Archive for the ‘Object Deletion/Restore’ Category

(2014-08-02) Fixing AD/SYSVOL Replication And Reconnecting A Disconnected AD Domain (Part 7)

Posted by Jorge on 2014-08-02

PART 6 is here.

WARNING/DISCLAIMER: I provide this information on a FYI basis. Be very very very careful in actually doing these steps on your production systems as it may brake or destroy your AD domain or AD forest. You are fully responsible for any steps you use from this blog post. If you do not understand what you are doing, either hire someone who does, or call Microsoft for support!

According to the DFS Replication Event Log the Staging Area was inaccessible.

Figure 1: Event ID 4212 For The Missing Staging Area

–

Looking at the folder structure I was missing the folder "staging" and its subfolder "domain" and the "staging areas" with the junction point.

The complete folder structure for the SYSVOL is:

<Drive>:\<Folder>\<SYSVOL or SYSVOL_DFSR>
- domain
- staging
  - domain
- staging areas
  - <FQDN AD domain> = JUNCTION POINT to <Drive>:\<Folder>\<SYSVOL or SYSVOL_DFSR>\staging\domain (see: Create the SYSVOL Root and Staging Areas Junction Point)
- sysvol
  - <FQDN AD domain> = JUNCTION POINT to <Drive>:\<Folder>\<SYSVOL or SYSVOL_DFSR>\domain (see: Create the SYSVOL Root and Staging Areas Junction Point)

Stopping the DFSR service and then creating the yellow marked folders and junction points, and then restarting the DFSR service again solver all SYSVOL related problems! YES!

–

Executing DFSRDIAG DUMPADCFG on both RWDCs should show very similar output and the DFSR Service Event Log should show the following event ID:

Figure 2: Event ID 4604 For DFSR Service Having Initialized The SYSVOL And Having Performed Initial Replication

–

My test environment is running only W2K12R2 RWDCs. However, in the original scenario the ‘C1FSRWDC1.CHILD.ADCORP.LAB’ RWDC was running W2K8R2. Because of that, but also depending on what occurred with the RWDC (e.g. dirty shutdown) you might end up with the event 2213.

EVENT LOG: DFS Replication
SOURCE DFSR
EVENT ID: 2213
The DFS Replication service stopped replication on volume D:. This occurs when a DFSR JET database is not shut down cleanly and Auto Recovery is disabled. To resolve this issue, back up the files in the affected replicated folders, and then use the ResumeReplication WMI method to resume replication.
Additional Information:
Volume: D:
GUID: 74D84752-A63E-11E0-8F2A-00155D006D28
Recovery Steps
1. Back up the files in all replicated folders on the volume. Failure to do so may result in data loss due to unexpected conflict resolution during the recovery of the replicated folders.
2. To resume the replication for this volume, use the WMI method ResumeReplication of the DfsrVolumeConfig class. For example, from an elevated command prompt, type the following command:
wmic /namespace:\\root\microsoftdfs path dfsrVolumeConfig where volumeGuid="74D84752-A63E-11E0-8F2A-00155D006D28" call ResumeReplication

–

See:

–

I hope you enjoyed this ride. I did! Smile

–

Cheers,
Jorge
———————————————————————————————
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always evaluate/test yourself before using/implementing this!
* DISCLAIMER: https://jorgequestforknowledge.wordpress.com/disclaimer/
———————————————————————————————
############### Jorge’s Quest For Knowledge #############
######### http://JorgeQuestForKnowledge.wordpress.com/ ########
———————————————————————————————

Posted in Active Directory Domain Services (ADDS), KCC, Metadata Cleanup, Object Deletion/Restore, Promotion/Demotion, Replication, SYSVOL | 3 Comments »

(2014-08-01) Fixing AD/SYSVOL Replication And Reconnecting A Disconnected AD Domain (Part 6)

Posted by Jorge on 2014-08-01

PART 5 is here.

So I decided to undelete ‘CN=DFSR-LocalSettings’.

Figure 1: Undeleting The ‘DFS-R-LocalSettings’ Object Of ‘C1FSRWDC1.CHILD.ADCORP.LAB’ On ‘C1FSRWDC1.CHILD.ADCORP.LAB’

–

It is not possible to undelete ‘CN=Domain System Volume’ and ‘CN=SYSVOL Subscription’ using LDP as one of the required, but missing, attributes has binary values (‘msDFSR-ReplicationGroupGuid’ on ‘CN=Domain System Volume’, ‘msDFSR-ContentSetGuid’ and ‘msDFSR-ReplicationGroupGuid’ on ‘CN=SYSVOL Subscription’). It is not as easy as copying and pasting values into LDP. Does it stop here? No it does not! This is where PowerShell comes into the rescue! With PowerShell it is possible to use an existing object as a template to update or create another object.

First things first, let’s update the object ‘CN=DFSR-LocalSettings’ of ‘C1FSRWDC1.CHILD.ADCORP.LAB’ using ‘C1FSRWDC2.CHILD.ADCORP.LAB’ as the template.

Import-Module ActiveDirectory
$templateDomainSystemVolume = Get-ADObject "CN=Domain System Volume,CN=DFSR-LocalSettings,CN=C1FSRWDC2,OU=Domain Controllers,DC=CHILD,DC=ADCORP,DC=LAB" `
    -Properties "msDFSR-ReplicationGroupGuid","showInAdvancedViewOnly"
$templateDomainSystemVolume
New-ADObject -Instance $templateDomainSystemVolume -name "Domain System Volume" `
    -type "msDFSR-Subscriber" `
    -path "CN=DFSR-LocalSettings,CN=C1FSRWDC1,OU=Domain Controllers,DC=CHILD,DC=ADCORP,DC=LAB" `
    -OtherAttributes @{'msDFSR-MemberReference'="CN=C1FSRWDC1,CN=Topology,CN=Domain System Volume,CN=DFSR-GlobalSettings,CN=System,DC=CHILD,DC=ADCORP,DC=LAB"}

–

Figure 2: Updating The ‘DFS-R-LocalSettings’ Object Of ‘C1FSRWDC1.CHILD.ADCORP.LAB’ Using ‘C1FSRWDC2.CHILD.ADCORP.LAB’ as the template

–

Now, let’s recreate the object ‘CN=Domain System Volume’ of ‘C1FSRWDC1.CHILD.ADCORP.LAB’ using ‘C1FSRWDC2.CHILD.ADCORP.LAB’ as the template.

Import-Module ActiveDirectory
$templateSYSVOLSubscription = Get-ADObject "CN=SYSVOL Subscription,CN=Domain System Volume,CN=DFSR-LocalSettings,CN=C1FSRWDC2,OU=Domain Controllers,DC=CHILD,DC=ADCORP,DC=LAB" `
    -Properties "msDFSR-ContentSetGuid","msDFSR-ReplicationGroupGuid","msDFSR-Enabled","msDFSR-ReadOnly","msDFSR-ReplicationGroupGuid","msDFSR-RootPath","msDFSR-StagingPath","showInAdvancedViewOnly"
$templateSYSVOLSubscription
New-ADObject -Instance $templateSYSVOLSubscription "SYSVOL Subscription" `
    -type "msDFSR-Subscription" `
    -path "CN=Domain System Volume,CN=DFSR-LocalSettings,CN=C1FSRWDC1,OU=Domain Controllers,DC=CHILD,DC=ADCORP,DC=LAB"

–

Figure 3: Recreating The ‘CN=Domain System Volume’ Object Of ‘C1FSRWDC1.CHILD.ADCORP.LAB’ using ‘C1FSRWDC2.CHILD.ADCORP.LAB’ as the template

–

Now, let’s recreate the object ‘CN=SYSVOL Subscription’ of ‘C1FSRWDC1.CHILD.ADCORP.LAB’ using ‘C1FSRWDC2.CHILD.ADCORP.LAB’ as the template

Import-Module ActiveDirectory
$templateSYSVOLSubscription = Get-ADObject "CN=SYSVOL Subscription,CN=Domain System Volume,CN=DFSR-LocalSettings,CN=C1FSRWDC2,OU=Domain Controllers,DC=CHILD,DC=ADCORP,DC=LAB" `
    -Properties "msDFSR-ContentSetGuid","msDFSR-ReplicationGroupGuid","msDFSR-Enabled","msDFSR-ReadOnly","msDFSR-ReplicationGroupGuid","msDFSR-RootPath","msDFSR-StagingPath","showInAdvancedViewOnly"
$templateSYSVOLSubscription
New-ADObject -Instance $templateSYSVOLSubscription "SYSVOL Subscription" `
    -type "msDFSR-Subscription" `
    -path "CN=Domain System Volume,CN=DFSR-LocalSettings,CN=C1FSRWDC1,OU=Domain Controllers,DC=CHILD,DC=ADCORP,DC=LAB"

–

REMARK: either RWDC may have been migrated from NTFRS to DFSR whereas the SYSVOL is not named SYSVOL, but rather SYSVOL_DFSR. When using the DC object "CN=SYSVOL Subscription" CHECK if the applied paths are correct!

–

Figure 4: Recreating The ‘CN=SYSVOL Subscription’ Object Of ‘C1FSRWDC1.CHILD.ADCORP.LAB’ using ‘C1FSRWDC2.CHILD.ADCORP.LAB’ as the template

–

Now also restart the DFSR service on both ‘C1FSRWDC1.CHILD.ADCORP.LAB’ and ‘C1FSRWDC2.CHILD.ADCORP.LAB’. It should start inbound replicating the SYSVOL contents immediately! In my case it didn’t! Damn!

–

PART 7 continues here.

–

Cheers,

Jorge

———————————————————————————————

* This posting is provided "AS IS" with no warranties and confers no rights!

* Always evaluate/test yourself before using/implementing this!

* DISCLAIMER: https://jorgequestforknowledge.wordpress.com/disclaimer/

———————————————————————————————

############### Jorge’s Quest For Knowledge #############

######### http://JorgeQuestForKnowledge.wordpress.com/ ########

———————————————————————————————

Posted in Active Directory Domain Services (ADDS), KCC, Metadata Cleanup, Object Deletion/Restore, Promotion/Demotion, Replication, SYSVOL | 14 Comments »

(2014-07-31) Fixing AD/SYSVOL Replication And Reconnecting A Disconnected AD Domain (Part 5)

Posted by Jorge on 2014-07-31

PART 4 is here.

After promoting the second RWDC for the child AD domain ‘CHILD.ADCORP.LAB’ I noticed, it was taking some time to have the SYSVOL replicated to that new RWDC. While the SYSVOL is not replicated, the RWDC will not advertise itself. And if it does not advertise itself, it is basically useless! Let start by checking the event viewer on both RWDCs, the source and the destination RWDC.

On the destination RWDC ‘C1FSRWDC2.CHILD.ADCORP.LAB’ (the one receiving) you may see the following event IDs:

Figure 1: Event ID 4614 For DFSR Service Initializing The SYSVOL And Waiting For Initial Replication

–

The DFS Replication service initialized SYSVOL at local path D:\AD\SYSVOL\domain and is waiting to perform initial replication. The replicated folder will remain in the initial synchronization state until it has replicated with its partner C1FSRWDC1.CHILD.ADCORP.LAB. If the server was in the process of being promoted to a domain controller, the domain controller will not advertize and function as a domain controller until this issue is resolved. This can occur if the specified partner is also in the initial synchronization state, or if sharing violations are encountered on this server or the synchronization partner. If this event occurred during the migration of SYSVOL from File Replication service (FRS) to DFS Replication, changes will not replicate out until this issue is resolved. This can cause the SYSVOL folder on this server to become out of sync with other domain controllers.

Additional Information:
Replicated Folder Name: SYSVOL Share
Replicated Folder ID: E59797D1-0652-4D1F-8ACF-4AB0D2DA8632
Replication Group Name: Domain System Volume
Replication Group ID: 1CED6656-CE5C-43B6-9F18-288417F99AF5
Member ID: 79EAC8E2-CD53-4136-843E-AB4CDEB2A0C5
Read-Only: 0

Figure 2: Event ID 5012 For DFSR Service On ‘C1FSRWDC2.CHILD.ADCORP.LAB’ Not Being Able To Communicate With ‘C1FSRWDC1.CHILD.ADCORP.LAB’

–

The DFS Replication service failed to communicate with partner C1FSRWDC1 for replication group Domain System Volume. The partner did not recognize the connection or the replication group configuration.

Partner DNS Address: C1FSRWDC1.CHILD.ADCORP.LAB

Optional data if available:
Partner WINS Address: C1FSRWDC1
Partner IP Address: 10.1.1.11

The service will retry the connection periodically.

Additional Information:
Error: 9026 (The connection is invalid)
Connection ID: AF63F561-E219-4792-8473-754A85D9ECF9
Replication Group ID: 1CED6656-CE5C-43B6-9F18-288417F99AF5

Figure 3: Event ID 4612 For DFSR Service Initializing The SYSVOL And Waiting For Initial Replication

–

The DFS Replication service initialized SYSVOL at local path D:\AD\SYSVOL\domain and is waiting to perform initial replication. The replicated folder will remain in the initial synchronization state until it has replicated with its partner C1FSRWDC1.CHILD.ADCORP.LAB. If the server was in the process of being promoted to a domain controller, the domain controller will not advertise and function as a domain controller until this issue is resolved. This can occur if the specified partner is also in the initial synchronization state, or if sharing violations are encountered on this server or the sync partner. If this event occurred during the migration of SYSVOL from File Replication service (FRS) to DFS Replication, changes will not replicate out until this issue is resolved. This can cause the SYSVOL folder on this server to become out of sync with other domain controllers.

Additional Information:
Replicated Folder Name: SYSVOL Share
Replicated Folder ID: E59797D1-0652-4D1F-8ACF-4AB0D2DA8632
Replication Group Name: Domain System Volume
Replication Group ID: AF63F561-E219-4792-8473-754A85D9ECF9
Member ID: 79EAC8E2-CD53-4136-843E-AB4CDEB2A0C5
Read-Only: 0

Figure 4: Event ID 5002 For DFSR Service On ‘C1FSRWDC2.CHILD.ADCORP.LAB’ Not Being Able To Communicate With ‘C1FSRWDC1.CHILD.ADCORP.LAB’

–

On the source RWDC ‘C1FSRWDC1.CHILD.ADCORP.LAB’ (the one sending) you will not see any event ID, and it appears as if everything is OK, but it is not! Let’s have a look at how each server sees its own configuration and execute DFSRDIAG DUMPADCFG on each RWDC.

Figure 5: The AD Configuration For ‘C1FSRWDC1.CHILD.ADCORP.LAB’

–

Figure 6: The AD Configuration For ‘C1FSRWDC2.CHILD.ADCORP.LAB’

–

Wow, that a difference! Something is wrong definitely wrong here. Using ADSIEDIT it can be seen that ‘C1FSRWDC1.CHILD.ADCORP.LAB’ is missing the objects ‘CN=DFSR-LocalSettings’, ‘CN=Domain System Volume’ and ‘CN=SYSVOL Subscription’. Somehow these got deleted as these were available as deleted objects.

–

PART 6 continues here.

–

Posted in Active Directory Domain Services (ADDS), KCC, Metadata Cleanup, Object Deletion/Restore, Promotion/Demotion, Replication, SYSVOL | 2 Comments »

(2014-07-30) Fixing AD/SYSVOL Replication And Reconnecting A Disconnected AD Domain (Part 4)

Posted by Jorge on 2014-07-30

PART 3 is here.

Now on ‘C1FSRWDC1.CHILD.ADCORP.LAB’ (figure 1a) or on ‘R1FSRWDC1.ADCORP.LAB’ (figure 1b) use Active Directory Sites And Services to force the replication of the configuration partition from ‘C1FSRWDC1.CHILD.ADCORP.LAB’ to ‘R1FSRWDC1.ADCORP.LAB’ (the RWDC where the undeletions occurred). Make sure to do this with enterprise admin credentials, otherwise you get an access denied.

Figure 1a: Forcing Replication Of Configuration Partition From ‘C1FSRWDC1.CHILD.ADCORP.LAB’ To ‘R1FSRWDC1.ADCORP.LAB’ On ‘C1FSRWDC1.CHILD.ADCORP.LAB’

–

Figure 1b: Forcing Replication Of Configuration Partition From ‘C1FSRWDC1.CHILD.ADCORP.LAB’ To ‘R1FSRWDC1.ADCORP.LAB’ On ‘R1FSRWDC1.ADCORP.LAB’

–

Only when getting the following error….

Figure 2: Mutual Authentication Error When Replicating

–

…mutual authentication needs to be disabled on the receiving RWDC ‘R1FSRWDC1.ADCORP.LAB’. To do that implement the following registry setting and then restart the Active Directory Domain Services (NTDS) service:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters
Replicator Allow SPN Fallback = 1 (DWORD)

The following command can be used:

REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters" /v "Replicator Allow SPN Fallback" /t REG_DWORD /d 1
NET STOP NTDS
NET START NTDS

–

Now try to execute the step as mentioned in either figure 1a or figure 1b to force the replication of the configuration partition. To make sure everything is updated correctly, while using Active Directory Sites And Services force the replication of the AD domain partitions (forest root AD domain and child) between the RWDCs. Then force the replication of the configuration partition once again.

Now remember that if the options as shown in figure 1a or figure 1b are not available, it is still possible to use REPADMIN instead! Also see Repadmin for Experts.

# On R1FSRWDC1.ADCORP.LAB (forest root AD domain RWDC) turn OFF the KCC adding/removing replication
# links (repsFrom) based on available connection objects
REPADMIN /OPTIONS R1FSRWDC1.ADCORP.LAB +DISABLE_NTDSCONN_XLATE

# Create a replication link (repsFrom) for the configuration NC from C1FSRWDC1.CHILD.ADCORP.LAB to R1FSRWDC1.ADCORP.LAB
# and initiate a replication request
REPADMIN /ADD "CN=Configuration,DC=ADCORP,DC=LAB" R1FSRWDC1.ADCORP.LAB C1FSRWDC1.CHILD.ADCORP.LAB

# Create a replication link (repsFrom) for the child AD domain NC from C1FSRWDC1.CHILD.ADCORP.LAB to R1FSRWDC1.ADCORP.LAB
# and initiate a replication request. This does assume the receiving RWDC is also a GC
REPADMIN /ADD "DC=CHILD,DC=ADCORP,DC=LAB" R1FSRWDC1.ADCORP.LAB C1FSRWDC1.CHILD.ADCORP.LAB /READONLY

# Force the replication of the configuration NC between C1FSRWDC1.CHILD.ADCORP.LAB to R1FSRWDC1.ADCORP.LAB
REPADMIN /REPLICATE R1FSRWDC1.ADCORP.LAB C1FSRWDC1.CHILD.ADCORP.LAB "CN=Configuration,DC=ADCORP,DC=LAB" /FORCE /FULL

# Force the replication of the child AD domain NC between C1FSRWDC1.CHILD.ADCORP.LAB to R1FSRWDC1.ADCORP.LAB
REPADMIN /REPLICATE R1FSRWDC1.ADCORP.LAB C1FSRWDC1.CHILD.ADCORP.LAB "DC=CHILD,DC=ADCORP,DC=LAB" /FORCE /FULL

# Force the replication of the configuration NC between C1FSRWDC1.CHILD.ADCORP.LAB to R1FSRWDC1.ADCORP.LAB
REPADMIN /REPLICATE R1FSRWDC1.ADCORP.LAB C1FSRWDC1.CHILD.ADCORP.LAB "CN=Configuration,DC=ADCORP,DC=LAB" /FORCE /FULL

# Displays the status of inbound AD replication for all hosted NCs
REPADMIN /SHOWREPL

# On R1FSRWDC1.ADCORP.LAB (forest root AD domain RWDC) turn ON the KCC adding/removing replication
# links (repsFrom) based on available connection objects
REPADMIN /OPTIONS R1FSRWDC1.ADCORP.LAB -DISABLE_NTDSCONN_XLATE

–

Figure 3: Establishing Replication Links And Forcing AD Replication For Specific NCs

–

Figure 4: Checking The Inbound AD Replication Status

–

Mutual authentication needs to be again on the receiving RWDC ‘R1FSRWDC1.ADCORP.LAB’. To do that remove the following registry setting and then restart the Active Directory Domain Services (NTDS) service:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters
Replicator Allow SPN Fallback = 1 (DWORD)

The following command can be used:

REG DELETE "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters" /v "Replicator Allow SPN Fallback"
NET STOP NTDS
NET START NTDS

–

Now ALL RWDCs in the AD forest have the exact same view of which RWDC is hosting which AD domain NC and application NC! Yiihhhaaa! Smile

–

PART 5 continues here.

–

Cheers,

Jorge

* DISCLAIMER: https://jorgequestforknowledge.wordpress.com/disclaimer/

———————————————————————————————

############### Jorge’s Quest For Knowledge #############

######### http://JorgeQuestForKnowledge.wordpress.com/ ########

———————————————————————————————

Posted in Active Directory Domain Services (ADDS), KCC, Metadata Cleanup, Object Deletion/Restore, Promotion/Demotion, Replication, SYSVOL | 2 Comments »

(2014-07-29) Fixing AD/SYSVOL Replication And Reconnecting A Disconnected AD Domain (Part 3)

Posted by Jorge on 2014-07-29

PART 2 is here.

To make the rest of the AD forest aware about ‘C1FSRWDC1.CHILD.ADCORP.LAB’ I chose one of the RWDCs in the forest root AD domain and undeleted the Server object and the NTDS Settings object that belonged to ‘C1FSRWDC1.CHILD.ADCORP.LAB’. Be aware though that both objects are deleted objects, but they cannot be found in the deleted objects container in the configuration partition. You will be able to find those objects in their original location. The reason for that is that both objects are configured with the systemFlag ‘DISALLOW_MOVE_ON_DELETE’. To be able to see the deleted objects and undelete them you need to enable the ‘SHOW_DELETED’ LDAP control. In this case the Recycle Bin is not enabled, therefore not every attribute can be restore. However, the previous authoritative restore will take care of that!

REMARK: If you see multiple deleted Server Objects and multiple deleted NTDS Settings Objects for the RWDC you want to undelete objects, how do you know which one to undelete? Correct, get the objectGUID for the Server object and NTDS Settings object on the RWDC ‘C1FSRWDC1.CHILD.ADCORP.LAB’, and then on the other RWDC undelete the corresponding Server object and NTDS Settings object with the same objectGUID. DO NOT just undelete any object as you might end up with multiple live objects, and then you have other issues to resolve!

First undelete the Server object through LDP.

Figure 1: Undeleting The Server Object Of ‘C1FSRWDC1.CHILD.ADCORP.LAB’ On Another RWDC

–

Then undelete the NTDS Settings object through LDP.

Figure 2: Undeleting The NTDS Settings Object Of ‘C1FSRWDC1.CHILD.ADCORP.LAB’ On Another RWDC

–

PART 4 continues here.

–

Posted in Active Directory Domain Services (ADDS), KCC, Metadata Cleanup, Object Deletion/Restore, Promotion/Demotion, Replication, SYSVOL | 3 Comments »

(2014-07-28) Fixing AD/SYSVOL Replication And Reconnecting A Disconnected AD Domain (Part 2)

Posted by Jorge on 2014-07-28

PART 1 is here.

All the objects related to the RWDC ‘C1FSRWDC1.CHILD.ADCORP.LAB’ in any way are still available on ‘C1FSRWDC1.CHILD.ADCORP.LAB’ itself, but are either deleted or not up-to-date on the rest of the RWDCs in the AD forest (think about configuration partition and the read-only child AD domain partition on GCs). To make sure those objects are either updated or undeleted, I have to increase the version of all those objects on ‘C1FSRWDC1.CHILD.ADCORP.LAB’ as it is authoritative for those objects.

The list of objects is:

Server Object: CN=C1FSRWDC1,CN=Servers,CN=DTCNTR01,CN=Sites,CN=Configuration,DC=ADCORP,DC=LAB
NTDS Settings Object: CN=NTDS Settings,CN=C1FSRWDC1,CN=Servers,CN=DTCNTR01,CN=Sites,CN=Configuration,DC=ADCORP,DC=LAB
All connection objects
RWDC computer account: CN=C1FSRWDC1,OU=Domain Controllers,DC=CHILD,DC=ADCORP,DC=LAB
RWDC Rid Set Object: CN=RID Set,CN=C1FSRWDC1,OU=Domain Controllers,DC=CHILD,DC=ADCORP,DC=LAB
DFSR Settings Object: CN=DFSR-LocalSettings,CN=C1FSRWDC1,OU=Domain Controllers,DC=CHILD,DC=ADCORP,DC=LAB
SYSVOL Subscriber Object: CN=Domain System Volume,CN=DFSR-LocalSettings,CN=C1FSRWDC1,OU=Domain Controllers,DC=CHILD,DC=ADCORP,DC=LAB
SYSVOL Subscription Object: CN=SYSVOL Subscription,CN=Domain System Volume,CN=DFSR-LocalSettings,CN=C1FSRWDC1,OU=Domain Controllers,DC=CHILD,DC=ADCORP,DC=LAB
DFSR Membership Object: CN=C1FSRWDC1,CN=Topology,CN=Domain System Volume,CN=DFSR-GlobalSettings,CN=System,DC=CHILD,DC=ADCORP,DC=LAB

REMARK: If you are not DFS-R yet for SYSVOL replication, then you need to think about ALL NTFRS objects for that RWDC!

–

When thinking about authoritative restore of the objects above, you can think about increasing the version of every single object individually, or can increase the version of a complete subtree. I preferred to increase the version of the complete subtree as that was less work and achieved the same end result. So I will be only restoring the yellow marked objects as all child objects will have their version increased automatically.

Remember, in this scenario I do not need to restore anything, I just want to increase the version of the objects so during AD replication their version wins and updates or restores the same objects on the other RWDCs. To do this you need to either restart ‘C1FSRWDC1.CHILD.ADCORP.LAB’ in DSRM or just stop the AD service (preferred!) on it. It is not needed to increase the version with the default of 100000. In this case I just increase the version with 25. For all the steps see below.

Figure 1: Stopping The Active Directory Domain Services (NTDS) Service And All Depended Services

–

Figure 2: Authoritatively Restoring (Increasing The Version Of) The DFSR Membership Object And Any Leaf Objects

–

Figure 3: Authoritatively Restoring (Increasing The Version Of) The RWDC computer account And Any Leaf Objects

–

Figure 4: Authoritatively Restoring (Increasing The Version Of) The Server Object And Any Leaf Objects

–

In figure 2, 3 and 4 you see NTDSUTIL created both TXT and LDF files. You can find those files in the folder where NTDSUTIL was started. The TXT files just tell you for which objects the authoritative restore was done and the LDF files have the objects with the forward links that correspond with any backlink on the authoritative restored objects. When performing authoritative restores, restoring links between objects and make sure AD replication resolves any inconsistencies it is very important to import all the LDF files against a RWDC for the partition the LDF contains objects for. In this case all LDF files can be imported against ‘C1FSRWDC1.CHILD.ADCORP.LAB’. Of course not to forget, before importing the LDF files, start the AD service again! Wait a minute or so to make sure all other dependent services have started too. Oh, and do not worry about any errors regarding object class violations. The import of the LDF files first deletes the values and then repopulates the value. When trying to delete a value of a mandatory attribute, you get this error.

Figure 5: Starting The Active Directory Domain Services (NTDS) Service And Importing All LDF Files

–

PART 3 continues here.

–

Posted in Active Directory Domain Services (ADDS), KCC, Metadata Cleanup, Object Deletion/Restore, Promotion/Demotion, Replication, SYSVOL | 2 Comments »

(2014-07-27) Fixing AD/SYSVOL Replication And Reconnecting A Disconnected AD Domain (Part 1)

Posted by Jorge on 2014-07-27

–

This is a true story about a test environment from a, not to be named (to protect the innocent!), friend of mine. The AD forest was a multiple AD domain environment and each AD domain consisted of multiple RWDCs, no RODCs. To mimic the scenario, I going to to use my own test environment as it is representative enough to replay all the broken stuff that I found and eventually also fixed.

–

My test environment:

forest root AD domain: ADCORP.LAB
- RWDC: R1FSRWDC1.ADCORP.LAB (GC and all 5 FSMOs)
- RWDC: R1FSRWDC2.ADCORP.LAB (GC)
child AD domain: CHILD.ADCORP.LAB
- RWDC: C1FSRWDC1.CHILD.ADCORP.LAB (GC and all 3 FSMOs)
- RWDC: C1FSRWDC2.CHILD.ADCORP.LAB (GC)

–

The scenario:

forest root AD domain: ADCORP.LAB
- RWDC: R1FSRWDC1.ADCORP.LAB –> everything working, no issues
- RWDC: R1FSRWDC2.ADCORP.LAB –> everything working, no issues
child AD domain: CHILD.ADCORP.LAB
- RWDC: C1FSRWDC1.CHILD.ADCORP.LAB –> with broken AD replication with ‘C1FSRWDC2.CHILD.ADCORP.LAB’, but not the forest root AD RWDCs, its metadata was cleaned on ‘C1FSRWDC2.CHILD.ADCORP.LAB’ and that cleanup replicated to all other RWDCs in the AD forest. This RWDC had a complete SYSVOL content
- RWDC: C1FSRWDC2.CHILD.ADCORP.LAB –> with broken AD replication with ‘C1FSRWDC1.CHILD.ADCORP.LAB’, but not the forest root AD RWDCs, the metadata of ‘C1FSRWDC1.CHILD.ADCORP.LAB’ was cleaned on ‘C1FSRWDC2.CHILD.ADCORP.LAB’ and that cleanup replicated to all other RWDCs in the AD forest’. Although the promotion succeeded in the past, this RWDC did not receive any content at all. Because of that it was not advertising as a DC and was therefore useless.

–

‘C1FSRWDC2.CHILD.ADCORP.LAB’ was having all kinds of issues and fixing it was quite painful. Therefore I decided to do a FORCED DEMOTION of ‘C1FSRWDC2.CHILD.ADCORP.LAB’. A forced demotion can be done through server manager or PowerShell. Through server manager just try to remove the "Active Directory Domain Services" role and at some point you will the option you need to demote the RWDC first. Through PowerShell you can execute the following commands:

Import-Module ADDSDeployment
Uninstall-ADDSDomainController -ForceRemoval:$true -Force:$true

–

Because ‘C1FSRWDC2.CHILD.ADCORP.LAB’ was force demoted, I cleaned up its metadata on ‘C1FSRWDC1.CHILD.ADCORP.LAB’. Because ‘C1FSRWDC1.CHILD.ADCORP.LAB’, the only RWDC for ‘CHILD.ADCORP.LAB’, was disconnected from the rest of the AD forest, I also had to delete the NTDS Settings object and Server object that belonged to ‘C1FSRWDC2.CHILD.ADCORP.LAB’. After removal of the metadata, I tried to repromote it to RWDC while using ‘C1FSRWDC1.CHILD.ADCORP.LAB’ as the source RWDC. The promotion can be done through server manager or PowerShell. Through server manager just click on the notification flag and choose to promote the server to a DC. Through PowerShell you can execute the following commands (MAKE SURE TO REPLACE ALL RED VALUES WITH YOUR OWN!):

Import-Module ADDSDeployment
Install-ADDSDomainController `
-AllowDomainControllerReinstall:$true `
-NoGlobalCatalog:$false `
-CreateDnsDelegation:$true `
-Credential (Get-Credential) `
-CriticalReplicationOnly:$false `
-DatabasePath "D:\AD\DB" `
-DomainName "CHILD.ADCORP.LAB" `
-InstallDns:$true `
-LogPath "D:\AD\LOG" `
-NoRebootOnCompletion:$false `
-ReplicationSourceDC "C1FSRWDC1.CHILD.ADCORP.LAB" `
-SiteName "DTCNTR01" `
-SysvolPath "D:\AD\SYSVOL" `
-Force:$true

–

At some point, the promotion of the RWDC ‘C1FSRWDC2.CHILD.ADCORP.LAB’ halted while it was trying to create the NTDS Settings object for the DC. I decided to have a look at the ‘C:\Windows\Debug\DCPROMO.LOG’ file and that’s when I noticed it was complaining about not being able to able to find a DC for the AD domain. I thought it was weird, and did not fully understood why it was saying that. The only thing I can think of is maybe incorrect DNS (delegation) information. In my test environment the promotion succeeded. In the real scenario I decided to stop the promotion and leave that DC alone for a while and focus on reconnecting the orphaned RWDC ‘C1FSRWDC1.CHILD.ADCORP.LAB’ back to the rest of the AD forest.

This is how the AD forest looked like on a forest root AD domain RWDC

Figure 1: The View Of The AD Forest On The Forest Root AD Domain RWDC

–

This is how the AD forest looked like on the (orphaned) child AD domain RWDC

Figure 2: The View Of The AD Forest On The Child AD Domain RWDC

–

‘C1FSRWDC1.CHILD.ADCORP.LAB’ knew about the rest of the AD forest, but the rest of the AD forest did not know about ‘C1FSRWDC1.CHILD.ADCORP.LAB’ anymore. To make sure AD replication started working again between the rest of the AD forest and ‘C1FSRWDC1.CHILD.ADCORP.LAB’ (and vice versa) I needed to make the AD forest aware of ‘C1FSRWDC1.CHILD.ADCORP.LAB’ again and I wanted to make sure the authoritative information from ‘C1FSRWDC1.CHILD.ADCORP.LAB’ on ‘C1FSRWDC1.CHILD.ADCORP.LAB’ itself was not lost. The rest of the AD forest still knew about the child AD domain (and the application NCs) as the cross-reference objects were still there.

Figure 3: The Cross-Reference Objects Of The Child AD Domain And The Application Partitions (NCs) On The Forest Root AD Domain RWDC

–

PART 2 continues here.

–

Cheers,

Jorge

* DISCLAIMER: https://jorgequestforknowledge.wordpress.com/disclaimer/

———————————————————————————————

############### Jorge’s Quest For Knowledge #############

######### http://JorgeQuestForKnowledge.wordpress.com/ ########

———————————————————————————————

Posted in Active Directory Domain Services (ADDS), KCC, Metadata Cleanup, Object Deletion/Restore, Promotion/Demotion, Replication, SYSVOL | 1 Comment »

(2012-10-22) Presenting At The Experts Conference (TEC) In Barcelona (Spain)

Posted by Jorge on 2012-10-22

As we speak, I’m preparing my presentation and demo’s for tomorrow (Tuesday, October 23rd 2012) about all object recovery methods in all Windows Server versions released until now. It will cover common information related to object recovery and then I will dive in into the technical specific for each method available. This presentation will consist of two sessions of each 75 minutes and I will also show 4 demo’s, one for each method of recovering objects.

Figure 1: Opening Slide Of Session

–

Location: Barcelona, Spain – Hotel Rey Juan Carlos I
Meeting Room: “J”
Time: 10:15 – 11:30 (part 1) & 11:30 – 12:45 (part 2)
Session Title: “The Evolution Of Object Recovery In AD – The Road To Perfection – A Technical Deep Dive (Part 1 and Part 2)”
Level: 400
Abstract: Since the beginning, when Active Directory was first released with Windows 2000 Server, the methods and means for object recovery in AD have evolved and improved each time a new version of Windows was released. In time, the technology made it more easy to recover objects and prevent the loss of data after recovery. We will start this session with an introduction to object recovery related topics, followed by an explanation of all object recovery methods in all versions of AD after an accidental (mass) deletion, including what’s new in Windows Server 2008 R2 and in Windows Server "8". The session will finish with recommendations around object recovery. This session consists of two parts (2x 75 min.) and will include multiple demos!
Bios (Dutch): Jorge de Almeida Pinto is Principal Consultant Infrastructure Services binnen Valid (http://www.valid.nl/). Binnen zijn functie heeft hij een sterke focus op Microsoft Identity and Access Management (IAM) technologieën. Aangezien zijn professionele passie in deze technologieën gevonden kan worden, heeft hij zich ook gespecialiseerd in Microsoft producten zoals Active Directory Domain Services (ADDS), Active Directory Lightweight Directory Services (ADLDS), Identity Lifecycle Manager (ILM), Forefront Identity Manager (FIM) en Active Directory Federation Services (ADFS) in contexten zoals analyse, ontwerpen, implementaties, migraties, troubleshooting en recovery.
Jorge is Microsoft gecertificeerd (MCP, MCSE, MCITP, MCT) en is sinds januari 2006 MVP op het “Identity & Access – Directory Services” vlak.
Een andere passie van Jorge is het spreken op conferenties en het schrijven van artikelen. Hij is sinds 2006 een frequente spreker op de “The Experts Conference (TEC)” van Quest en andere (Microsoft) conferenties en seminars en sinds 2005 schrijft hij artikelen in het technische blad "NetOpus/NetworkPro".
Om voorop te blijven, participeert Jorge in beta programma’s van nieuwe Microsoft IAM gerelateerde producten en onderhoudt hij het contact met de Microsoft Product Group door het bijwonen van de jaarlijkse MVP Summit en de maandelijkse “Product Group Interaction Events”. Jorge heeft ook nog een blog welke gevonden kan worden op https://jorgequestforknowledge.wordpress.com/.
Bios (English): Jorge de Almeida Pinto is a Principal Consultant Infrastructure Services working for Valid (http://www.valid.nl/). Within his role he has a strong focus on Microsoft Identity and Access Management (IAM) technologies. Because his professional passion can be found in these technologies, he has specialized himself in Microsoft products such as Active Directory Domain Services (ADDS), Active Directory Lightweight Directory Services (ADLDS), Identity Lifecycle Manager (ILM), Forefront Identity Manager (FIM) and Active Directory Federation Services (ADFS) in contexts such as analysis, design, deployment, migration, troubleshooting and recovery.
Jorge is Microsoft certified (MCP, MCSE, MCITP, MCT) and he has received the MVP Award for “Identity & Access – Directory Services” since January 2006.
Another passion of Jorge is speaking at conferences and writing articles. He has been a frequent speaker at “The Experts Conference (TEC)” from Quest and other (Microsoft) conferences/seminars since 2006, and he has been writing articles in the Dutch technical magazine “NetOpus/NetworkPro” since 2005.
To stay ahead, Jorge participates in beta programs of new Microsoft IAM related products and he maintains the contact with the Microsoft Product Group by attending the MVP Summit every year and by participating in the monthly “Product Group Interaction Events”. Jorge also has a blog, which can be found at https://jorgequestforknowledge.wordpress.com/.

–

With this I would like to thank:

“Quest Software”" (http://www.quest.com/) (now part of “Dell” (http://www.dell.com)) for inviting me as a speaker again (since 2006!)

and of course,last but not least, “Valid” my employer (http://www.valid.nl/) for making this possible

–

Posted in Active Directory Domain Services (ADDS), Company/Employer Stuff, Conferences, Object Deletion/Restore | 1 Comment »

(2012-03-28) Managing The ‘Protect From Accidental Deletion’ Option On AD Objects Through PowerShell

Posted by Jorge on 2012-03-28

In this post I explain the “Protect From Accidental Deletion” feature that is made accessible through both “Active Directory Users And Computers” and “Active Directory Administrative Center”. Under the hood that feature in reality is implemented through a combination of ACEs on objects. If you wanted to script the addition or removal of the protection you had to screw with ACEs and that was not always a fun thing to do as it could be quite complex to achieve a simple configuration.

–

Let’s say you want to create and protect the OU "OU=MyProtectedOU,OU=TOPLevel,DC=ADCORP,DC=LAB". The OU "OU=TOPLevel,DC=ADCORP,DC=LAB" already exists and is already protected!

–

[1] Using ADMOD and DSACLS

Creating the OU:

ADMOD -sc adaou:1;OU=MyProtectedOU,OU=TOPLevel,DC=ADCORP,DC=LAB

Adding the protection:

DSACLS "OU=TOPLevel,DC=ADCORP,DC=LAB" /D "EVERYONE:DC" (DENY ACE for Everyone to DELETE CHILD with the This object only scope)
DSACLS "OU=MyProtectedOU,OU=TOPLevel,DC=ADCORP,DC=LAB" /D "EVERYONE:SDDT" (DENY ACE for Everyone to DELETE and DELETE TREE with the This object only scope)

–

[2] Using the Microsoft AD PowerShell CMDlets And Configuring The Correct ACEs

Creating the OU (I know I could use the CMDlet “New-ADOrganizationalUnit”…):

$objParent = [ADSI]"LDAP://ADCORP.LAB/OU=TOPLevel,DC=ADCORP,DC=LAB"
$objOU = $objParent.Create("organizationalUnit","OU=MyProtectedOU")
$objOU.SetInfo()

Adding the protection:

Import-Module ActiveDirectory
$sidEVERYONE = [System.Security.Principal.SecurityIdentifier]’S-1-1-0′
$ACLParent = Get-Acl "AD:\OU=TOPLevel,DC=ADCORP,DC=LAB"
$ACEParent = $sidEVERYONE,"DeleteChild","Deny"
$AccessRuleParent = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $ACEParent
$ACLParent.AddAccessRule($AccessRuleParent)
Set-Acl -ACLObject $ACLParent -Path "AD:\OU=TOPLevel,DC=ADCORP,DC=LAB"
$ACLOU = Get-Acl "AD:\OU=MyProtectedOU,OU=TOPLevel,DC=ADCORP,DC=LAB"
$ACEOU = $sidEVERYONE,"Delete,DeleteTree","Deny"
$AccessRuleOU = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $ACEOU
$ACLOU.AddAccessRule($AccessRuleOU)
Set-Acl -ACLObject $ACLOU -Path "AD:\OU=MyProtectedOU,OU=TOPLevel,DC=ADCORP,DC=LAB"

Removing the protection:

Import-Module ActiveDirectory
$sidEVERYONE = [System.Security.Principal.SecurityIdentifier]’S-1-1-0′
$ACLOU = Get-Acl "AD:\OU=MyProtectedOU,OU=TOPLevel,DC=ADCORP,DC=LAB"
$ACEOU = $sidEVERYONE,"Delete,DeleteTree","Deny"
$AccessRuleOU = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $ACEOU
$ACLOU.RemoveAccessRule($AccessRuleOU)
Set-Acl -ACLObject $ACLOU -Path "AD:\OU=MyProtectedOU,OU=TOPLevel,DC=ADCORP,DC=LAB"

–

[3] Using the Microsoft AD PowerShell CMDlets And Using The Exposed Property

Creating the OU:

Import-Module ActiveDirectory
New-ADOrganizationalUnit -Name ‘MyProtectedOU’ -Path ‘OU=TOPLevel,DC=ADCORP,DC=LAB’

REMARK: when using this CMDlet, the default behavior is to protect the created OU

Adding the protection:

Import-Module ActiveDirectory
Set-ADOrganizationalUnit "OU=MyProtectedOU,OU=TOPLevel,DC=ADCORP,DC=LAB" -ProtectedFromAccidentalDeletion:$true

Removing the protection:

Import-Module ActiveDirectory
Set-ADOrganizationalUnit "OU=MyProtectedOU,OU=TOPLevel,DC=ADCORP,DC=LAB" -ProtectedFromAccidentalDeletion:$false

–

[4] Using the Quest AD PowerShell CMDlets

Creating the OU:

Add-PSSnapin Quest.ActiveRoles.ADManagement
New-ADOrganizationalUnit -Name ‘MyProtectedOU’ -Path ‘OU=TOPLevel,DC=ADCORP,DC=LAB’

Adding the protection:

Add-PSSnapin Quest.ActiveRoles.ADManagement
Add-QADPermission -identity ‘OU=TOPLevel,DC=ADCORP,DC=LAB’ -Deny -Account ‘EVERYONE’ -Right ‘DeleteChild’ -ApplyTo ThisObjectOnly
Add-QADPermission -identity ‘OU=MyProtectedOU,OU=TOPLevel,DC=ADCORP,DC=LAB’ -Deny -Account ‘EVERYONE’ -Right ‘Delete,DeleteTree’ -ApplyTo ThisObjectOnly

Removing the protection:

Add-PSSnapin Quest.ActiveRoles.ADManagement
Get-QADPermission -identity ‘OU=MyProtectedOU,OU=TOPLevel,DC=ADCORP,DC=LAB’ -Deny -Account ‘EVERYONE’ -Right ‘Delete,DeleteTree’ -ApplyTo ThisObjectOnly | Remove-QADPermission

–

[5] Adjusting the default security descriptor for OUs

When you create any object, that object will receive the default explicit permissions as configured in the AD schema. So, by adjusting the default explicit permissions (a.k.a. the default Security Descriptor) for the organizationalUnit objectClass any newly created organizational unit from that point on will receive the new default security descriptor. The change to the default security descriptor can be undone if you desire so! However, just making the change is not enough as the schema is cached for performance reasons. Therefore any changes to the AD schema will be refreshed into the cache within five minutes after the change has been committed into the database. If you cannot wait and you want to reload the schema right away you can follow either of the following procedures:

Start the Active Directory Schema MMC, right-click “Active Directory Schema” and then click “Reload the Schema”
OR
Add the “schemaUpdateNow” operational attribute to rootDSE with a value of 1

For more detailed information about the schema please see: How the Active Directory Schema Works

–

To adjust the default security descriptor for the organizationalUnit objectClass perform the following steps:

Open ADSIEDIT.MSC and connect to the SCHEMA naming context
Find the object “CN=Organizatinal-Unit” and adjust the value of the “defaultSecurityDescriptor” property

From the default value:

D:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)(OA;;CCDC;bf967a86-0de6-11d0-a285-00aa003049e2;;AO)(OA;;CCDC;bf967aba-0de6-11d0-a285-00aa003049e2;;AO)(OA;;CCDC;bf967a9c-0de6-11d0-a285-00aa003049e2;;AO)(OA;;CCDC;bf967aa8-0de6-11d0-a285-00aa003049e2;;PO)(A;;RPLCLORC;;;AU)(A;;LCRPLORC;;;ED)(OA;;CCDC;4828CC14-1437-45bc-9B07-AD6F015E5F28;;AO)

To the custom value (difference with the default has been highlighted in red):

D:(D;;DCDTSD;;;WD)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)(OA;;CCDC;bf967a86-0de6-11d0-a285-00aa003049e2;;AO)(OA;;CCDC;bf967aba-0de6-11d0-a285-00aa003049e2;;AO)(OA;;CCDC;bf967a9c-0de6-11d0-a285-00aa003049e2;;AO)(OA;;CCDC;bf967aa8-0de6-11d0-a285-00aa003049e2;;PO)(A;;RPLCLORC;;;AU)(A;;LCRPLORC;;;ED)(OA;;CCDC;4828CC14-1437-45bc-9B07-AD6F015E5F28;;AO)

Figure 1: Adjusting The Default Security Descriptor Of The ObjectClass OrganizationalUnit

–

REMARK: During my testing with Windows Server “8” Beta, I discovered that there is a difference in behavior between ADUC and ADAC if you select to NOT protect the if the above custom configuration for the default security descriptor is in place. In ADAC, after the new object has been created/instantiated it will in addition remove the protection as expected. However, in ADUC it will not be removed as requested. I’m not sure if Microsoft will change this unexpected behavior for ADUC in the official release of Windows Server “8”. Just be aware of this!

–

Posted in Active Directory Domain Services (ADDS), Delegation Of Control, Object Deletion/Restore, PowerShell | 5 Comments »

(2008-03-26) Free AD Objects Recovery Tools

Posted by Jorge on 2008-03-26

UPDATED: 09-10-2010

A while ago, I wrote about the new feature within Windows Server 2008 to reanimate and populate the attributes from a snapshot backup. That post can be found here. I thought it would be interesting to summarize the tools available that can help you recover deleted objects for free. Some of the tools are CLI based and some are GUI based. Again, some provide basic functionality (hey, it’s free!) and some provide advanced functionality (hey, it’s still free you lucky…).

Tools available to save the day for free:

Active Directory PowerShell CMDlets in W2K8R2
- Site: http://technet.microsoft.com/en-us/library/ee617195.aspx
- Type: Command Line
- Leverages: Object Reanimation
- OS: W2K8 (R2) (and probably later)
ADRecycleBin
- Site: http://www.overall.ca/index.php?option=com_content&view=article&id=40:adrecyclebin&catid=15:adrecyclebinexe&Itemid=64
- Type: GUI
- Leverages: Object Reanimation
- OS: W2K3 and W2K8 (R2) (and probably later)
OneIdentity Recovery Manager
- Site: http://blogs.dirteam.com/blogs/tomek/pages/snapshot-recover-tool.aspx
- Type: Command line
- Leverages: Object Reanimation and Attribute Population through AD snapshot backups
- OS: W2K3 and W2K8 (R2) (and probably later)
Directory Service Comparison Tool (DSCT)
- Site: http://lindstrom.nullsession.com/?cat=7
- Type: GUI
- Leverages: Attribute Population through AD snapshot backups (and contains tons of other nice features)
- OS: W2K8 (R2) (and probably later)
ADRestore.NET
- Site: http://blogs.microsoft.co.il/blogs/guyt/archive/2007/12/15/adrestore-net-rewrite.aspx
- Type: GUI
- Leverages: Object Reanimation
- OS: W2K3 and W2K8 (R2) (and probably later)
ADRestore
- Site: http://technet.microsoft.com/en-us/sysinternals/bb963906.aspx
- Type: Command line
- Leverages: Object Reanimation
- OS: W2K3 and W2K8 (R2) (and probably later)
Quest Object Restore for AD
- Site: http://www.quest.com/object-restore-for-active-directory/
- Type: GUI
- Leverages: Object Reanimation
- OS: W2K3 and W2K8 (R2) (and probably later)
ADFIND and ADMOD
- Site: http://www.joeware.net/freetools/tools/adfind/index.htm & http://www.joeware.net/freetools/tools/admod/index.htm
- Type: Command line
- Leverages: Object Reanimation and Attribute Population through AD snapshot backups (additional scripting/commands required!)
- OS: W2K3 and W2K8 (R2) (and probably later)

A tool should not only be able to restore one or a few objects, but it should also be able to restore a complete OU structure with all kinds of objects in that OU structure. It should also be possible to filter objects based upon time. What I mean with the last remark is that until the major accidental deletion, you may have deleted all kinds of objects intentionally, which you may not want to restore. Your best bet to filter on time, is by using the whenChanged attribute, and preferably determine the very first object that was deleted as the deletion occurs from the bottom to the OU that was selected to be (accidentally) deleted. Be careful though with just using the whenChanged attribute. That attribute does not replicate between DCs, so before using any RWDC for the undeletion, make sure to determine the RWDC where the deletion occurred!!!

–

Posted in Active Directory Domain Services (ADDS), Object Deletion/Restore, Tooling/Scripting | 2 Comments »

« Previous Entries

Jorge's Quest For Knowledge!

All About Identity And Security On-Premises And In The Cloud – It's Just Like An Addiction, The More You Have, The More You Want To Have!

For Ad Free Blog

Social Media

Profiles

Statistics

Other Cool Blogs

Interesting Places To Visit

The Knowledge Archives

RSS Links

Email Subscription

Categories

Archive for the ‘Object Deletion/Restore’ Category

(2014-08-02) Fixing AD/SYSVOL Replication And Reconnecting A Disconnected AD Domain (Part 7)

(2014-08-01) Fixing AD/SYSVOL Replication And Reconnecting A Disconnected AD Domain (Part 6)

(2014-07-31) Fixing AD/SYSVOL Replication And Reconnecting A Disconnected AD Domain (Part 5)

(2014-07-30) Fixing AD/SYSVOL Replication And Reconnecting A Disconnected AD Domain (Part 4)

(2014-07-29) Fixing AD/SYSVOL Replication And Reconnecting A Disconnected AD Domain (Part 3)

(2014-07-28) Fixing AD/SYSVOL Replication And Reconnecting A Disconnected AD Domain (Part 2)

(2014-07-27) Fixing AD/SYSVOL Replication And Reconnecting A Disconnected AD Domain (Part 1)

(2012-10-22) Presenting At The Experts Conference (TEC) In Barcelona (Spain)

(2012-03-28) Managing The ‘Protect From Accidental Deletion’ Option On AD Objects Through PowerShell

(2008-03-26) Free AD Objects Recovery Tools

All About Identity And Security On-Premises And In The Cloud – It's Just Like An Addiction, The More You Have, The More You Want To Have!

For Ad Free Blog

Social Media

Profiles

Statistics

Other Cool Blogs

Interesting Places To Visit

The Knowledge Archives

RSS Links

Email Subscription

Categories

Archive for the ‘Object Deletion/Restore’ Category

Share this:

Like this:

Share this:

Like this:

Share this:

Like this:

Share this:

Like this:

Share this:

Like this:

Share this:

Like this:

Share this:

Like this:

Share this:

Like this:

Share this:

Like this:

Share this:

Like this: