Jorge's Quest For Knowledge!

All You Need To Know About Identity And Security On-Premises And In The Cloud. It's Just Like An Addiction, The More You Have, The More You Want To Have!

(2008-03-20) Windows Server 2008 – Reanimating Objects And Restoring Additional Information

Posted by Jorge on 2008-03-20


This post is an updated version of the following post and now contains RTM information: Windows Server Longhorn – Reanimating Objects And Restoring Additional Information

Reanimating Objects and Restoring Additional Information

Basically when restoring deleted objects you have two choices. You either authoritatively restore the object(s) using a DC that has not yet received the tombstone of the deleted object or by using the restore of the system state onto some DC. Another option is to reanimate the object. Both are also mentioned and described in MS-KBQ840001.

In my opinion, one major disappointment with Windows Server 2008 is that it is not possible to do an authoritative restore by stopping and starting the "Active Directory Domain Services" (ADDS). The first time I heard it is possible to stop and start ADDS I envisioned the following scenario when I had to recover one or more objects:

  • Stop ADDS –> NET STOP NTDS
  • Restore the System State –> WBADMIN START SYSTEMSTATERECOVERY
  • Authoritative restore the object(s) –> RESTORE OBJECT "<DN>" or RESTORE SUBTREE "<DN>" (RESTORE DATABASE does not exist anymore in W2K8. In W2K/W2K3 it does exist but it should never be used!)
  • Start ADDS –> NET START NTDS
  • Import LDF files if needed/required –> LDIFDE –i –f <LDF file>

The main issue with reanimating objects is that only the mandatory information or any attribute configured to be preserved is retained (enable bit 3 [2^3=8] on "searchFlags" property of attribute) when the object is deleted. Other information is removed and lost at the moment the object is deleted. So, when reanimating an object only the mandatory information and the information within attributes configured to be preserved will be available again after the reanimation. So, what are you going to do to retrieve the other information that was lost during the deletion?

Although third party solutions are available to help you provide that missing information, Windows Server 2008 is also going to help you with the answer to that question.

The short story is that within Windows Server 2008 you are able to create a snapshot from AD, mount that snapshot and start it as a parallel AD instance and use any utility that is able target that parallel AD instance through another pre-configured LDAP ports than the default LDAP ports à (LDAP: 389, LDAP-SSL: 636, GC: 3268, GC-SSL: 3269)

The long story is a somewhat longer one!😉

NTDSUTIL contains a new submenu called SNAPSHOT. Within that submenu new commands are available and one of those commands, ‘CREATE’, creates a snapshot of AD using "Volume Shadow Copy". When the snapshot is created, the logs are replayed and the database is defragmented (compared to offline defrag). Before using that command you need to activate the instance (ADDS or ADLDS) for which you want to create a snapshot. As soon as the snapshot has been created you need to mount it using the command ‘MOUNT <GUID>’ to make it available through the file system. By default the mounted snapshots will available through the C-drive. See picture below. After that you can see the available snapshots with ‘LIST ALL’ and all snapshots that are mounted with ‘LIST MOUNTED’. Unmounting a snapshot is done with ‘UNMOUNT <GUID>’. Deleting a snapshot is done with ‘DELETE <GUID>’ or all snapshots with ‘DELETE *’. As you can see great scripting capabilities!

image

image

As soon as the snapshot has been mounted you need to start the AD within that snapshot as a parallel AD instance. Because the default AD instance on the DC uses the standard LDAP/LDAP-SSL/GC/GC-SSL ports, it is mandatory to specify custom ports. You can specify all four ports if you want to, or just the LDAP port. The other ports will be derived from the LDAP port by adding +1, +2, +3. The rule is that the defined/used ports must be available to be used by the parallel AD instance. It is that simple!

The command to start the parallel AD instance is:

  • CMD –> DSAMAIN –DBPATH <path to NTDS.DIT file within mounted snapshot> -LDAPPORT <custom LDAP port that is free to use>
  • EXAMPLE: DSAMAIN -DBPATH C:\$SNAP_200803201137_VOLUMED$\AD\DB\ntds.dit -LDAPPORT 2389

The command prompt window should NOT be closed as that would stop the parallel AD instance!

Also see the picture below.

image

As soon as the parallel AD instance is up and running you can use any tool like LDP, ADSIEDIT, ADFIND, LDIFDE that is able to target the new AD instance through the custom configured ports and access information within that parallel AD instance. You can even target "Active Directory Users and Computers" and "Active Directory Sites and Services" against the parallel AD instance. There are two ways to do that. The first is through the command "DSA.MSC /SERVER=<DC>:<PORT>" or "DSA.MSC /SERVER=<DC>:<PORT>". The second is to just start the GUI and then retarget the GUI to another DC by specifying: "<DC>:<PORT>" Remember the information within the parallel AD instance is READ-ONLY! By default only Domain Admins are able to look inside the parallel AD instance. All others will be denied access into the parallel AD instance. If you need to allow a non-Domain Admin to access the information within the parallel AD instance you must specify the option called "-allowNonAdminAccess" option in the DSAMAIN command line. Access to the information in the parallel AD instance is still determined through the configured permissions. So, if you don’t have permissions to access some of the information, access will be denied!

As soon as you are ready using the parallel AD instance you can press CTRL+C in the open command prompt window to stop the parallel AD instance from running. Another way is to write the value 1 into the "stopService" operational attribute on the rootDSE of the DC at the specified port. An example of the command line is:

  • CMD –> ADMOD.EXE -h <DC>:<LDAPPORT> -b "" "stopService::1"
  • Example: ADMOD.EXE -h RFSRWDC1:2389 -b "" "stopService::1"

As soon as either one happens, you will not be able to target it through the earlier specified ports and those ports will be available again.

Again, great possibility for scripting!

This all works well if you want to target the parallel AD instance locally on the DC where it is loaded. But, let’s say you would want to target it remotely from your management workstation/server. By default that is not possible because the firewall on W2K8 servers/DCs is by default enabled and there is not firewall exception for it. For that to be possible you need to create a firewall exception for the parallel AD instance. You can do that through the GUI using FIREWALL.CPL or you can also do that through NETSH like:

  • CMD to create firewall exception à NETSH FIREWALL SET PORTOPENING ALL <LDAPPORT> "DSAMAIN-<LDAPPORT>" ENABLE ALL
  • Example: NETSH FIREWALL SET PORTOPENING ALL 2389 "DSAMAIN-2389" ENABLE ALL
  • CMD to remove the firewall exception à NETSH FIREWALL DELETE PORTOPENING ALL <LDAPPORT>
  • Example: NETSH FIREWALL DELETE PORTOPENING ALL 2389

The main use of this feature is to give you the possibility to retrieve the information that was lost when the object was deleted and apply it again after the object has been reanimated using whatever tool. One of the other uses to just be able to compare information between the default AD instance and the parallel AD instance for whatever reason needed. This feature does not replace the required backups that are needed for disaster recovery of a DC, a domain or even a forest! Be aware of that.

Unfortunately there is not tooling available by default that would allow you to retrieve the information in the parallel AD instance and apply it to the reanimated objects. The only way is to create something for yourself with LDIFDE and VBS scripting or buy a third party tool. However since the beginning of march 2008 a friend of mine created a tool that leverages this backup/restore feature. I have tested this tool for numerous times and it works quite well! The best of it all is that the tool is free!!! You can get the tool here.

One of the scenarios that people might try is creating a snapshot, getting the NTDS.DIT out to some place and deleting the snapshot. If that is the case, you can save yourself some time by creating an IFM set on an RWDC for an RWDC. The DSAMAIN tool can load any NTDS.DIT. But, the use of the snapshot/IFM set/NTDS.DIT must be treated as the use of any backup of a DC or the DC itself. Again, only very trusted people should be able to access the NTDS.DIT (not talking about accessing its contents remotely)

And if you want to go all crazy with the scripting capabilities within Windows Vista and Windows Server 2008, I suggest you read more about using "Windows Remote Management" (WinRM) and "Windows Remote Shell" (WinRS). It is possible to do all the above remotely using WinRS!

Cheers,
Jorge
———————————————————————————————
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always evaluate/test yourself before using/implementing this!
* DISCLAIMER:
https://jorgequestforknowledge.wordpress.com/disclaimer/
———————————————————————————————
############### Jorge’s Quest For Knowledge #############
#########
http://JorgeQuestForKnowledge.wordpress.com/ ########
———————————————————————————————

4 Responses to “(2008-03-20) Windows Server 2008 – Reanimating Objects And Restoring Additional Information”

  1. Hi Jorge,

    excellent as usual.
    One question: do you know WHY the Authoritative Restore doesn’t work when the service is stopped? I’m quite disappoointed that it doesn’t…

  2. Jorge said

    I explained my disappointment about not being able to recovery objects when the ADDS service is stopped. Someone I know within the MS Productgroup explained it to me, but I not recall the details. Sorry
    Jorge

  3. Darren said

    Similar tool by our company: NetWrix AD Restore Wizard: http://www.netwrix.com/active_directory_object_restore_wizard_freeware.html

    It may not be the best and “right” way to do AD object recovery since it’s not based on “native” snapshots, but it works on all versions on Windows Server (not only 2008). And also it’s much easier to use (no need to start “parallel AD instance” and hence no overhead of VSS) and has built-in scheduling (so you don’t care about snapshots. Take a look, you may find it useful and the tool is available as freeware (+ commercial version with more features).

    P.S. I work for NetWrix so please don’t treat this post as a “hidden advertisement”🙂 You may just find our tool useful and nice to use.

  4. […] Server 2008 to reanimate and populate the attributes from a snapshot backup. That post can be found here. I thought it would be interesting to summarize the tools available that can help you recover […]

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

 
%d bloggers like this: