More on Active Directory
Active Directory constitutes one of the primary infrastructure components of the majority of Windows-based business environments. Effectively, its resiliency and recoverability are inherently linked to operational continuity and any issues affecting its availability translate into monetary losses. Since the introduction of this technology (coinciding with the release of Windows 2000 Server platform), Microsoft has been continually improving its native restore capabilities.
In this article, we will present options that are included in Windows Server 2008 R2.
First, some context: Active Directory is implemented as a distributed database hosted on one or more domain controllers. Its content consists of objects and their attributes (as well as metadata defining characteristics of each of them) grouped into partitions, which collectively represent an entity called a forest. Taking into account this hierarchical structure, it is possible to approach the subject of recovery from the point of view of its scope. More specifically, we can identify the following scenarios that qualify as Active Directory recovery:
- Restoring an object (or more specifically, attributes of which that object is comprised)
- Restoring a single container (containing multiple objects and, potentially, other containers)
- Restoring a domain (which can apply to a single- or multi-domain forest)
- Restoring a multi-domain forest
Prior to Windows Server 2008 R2, you had, in essence, two options when recovering deleted objects. The first, by far more common, involved authoritatively restoring them from backup (as described in the Technet article Performing an Authoritative Restore of Deleted AD DS Objects). The procedure required rebooting one of domain controllers in Directory Services Restore Mode (assuming that you had multiple domain controllers in the same domain -- otherwise, any restore is automatically considered authoritative), restoring its System State backup taken prior to the deletion, and using ntdsutil.exe command-line utility to mark the newly restored object as authoritative (ensuring that they would replicate outbound to all other domain controllers in the same domain).
Unfortunately, it is typically also necessary to account for the fact that a restored object might include back-link attributes (most commonly, memberOf attribute of a user object, which represents its group membership) that are counterparts of forward-link attributes. In this case, it would be taking the form of the member attribute of a group. Since only the latter is replicated, while the former is simply evaluated locally on each domain controller, restoring a single object will re-establish forward links corresponding to its back-links only on the domain controller where the restore is carried out, without replicating them out. This holds as long as group objects included in the System State restore are not marked as authoritative. Thus, the forward attributes might be either retained or overwritten, depending on whether group membership changes took place since the backup was taken. The problem is even more severe in pre-Windows Server 2003 domains, where the member attribute does not take advantage of the Linked Value Replication (LVR) but instead it is implemented as single-valued rather than multi-valued.
To remediate this issue, once you authoritatively restore a user object, you must also authoritatively restore relevant forward links (representing membership of that user in Active Directory groups). Fortunately, starting with Windows Server 2003 Service Pack 1, ntdsutil.exe automatically recovers group membership in the local domain (including universal groups if the restore is performed on a global catalog) as part of the authoritative restore process. It also generates a pair of supplemental files to assist with any auxiliary changes. The first of them (in the .ldf format) must be imported (via the Ldifde command-line utility) manually on the recovery domain controller if the restored user was a member of pre-LVR groups. The second one, implemented as a text file, comes into play if the user was a member of domain local or universal groups in other domains in the same forest. If so, you must convert it to ldf format on a domain controller in each of these domains by following procedure described in the Active Directory Operations Guide, and subsequently import the resulting file using Ldifde utility.
The other of legacy options that facilitate recovery of Active Directory objects takes advantage of the fact that their deletion does not take effect immediately. Instead, objects are marked for deletion (tombstoned) by setting their isDeleted attribute to TRUE, moved to CN=Deleted Objects container in their partition (with exception of server objects), stripped of most of their attributes (by default, only mandatory ones are preserved), and retained for the period dictated by the value of tombstoneLifetime attribute residing in the CN=Directory Service,CN=Windows NT,CN=Services container of the configuration partition of the forest. This also determines the useful shelf life of a System State backup of Active Directory domain controllers. As a result, it is possible to retrieve these objects by following the procedure described in the Technet article Reanimating Active Directory Tombstone Objects. Unfortunately, the outcome is typically less than satisfactory since the recovered object is missing most of its attributes, including its group membership.
Starting with Windows Server 2008, this particular drawback of the tombstone reanimation procedure can be relatively easily remediated by taking advantage of the Active Directory snapshots. In addition, that operating system brings modifications in the way native backup is implemented. System State backup option is no longer available via a graphical interface but requires use of the wbadmin command-line utility with start systemstatebackup switch. Similarly, it is restored by executing wbadmin start systemstaterecovery. As in the past, to perform an authoritative restore, you must carry out this procedure after restarting the domain controller in Directory Services Restore Mode.