
Sunday, August 17, 2008

Restoring deleted objects from Active Directory

When an object is deleted from Active Directory, it is not immediately erased; it is marked for future deletion. Active Directory uses a replication model described as "multi-master loose consistency with convergence": changes can be made on any DC in the forest and are incrementally replicated throughout the forest. A deletion has to replicate like any other change, so in Windows AD deleting an object does not actually remove it.

A tombstone is an object whose isDeleted attribute has been set to TRUE. It indicates that the object has been deleted but not removed from the directory, much like a deleted file whose entry is removed from the file allocation table while the data is still on the drive. The directory service moves tombstoned objects to the Deleted Objects container, where they remain until the garbage collection process removes them. The garbage collection process runs every 12 hours on a DC by default. The length of time tombstoned objects remain in the directory service before being removed is either 60 days for Windows 2000/2003 Active Directory, or 180 days for Windows Server 2003 SP1. As per the above, a delete operation is essentially a special modify operation on an object that:
1. Sets the IsDeleted value to True.
2. Sets the internal WhenDeleted column to the IsDeleted metadata's TimeChanged time stamp.
3. Sets the Windows NT security descriptor to a special value.
4. Changes the relative distinguished name (RDN) to a value that is otherwise impossible (that is, one that cannot be set by an LDAP program).
5. Strips all attributes not needed at this point by Active Directory. Key attributes such as the following are hard-coded to survive deletion:
o Object-GUID
o Object-SID
o Object-Dist-Name
o USN
Methods for restoring deleted items in Active Directory

Restoring the item from a previous backup
Restoring deleted items with the NTBACKUP program and a System State backup involves shutting down the DC and booting it into "DS Restore Mode"; the tombstone reanimation mechanism is the only way to recover deleted objects without taking a DC offline.

You can use one of three methods to restore Active Directory from backup media: Primary Restore, Normal Restore (i.e. Non-Authoritative), and Authoritative Restore.

Primary Restore: This method rebuilds the first domain controller in a domain when there is no other way to rebuild the domain. Perform a primary restore only when all the domain controllers in the domain are lost and you want to rebuild the domain from the backup. Members of the Administrators group can perform the primary restore on the local computer. On a domain controller, only members of the Domain Admins group can perform this restore.

Normal Restore: This method returns the Active Directory data to the state it was in when the backup was taken, and then updates the data through the normal replication process. Perform a normal restore to bring a single domain controller back to a previously known good state.

Authoritative Restore: You perform this method in tandem with a normal restore. An authoritative restore marks specific data as current and prevents replication from overwriting that data. The authoritative data is then replicated through the domain. Perform an authoritative restore for individual objects in a domain that has multiple domain controllers. When you perform an authoritative restore, you lose all changes to the restored object that occurred after the backup. You need to use the NTDSUTIL command line utility to perform an authoritative restore: it marks the Active Directory objects as authoritative so that they receive a higher version number, and recently changed data on other domain controllers therefore does not overwrite the restored System State data during replication.

Performing an authoritative restore

After the data has been restored, use Ntdsutil.exe to perform the authoritative restore. To do this, follow these steps:
1. At a command prompt, type ntdsutil, and then press ENTER.
2. Type authoritative restore, and then press ENTER.
3. Type restore database, press ENTER, click OK, and then click Yes.

Restoring the objects with LDP.EXE
Deleted objects in Active Directory are not really deleted; they are just "tombstoned" for a period of time that is either 60 or 180 days, depending on your DCs' operating system, or some other value if the system administrator has ever changed it. During that period the tombstone can be brought back ("reanimated") with LDP.EXE by searching the Deleted Objects container with the "show deleted objects" LDAP control and modifying the tombstone so that isDeleted is removed and distinguishedName is set to the location the object should live in again.
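The same reanimation LDP performs by hand, scripted as an added example (not code from the original post or from any product) using the System.DirectoryServices.Protocols classes. The DC name, domain DN, OU and user name are assumptions; the caller needs the "Reanimate Tombstones" right on the domain.

```powershell
# Added example: reanimate a tombstoned user through LDAP, as LDP.EXE does. All names are assumptions.
Add-Type -AssemblyName System.DirectoryServices.Protocols
$P = 'System.DirectoryServices.Protocols'
function Restore-Tombstone {
    param(
        [string]$Server,      # DC to talk to, e.g. dc01.example.local (assumed)
        [string]$DomainDn,    # e.g. DC=example,DC=local (assumed)
        [string]$ParentDn,    # OU the object lived in before deletion (assumed)
        [string]$Cn           # RDN value of the deleted object, e.g. 'John Smith' (assumed)
    )
    $conn = New-Object "$P.LdapConnection" $Server
    $conn.SessionOptions.ProtocolVersion = 3
    $conn.Bind()   # current credentials; the account needs the Reanimate Tombstones right
    # LDAP_SERVER_SHOW_DELETED_OID (1.2.840.113556.1.4.417). Without it the Deleted Objects
    # container looks empty, and the modify below is refused with "no such object".
    $showDeleted = New-Object "$P.ShowDeletedControl"
    # Only the hard-coded attributes survive on a tombstone, so match on ones that do.
    $filter = "(&(isDeleted=TRUE)(objectClass=user)(lastKnownParent=$ParentDn))"
    $search = New-Object "$P.SearchRequest" -ArgumentList "CN=Deleted Objects,$DomainDn",
        $filter, ([System.DirectoryServices.Protocols.SearchScope]::OneLevel),
        ([string[]]('distinguishedName', 'objectGUID', 'objectSid', 'whenChanged'))
    [void]$search.Controls.Add($showDeleted)
    $entries = ([System.DirectoryServices.Protocols.SearchResponse]$conn.SendRequest($search)).Entries
    # The tombstone RDN is the original RDN plus "\0ADEL:<objectGUID>"; strip that to rebuild the DN.
    $marker = '\0ADEL:'
    $hits = @($entries | Where-Object { $_.DistinguishedName -like "CN=$Cn$marker*" })
    if ($hits.Count -ne 1) { throw "expected one tombstone for CN=$Cn, found $($hits.Count)" }
    $oldDn = $hits[0].DistinguishedName
    $newDn = $oldDn.Substring(0, $oldDn.IndexOf($marker)) + ',' + $ParentDn
    # Reanimation is one modify carrying both changes: delete isDeleted and replace
    # distinguishedName. It must go out as a single request, with the same control attached.
    $mod = New-Object "$P.ModifyRequest"
    $mod.DistinguishedName = $oldDn
    foreach ($m in @(@{Name='isDeleted'; Op='Delete'; Value=$null},
                     @{Name='distinguishedName'; Op='Replace'; Value=$newDn})) {
        $change = New-Object "$P.DirectoryAttributeModification"
        $change.Name = $m.Name
        $change.Operation = [System.DirectoryServices.Protocols.DirectoryAttributeOperation]::($m.Op)
        if ($m.Value) { [void]$change.Add($m.Value) }
        [void]$mod.Modifications.Add($change)
    }
    [void]$mod.Controls.Add($showDeleted)
    [void]$conn.SendRequest($mod)    # throws DirectoryOperationException if the DC refuses
    return $newDn
}
Restore-Tombstone -Server 'dc01.example.local' -DomainDn 'DC=example,DC=local' `
    -ParentDn 'OU=Staff,DC=example,DC=local' -Cn 'John Smith'
```

Only the attributes that survive on the tombstone come back, so the reanimated account has no password and its group memberships are gone: set a password, check that the account is enabled and re-add it to its groups, or use an authoritative restore when those attributes matter.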

Restoring objects with ADRestore.net

This is one more way to restore a deleted object from its tombstone.
See ADRestore.net.
