanimated its leaf objects:

adfind -default -f "lastKnownParent=<distinguishedName of deleted OU>" -showdel -dsq | admod –undel –unsafe
<distinguishedName of deleted OU> = the "distinguishedName" of the deleted OU that was reanimated previously


As soon as the objects are restored you can export the information from the parallel AD instance and import to the default AD instance. With that a lot of information is retrieved again. How, challenges still exist like restoring the back links. The way to restore those is also mentioned in MS-KBQ840001.

NOTE: this information is based upon a beta release of Windows Server Longhorn and thus subject to change in the final RTM release. Do not use Windows Server Longhorn in a production environment without the explicit commitment from Microsoft for help and support.

Additional interesting links:

* This posting is provided "AS IS" with no warranties and confers no rights!
* Always evaluate/test yourself before using/implementing this!
############### Jorge’s Quest For Knowledge #############
######### ########


One Response to “(2007-04-22) Windows Server Longhorn – Reanimating Objects And Restoring Additional Information”

  1. […] This post is an updated version of the following post and now contains RTM information: Windows Server Longhorn – Reanimating Objects And Restoring Additional Information […]

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

%d bloggers like this: