
Restore AD Deleted Objects Without a Recycle Bin

Friday, October 28, 2011

One of the tasks detested by many AD administrators is the recovery of deleted objects. Recovery efforts typically include restarting a production domain controller in “Directory Services Restore Mode”, restoring the latest System State backup on that DC, and using NTDSUTIL to authoritatively restore the deleted objects.

While that process works well (assuming that a good backup is available), it can be very time consuming. For those of you who have upgraded your infrastructure to AD 2008 R2, you are now fortunate to have access to the AD Recycle Bin. However, for those who are still on a pre-2008 R2 domain, this process is still necessary.

There is one option that can be used to quickly restore deleted objects without depending on system state backups. This option does require an additional server, but it is well worth it if you are supporting a large organization that routinely deletes objects that need to be restored. The typical restore time using the following design can be from 5-15 minutes, rather than up to several hours using the traditional restore methods. This option creates a sort of “Online Backup” of your AD objects.

To create this “Online Backup”, all you need to do is create an additional SITE, possibly called “Recovery”, using the Active Directory Sites and Services console (ADSS). To further segregate this site, it is best to place it on its own dedicated subnet so that you can effectively control traffic to and from it. You really do not want users to use the “Recovery DC” for authentication and authorization, since it is going to have somewhat stale AD information. Keep in mind that it is still a full domain controller holding a complete copy of the directory, so it must be protected at least as well as your production DCs. From a physical perspective, this site can be located in the same datacenter as your other DCs.

(Figure: AD replication sites)
Once the Site and Subnet objects are created, the next step is to create a new SITELINK, possibly called RECOVERY_SITELINK, which connects the Recovery site with another major site defined in AD. Configure this new SITELINK to ONLY replicate during off-peak hours, for example between 11:00 pm and 6:00 am. You can shorten this window for smaller AD infrastructures; it only needs to be large enough for the Recovery DC to fully replicate with the other production DCs once a day.

The result of this design is that any object deleted prior to 11:00 pm can be immediately recovered using the “Recovery DC” without using a backup, because the deletion has not yet replicated to the “Recovery DC”. After 11:00 pm, you will be forced to use a good backup from the previous day.
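The site, subnet and off-peak site link described above, as an added PowerShell example that is not part of the original post. It uses the ActiveDirectory module (which needs a 2008 R2 or later management host, newer than the environment the post targets); the site names, the 10.99.0.0/24 subnet and the DC name REC-DC01 are placeholder assumptions.

```powershell
# Added example (not from the original post): build the "Recovery" site, its
# dedicated subnet and an off-peak-only site link. Site names, subnet and DC
# name below are placeholder assumptions.
Import-Module ActiveDirectory

$RecoverySite = "Recovery"
$HubSite      = "HQ"            # an existing major site to connect to
$Subnet       = "10.99.0.0/24"  # dedicated, firewalled subnet for the Recovery DC
$RecoveryDC   = "REC-DC01"

New-ADReplicationSite   -Name $RecoverySite
New-ADReplicationSubnet -Name $Subnet -Site $RecoverySite

# Replication window: 23:00 to 06:00 every day. The schedule is a
# 7 (days) x 24 (hours) x 4 (15-minute slots) boolean grid; $true = allowed.
$schedule = New-Object System.DirectoryServices.ActiveDirectory.ActiveDirectorySchedule
$grid = New-Object 'bool[,,]' -ArgumentList 7, 24, 4
foreach ($day in 0..6) {
    foreach ($hour in @(23, 0, 1, 2, 3, 4, 5)) {
        foreach ($slot in 0..3) { $grid[$day, $hour, $slot] = $true }
    }
}
$schedule.RawSchedule = $grid

# The Recovery site belongs to this link only, so it has no other replication path.
New-ADReplicationSiteLink -Name "RECOVERY_SITELINK" `
    -SitesIncluded $RecoverySite, $HubSite `
    -Cost 100 -ReplicationFrequencyInMinutes 15 `
    -ReplicationSchedule $schedule

# Move the dedicated DC into the new site so the KCC builds its connections there.
Move-ADDirectoryServer -Identity $RecoveryDC -Site $RecoverySite

# Check: the link should list exactly the two sites and carry a schedule.
Get-ADReplicationSiteLink -Identity "RECOVERY_SITELINK" -Properties ReplicationSchedule |
    Select-Object Name, SitesIncluded, ReplicationFrequencyInMinutes, ReplicationSchedule
```

Verify afterwards with repadmin /showrepl on the Recovery DC that its only inbound partners are DCs in the connected site.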

Let’s take a look at an example in more detail. Say a user’s object gets deleted in error at 2:00 pm by a Help Desk technician. When the object is deleted, AD replicates the deletion to the rest of the DCs in the domain according to the intra-site and inter-site replication schedules. From an intra-site perspective, the DCs in the site where the deletion took place replicate it almost immediately. Depending on the SITELINKS in place, the rest of the DCs in the domain receive the deletion anywhere from 15 minutes to several hours later. However, the “Recovery DC” will NOT replicate the deletion until 11:00 pm that evening. If the Help Desk technician reports the event before 11:00 pm, an Active Directory administrator can use the Recovery DC to quickly restore the object. Here is how it would be done:


For a 2000 or 2003 Recovery DC:

1) Restart the DC in Directory Services Restore Mode, then go to step 2.

For a 2008 Recovery DC:

1) Stop the service “Active Directory Domain Services”, then go to step 2.

Steps 2 to 4 are the same for both:

2) Open a command prompt using Administrator credentials.
3) Start the NTDSUTIL prompt.
4) Perform an AUTHORITATIVE RESTORE of the deleted object(s).

For a 2000 or 2003 Recovery DC:

5) Restart the DC in normal mode, then proceed to step 6.

For a 2008 Recovery DC:

5) Start the service “Active Directory Domain Services”, then proceed to step 6.

Steps 6 and 7 are the same for both:

6) Open the Active Directory Sites and Services console.
7) Force replication between sites (Recovery and the connected site).
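The 2008 Recovery DC procedure (steps 1 through 7) scripted end to end, as an added example that is not part of the original post. It runs elevated on the Recovery DC and assumes placeholder names: REC-DC01 for the Recovery DC, HUB-DC01 for a DC in the connected site, and a sample user DN; the existence check at the top is the step a practitioner wants before touching the database, since an object whose deletion has already reached the Recovery DC can only come back from a backup.

```powershell
# Added example (not from the original post): authoritative restore of a
# deleted object from the Recovery DC using restartable AD DS (2008). Names
# below are placeholder assumptions. Run elevated on the Recovery DC.
param(
    [string]$Dn         = "CN=John Doe,OU=Users,DC=contoso,DC=com",
    [string]$RecoveryDC = "REC-DC01",
    [string]$HubDC      = "HUB-DC01",
    [string]$Domain     = "DC=contoso,DC=com",
    [switch]$Subtree    # use for an OU: restores the container and everything below it
)

# Pre-check: the object must still exist on the Recovery DC. If the deletion
# has already replicated here (after the 11:00 pm window), stop: only a
# System State backup can bring it back.
if (-not [System.DirectoryServices.DirectoryEntry]::Exists("LDAP://$RecoveryDC/$Dn")) {
    throw "'$Dn' is already gone on $RecoveryDC; the deletion has replicated. Use a backup."
}

# Step 1: stop AD DS (service name NTDS) so ntdsutil can open the database offline.
Stop-Service -Name NTDS -Force

# Steps 2 to 4: authoritative restore. The commands are piped to ntdsutil on
# stdin so the DN (which usually contains spaces) needs no command-line escaping.
$verb = if ($Subtree) { "restore subtree" } else { "restore object" }
@(
    "activate instance ntds",
    "authoritative restore",
    "$verb `"$Dn`"",
    "quit",
    "quit"
) | ntdsutil.exe

# Step 5: bring AD DS back.
Start-Service -Name NTDS

# Steps 6 and 7: pull the restored object into the connected site, then push it
# domain-wide (/A all partitions, /P push, /e cross-site, /d show server DNs).
repadmin /replicate $HubDC $RecoveryDC $Domain
repadmin /syncall $HubDC $Domain /APed

# Confirm on the hub DC before closing the ticket. Group memberships are
# link-valued attributes and may need the extra steps in KB 840001 on older forests.
if ([System.DirectoryServices.DirectoryEntry]::Exists("LDAP://$HubDC/$Dn")) {
    Write-Output "Restored: $Dn is visible on $HubDC"
} else {
    Write-Warning "$Dn not yet visible on $HubDC; check repadmin /showrepl output"
}
```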

Since the object that was deleted was authoritatively restored, once replication has completed domain-wide the object will be fully restored on all DCs. The “authoritative restore” procedure differs slightly depending on the type of object (user, computer, group, OU, etc.).

As you can see, as long as you are aware of the deletion within the same day, recovery of the deleted objects can be performed in a fraction of the time.


Additional Resources:

Performing an Authoritative Restore of Active Directory Objects
http://technet.microsoft.com/de-de/library/cc779573(WS.10).aspx

How to perform an authoritative restore to a domain controller in Windows 2000
http://support.microsoft.com/kb/241594

How to restore deleted user accounts and their group memberships in Active Directory
http://support.microsoft.com/kb/840001/en-us
