Active Directory Domain Services Recovery in Win Server 2008 R2

by Marcin Policht

Active Directory is one of the primary infrastructure components of many Windows environments. Its resiliency and recoverability are inherently linked to operational continuity. Issues affecting its availability translate into monetary losses. Since Microsoft introduced this technology, it has continually improved native restore capabilities, most recently in Windows Server 2008 R2.


Active Directory was introduced with the Windows 2000 Server platform, and Microsoft has been continually improving its native restore capabilities ever since. In this article, we will present the options included in Windows Server 2008 R2.

First, some context: Active Directory is implemented as a distributed database hosted on one or more domain controllers. Its content consists of objects and their attributes (as well as metadata defining characteristics of each of them) grouped into partitions, which collectively represent an entity called a forest. Taking into account this hierarchical structure, it is possible to approach the subject of recovery from the point of view of its scope. More specifically, we can identify the following scenarios that qualify as Active Directory recovery:

  • Restoring an object (or, more specifically, the attributes that make up that object)
  • Restoring a single container (containing multiple objects and, potentially, other containers)
  • Restoring a domain (which can apply to a single- or multi-domain forest)
  • Restoring a multi-domain forest

Prior to Windows Server 2008 R2, you had, in essence, two options for recovering deleted objects. The first, by far the more common, involved authoritatively restoring them from backup (as described in the TechNet article Performing an Authoritative Restore of Deleted AD DS Objects). The procedure required rebooting one of the domain controllers in Directory Services Restore Mode (assuming that you had multiple domain controllers in the same domain; with a single domain controller there is nothing to overwrite the restored data, so any restore is effectively authoritative), restoring a System State backup taken prior to the deletion, and using the ntdsutil.exe command-line utility to mark the newly restored objects as authoritative. Marking raises the version numbers of the restored attributes, ensuring that they replicate outbound to all other domain controllers in the same domain instead of being overwritten by the more recent deletion.

Unfortunately, it is also necessary to account for the fact that a restored object might include back-link attributes (most commonly the memberOf attribute of a user object, which represents its group membership) that are counterparts of forward-link attributes; in this case, the member attribute of a group. Only the forward link is replicated, while the back-link is simply computed locally on each domain controller. Restoring a single user therefore re-establishes the forward links corresponding to its back-links only on the domain controller where the restore is carried out, and does not replicate them out, as long as the group objects included in the System State restore are not themselves marked as authoritative. Whether those non-authoritative member values are retained or overwritten then depends on whether group membership changes (as seen by the other domain controllers) took place since the backup was taken. The problem is even more severe in forests below the Windows Server 2003 functional level, where the member attribute does not take advantage of Linked Value Replication (LVR): the whole multi-valued attribute replicates as a single unit rather than value by value, so one conflicting change elsewhere overwrites the entire membership list.

To remediate this issue, once you authoritatively restore a user object, you must also authoritatively restore the relevant forward links (the member values representing that user's membership in Active Directory groups). Fortunately, starting with Windows Server 2003 Service Pack 1, ntdsutil.exe automatically restores group membership in the local domain (including universal groups if the restore is performed on a global catalog) as part of the authoritative restore, and generates a pair of supplemental files for the cases it cannot handle. The first (in .ldf format) must be imported manually with the ldifde command-line utility on the recovery domain controller if the restored user was a member of pre-LVR groups. The second, a text file, comes into play if the user was a member of domain local or universal groups in other domains of the same forest; you must convert it to .ldf format on a domain controller in each of those domains by following the procedure described in the Active Directory Operations Guide, and then import the result with ldifde.

The other legacy option for recovering Active Directory objects takes advantage of the fact that their deletion does not take effect immediately. Instead, objects are marked for deletion (tombstoned): their isDeleted attribute is set to TRUE, they are moved to the CN=Deleted Objects container of their partition (with the exception of server objects), stripped of most of their attributes (by default only a small set, consisting of the mandatory attributes plus those whose searchFlags carry the preserve-on-delete bit, is kept), and retained for the period dictated by the tombstoneLifetime attribute of the CN=Directory Service,CN=Windows NT,CN=Services object in the configuration partition of the forest. The same value also determines the useful shelf life of a System State backup of a domain controller, since restoring a backup older than the tombstone lifetime would reintroduce objects the rest of the forest has already purged. As a result, it is possible to retrieve tombstoned objects by following the procedure described in the TechNet article Reanimating Active Directory Tombstone Objects. Unfortunately, the outcome is typically less than satisfactory, since the recovered object is missing most of its attributes, including its group membership.
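Tombstone reanimation is the same LDAP operation whether you drive it from ldp.exe or from a script. The following PowerShell is an added example (not code from the original article) that performs it through System.DirectoryServices.Protocols: it locates a tombstone under CN=Deleted Objects with the show-deleted control, then clears isDeleted and rewrites distinguishedName in one modify. The server name, domain DN, user RDN and the functions themselves are assumptions for illustration; the RDN is assumed to contain no LDAP filter metacharacters.

```powershell
# Added example (not part of the original article): reanimate a tombstone with the
# same LDAP modify that ldp.exe issues. Server, DN and RDN values are assumptions.
Add-Type -AssemblyName System.DirectoryServices.Protocols
$ShowDeletedOid = '1.2.840.113556.1.4.417'   # LDAP_SERVER_SHOW_DELETED_OID

function New-SignedLdapConnection([string]$Server) {
    # Binds with the caller's Windows credentials; signing and sealing protect the session.
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection $Server
    $conn.SessionOptions.Signing = $true
    $conn.SessionOptions.Sealing = $true
    $conn.Bind()
    return $conn
}

function New-ShowDeletedControl {
    # Without this control the DC hides tombstones from searches and refuses to modify them.
    New-Object System.DirectoryServices.Protocols.DirectoryControl ($ShowDeletedOid, $null, $true, $true)
}

function Find-Tombstone([object]$Conn, [string]$DomainDN, [string]$Rdn) {
    # A tombstone's cn becomes "<rdn>\0ADEL:<guid>"; "\0A" is the LDAP escape for the
    # embedded line feed that the DC inserts on deletion.
    $filter = "(&(isDeleted=TRUE)(cn=$Rdn\0ADEL:*))"
    $attrs  = [string[]]@('distinguishedName', 'lastKnownParent', 'sAMAccountName', 'objectClass')
    $req = New-Object System.DirectoryServices.Protocols.SearchRequest ("CN=Deleted Objects,$DomainDN", $filter, 'OneLevel', $attrs)
    [void]$req.Controls.Add((New-ShowDeletedControl))
    $resp = $Conn.SendRequest($req)
    if ($resp.Entries.Count -ne 1) { throw "Expected exactly one tombstone for '$Rdn', found $($resp.Entries.Count)" }
    return $resp.Entries[0]
}

function Restore-Tombstone([object]$Conn, [string]$TombstoneDN, [string]$NewDN) {
    # Reanimation is one atomic modify: delete the isDeleted attribute and replace
    # distinguishedName with the DN the object should have after recovery.
    $clearFlag = New-Object System.DirectoryServices.Protocols.DirectoryAttributeModification
    $clearFlag.Name = 'isDeleted'
    $clearFlag.Operation = [System.DirectoryServices.Protocols.DirectoryAttributeOperation]::Delete
    $moveBack = New-Object System.DirectoryServices.Protocols.DirectoryAttributeModification
    $moveBack.Name = 'distinguishedName'
    $moveBack.Operation = [System.DirectoryServices.Protocols.DirectoryAttributeOperation]::Replace
    [void]$moveBack.Add($NewDN)
    $req = New-Object System.DirectoryServices.Protocols.ModifyRequest
    $req.DistinguishedName = $TombstoneDN
    [void]$req.Modifications.Add($clearFlag)
    [void]$req.Modifications.Add($moveBack)
    [void]$req.Controls.Add((New-ShowDeletedControl))
    $resp = $Conn.SendRequest($req)     # throws DirectoryOperationException on LDAP errors
    if ($resp.ResultCode -ne 'Success') { throw "Reanimation failed: $($resp.ResultCode) $($resp.ErrorMessage)" }
}

# Usage with assumed names: put Jane Doe back under the container she was deleted from.
$conn   = New-SignedLdapConnection 'DC01.contoso.com'
$ts     = Find-Tombstone $conn 'DC=contoso,DC=com' 'Jane Doe'
$parent = $ts.Attributes['lastKnownParent'][0]      # e.g. OU=Sales,DC=contoso,DC=com
Restore-Tombstone $conn $ts.DistinguishedName "CN=Jane Doe,$parent"
# Only tombstone-preserved attributes come back: the password is gone (reset it before use)
# and memberOf is empty, so group memberships must be re-added by hand or from a snapshot.
```

The lastKnownParent attribute is the one piece of location information a tombstone keeps, which is why the script reads it back rather than asking the operator for a target container; if that parent was deleted too, the modify fails with a referral to a non-existent object and the parent has to be reanimated first.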

Starting with Windows Server 2008, this particular drawback of tombstone reanimation can be mitigated relatively easily with Active Directory snapshots (created with the ntdsutil snapshot command and exposed as a read-only LDAP instance by dsamain.exe), from which the missing attribute values can be read and reapplied. In addition, that operating system changes how native backup is implemented: the System State backup option is no longer available through the graphical interface and requires the wbadmin command-line utility with the start systemstatebackup switch. Similarly, a backup is restored by executing wbadmin start systemstaterecovery. As in the past, to perform an authoritative restore you must run this recovery after restarting the domain controller in Directory Services Restore Mode.
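The legacy procedure described over the last several paragraphs, from System State backup through DSRM, ntdsutil marking and the ldifde replay of group membership, as one annotated PowerShell sequence. This is an added example, not code from the original article; the host names, backup target, backup version identifier, user DN and the directory in which ntdsutil leaves its supplemental files are assumptions, and the phases are meant to be run one at a time on the recovery domain controller rather than as a single script.

```powershell
# Added example (not part of the original article): legacy System State authoritative
# restore of one deleted user on a Windows Server 2008 R2 DC. All names are assumptions.

# --- Phase 1 (normal boot): make sure a pre-deletion System State backup exists.
wbadmin start systemstatebackup -backupTarget:E: -quiet   # only if you still need one
wbadmin get versions -backupTarget:E:                      # note the version, e.g. 11/01/2010-22:00

# --- Phase 2: reboot into Directory Services Restore Mode.
bcdedit /set safeboot dsrepair
Restart-Computer
# Log on as .\Administrator with the DSRM password chosen at promotion time.

# --- Phase 3 (DSRM): non-authoritative System State restore from that backup.
# Decline the reboot offered at the end; the object must be marked first.
wbadmin start systemstaterecovery -version:11/01/2010-22:00 -backupTarget:E: -quiet

# --- Phase 4 (DSRM): mark the user authoritative. ntdsutil raises the version numbers of
# the object's attributes (by default 100000 per day elapsed since the backup) so that they
# win inbound replication. Since 2003 SP1 it also writes ar_<timestamp>_links_<domain>.ldf
# and ar_<timestamp>_objects.txt into the current directory for memberships it could not
# fix itself. Feeding commands on stdin avoids nested-quote problems; confirm the dialog.
@'
activate instance ntds
authoritative restore
restore object "CN=Jane Doe,OU=Sales,DC=contoso,DC=com"
quit
quit
'@ | ntdsutil

# --- Phase 5: return to normal boot and let replication run.
bcdedit /deletevalue safeboot
Restart-Computer

# --- Phase 6 (normal boot): replay memberships that ntdsutil flagged. The .ldf covers
# pre-LVR groups of this domain; for groups in other domains, convert the .txt file on a
# DC of each such domain as per the Operations Guide and import it there.
# -k makes ldifde continue past "already exists" and "no such attribute" errors.
Get-ChildItem -Path . -Filter 'ar_*_links_*.ldf' |
    ForEach-Object { ldifde -i -k -f $_.FullName }

# Verify on a different DC: seeing the memberships there proves outbound replication worked.
Get-ADUser -Identity jdoe -Server DC02.contoso.com -Properties memberOf |
    Select-Object DistinguishedName, memberOf
```

Checking the result on a second domain controller is the important part of phase 6: the restore DC will always show the user and its groups locally, and the failure mode the article describes is precisely that the member values never leave it.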

Restoring Deleted Objects in Windows Server 2008 R2

Truly revolutionary changes in regard to restoring deleted objects are introduced in Windows Server 2008 R2 thanks to the feature known as Active Directory Recycle Bin. It eliminates the most significant disadvantages of the traditional recovery procedures described above: the need to restart a domain controller in Directory Services Restore Mode for an authoritative restore, and the missing attributes that follow tombstone reanimation. To take advantage of it, you must first raise the forest functional level to Windows Server 2008 R2 (which requires that every domain controller in the forest run Windows Server 2008 R2) and then enable the feature. While the first step can be rolled back (unlike in earlier versions of Windows, you are allowed to lower the forest functional level back to Windows Server 2008), the second step removes that option. Enabling the Recycle Bin is irreversible.

Enabling the Active Directory Recycle Bin alters the object deletion process. Rather than being stripped of their non-mandatory attributes, objects moved to the CN=Deleted Objects container retain all of them (with linked attribute values deactivated rather than removed) for the duration of the deleted object lifetime. Once that period passes, they become recycled (an action that can also be initiated manually), a state that roughly corresponds to the pre-Recycle Bin tombstone. Unlike in pre-Windows Server 2008 R2 implementations, however, recycled objects cannot be recovered through tombstone reanimation, and they should not be authoritatively restored. They remain in this state until the recycled object lifetime expires, at which point the garbage collection process removes them from the Active Directory database. Extending the retention period and preserving all attributes during the deleted stage is bound to increase the size of the database. The durations of these two consecutive periods are controlled by the msDS-DeletedObjectLifetime and tombstoneLifetime attributes, respectively, both of which reside on the CN=Directory Service,CN=Windows NT,CN=Services object in the configuration partition. If msDS-DeletedObjectLifetime is not explicitly set, it takes on the value of tombstoneLifetime, which is 180 days in forests created on Windows Server 2003 SP1 or later; in forests created on earlier releases the attribute itself is absent and the domain controllers use a built-in default of 60 days. The smaller of the two determines the useful shelf life of a System State backup of the domain controllers.
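Because both values live on one configuration object, and because one of them may be absent, it is worth scripting the lookup rather than reading the attributes by eye. The following is an added example (not code from the original article) that reads both lifetimes, applies the fallbacks just described, reports the resulting backup shelf life, and extends the deleted stage; the function names and the 365-day target are illustrative assumptions, and writing the attribute requires Enterprise Admins rights since the change replicates forest-wide.

```powershell
# Added example (not part of the original article): inspect and adjust the lifetimes that
# govern the deleted and recycled stages. Function names and the 365-day value are assumptions.
Import-Module ActiveDirectory

function Get-ADDeletionLifetimes {
    $dsCfg = 'CN=Directory Service,CN=Windows NT,CN=Services,' + (Get-ADRootDSE).configurationNamingContext
    $o = Get-ADObject -Identity $dsCfg -Properties 'msDS-DeletedObjectLifetime', 'tombstoneLifetime'
    # tombstoneLifetime is absent in forests created before Windows Server 2003 SP1, in which
    # case the DCs use 60 days; forests created later carry an explicit 180.
    $tsl = if ($o.tombstoneLifetime) { [int]$o.tombstoneLifetime } else { 60 }
    # msDS-DeletedObjectLifetime falls back to the effective tombstone lifetime when unset.
    $dol = if ($o.'msDS-DeletedObjectLifetime') { [int]$o.'msDS-DeletedObjectLifetime' } else { $tsl }
    New-Object PSObject -Property @{
        Container                  = $dsCfg
        DeletedObjectLifetimeDays  = $dol                     # deleted stage: fully restorable
        RecycledObjectLifetimeDays = $tsl                     # recycled stage: awaiting garbage collection
        BackupShelfLifeDays        = [Math]::Min($dol, $tsl)  # oldest usable System State backup
    }
}

function Set-ADDeletedObjectLifetime([int]$Days) {
    $cur = Get-ADDeletionLifetimes
    if ($Days -gt $cur.RecycledObjectLifetimeDays) {
        # Allowed, but backups still expire with the tombstone lifetime, and the database grows.
        Write-Warning "Deleted-object lifetime exceeds tombstone lifetime ($($cur.RecycledObjectLifetimeDays) days)"
    }
    Set-ADObject -Identity $cur.Container -Replace @{ 'msDS-DeletedObjectLifetime' = $Days }
    Get-ADDeletionLifetimes    # re-read so the caller sees the effective values
}

Get-ADDeletionLifetimes | Format-List
Set-ADDeletedObjectLifetime -Days 365 | Format-List
```

Treat BackupShelfLifeDays as the number that drives the backup rotation policy: a System State backup older than that is not merely stale, it is unsafe to restore.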

It is important to realize that enabling the Active Directory Recycle Bin immediately changes the state of all existing tombstoned objects in the forest to recycled, so anything deleted before the switch can no longer be reanimated. The feature also introduces a learning curve, since Windows Server 2008 R2 includes no native GUI utilities dedicated to managing deleted objects. It is possible to recover deleted objects with ldp.exe, and several third-party tools fill that void, such as the PowerGUI-based Active Directory Recycle Bin PowerPack or ADRecycleBin from Overall Solutions.

Instead, Microsoft provides the relevant functionality through cmdlets in the Active Directory module for Windows PowerShell (such as Enable-ADOptionalFeature, Get-ADObject with the IncludeDeletedObjects parameter, and Restore-ADObject). For details regarding their syntax, refer to the TechNet-based Active Directory Recycle Bin Step-by-Step Guide. The majority of administrative tasks (deleting objects, viewing deleted objects, viewing deactivated links, viewing tombstones, restoring deleted objects, or recycling deleted objects) can be delegated; since restoring an object amounts to re-creating it with its former attributes and group memberships, delegate the Reanimate Tombstones right as sparingly as you would the right to create accounts. In addition, you should not treat the Recycle Bin as a substitute for valid backups of your domain controllers: it addresses deletions only, not corrupted or maliciously modified objects, recycled objects, or the loss of a domain or forest.

Recovery of deleted Active Directory containers that host objects and child containers can be performed using an authoritative restore (as described in the Active Directory Operations Guide) or, assuming the feature has been enabled, by taking advantage of the Recycle Bin. In the latter case, keep in mind that the restore must proceed from the top of the deleted hierarchy down, since a deleted object cannot be restored while its parent is still deleted; the lastKnownParent attribute of each deleted object tells you where it belonged. An example documenting this approach can be found in the Restoring multiple, deleted Active Directory objects section of the Active Directory Recycle Bin Step-by-Step Guide.
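The two Recycle Bin steps discussed above, enabling the feature and restoring a deleted hierarchy parent-first, as one PowerShell example. This is added code, not the article's or Microsoft's own, and it goes slightly beyond the single-OU case in the Step-by-Step Guide by walking the tree recursively to any depth. The forest name, OU name, deletion cutoff time and function names are assumptions; the cutoff keeps objects that were deleted on earlier, unrelated occasions in the bin.

```powershell
# Added example (not part of the original article): enable the Recycle Bin once the forest
# is at the 2008 R2 level, then restore a deleted OU and everything beneath it parent-first.
Import-Module ActiveDirectory

function Enable-ADRecycleBinSafely([string]$Forest) {
    $f = Get-ADForest -Identity $Forest
    # ADForestMode enum: Windows2008R2Forest = 4. Requires Enterprise Admins membership.
    if ([int]$f.ForestMode -lt 4) { throw "Forest $Forest is at $($f.ForestMode); raise it to Windows2008R2Forest first" }
    $feature = Get-ADOptionalFeature -Identity 'Recycle Bin Feature'
    if ($feature.EnabledScopes.Count -gt 0) { Write-Host 'Recycle Bin is already enabled'; return }
    # Irreversible: existing tombstones become recycled and the forest level cannot be lowered again.
    Enable-ADOptionalFeature -Identity $feature -Scope ForestOrConfigurationSet -Target $Forest -Confirm:$false
}

function Restore-ADDeletedSubtree([string]$ParentDN, [string]$DeletedObjectsDN, [datetime]$DeletedAfter) {
    # Objects deleted together with their container record the container's live DN in
    # lastKnownParent, so once the container is back under that DN its children can be found.
    $since = $DeletedAfter.ToUniversalTime().ToString('yyyyMMddHHmmss') + '.0Z'   # generalized time
    $children = Get-ADObject -SearchBase $DeletedObjectsDN -IncludeDeletedObjects `
        -LDAPFilter "(&(isDeleted=TRUE)(lastKnownParent=$ParentDN)(whenChanged>=$since))"
    foreach ($child in $children) {
        # Restore-ADObject fails if the parent is still deleted, which is why the walk is top-down.
        $restored = Restore-ADObject -Identity $child -PassThru
        Write-Host "Restored $($restored.DistinguishedName)"
        if (@('organizationalUnit', 'container') -contains $restored.ObjectClass) {
            Restore-ADDeletedSubtree -ParentDN $restored.DistinguishedName -DeletedObjectsDN $DeletedObjectsDN -DeletedAfter $DeletedAfter
        }
    }
}

# Usage with assumed names: OU=Sales was deleted from the domain root on 2010-11-05 around 09:00.
Enable-ADRecycleBinSafely -Forest 'contoso.com'
$domainDN = (Get-ADDomain).DistinguishedName
$binDN    = "CN=Deleted Objects,$domainDN"
$cutoff   = Get-Date '2010-11-05 08:00'
# Top of the hierarchy first: the OU itself, identified by its last known RDN and parent.
$ou = Get-ADObject -SearchBase $binDN -IncludeDeletedObjects `
        -LDAPFilter "(&(isDeleted=TRUE)(msDS-LastKnownRDN=Sales)(lastKnownParent=$domainDN))" |
      Restore-ADObject -PassThru
Restore-ADDeletedSubtree -ParentDN $ou.DistinguishedName -DeletedObjectsDN $binDN -DeletedAfter $cutoff
```

Because restoration reactivates the deactivated link values, users restored this way come back with their group memberships intact, which is the practical difference between this script and the tombstone reanimation example earlier in the article.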

Active Directory domain and forest recovery are considerably more complex topics, since they typically extend beyond the scope of Directory Services. While Microsoft offers some assistance in this area (e.g., the Planning for Active Directory Forest Recovery guide published in the TechNet Library), you should create your own detailed disaster recovery documentation that takes into account all infrastructure dependencies specific to your environment. In addition, keep in mind that some components viewed as inherently tied to Active Directory (e.g., Group Policy objects, whose templates live in the Sysvol share of every domain controller) warrant their own backup and restore strategy: tombstone reanimation and the Recycle Bin operate only on directory objects, so they bring back a deleted GPO's container but not its Sysvol content. Use the backup and import features of the Group Policy Management Console for these.

This article was originally published on Friday Nov 5th 2010