
John Craddock
Infrastructure & Security Architect
XTSeminars Ltd
Session Code: SIA402
Agenda
Deleting and recovering directory objects
How objects are stored
Incoming and outgoing linked-attributes
Authoritative restore
Enabling the Recycle Bin
Live, deleted and recycled objects
Recovering deleted objects from the Recycle Bin
Once Upon a Time
Deleted object: stripped of assets
Live object: no online way back
The only option for recovery was an authoritative restore
Why is the deleted object retained in the database?
So that the deletion can replicate to other DCs
Significant Events
2003 SKU: re-animation of deleted objects
2003 forest functional level: linked-value replication
2008 R2 forest functional level: Recycle Bin can be enabled
Object Deletion
Live object --delete--> Tombstone object (majority of attributes deleted)
Tombstone object --offline authoritative restore--> Live object
Tombstone object --tombstone lifetime (180 days)--> Garbage collection --> X purged from directory
The object is moved to the Deleted Objects container
Referred to as a tombstone
isDeleted attribute is set TRUE
The majority of attribute values are removed
Attributes can be retained by setting their searchFlags property
Object Deletion (continued)
The RDN of the object is changed to a "delete-mangled RDN"
The mangled RDN includes the GUID of the object
This guarantees the mangled RDN is unique within the Deleted Objects container
There is no hierarchy in the container
Linked-attribute values (references) to and from the object are deleted
Not controlled by searchFlags
Tombstone Lifetime
The object remains as a tombstone object for the Tombstone Lifetime (TSL = 180 days)
After this period the Garbage Collection service purges the object from the database
Backups older than the TSL cannot be used
This prevents objects that were deliberately deleted from being reintroduced
Object Storage
DNT   PDNT  NCDNT  instanceType  RDN
4024  1788  1788   4             Demo
4025  4024  1788   4             London Users
4026  4024  1788   4             Berlin Users
4027  4024  1788   4             Groups
4028  4027  1788   4             G1
4029  4027  1788   4             G2
4030  4027  1788   4             G3
4031  4025  1788   4             Debbie
4032  4025  1788   4             Dave
If an object is moved, the PDNT for the record is updated; the record never moves in the DB
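The DNT/PDNT table above is easier to reason about with a small model. The following is an added example, not part of the session: it loads the slide's records into a toy data table, walks the PDNT chain to build a DN, then "moves" Debbie by changing only her PDNT. The NC-head record (DNT 1788, domain example.com) and the CN=/OU= prefixes on the RDN values are assumptions; the slide shows the bare names.

```powershell
# Added example: toy model of the AD data table (DNT/PDNT/RDN) from the slide.
# The domain name "example.com" and the NC-head row for DNT 1788 are constructed.
$DataTable = @(
    [pscustomobject]@{ DNT = 1788; PDNT = 0;    RDN = 'DC=example,DC=com' }   # NC head (constructed)
    [pscustomobject]@{ DNT = 4024; PDNT = 1788; RDN = 'OU=Demo' }
    [pscustomobject]@{ DNT = 4025; PDNT = 4024; RDN = 'OU=London Users' }
    [pscustomobject]@{ DNT = 4026; PDNT = 4024; RDN = 'OU=Berlin Users' }
    [pscustomobject]@{ DNT = 4027; PDNT = 4024; RDN = 'OU=Groups' }
    [pscustomobject]@{ DNT = 4028; PDNT = 4027; RDN = 'CN=G1' }
    [pscustomobject]@{ DNT = 4029; PDNT = 4027; RDN = 'CN=G2' }
    [pscustomobject]@{ DNT = 4030; PDNT = 4027; RDN = 'CN=G3' }
    [pscustomobject]@{ DNT = 4031; PDNT = 4025; RDN = 'CN=Debbie' }
    [pscustomobject]@{ DNT = 4032; PDNT = 4025; RDN = 'CN=Dave' }
)

# Build the DN of a record by following PDNT up to the NC head (PDNT 0).
# This is what the directory does on the fly: no DN is stored in the record.
function Get-DnFromDnt {
    param([int]$Dnt, [object[]]$Table = $DataTable)
    $index = @{}
    foreach ($row in $Table) { $index[$row.DNT] = $row }
    $parts   = @()
    $current = $Dnt
    while ($current -ne 0) {
        $row = $index[$current]
        if (-not $row) { throw "Dangling PDNT: no record with DNT $current" }
        $parts  += $row.RDN
        $current = $row.PDNT
    }
    return ($parts -join ',')
}

# Debbie under OU=London Users
Get-DnFromDnt 4031

# Move Debbie to Berlin Users: only the PDNT changes, the record keeps DNT 4031
($DataTable | Where-Object DNT -eq 4031).PDNT = 4026
Get-DnFromDnt 4031
```

Because the record's DNT never changes, anything that stored DNT 4031 (a direct reference such as secretary, or a link-table row) still resolves to Debbie after the move; that is the property the later slides on references and linked attributes depend on.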
Viewing the Database
No DN
Name of operational attribute
Required attributes for operation
Dumpdatabase: dumps a text version of the database in the NTDS directory
dumpdatabase is an operational (RootDSE) attribute
Working with Deleted Objects
To view deleted objects requires an LDAP control
Can select the control in LDP
Windows 2008 R2 PowerShell with AD module:
Get-ADObject -LDAPFilter '<filter>' -IncludeDeletedObjects
Reanimating an Object
Using LDP, in one operation you must
Remove the isDeleted attribute
Replace the distinguishedName attribute with a new value
Use ADRestore from the Sysinternals tools
Create your own utility
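The "create your own utility" option amounts to sending the same two changes LDP sends, in a single LDAP modify. The following is an added example, not code from the session or from Sysinternals: it lists the tombstone with the AD module, then reanimates it with System.DirectoryServices.Protocols. The DC name dc01.example.com, the user name Maria and the function name Restore-Tombstone are assumptions; the show-deleted control OID 1.2.840.113556.1.4.417 is the standard LDAP_SERVER_SHOW_DELETED_OID.

```powershell
# Added example: view a tombstone, then reanimate it in ONE modify request.
# Assumed names: DC "dc01.example.com", deleted user "Maria".
Import-Module ActiveDirectory
Add-Type -AssemblyName System.DirectoryServices.Protocols

# 1. Find the tombstone. Deleted objects are only returned with -IncludeDeletedObjects
#    (the AD module adds the show-deleted LDAP control for you). The mangled CN
#    still starts with the original name, so "Maria*" matches it.
$tombstone = Get-ADObject -LDAPFilter '(&(isDeleted=TRUE)(objectClass=user)(cn=Maria*))' `
    -IncludeDeletedObjects -Properties isDeleted, lastKnownParent, msDS-LastKnownRDN |
    Select-Object -First 1
$tombstone | Format-List distinguishedName, isDeleted, lastKnownParent, msDS-LastKnownRDN

# 2. Reanimate: delete isDeleted and replace distinguishedName in the same request.
#    The server rejects these two changes if they are sent as separate modifies.
function Restore-Tombstone {
    param(
        [Parameter(Mandatory)][string]$Server,
        [Parameter(Mandatory)][string]$DeletedDn,   # mangled DN under CN=Deleted Objects
        [Parameter(Mandatory)][string]$NewDn        # DN the object should have when live again
    )
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($Server)
    $conn.SessionOptions.Signing = $true            # sign and seal: the request carries a DN rewrite
    $conn.SessionOptions.Sealing = $true
    $conn.Bind()                                    # current credentials (Negotiate)

    $req = New-Object System.DirectoryServices.Protocols.ModifyRequest
    $req.DistinguishedName = $DeletedDn

    $delIsDeleted = New-Object System.DirectoryServices.Protocols.DirectoryAttributeModification
    $delIsDeleted.Name      = 'isDeleted'
    $delIsDeleted.Operation = [System.DirectoryServices.Protocols.DirectoryAttributeOperation]::Delete

    $setDn = New-Object System.DirectoryServices.Protocols.DirectoryAttributeModification
    $setDn.Name      = 'distinguishedName'
    $setDn.Operation = [System.DirectoryServices.Protocols.DirectoryAttributeOperation]::Replace
    [void]$setDn.Add($NewDn)

    [void]$req.Modifications.Add($delIsDeleted)
    [void]$req.Modifications.Add($setDn)

    # Show-deleted control so the server lets us address the mangled DN (critical, server-side)
    $showDeleted = New-Object System.DirectoryServices.Protocols.DirectoryControl `
        -ArgumentList '1.2.840.113556.1.4.417', $null, $true, $true
    [void]$req.Controls.Add($showDeleted)

    $resp = $conn.SendRequest($req)
    return $resp.ResultCode                         # ResultCode.Success when the object is live again
}

# lastKnownParent gives the container the object lived in before deletion
$newDn = "CN=Maria,$($tombstone.lastKnownParent)"
Restore-Tombstone -Server 'dc01.example.com' -DeletedDn $tombstone.DistinguishedName -NewDn $newDn
```

Reanimating this way gives exactly what the next slide describes: a live object with most attributes (including the password) and all linked-attribute values missing, so the account should be treated as a fresh object until those are repopulated and reviewed.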
Restored User Object
Most attributes missing, including the password
All inbound linked-attribute values missing (for example, group membership)
All outbound linked-attribute values missing (for example, the attribute containing the link to the manager)
Could repopulate missing values from a mounted directory snapshot
Microsoft's solution is an authoritative restore
Restoring linked-attribute values can be problematic
Object References
One object can reference another either as a direct reference or using a linked-attribute reference
With a direct reference the attribute on one object references the DN of another object
Direct References
Debbie (DNT 4031)  secretary -> Dave  (DNT 4032)
Dave   (DNT 4032)  secretary -> Valya (DNT 4033)
Shown in the UI as a DN, stored as a DNT
If Dave is deleted:
Incoming references remain
Outgoing references remain, provided the attribute that holds the reference is retained on logical deletion
Linked Attributes
Linked attributes consist of a forward-link and back-link pair
The forward link can be populated and the back link is calculated
Forward links may be single-valued or multi-valued
Back links are always multi-valued
Each linked pair is identified by the linkID property of an attribute
Forward linkIDs are even (n) and for each forward link the associated back-link is an odd number (n+1)
Single To Multi-Valued
John   manager = Nicola
Maria  manager = Peter
Tom    manager = Nicola
Link Table (simplified)
Forward (manager)      Back (Reports)
John  -> Nicola        Nicola <- John
Maria -> Peter         Peter  <- Maria
Tom   -> Nicola        Nicola <- Tom
An entry is created in a link table when a value is added to the manager attribute
The link tables are constructed on each DC and hold the DNT values
Multi-Valued To Multi-Valued
G1  member = John; Maria
G2  member = Maria
G3  member = Maria; John
Link Table (simplified)
Forward (member)       Back (MemberOf)
G1 -> John             John  <- G1
G2 -> Maria            Maria <- G2
G3 -> Maria            Maria <- G3
G3 -> John             John  <- G3
G1 -> Maria            Maria <- G1
Delete Maria
John   manager = Nicola
Maria  manager = Peter
Tom    manager = Nicola
Link Table (simplified)
Forward (manager)      Back (Reports)
John  -> Nicola        Nicola <- John
Maria -> Peter         (removed)
Tom   -> Nicola        Nicola <- Tom
All outbound linked-attribute values are removed
Delete Maria (continued)
G1  member = John; Maria
G2  member = Maria
G3  member = Maria; John
Link Table (simplified)
Forward (member)       Back (MemberOf)
G1 -> John             John <- G1
G2 -> Maria            (removed)
G3 -> Maria            (removed)
G3 -> John             John <- G3
G1 -> Maria            (removed)
All inbound linked-attribute values are removed
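The linkID pairing rule and the link-table slides above can be checked with a small model. The following is an added example, not code from the session: part (1) pairs forward and back links by linkID from a constructed schema sample (member/memberOf and manager/directReports carry their well-known linkIDs), and part (2) models the simplified per-DC link table of DNTs and shows that deleting Maria removes both her outbound manager value and every inbound member value, while other objects' links are untouched. The DNT values and all function names are constructed.

```powershell
# Added example: (1) pair linked attributes by linkID, (2) model the link table.

# --- (1) forward linkID is even (n); its back link is n+1 ---
$SchemaSample = @(        # constructed sample of schema attributes
    [pscustomobject]@{ lDAPDisplayName = 'member';        linkID = 2 }
    [pscustomobject]@{ lDAPDisplayName = 'memberOf';      linkID = 3 }
    [pscustomobject]@{ lDAPDisplayName = 'manager';       linkID = 42 }
    [pscustomobject]@{ lDAPDisplayName = 'directReports'; linkID = 43 }
)
function Get-LinkPair {
    param([object[]]$Attributes)
    $byId = @{}
    foreach ($a in $Attributes) { $byId[[int]$a.linkID] = $a.lDAPDisplayName }
    foreach ($a in ($Attributes | Where-Object { $_.linkID % 2 -eq 0 })) {
        [pscustomobject]@{ Forward = $a.lDAPDisplayName; Back = $byId[[int]$a.linkID + 1] }
    }
}
Get-LinkPair $SchemaSample
# Live equivalent (AD module): feed this into Get-LinkPair instead of the sample
#   Get-ADObject -SearchBase (Get-ADRootDSE).schemaNamingContext -LDAPFilter '(linkID=*)' -Properties lDAPDisplayName, linkID

# --- (2) simplified link table: one row per forward-link VALUE, keyed by DNT ---
$Dnt  = @{ John = 1; Maria = 2; Tom = 3; Nicola = 4; Peter = 5; G1 = 6; G2 = 7; G3 = 8 }   # constructed DNTs
$Name = @{}
foreach ($k in $Dnt.Keys) { $Name[$Dnt[$k]] = $k }
$LinkTable = @(
    [pscustomobject]@{ LinkDnt = $Dnt.John;  Attr = 'manager'; BacklinkDnt = $Dnt.Nicola }
    [pscustomobject]@{ LinkDnt = $Dnt.Maria; Attr = 'manager'; BacklinkDnt = $Dnt.Peter  }
    [pscustomobject]@{ LinkDnt = $Dnt.Tom;   Attr = 'manager'; BacklinkDnt = $Dnt.Nicola }
    [pscustomobject]@{ LinkDnt = $Dnt.G1;    Attr = 'member';  BacklinkDnt = $Dnt.John   }
    [pscustomobject]@{ LinkDnt = $Dnt.G2;    Attr = 'member';  BacklinkDnt = $Dnt.Maria  }
    [pscustomobject]@{ LinkDnt = $Dnt.G3;    Attr = 'member';  BacklinkDnt = $Dnt.Maria  }
    [pscustomobject]@{ LinkDnt = $Dnt.G3;    Attr = 'member';  BacklinkDnt = $Dnt.John   }
    [pscustomobject]@{ LinkDnt = $Dnt.G1;    Attr = 'member';  BacklinkDnt = $Dnt.Maria  }
)
# Forward values are the rows where the object is on the link side (what is stored)
function Get-ForwardValues {
    param([string]$Object, [string]$Attr, $Table = $LinkTable)
    $Table | Where-Object { $_.LinkDnt -eq $Dnt[$Object] -and $_.Attr -eq $Attr } |
        ForEach-Object { $Name[$_.BacklinkDnt] }
}
# Back values (memberOf, directReports) are never stored: they are the same rows read backwards
function Get-BackValues {
    param([string]$Object, [string]$Attr, $Table = $LinkTable)
    $Table | Where-Object { $_.BacklinkDnt -eq $Dnt[$Object] -and $_.Attr -eq $Attr } |
        ForEach-Object { $Name[$_.LinkDnt] }
}
# Deleting an object drops every row in which its DNT appears on EITHER side
function Remove-ObjectLinks {
    param([string]$Object, $Table = $LinkTable)
    $d = $Dnt[$Object]
    ,($Table | Where-Object { $_.LinkDnt -ne $d -and $_.BacklinkDnt -ne $d })
}

Get-BackValues    Maria member                     # Maria's computed memberOf before deletion
$afterDelete = Remove-ObjectLinks Maria
Get-BackValues    Maria  member  -Table $afterDelete   # inbound member values: gone
Get-ForwardValues Maria  manager -Table $afterDelete   # outbound manager value: gone
Get-BackValues    Nicola manager -Table $afterDelete   # Nicola's reports: unaffected
```

The point the model makes explicit is that there is no "memberOf" to back up or restore: rebuilding Maria's group membership means re-creating forward-link rows on the group objects, which is why the later slides on authoritative restore and linked-value replication matter.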
Restoring Linked Attributes
Reanimated object: manually restore all forward-link references and all attribute values
Alternatives to online reanimation: authoritative restore, or a third-party solution
Authoritatively Restoring Maria
Options:
Boot into DS Restore Mode on a DC that has not received the replicated deletion of Maria (a lag site may have been created for this)
Or boot a DC into DS Restore Mode and restore AD from backup
In DS Restore Mode mark Maria as authoritative using ntdsutil
Restart the domain controller
How successful will you be?
On the authoritatively restored DC:
Maria is completely recovered, including all entries for incoming and outgoing linked attributes
Maria is a member of groups G1, G2 and G3
Maria's manager attribute refers to Peter
All of Maria's attributes are marked as authoritative and will replicate to the other DCs in the domain
The incoming linked-attribute values may or may not replicate
It depends on the current forest functional level and the level when Maria was added to the groups
Linked-Value replication
Replicates that G1 has Maria as a member
DC1 (Maria authoritatively restored): Maria DNT 1000, G1 DNT 2000; link table row 2000 -> 1000 marked AUTH
DC2: Maria DNT 7654, G1 DNT 8657; link table row 8657 -> 7654 marked AUTH
Windows 2003 forest functionality introduced linked-value replication
Replication metadata is attached to each entry in the link tables
When Maria is restored all incoming linked values are marked as authoritative in the link table
No Linked Value Replication
Prior to 2003 forest functionality, replication metadata existed on the attribute and not on the individual links
To restore Maria's group membership, one option was to authoritatively restore all groups that she belonged to
If Maria was added to some groups before and some after linked-value replication was enabled, then during an authoritative restore of Maria some links would replicate and others wouldn't
Partial Solution
LDF Produced During Authoritative Restore
# CN=G1,OU=Groups,OU=Demo,DC=example,DC=com
# dn: <GUID=4ec2d1b7-354b-4f17-9a6b-c567888bcf24>
dn:: PEdVSUQ9NGVjMmQxYjctMzU0Yi00ZjE3LTlhNmItYzU2Nzg4OGJjZjI0Pg==
# Base64 encoded: <GUID=4ec2d1b7-354b-4f17-9a6b-c567888bcf24>
changetype: modify
delete: member
# CN=Maria,OU=Berlin Users,OU=Demo,DC=example,DC=com
# member: <GUID=6a677bde-f83e-49a5-b5fb-eb074a2899b7>
member:: PEdVSUQ9NmE2NzdiZGUtZjgzZS00OWE1LWI1ZmItZWIwNzRhMjg5OWI3Pg==
-
# CN=G1,OU=Groups,OU=Demo,DC=example,DC=com
# dn: <GUID=4ec2d1b7-354b-4f17-9a6b-c567888bcf24>
dn:: PEdVSUQ9NGVjMmQxYjctMzU0Yi00ZjE3LTlhNmItYzU2Nzg4OGJjZjI0Pg==
changetype: modify
add: member
# CN=Maria,OU=Berlin Users,OU=Demo,DC=example,DC=com
# member: <GUID=6a677bde-f83e-49a5-b5fb-eb074a2899b7>
member:: PEdVSUQ9NmE2NzdiZGUtZjgzZS00OWE1LWI1ZmItZWIwNzRhMjg5OWI3Pg==
-
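The LDF above is what you replay (with ldifde -i) to re-add Maria to groups whose membership did not replicate. Its dn and member values are base64-encoded (the "::" form) GUID-bound DNs, which is hard to audit by eye. The following is an added example, not code from the session: a small LDIF change-record parser that decodes those values so the delete-then-add of member can be reviewed before it is imported. The LDIF text is the slide's own, embedded as a here-string; the function name ConvertFrom-LdifChanges is an assumption.

```powershell
# Added example: decode the "::" (base64) values in an authoritative-restore LDF.
# The LDIF below is the one shown on the slide (comments omitted).
$Ldif = @'
dn:: PEdVSUQ9NGVjMmQxYjctMzU0Yi00ZjE3LTlhNmItYzU2Nzg4OGJjZjI0Pg==
changetype: modify
delete: member
member:: PEdVSUQ9NmE2NzdiZGUtZjgzZS00OWE1LWI1ZmItZWIwNzRhMjg5OWI3Pg==
-

dn:: PEdVSUQ9NGVjMmQxYjctMzU0Yi00ZjE3LTlhNmItYzU2Nzg4OGJjZjI0Pg==
changetype: modify
add: member
member:: PEdVSUQ9NmE2NzdiZGUtZjgzZS00OWE1LWI1ZmItZWIwNzRhMjg5OWI3Pg==
-
'@

function ConvertFrom-LdifChanges {
    param([string]$Text)
    $records = @()
    $current = $null
    foreach ($line in ($Text -split "`r?`n")) {
        if ($line -match '^\s*#') { continue }                       # comment line
        if ($line -match '^\s*$') {                                  # blank line ends a record
            if ($current) { $records += $current; $current = $null }
            continue
        }
        if ($line -eq '-') { continue }                              # end of one modification
        if ($line -match '^(?<name>[A-Za-z0-9-]+)(?<b64>:?): (?<value>.*)$') {
            $value = $Matches.value
            if ($Matches.b64 -eq ':') {                              # "name:: value" => base64
                $value = [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($value))
            }
            switch ($Matches.name) {
                'dn'         { $current = [pscustomobject]@{ DN = $value; ChangeType = $null; Op = $null; Attr = $null; Values = @() } }
                'changetype' { $current.ChangeType = $value }
                'add'        { $current.Op = 'add';     $current.Attr = $value }
                'delete'     { $current.Op = 'delete';  $current.Attr = $value }
                'replace'    { $current.Op = 'replace'; $current.Attr = $value }
                default      { if ($Matches.name -eq $current.Attr) { $current.Values += $value } }
            }
        }
    }
    if ($current) { $records += $current }
    return $records
}

ConvertFrom-LdifChanges $Ldif | Format-Table DN, ChangeType, Op, Attr, Values -AutoSize
```

Decoded, each record addresses the group by <GUID=...> rather than by DN, so the import still works if G1 has been renamed or moved since the backup; the delete followed by an add of the same member value is what forces a fresh linked value, with new replication metadata, to replicate out.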
Recycle Bin Enabled
All attributes retained
Live object --delete--> Deleted object
Deleted object --online undelete--> Live object
Deleted object --deleted object lifetime (180 days)--> Garbage collection --> Recycled object
Recycled object --tombstone lifetime (180 days)--> Garbage collection --> X purged from directory
Recycle Bin for AD
Requires 2008 R2 forest functionality
PowerShell driven:
Enable-ADOptionalFeature 'Recycle Bin Feature' -Scope ForestOrConfigurationSet -Target '<forest>'
Once enabled it cannot be disabled
Get-ADObject -LDAPFilter '<filter>' -IncludeDeletedObjects
Restore-ADObject -Identity <id>
The parent object must be restored in advance of the child object
Restores all attributes including linked attributes
Object Deletion
All attributes retained
Live object --delete--> Deleted object
Deleted object --online undelete--> Live object
The object is moved to the Deleted Objects container
Referred to as a deleted object
isDeleted attribute is set TRUE
isRecycled attribute not present
lastKnownParent set
msDS-LastKnownRDN set
Object Deletion (continued)
The RDN of the object is changed to a "delete-mangled RDN"
All attribute values, with the exception of objectCategory and sAMAccountType, are retained
If the object is undeleted these are automatically restored from the defaultObjectCategory and userAccountControl attributes
Object Deletion (continued)
Linked-attribute values (references) to and from the object are retained
Not visible to LDAP without the special control
The object remains as a deleted object for the Deleted Object Lifetime (DOL = 180 days)
After this period the Garbage Collection service converts the object to a recycled object
Recycled Object
Similar characteristics to a pre-Recycle Bin tombstone object
The majority of attribute values are removed
Linked-attribute values (references) to and from the object are deleted
isRecycled set TRUE
A recycled object cannot be reanimated
Retained to allow replication to occur
Lifetimes
A recycled object remains for the Tombstone Lifetime (TSL = 180 days)
After this period the Garbage Collection service purges the object from the directory
The DOL and TSL values are held in attributes of "cn=Directory Service, cn=Windows NT, cn=Services, cn=Configuration, dc=<your forest>"
DOL in the msDS-deletedObjectLifetime attribute
TSL in the tombstoneLifetime attribute
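Before relying on the Recycle Bin (the "Recycle Bin for AD" slide) or on a backup, it is worth reading the values the two slides above describe from the forest itself. The following is an added example, not code from the session: it reports whether the Recycle Bin feature is enabled, the DOL and TSL from the Directory Service object, the resulting maximum usable backup age, and how many deleted versus recycled objects currently exist. It assumes the AD module (2008 R2 or later) and that -IncludeDeletedObjects also returns recycled objects; the function name Get-RecycleBinStatus is an assumption.

```powershell
# Added example: inspect Recycle Bin state and lifetimes for the current forest.
Import-Module ActiveDirectory

function Get-RecycleBinStatus {
    $rootDse  = Get-ADRootDSE
    $feature  = Get-ADOptionalFeature -Filter 'name -eq "Recycle Bin Feature"'
    $dsObject = Get-ADObject "CN=Directory Service,CN=Windows NT,CN=Services,$($rootDse.configurationNamingContext)" `
        -Properties msDS-DeletedObjectLifetime, tombstoneLifetime

    # When tombstoneLifetime is not set the built-in default of 60 days applies;
    # when msDS-DeletedObjectLifetime is not set the DOL equals the TSL.
    $tsl = if ($dsObject.tombstoneLifetime) { [int]$dsObject.tombstoneLifetime } else { 60 }
    $dol = if ($dsObject.'msDS-DeletedObjectLifetime') { [int]$dsObject.'msDS-DeletedObjectLifetime' } else { $tsl }

    # Deleted (still restorable) vs recycled (cannot be reanimated) objects.
    # Assumes -IncludeDeletedObjects returns recycled objects as well.
    $deleted  = @(Get-ADObject -LDAPFilter '(&(isDeleted=TRUE)(!(isRecycled=TRUE)))' -IncludeDeletedObjects).Count
    $recycled = @(Get-ADObject -LDAPFilter '(isRecycled=TRUE)' -IncludeDeletedObjects).Count

    [pscustomobject]@{
        ForestMode             = (Get-ADForest).ForestMode
        RecycleBinEnabled      = ($feature.EnabledScopes.Count -gt 0)
        DeletedObjectLifetime  = $dol
        TombstoneLifetime      = $tsl
        MaxUsableBackupAgeDays = [Math]::Min($dol, $tsl)   # backups are valid for the smaller of DOL and TSL
        DeletedObjects         = $deleted
        RecycledObjects        = $recycled
    }
}

Get-RecycleBinStatus

# Enabling is a one-way change; review the output above first.
# Enable-ADOptionalFeature -Identity 'Recycle Bin Feature' -Scope ForestOrConfigurationSet -Target (Get-ADForest).Name
```

A DeletedObjectLifetime lower than TombstoneLifetime shortens the window in which an online undelete is possible, and it also shortens the useful life of every backup, which is the reason for the DOL = TSL recommendation on the next slide.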
Other Thoughts
Backups are valid for at most the smaller of the DOL and TSL values
Best practice recommendation: DOL = TSL
Anticipated database growth: 5-10%
On deletion, regulatory compliance may not allow retention of a full copy of the deleted object
Permanently delete with:
Get-ADObject -LDAPFilter '<filter>' -IncludeDeletedObjects | Remove-ADObject
Restoring Objects
Locate objects using the appropriate filter
Pipe the results into Restore-ADObject
Many ingenious filters can be constructed
Restore users with a particular job title, description etc.
Restore users deleted after a certain date:
$event = New-Object DateTime(2009, 11, 5, 9, 0, 0)
Get-ADObject -Filter 'whenChanged -gt $event -and isDeleted -eq $true' -IncludeDeletedObjects | Restore-ADObject
Hierarchy Required
You cannot restore an object if the parent container does not exist
Restore-ADObject can restore to an alternate name and path
Microsoft provides a script to aid restoring a hierarchy of objects:
http://technet.microsoft.com/en-us/library/dd379504(WS.10).aspx
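The date-filter restore on the previous slide and the parent-before-child rule above combine naturally into one procedure. The following is an added example; it is not the Microsoft script linked above and not code from the session. It collects deleted objects changed after a cut-off, orders them so that any deleted ancestor is restored before its children, derives each object's original RDN from the delete-mangled DN (the part before \0ADEL:), and uses Restore-ADObject -TargetPath so a child is restored under its parent's restored DN. It assumes the Recycle Bin is enabled (so lastKnownParent is populated and attributes come back), and the function name Restore-DeletedTree is an assumption. It supports -WhatIf so the plan can be reviewed first.

```powershell
# Added example: restore deleted objects after a cut-off, parents before children.
Import-Module ActiveDirectory

# The mangled RDN is "<original rdn>\0ADEL:<guid>"; keep only the original RDN.
function Get-OriginalRdn {
    param([string]$MangledDn)
    return ($MangledDn -split '\\0ADEL:')[0]
}

function Restore-DeletedTree {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([Parameter(Mandatory)][datetime]$DeletedAfter)

    # The Deleted Objects container is itself flagged isDeleted; leave it out.
    $deleted = @(Get-ADObject -Filter 'isDeleted -eq $true -and whenChanged -gt $DeletedAfter' `
        -IncludeDeletedObjects -Properties lastKnownParent, whenChanged |
        Where-Object { $_.Name -ne 'Deleted Objects' })

    $byDn = @{}
    foreach ($o in $deleted) { $byDn[$o.DistinguishedName] = $o }

    # Depth = number of ancestors that are themselves in the deleted set.
    # A child's lastKnownParent points at the parent's mangled (deleted) DN.
    $depth = @{}
    foreach ($o in $deleted) {
        $d = 0; $p = $o.lastKnownParent
        while ($p -and $byDn.ContainsKey($p)) { $d++; $p = $byDn[$p].lastKnownParent }
        $depth[$o.DistinguishedName] = $d
    }
    $ordered = $deleted | Sort-Object { $depth[$_.DistinguishedName] }, whenChanged

    $restoredDn = @{}    # mangled DN -> DN the object has after restore
    foreach ($o in $ordered) {
        $target = $o.lastKnownParent
        if ($restoredDn.ContainsKey($target)) { $target = $restoredDn[$target] }   # parent restored earlier in this run
        $newDn = "$(Get-OriginalRdn $o.DistinguishedName),$target"
        if ($PSCmdlet.ShouldProcess($o.DistinguishedName, "Restore to $newDn")) {
            Restore-ADObject -Identity $o.ObjectGUID -TargetPath $target
        }
        $restoredDn[$o.DistinguishedName] = $newDn
    }
}

# Dry run first, then the real thing:
Restore-DeletedTree -DeletedAfter (Get-Date '2009-11-05 09:00') -WhatIf
# Restore-DeletedTree -DeletedAfter (Get-Date '2009-11-05 09:00')
```

Because Restore-ADObject with the Recycle Bin brings back linked attributes as well, a restored user returns with its group memberships; the -WhatIf listing is the place to confirm that nothing deliberately removed (for example, a disabled account or a privileged group member) is about to come back with them.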
And Now
Live Object
Thanks for coming
Have a good trip back
Complete an evaluation
on CommNet and enter to
win an Xbox 360 Elite!
Summary
Deleting and recovering directory objects
How objects are stored
Incoming and outgoing linked-attributes
Authoritative restore
Enabling the Recycle Bin
Live, deleted and recycled objects
Recovering deleted objects from the Recycle Bin
Resources
www.microsoft.com/teched
www.microsoft.com/learning
Sessions On-Demand & Community
Microsoft Certification & Training Resources
http://microsoft.com/technet
http://microsoft.com/msdn
Resources for IT Professionals
Resources for Developers
Related Content
Breakout Sessions:
SIA402 Recovery of Active Directory Deleted Objects and the Windows Server 2008 R2
Recycle Bin
SVR317 Managing Windows Server 2008 R2 and Windows 7 with Windows PowerShell
V2
Interactive Theater Sessions :
SIA02-IS Active Directory: What's New in R2
Hands-on Labs:
WSV03-HOL Advanced Windows PowerShell Scripting
WSV20-HOL Windows Server 2008 R2: What's New in Microsoft Active Directory
My Sessions at TechEd
Breakout Sessions:
SIA319 What's Windows Server 2008 R2 Going to Do for Your Active Directory?
SIA402 Recovery of Active Directory Deleted Objects and the Windows Server 2008
R2 Recycle Bin
SVR401 DirectAccess Technical Drilldown, Part 1 of 2: IPv6 and Transition
Technologies
SVR402 DirectAccess Technical Drilldown, Part 2 of 2: Putting It All Together
Interactive Theater Sessions:
SVR08-IS End-to-End Remote Connectivity with DirectAccess
© 2009 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.
The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should
not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS,
IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.