Jorge's Quest For Knowledge!

All About Identity And Security On-Premises And In The Cloud – It's Just Like An Addiction, The More You Have, The More You Want To Have!

(2008-03-20) Windows Server 2008 – Reanimating Objects And Restoring Additional Information

Posted by Jorge on 2008-03-20


This post is an updated version of the following post and now contains RTM information: Windows Server Longhorn – Reanimating Objects And Restoring Additional Information

Reanimating Objects and Restoring Additional Information

Basically, when you need to get deleted objects back you have two choices. The first is to authoritatively restore the object(s), either on a DC that has not yet received the tombstone of the deleted object or after restoring the system state onto some DC. The second is to reanimate the object (tombstone reanimation). Both options are mentioned and described in MS-KBQ840001.

In my opinion, one major disappointment with Windows Server 2008 is that it is not possible to do an authoritative restore by simply stopping and starting the "Active Directory Domain Services" (ADDS) service. The first time I heard that ADDS could be stopped and started, I envisioned the following scenario for recovering one or more objects:

  • Stop ADDS –> NET STOP NTDS
  • Restore the System State –> WBADMIN START SYSTEMSTATERECOVERY
  • Authoritatively restore the object(s) –> RESTORE OBJECT "<DN>" or RESTORE SUBTREE "<DN>" (RESTORE DATABASE does not exist anymore in W2K8. In W2K/W2K3 it does exist, but it should never be used!)
  • Start ADDS –> NET START NTDS
  • Import LDF files if needed/required –> LDIFDE -i -f <LDF file>

The main issue with reanimating objects is that only the mandatory attributes, plus any attribute explicitly configured to be preserved on deletion (bit 3 [2^3 = 8] set in the "searchFlags" property of the attribute's schema definition), are retained when the object is deleted. All other attribute values are removed and lost at the moment of deletion. So when you reanimate an object, only the mandatory attributes and the preserved attributes are available again after the reanimation. What are you going to do to retrieve the other information that was lost during the deletion?

Although third-party solutions are available to supply that missing information, Windows Server 2008 also helps you with the answer to that question.

The short story: within Windows Server 2008 you can create a snapshot of AD, mount that snapshot, start it as a parallel AD instance and then use any utility that can target that parallel instance through pre-configured LDAP ports other than the default ones (LDAP: 389, LDAP-SSL: 636, GC: 3268, GC-SSL: 3269).

The long story is a somewhat longer one! 😉

NTDSUTIL contains a new submenu called SNAPSHOT. Within that submenu new commands are available, and one of them, ‘CREATE’, creates a snapshot of AD using "Volume Shadow Copy". When the snapshot is created, the logs are replayed and the database is defragmented (similar to an offline defrag). Before using that command you need to activate the instance (ADDS or ADLDS) for which you want to create the snapshot. As soon as the snapshot has been created you need to mount it using the command ‘MOUNT <GUID>’ to make it available through the file system. By default the mounted snapshots are available through the C-drive. See picture below. After that you can list the available snapshots with ‘LIST ALL’ and the mounted ones with ‘LIST MOUNTED’. Unmounting a snapshot is done with ‘UNMOUNT <GUID>’. Deleting a snapshot is done with ‘DELETE <GUID>’, or all snapshots at once with ‘DELETE *’. As you can see, great scripting capabilities!

[image]

[image]

As soon as the snapshot has been mounted you need to start the AD within that snapshot as a parallel AD instance. Because the default AD instance on the DC uses the standard LDAP/LDAP-SSL/GC/GC-SSL ports, it is mandatory to specify custom ports. You can specify all four ports if you want to, or just the LDAP port; the other three are then derived from the LDAP port by adding +1, +2 and +3. The only rule is that the chosen ports must be free for the parallel AD instance to use. It is that simple!

The command to start the parallel AD instance is:

  • CMD –> DSAMAIN -DBPATH <path to NTDS.DIT file within mounted snapshot> -LDAPPORT <custom LDAP port that is free to use>
  • EXAMPLE: DSAMAIN -DBPATH C:\$SNAP_200803201137_VOLUMED$\AD\DB\ntds.dit -LDAPPORT 2389

The command prompt window should NOT be closed as that would stop the parallel AD instance!
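The snapshot/mount/DSAMAIN steps above, wrapped in one PowerShell (2.0 or later) function as an added example that is not part of the original post. Assumed: the regular expressions match NTDSUTIL's console output ("Snapshot set {GUID} generated successfully." and "Snapshot {GUID} mounted as C:\$SNAP_..._VOLUMEC$\"), the set GUID is accepted by MOUNT, and the function is run elevated on the DC.

```powershell
# Added example (not from the original post): create, mount and start an AD snapshot
# as a parallel instance; the NTDSUTIL output patterns parsed below are assumptions.
function Start-AdSnapshotInstance {
    param([int]$LdapPort = 2389)

    # DSAMAIN derives LDAP-SSL, GC and GC-SSL from the LDAP port (+1, +2, +3):
    # refuse to start if any of the four is already listening on this DC.
    $ipProps   = [System.Net.NetworkInformation.IPGlobalProperties]::GetIPGlobalProperties()
    $listening = $ipProps.GetActiveTcpListeners() | ForEach-Object { $_.Port }
    $busy      = ($LdapPort..($LdapPort + 3)) | Where-Object { $listening -contains $_ }
    if ($busy) { throw "Port(s) $($busy -join ', ') already in use; choose another LDAP port." }

    # Step 1: activate the ADDS instance and create the VSS snapshot.
    $out  = & ntdsutil.exe 'activate instance ntds' 'snapshot' 'create' 'quit' 'quit'
    $guid = [regex]::Match(($out -join "`n"), '\{[0-9a-fA-F-]{36}\}').Value
    if (-not $guid) { throw "Snapshot creation failed:`n$($out -join "`n")" }

    # Step 2: mount it; NTDSUTIL exposes the copy under C:\$SNAP_<timestamp>_VOLUME<x>$\
    $out   = & ntdsutil.exe 'snapshot' "mount $guid" 'quit' 'quit'
    $mount = [regex]::Match(($out -join "`n"), '[A-Za-z]:\\\$SNAP_[^\s\\]+\$\\').Value
    if (-not $mount) { throw "Snapshot mount failed:`n$($out -join "`n")" }

    # Step 3: locate NTDS.DIT inside the mounted copy (same relative path as the live DB).
    $dit = Get-ChildItem -Path $mount -Filter ntds.dit -Recurse -ErrorAction SilentlyContinue |
           Select-Object -First 1
    if (-not $dit) { throw "No ntds.dit found under $mount" }

    # Step 4: start DSAMAIN in its own window so this console stays usable; stop it later
    # with CTRL+C in that window or by writing stopService=1 to its RootDSE.
    $dsamainArgs = "-dbpath `"$($dit.FullName)`" -ldapport $LdapPort"
    $proc = Start-Process -FilePath dsamain.exe -ArgumentList $dsamainArgs -PassThru

    New-Object PSObject -Property @{
        SnapshotGuid = $guid
        MountPoint   = $mount
        NtdsDit      = $dit.FullName
        LdapPort     = $LdapPort
        ProcessId    = $proc.Id
    }
}

# Usage: $inst = Start-AdSnapshotInstance -LdapPort 2389
```

The returned object keeps the snapshot GUID so the same script can later run ‘UNMOUNT <GUID>’ and ‘DELETE <GUID>’ once the parallel instance has been stopped.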

Also see the picture below.

[image]

As soon as the parallel AD instance is up and running you can use any tool like LDP, ADSIEDIT, ADFIND or LDIFDE that is able to target the new AD instance through the custom configured ports, and access the information within that parallel AD instance. You can even point "Active Directory Users and Computers" and "Active Directory Sites and Services" at the parallel AD instance. There are two ways to do that. The first is through the commands "DSA.MSC /SERVER=<DC>:<PORT>" and "DSSITE.MSC /SERVER=<DC>:<PORT>". The second is to just start the GUI and then retarget it to another DC by specifying "<DC>:<PORT>".

Remember that the information within the parallel AD instance is READ-ONLY! By default only Domain Admins are able to look inside the parallel AD instance; all others are denied access. If you need to allow a non-Domain Admin to access the information within the parallel AD instance, you must specify the "-allowNonAdminAccess" option on the DSAMAIN command line. Access to the information in the parallel AD instance is still governed by the configured permissions, so if you don’t have permissions on some of the information, access will be denied!

As soon as you are done using the parallel AD instance you can press CTRL+C in the open command prompt window to stop it. Another way is to write the value 1 into the "stopService" operational attribute on the rootDSE of the DC at the specified port. An example of the command line is:

  • CMD –> ADMOD.EXE -h <DC>:<LDAPPORT> -b "" "stopService::1"
  • Example: ADMOD.EXE -h RFSRWDC1:2389 -b "" "stopService::1"

As soon as either one happens, the parallel AD instance is gone: you can no longer target it through the earlier specified ports, and those ports are available again.

Again, great possibility for scripting!

This all works well if you want to target the parallel AD instance locally on the DC where it is loaded. But let’s say you want to target it remotely from your management workstation/server. By default that is not possible, because the firewall on W2K8 servers/DCs is enabled by default and there is no firewall exception for the custom port. To make it possible you need to create a firewall exception for the parallel AD instance. You can do that through the GUI using FIREWALL.CPL, or through NETSH like this:

  • CMD to create the firewall exception –> NETSH FIREWALL SET PORTOPENING ALL <LDAPPORT> "DSAMAIN-<LDAPPORT>" ENABLE ALL
  • Example: NETSH FIREWALL SET PORTOPENING ALL 2389 "DSAMAIN-2389" ENABLE ALL
  • CMD to remove the firewall exception –> NETSH FIREWALL DELETE PORTOPENING ALL <LDAPPORT>
  • Example: NETSH FIREWALL DELETE PORTOPENING ALL 2389

The main use of this feature is to give you the possibility to retrieve the information that was lost when the object was deleted, and to apply it again after the object has been reanimated using whatever tool. Another use is simply to compare information between the default AD instance and the parallel AD instance for whatever reason. This feature does not replace the backups that are required for disaster recovery of a DC, a domain or even a forest! Be aware of that.
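The main use described above (retrieve the lost attribute values from the parallel instance and reapply them to the reanimated object), as an added PowerShell example that is not the post's own code nor the tool it mentions. Assumed: the reanimated object carries its original DN on the live instance, the caller is a Domain Admin (default DSAMAIN access), and the skip list of system attributes is this example's own choice.

```powershell
# Added example (not from the original post): compare a reanimated object with its
# pre-deletion copy in the read-only snapshot instance and optionally write back the
# attribute values lost during deletion. Only the live instance is ever written to.
function Restore-AdAttributesFromSnapshot {
    param(
        [Parameter(Mandatory=$true)][string]$Server,             # DC hosting both instances
        [Parameter(Mandatory=$true)][string]$DistinguishedName,  # DN of the reanimated object
        [int]$SnapshotPort = 2389,                               # value given to DSAMAIN -ldapport
        [switch]$Apply                                           # without it: report only
    )
    # System, constructed and back-link attributes that must not be copied (assumed list).
    $skip = 'objectGUID','objectSid','objectClass','objectCategory','distinguishedName',
            'name','cn','instanceType','uSNCreated','uSNChanged','whenCreated','whenChanged',
            'dSCorePropagationData','nTSecurityDescriptor','isDeleted','lastKnownParent',
            'sAMAccountType','memberOf','pwdLastSet','lastLogon','lastLogonTimestamp',
            'logonCount','badPwdCount','badPasswordTime'

    $live = [ADSI]"LDAP://$Server/$DistinguishedName"
    $snap = [ADSI]"LDAP://${Server}:$SnapshotPort/$DistinguishedName"
    $null = $snap.Get('distinguishedName')   # throws if the object is not in the snapshot

    # Attributes that have values on the snapshot copy but are empty on the live object.
    $missing = @{}
    foreach ($attr in @($snap.Properties.PropertyNames)) {
        if ($skip -contains $attr) { continue }
        if ($live.Properties[$attr].Count -eq 0) {
            $missing[$attr] = @($snap.Properties[$attr] | ForEach-Object { $_ })
        }
    }

    if ($Apply) {
        foreach ($attr in $missing.Keys) {
            # ADS_PROPERTY_UPDATE (2) replaces the value set, single- or multi-valued alike.
            $live.PutEx(2, $attr, $missing[$attr])
        }
        $live.SetInfo()   # one LDAP modify; nothing is changed if any value is rejected
    }
    $missing   # review this list first, then re-run with -Apply
}

# Usage: Restore-AdAttributesFromSnapshot -Server RFSRWDC1 -DistinguishedName 'CN=Some User,OU=Users,DC=example,DC=com'
```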

Unfortunately there is no tooling available by default that would allow you to retrieve the information in the parallel AD instance and apply it to the reanimated objects. The only way is to create something yourself with LDIFDE and VBS scripting, or to buy a third-party tool. However, since the beginning of March 2008 a friend of mine has a tool that leverages this backup/restore feature. I have tested this tool numerous times and it works quite well! The best of it all is that the tool is free!!! You can get the tool here.

One of the scenarios people might try is creating a snapshot, copying the NTDS.DIT out to some other place and then deleting the snapshot. If that is what you want, you can save yourself some time by creating an IFM set on an RWDC for an RWDC; the DSAMAIN tool can load any NTDS.DIT. But the snapshot, IFM set or copied NTDS.DIT must be treated with the same care as any backup of a DC, or the DC itself: it contains the complete directory database. Again, only very trusted people should be able to access the NTDS.DIT file (this is about the file itself, not about accessing its contents remotely through the parallel instance).

And if you want to go all crazy with the scripting capabilities within Windows Vista and Windows Server 2008, I suggest you read more about using "Windows Remote Management" (WinRM) and "Windows Remote Shell" (WinRS). It is possible to do all the above remotely using WinRS!

Cheers,
Jorge
———————————————————————————————
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always evaluate/test yourself before using/implementing this!
* DISCLAIMER:
https://jorgequestforknowledge.wordpress.com/disclaimer/

4 Responses to “(2008-03-20) Windows Server 2008 – Reanimating Objects And Restoring Additional Information”

  1. Hi Jorge,

    excellent as usual.
    One question: do you know WHY the Authoritative Restore doesn’t work when the service is stopped? I’m quite disappointed that it doesn’t…


  2. Jorge said

    I explained my disappointment about not being able to recover objects when the ADDS service is stopped. Someone I know within the MS Product Group explained it to me, but I do not recall the details. Sorry
    Jorge


  3. Darren said

    Similar tool by our company: NetWrix AD Restore Wizard: http://www.netwrix.com/active_directory_object_restore_wizard_freeware.html

    It may not be the best and “right” way to do AD object recovery since it’s not based on “native” snapshots, but it works on all versions of Windows Server (not only 2008). And also it’s much easier to use (no need to start a “parallel AD instance” and hence no overhead of VSS) and has built-in scheduling (so you don’t care about snapshots). Take a look, you may find it useful, and the tool is available as freeware (+ commercial version with more features).

    P.S. I work for NetWrix so please don’t treat this post as a “hidden advertisement” 🙂 You may just find our tool useful and nice to use.


  4. […] Server 2008 to reanimate and populate the attributes from a snapshot backup. That post can be found here. I thought it would be interesting to summarize the tools available that can help you recover […]

