Online Recovery of Active Directory Deleted Objects and the Windows Server 2008 R2 Recycle Bin
John Craddock, Infrastructure & Security Architect, XTSeminars Ltd
Session Code: SIA402
Agenda
- Deleting and recovering directory objects
- How objects are stored
- Incoming and outgoing linked-attributes
- Authoritative restore
- Enabling the Recycle Bin
- Live, deleted and recycled objects
- Recovering deleted objects from the Recycle Bin
Once Upon a Time
- Live object -> deleted object: stripped of its assets, with no online way back
- The only option for recovery was an authoritative restore
- Why is the deleted object retained in the database? So that the deletion can replicate to the other DCs
Significant Events
- 2003 SKU: re-animation of deleted objects
- 2003 forest functionality: linked-value replication
- 2008 R2 forest functionality: the Recycle Bin can be enabled
In the dark days before the recycle bin
Object Deletion
- Lifecycle: live object -> delete -> tombstone object (majority of attributes deleted) -> garbage collection after the tombstone lifetime (180 days) -> purged from the directory
- An offline authoritative restore is the only way back from a tombstone
- The object is moved to the Deleted Objects container and is referred to as a tombstone
- The isDeleted attribute is set TRUE
- The majority of attribute values are removed
- Attributes can be retained by setting their searchFlags property
Object Deletion (continued)
- The RDN of the object is changed to a "delete-mangled RDN"
- The mangled RDN includes the GUID of the object, which guarantees the mangled RDN is unique within the Deleted Objects container
- There is no hierarchy in the container
- Linked-attribute values (references) to and from the object are deleted; this is not controlled by searchFlags
Tombstone Lifetime
- The object remains as a tombstone object for the tombstone lifetime (TSL = 180 days)
- After this period the Garbage Collection service purges the object from the database
- Backups older than the TSL cannot be used; this prevents objects that were deliberately deleted from being reintroduced
Object Storage

    DNT    PDNT   NCDNT   instanceType   RDN
    4024   1788           4              Demo
    4025   4024   1788    4              London Users
    4026   4024   1788    4              Berlin Users
    4027   4024   1788    4              Groups
    4028   4027   1788    4              G1
    4029   4027   1788    4              G2
    4030   4027   1788    4              G3
    4031   4025   1788    4              Debbie
    4032   4025   1788    4              Dave

- If an object is moved, the PDNT for the record is updated; the record never moves in the DB
Viewing the Database
- dumpdatabase dumps a text version of the database into the NTDS directory
- dumpdatabase is an operational (rootDSE) attribute: the modify is sent with no DN, the name of the operational attribute, and the attributes required for the operation
Working with Deleted Objects
- Viewing deleted objects requires an LDAP control
- The control can be selected in LDP
- Windows 2008 R2 PowerShell with the AD module:
    Get-ADObject -LDAPFilter {} -IncludeDeletedObjects
Reanimating an Object
- Using LDP, in one operation you must:
  - Remove the isDeleted attribute
  - Replace the distinguishedName attribute with a new value
- Or use ADRestore from the Sysinternals tools
- Or create your own utility
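The "create your own utility" option, as an added example that is not from the slides, ADRestore or LDP: one LDAP modify that removes isDeleted and replaces distinguishedName, sent with the Show Deleted Objects control, which is exactly the LDP recipe above. The DC name, the domain DN and the sAMAccountName "maria" are constructed sample values, and the caller is assumed to hold the Reanimate Tombstones right.

```powershell
# Added example: reanimate a pre-Recycle-Bin tombstone via System.DirectoryServices.Protocols.
# Sample values (server, domain, account) are constructed, not from the deck.
Add-Type -AssemblyName System.DirectoryServices.Protocols
$P = 'System.DirectoryServices.Protocols'

$server    = 'dc01.example.com'
$deletedOu = 'CN=Deleted Objects,DC=example,DC=com'
$newDn     = 'CN=Maria,OU=Berlin Users,OU=Demo,DC=example,DC=com'   # parent must still exist
$sam       = 'maria'   # sAMAccountName is one of the attributes a tombstone keeps

$conn = New-Object "$P.LdapConnection" $server
$conn.SessionOptions.ProtocolVersion = 3
$conn.Bind()   # current credentials

# 1. Find the tombstone. Without the Show Deleted Objects control
#    (OID 1.2.840.113556.1.4.417) the search returns nothing.
$search = New-Object "$P.SearchRequest"
$search.DistinguishedName = $deletedOu
$search.Filter = "(&(isDeleted=TRUE)(objectClass=user)(sAMAccountName=$sam))"
$search.Scope  = [System.DirectoryServices.Protocols.SearchScope]::OneLevel
$search.Attributes.Add('lastKnownParent') | Out-Null
$search.Controls.Add((New-Object "$P.ShowDeletedControl")) | Out-Null

$found = $conn.SendRequest($search)
if ($found.Entries.Count -ne 1) {
    throw "Expected exactly one tombstone for $sam, found $($found.Entries.Count)"
}
$tombstoneDn = $found.Entries[0].DistinguishedName   # the delete-mangled DN

# 2. One modify carrying both changes, sent with the same control.
$dropIsDeleted = New-Object "$P.DirectoryAttributeModification"
$dropIsDeleted.Name      = 'isDeleted'
$dropIsDeleted.Operation = [System.DirectoryServices.Protocols.DirectoryAttributeOperation]::Delete

$setDn = New-Object "$P.DirectoryAttributeModification"
$setDn.Name      = 'distinguishedName'
$setDn.Operation = [System.DirectoryServices.Protocols.DirectoryAttributeOperation]::Replace
$setDn.Add($newDn) | Out-Null

$modify = New-Object "$P.ModifyRequest"
$modify.DistinguishedName = $tombstoneDn
$modify.Modifications.Add($dropIsDeleted) | Out-Null
$modify.Modifications.Add($setDn) | Out-Null
$modify.Controls.Add((New-Object "$P.ShowDeletedControl")) | Out-Null

$response = $conn.SendRequest($modify)
"Reanimated $tombstoneDn as $newDn (result: $($response.ResultCode))"
```

The object that comes back is the stripped tombstone described on the next slide: no password, no group membership, no manager link. Searching on sAMAccountName rather than on the mangled CN avoids having to escape the line-feed in "\0ADEL:" inside an LDAP filter.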
Restored User Object
- Most attributes missing, including the password
- All inbound linked-attribute values missing (for example, group membership)
- All outbound linked-attribute values missing (for example, the attribute containing the link to the manager)
- Missing values could be repopulated from a mounted directory snapshot
- Microsoft's solution is an authoritative restore; restoring linked-attribute values can be problematic
Object References
- One object can reference another either as a direct reference or using a linked-attribute reference
- With a direct reference, the attribute on one object references the DN of another object
Direct References
- Example: Debbie (DNT 4031) has secretary = Dave (DNT 4032); Dave has secretary = Valya (DNT 4033)
- Shown in the UI as a DN, stored as a DNT
- If Dave is deleted, incoming references remain and outgoing references remain, provided the attribute that holds the reference is retained on logical deletion
Linked Attributes
- Linked attributes consist of a forward-link and back-link pair
- The forward link can be populated; the back link is calculated
- Forward links may be single-valued or multi-valued; back links are always multi-valued
- Each linked pair is identified by the linkID property of an attribute
- Forward linkIDs are even (n) and for each forward link the associated back-link is the odd number (n+1)
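The even/odd pairing rule can be checked directly against the schema. The following is an added example, not from the slides: it reads every schema attribute that carries a linkID, buckets them by linkID / 2 so that n and n+1 fall together, and reports each forward link with its back link. It assumes the ActiveDirectory PowerShell module and a reachable DC; the output column names are my own.

```powershell
# Added example: enumerate forward/back-link pairs from the schema partition.
Import-Module ActiveDirectory

function Get-LinkedAttributePair {
    $schemaNc = (Get-ADRootDSE).schemaNamingContext
    $linked = Get-ADObject -SearchBase $schemaNc -LDAPFilter '(linkID=*)' `
                -Properties linkID, lDAPDisplayName, isSingleValued

    # Even linkID n and odd linkID n+1 share the same value of floor(n / 2).
    $linked | Group-Object { [math]::Floor([int]$_.linkID / 2) } | ForEach-Object {
        $forward = $_.Group | Where-Object { ([int]$_.linkID % 2) -eq 0 }
        $back    = $_.Group | Where-Object { ([int]$_.linkID % 2) -eq 1 }
        [pscustomobject]@{
            ForwardLinkID      = $forward.linkID
            ForwardLink        = $forward.lDAPDisplayName
            ForwardMultiValued = -not $forward.isSingleValued   # forward links may be single- or multi-valued
            BackLinkID         = $back.linkID                   # empty when no back-link is defined
            BackLink           = $back.lDAPDisplayName          # back links are always multi-valued
        }
    }
}

# The two pairs used in the slides: member / memberOf (2 / 3) and manager / directReports (42 / 43).
Get-LinkedAttributePair |
    Where-Object { $_.ForwardLink -in 'member', 'manager' } |
    Format-Table -AutoSize
```

Running it without the final filter lists every linked pair in the forest, including any application-defined ones, which is a quick way to see which attributes will lose their values when an object is tombstoned without the Recycle Bin.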
Single To Multi-Valued
- John, Maria and Tom have manager = Nicola; Nicola has manager = Peter
- Link table (simplified):

    Forward (manager)        Back (directReports)
    John   -> Nicola         Nicola <- John, Maria, Tom
    Maria  -> Nicola         Peter  <- Nicola
    Tom    -> Nicola
    Nicola -> Peter

- An entry is created in the link table when a value is added to the manager attribute
- The link tables are constructed on each DC and hold the DNT values
Multi-Valued To Multi-Valued
- G1 has member = John, Maria; G2 has member = Maria; G3 has member = Maria, John
- Link table (simplified):

    Forward (member)         Back (memberOf)
    G1 -> John, Maria        John  <- G1, G3
    G2 -> Maria              Maria <- G1, G2, G3
    G3 -> Maria, John
Delete Maria
- All outbound linked-attribute values are removed: Maria's forward link manager -> Nicola is deleted from the link table, so Nicola's directReports back-link no longer lists Maria
- John and Tom keep manager = Nicola, and Nicola keeps manager = Peter
Delete Maria (continued)
- All inbound linked-attribute values are removed: the forward links G1 -> Maria, G2 -> Maria and G3 -> Maria are deleted from the link table, so Maria's memberOf back-link is emptied
- G1 and G3 keep John as a member
Restoring Linked Attributes
- For a reanimated object, manually restore all forward-link references and all attribute values
- Alternatives to online reanimation: an authoritative restore, or a third-party solution
Authoritatively Restoring Maria
- Options:
  - Boot into DS Restore Mode on a DC that has not received the replicated deletion of Maria (a lag site may have been created for this)
  - Boot a DC into DS Restore Mode and restore AD from backup
- In DS Restore Mode, mark Maria as authoritative using ntdsutil
- Restart the domain controller
How Successful Will You Be?
- On the authoritatively restored DC, Maria is completely recovered, including all entries for incoming and outgoing linked-attributes:
  - Maria is a member of groups G1, G2 and G3
  - Maria's manager attribute refers to Peter
- All of Maria's attributes are marked as authoritative and will replicate to the other DCs in the domain
- The incoming linked-attribute values may or may not replicate; it depends on the current forest functional level and the level when Maria was added to the groups
Linked-Value Replication
- Windows 2003 forest functionality introduced linked-value replication
- Replication metadata is attached to each entry in the link tables
- When Maria is restored, all incoming linked-values are marked as authoritative in the link table
- Example: on DC1 the G1 -> Maria link is stored as DNTs 1000 -> 2000 and is marked AUTH when Maria is authoritatively restored; DC2 stores the same link as its own DNTs 8657 -> 7654. DNTs are local to each DC, so what replicates is the fact that G1 has Maria as a member
No Linked-Value Replication
- Prior to 2003 forest functionality, replication metadata existed on the attribute and not on the individual links
- To restore Maria's group membership, one option was to authoritatively restore all the groups that she belonged to
- If Maria was added to some groups before and some after linked-value replication was enabled, then during an authoritative restore of Maria some links would replicate and others wouldn't
Partial Solution: LDF Produced During Authoritative Restore

    # CN=G1,OU=Groups,OU=Demo,DC=example,DC=com
    # dn: <GUID=4ec2d1b7-354b-4f17-9a6b-c567888bcf24>
    dn:: PEdVSUQ9NGVjMmQxYjctMzU0Yi00ZjE3LTlhNmItYzU2Nzg4OGJjZjI0Pg==
    # Base64 encoded: <GUID=4ec2d1b7-354b-4f17-9a6b-c567888bcf24>
    changetype: modify
    delete: member
    # CN=Maria,OU=Berlin Users,OU=Demo,DC=example,DC=com
    # member: <GUID=6a677bde-f83e-49a5-b5fb-eb074a2899b7>
    member:: PEdVSUQ9NmE2NzdiZGUtZjgzZS00OWE1LWI1ZmItZWIwNzRhMjg5OWI3Pg==
    -

    # CN=G1,OU=Groups,OU=Demo,DC=example,DC=com
    # dn: <GUID=4ec2d1b7-354b-4f17-9a6b-c567888bcf24>
    dn:: PEdVSUQ9NGVjMmQxYjctMzU0Yi00ZjE3LTlhNmItYzU2Nzg4OGJjZjI0Pg==
    changetype: modify
    add: member
    # CN=Maria,OU=Berlin Users,OU=Demo,DC=example,DC=com
    # member: <GUID=6a677bde-f83e-49a5-b5fb-eb074a2899b7>
    member:: PEdVSUQ9NmE2NzdiZGUtZjgzZS00OWE1LWI1ZmItZWIwNzRhMjg5OWI3Pg==
    -
The dawn of a New Era
Recycle Bin Enabled
- Lifecycle: live object -> deleted object (all attributes retained) -> after the deleted object lifetime (180 days), garbage collection converts it to a recycled object -> after the tombstone lifetime (180 days), garbage collection purges it from the directory
- An online undelete is possible while the object is a deleted object
Recycle Bin for AD
- Requires 2008 R2 forest functionality
- PowerShell driven:
    Enable-ADOptionalFeature 'Recycle Bin Feature' -Scope ForestOrConfigurationSet -Target 'forest'
- Once enabled, it cannot be disabled
- Get-ADObject -LDAPFilter {} -IncludeDeletedObjects
- Restore-ADObject -Identity <id>
- The parent object must be restored in advance of a child object
- Restores all attributes, including linked attributes
Object Deletion
- Live object -> deleted object (all attributes retained); an online undelete is possible
- The object is moved to the Deleted Objects container and is referred to as a deleted object
- The isDeleted attribute is set TRUE
- The isRecycled attribute is not present
- lastKnownParent is set
- msDS-LastKnownRDN is set
Object Deletion (continued)
- The RDN of the object is changed to a "delete-mangled RDN"
- All attribute values, with the exception of objectCategory and sAMAccountType, are retained
- If the object is undeleted, these two are automatically restored from the defaultObjectCategory and userAccountControl attributes
Object Deletion (continued)
- Linked-attribute values (references) to and from the object are retained, but are not visible to LDAP without the special control
- The object remains as a deleted object for the deleted object lifetime (DOL = 180 days)
- After this period the Garbage Collection service converts the object to a recycled object
Recycled Object
- Similar characteristics to a pre-Recycle-Bin tombstone object
- The majority of attribute values are removed
- Linked-attribute values (references) to and from the object are deleted
- isRecycled is set TRUE
- A recycled object cannot be reanimated; it is retained to allow replication to occur
Lifetimes
- A recycled object remains for the tombstone lifetime (TSL = 180 days)
- After this period the Garbage Collection service purges the object from the directory
- The DOL and TSL values are held in attributes of CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=<your forest>
  - DOL in the msDS-deletedObjectLifetime attribute
  - TSL in the tombstoneLifetime attribute
Other Thoughts
- Backups are valid for a maximum of the smaller of DOL and TSL
- Best-practice recommendation: DOL = TSL
- Anticipated database growth: 5-10%
- On deletion, regulatory compliance may not allow retention of a full copy of the deleted object
- Permanently delete with:
    Get-ADObject -LDAPFilter {} -IncludeDeletedObjects | Remove-ADObject
Restoring Objects
- Locate objects using the appropriate filter and pipe the results into Restore-ADObject
- Many ingenious filters can be constructed: restore users with a particular job title, description, etc., or restore users deleted after a certain date:
    $Event = New-Object DateTime(2009, 11, 5, 9, 0, 0)
    Get-ADObject -Filter 'whenChanged -gt $Event -and isDeleted -eq $true' -IncludeDeletedObjects | Restore-ADObject
Hierarchy Required
- You cannot restore an object if the parent container does not exist
- Restore-ADObject can restore to an alternate name and path
- Microsoft provides a script to aid restoring a hierarchy of objects: http://technet.microsoft.com/en-us/library/dd379504(WS.10).aspx
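Putting the last few slides together, the following is an added example (not from the slides and not Microsoft's hierarchy script): it reports the Recycle Bin state and the DOL/TSL attributes, then restores a deleted subtree parents-first by working each object's live DN out from lastKnownParent and its delete-mangled RDN, passing -TargetPath so that a child whose parent was also deleted lands under the freshly restored parent. It assumes the ActiveDirectory module, a Recycle-Bin-enabled forest, a caller permitted to restore objects, and a constructed ancestor DN of OU=Demo,DC=example,DC=com.

```powershell
# Added example: Recycle Bin status plus a parents-first subtree restore.
Import-Module ActiveDirectory

function Get-RecycleBinStatus {
    # A $null lifetime means the attribute is unset and the default applies.
    $feature = Get-ADOptionalFeature -Identity 'Recycle Bin Feature'
    $cfgDn   = 'CN=Directory Service,CN=Windows NT,CN=Services,' + (Get-ADRootDSE).configurationNamingContext
    $dsCfg   = Get-ADObject -Identity $cfgDn -Properties 'msDS-DeletedObjectLifetime', tombstoneLifetime
    [pscustomobject]@{
        Enabled               = ($feature.EnabledScopes.Count -gt 0)
        DeletedObjectLifetime = $dsCfg.'msDS-DeletedObjectLifetime'
        TombstoneLifetime     = $dsCfg.tombstoneLifetime
    }
}

function Restore-DeletedSubtree {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$LiveAncestorDn,   # still-existing container the subtree sat under
        [datetime]$DeletedAfter = (Get-Date).AddDays(-7)
    )
    if (-not (Get-RecycleBinStatus).Enabled) { throw 'Recycle Bin is not enabled; only stripped tombstones exist.' }

    # Deleted (not yet recycled) objects changed since the cut-off, with their last-known position.
    $deleted = Get-ADObject -Filter 'isDeleted -eq $true -and isRecycled -ne $true -and whenChanged -gt $DeletedAfter' `
                 -IncludeDeletedObjects -Properties lastKnownParent, whenChanged
    $byDn = @{}
    foreach ($d in $deleted) { $byDn[$d.DistinguishedName] = $d }

    # Live DN an object gets back: its un-mangled RDN under its parent's live DN.
    # For a child whose parent was deleted too, lastKnownParent is the parent's
    # mangled DN, so the parent is resolved through the deleted set first.
    function Get-LiveDn($obj, [ref]$depth) {
        $rdn    = $obj.DistinguishedName -replace '^(.*?)\\0ADEL:[0-9a-fA-F-]+,.*$', '$1'
        $parent = $obj.lastKnownParent
        if ($byDn.ContainsKey($parent)) {
            $depth.Value++
            $parentLive = Get-LiveDn $byDn[$parent] $depth
        } else {
            $parentLive = $parent
        }
        return "$rdn,$parentLive"
    }

    $plan = foreach ($obj in $deleted) {
        $depth  = 0
        $liveDn = Get-LiveDn $obj ([ref]$depth)
        if ($liveDn -like "*,$LiveAncestorDn") {
            [pscustomobject]@{ Depth = $depth; LiveDn = $liveDn; Object = $obj }
        }
    }

    # Parents first: depth-0 objects already have a live parent; every deeper
    # object's parent was restored in an earlier iteration.
    foreach ($step in ($plan | Sort-Object Depth)) {
        # Simple split on the first comma; RDNs containing escaped commas need a real DN parser.
        $targetPath = $step.LiveDn -replace '^[^,]+,', ''
        if ($PSCmdlet.ShouldProcess($step.LiveDn, 'Restore-ADObject')) {
            Restore-ADObject -Identity $step.Object.ObjectGUID -TargetPath $targetPath
        }
    }
    $plan | Sort-Object Depth | Select-Object Depth, LiveDn
}

# Dry run first, then the real thing.
Restore-DeletedSubtree -LiveAncestorDn 'OU=Demo,DC=example,DC=com' -WhatIf
Restore-DeletedSubtree -LiveAncestorDn 'OU=Demo,DC=example,DC=com'
```

The isRecycled filter matters because, once the Recycle Bin is on, Get-ADObject -IncludeDeletedObjects also returns recycled objects, and those cannot be restored. Because the Recycle Bin keeps linked-attribute values, each restored object comes back with its group memberships and manager link, which is the whole point of the feature compared with the tombstone reanimation shown earlier.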
And Now Live Object
Thanks for coming Have a good trip back
Complete an evaluation on CommNet and enter to win an Xbox 360 Elite!
Summary
- Deleting and recovering directory objects
- How objects are stored
- Incoming and outgoing linked-attributes
- Authoritative restore
- Enabling the Recycle Bin
- Live, deleted and recycled objects
- Recovering deleted objects from the Recycle Bin
Resources
- www.microsoft.com/teched: Sessions On-Demand & Community
- www.microsoft.com/learning: Microsoft Certification & Training Resources
- http://microsoft.com/technet: Resources for IT Professionals
- http://microsoft.com/msdn: Resources for Developers
Related Content
- Breakout Sessions:
  - SIA402 Recovery of Active Directory Deleted Objects and the Windows Server 2008 R2 Recycle Bin
  - SVR317 Managing Windows Server 2008 R2 and Windows 7 with Windows PowerShell V2
- Interactive Theater Sessions:
  - SIA02-IS Active Directory: What's New in R2
- Hands-on Labs:
  - WSV03-HOL Advanced Windows PowerShell Scripting
  - WSV20-HOL Windows Server 2008 R2: What's New in Microsoft Active Directory
My Sessions at TechEd
- Breakout Sessions:
  - SIA319 What's Windows Server 2008 R2 Going to Do for Your Active Directory?
  - SIA402 Recovery of Active Directory Deleted Objects and the Windows Server 2008 R2 Recycle Bin
  - SVR401 DirectAccess Technical Drilldown, Part 1 of 2: IPv6 and Transition Technologies
  - SVR402 DirectAccess Technical Drilldown, Part 2 of 2: Putting It All Together
- Interactive Theater Sessions:
  - SVR08-IS End-to-End Remote Connectivity with DirectAccess
© 2009 Microsoft Corporation. All rights reserved. Microsoft, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U. S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.