
If you have accidentally deleted some objects from AD, how can you recover the deleted objects in AD?

Question added by Syed Asgar Mahmood Zaidi , Senior System Engineer , Royal Hospital
Date Posted: 2013/10/04
JAYENDRA PARMAR
by JAYENDRA PARMAR , Support Engineers , Dunia finance LLC


Hi all

  • Method 1: Restore the deleted user accounts, and then add the restored users back to their groups by using the Ntdsutil.exe command-line tool (Microsoft Windows Server 2003 with Service Pack 1 [SP1] only)
  • Method 2: Restore the deleted user accounts, and then add the restored users back to their groups
  • Method 3: Authoritatively restore the deleted user accounts and the deleted users' security groups two times.

Please follow the link for more information. I hope that is helpful to you.

http://support.microsoft.com/kb/840001

Adeel Ilyas Hinjrah
by Adeel Ilyas Hinjrah , Sr. Infrastructure Engineer , Malomatia

In the case of Server 2003 and Server 2008 things are a bit complicated. A deleted object is not actually deleted from AD; in fact it remains there and only the "isDeleted" attribute is set. After a certain time it is physically deleted from AD. So you can recover these objects within that time using low-level AD tools or third-party products.

In the case of Server 2008 R2 you have an extra feature, the AD Recycle Bin. If you have enabled it, you can recover deleted objects from the AD Recycle Bin.

Deleted user
by Deleted user

In a Windows 2K3 AD environment you get two options: 1. Authoritative Restore, 2. Non-Authoritative Restore.

Choose the option as per your requirement. This operation needs a server reboot, booting into Active Directory Restore mode, and it needs Ntdsutil to perform the restore.

Deleted user
by Deleted user

Follow these steps:

  1. Open Ldp.exe from an elevated command prompt. Open a command prompt (Cmd.exe) as an administrator. To open a command prompt as an administrator, click Start. In Start Search, type Command Prompt. At the top of the Start menu, right-click Command Prompt, and then click Run as administrator. If the User Account Control dialog box appears, enter the appropriate credentials (if requested), confirm that the action it displays is what you want, and then click Continue.

  2. To connect and bind to the server that hosts the forest root domain of your AD DS environment, under Connections, click Connect, and then click Bind.

  3. On the Options menu, click Controls.

  4. In the Controls dialog box, expand the Load Predefined drop-down list, click Return Deleted Objects, and then click OK.

  5. In the console tree, navigate to the CN=Deleted Objects container.

  6. Locate and right-click the deleted Active Directory object that you want to restore, and then click Modify.

  7. In the Modify dialog box:

    1. In Edit Entry Attribute, type isDeleted.
    2. Leave the Values box empty.
    3. Under Operation, click Delete, and then click Enter.
    4. In Edit Entry Attribute, type distinguishedName.
    5. In Values, type the original distinguished name (also known as DN) of this Active Directory object.
    6. Under Operation, click Replace.
    7. Make sure that the Extended check box is selected, click Enter, and then click Run.

Ref: microsoft.com
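The Ldp.exe procedure above, scripted as an added example (this is not code from the original answer or from Microsoft). It uses System.DirectoryServices.Protocols to send the same LDAP modify that Ldp sends in step 7: one operation that deletes isDeleted and replaces distinguishedName, with the "Return Deleted Objects" control (LDAP_SERVER_SHOW_DELETED_OID) attached, which is what the Extended check box does. The domain controller name and the sAMAccountName are assumed placeholders; the original DN is derived from the tombstone's lastKnownParent unless you pass it explicitly.

```powershell
# Added example, not from the original post. Assumed placeholders: $DomainController
# and $SamAccountName. Requires the "Reanimate Tombstones" control access right
# (held by Domain Admins by default) on the domain NC.
Add-Type -AssemblyName System.DirectoryServices.Protocols

function Restore-ADTombstone {
    param(
        [Parameter(Mandatory)] [string] $DomainController,   # e.g. 'dc01.corp.example' (assumed)
        [Parameter(Mandatory)] [string] $SamAccountName,     # e.g. 'jdoe' (assumed)
        [string] $TargetDN                                    # optional original DN; derived if omitted
    )

    # 1.2.840.113556.1.4.417 = LDAP_SERVER_SHOW_DELETED_OID, the control Ldp loads
    # as "Return Deleted Objects". It must be on both the search and the modify.
    $showDeleted = New-Object System.DirectoryServices.Protocols.DirectoryControl(
        '1.2.840.113556.1.4.417', $null, $true, $true)

    # Connect and bind with the current credentials (Ldp steps 1-2).
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($DomainController)
    $conn.SessionOptions.ProtocolVersion = 3
    $conn.Bind()

    # Read the domain NC from RootDSE so the Deleted Objects container DN is not hard-coded.
    $rootReq  = New-Object System.DirectoryServices.Protocols.SearchRequest(
        '', '(objectClass=*)', 'Base', @('defaultNamingContext'))
    $domainDN = [string]$conn.SendRequest($rootReq).Entries[0].Attributes['defaultNamingContext'][0]

    # Locate the tombstone under CN=Deleted Objects (Ldp steps 4-5).
    $search = New-Object System.DirectoryServices.Protocols.SearchRequest(
        "CN=Deleted Objects,$domainDN",
        "(&(isDeleted=TRUE)(sAMAccountName=$SamAccountName))",
        'OneLevel', @('lastKnownParent'))
    $search.Controls.Add($showDeleted) | Out-Null
    $entries = $conn.SendRequest($search).Entries
    if ($entries.Count -ne 1) {
        throw "Expected exactly one tombstone for $SamAccountName, found $($entries.Count)"
    }
    $tombstone = $entries[0]

    # A tombstone RDN looks like "CN=John Doe\0ADEL:<guid>"; the original RDN is the
    # part before "\0ADEL:", and lastKnownParent is the container it lived in.
    if (-not $TargetDN) {
        $originalRdn = ($tombstone.DistinguishedName -split '\\0ADEL:')[0]
        $parent      = [string]$tombstone.Attributes['lastKnownParent'][0]
        $TargetDN    = "$originalRdn,$parent"
    }

    # Ldp step 7: delete isDeleted with no value, replace distinguishedName, Extended checked.
    $delIsDeleted = New-Object System.DirectoryServices.Protocols.DirectoryAttributeModification
    $delIsDeleted.Name      = 'isDeleted'
    $delIsDeleted.Operation = [System.DirectoryServices.Protocols.DirectoryAttributeOperation]::Delete

    $setDN = New-Object System.DirectoryServices.Protocols.DirectoryAttributeModification
    $setDN.Name      = 'distinguishedName'
    $setDN.Operation = [System.DirectoryServices.Protocols.DirectoryAttributeOperation]::Replace
    $setDN.Add($TargetDN) | Out-Null

    $modify = New-Object System.DirectoryServices.Protocols.ModifyRequest
    $modify.DistinguishedName = $tombstone.DistinguishedName
    $modify.Modifications.Add($delIsDeleted) | Out-Null   # order matters: isDeleted first
    $modify.Modifications.Add($setDN) | Out-Null
    $modify.Controls.Add($showDeleted) | Out-Null

    # SendRequest throws DirectoryOperationException on failure; the check below is a belt-and-braces.
    $response = $conn.SendRequest($modify)
    if ($response.ResultCode -ne [System.DirectoryServices.Protocols.ResultCode]::Success) {
        throw "Reanimation failed: $($response.ResultCode) $($response.ErrorMessage)"
    }
    $conn.Dispose()
    return $TargetDN
}

# Usage with the assumed names:
# Restore-ADTombstone -DomainController 'dc01.corp.example' -SamAccountName 'jdoe'
```

Two caveats a practitioner should expect. First, a reanimated tombstone keeps only the attributes that survive deletion (objectSid, objectGUID, sAMAccountName and a handful of others); group memberships, passwords and most other attributes are gone, and a user account comes back disabled, so it must be re-enabled, given a new password and re-added to its groups. Second, if the parent OU was deleted too, lastKnownParent points at another tombstone (its DN contains CN=Deleted Objects); reanimate the parent first or pass -TargetDN for a container that still exists.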

Muhammad Anzar
by Muhammad Anzar , DevOps/DevSecOps Architect , Confidential

Good question.

The Active Directory Recycle Bin feature is used for avoiding accidental deletion. We can restore the objects from the AD Recycle Bin.

Syed Asgar Mahmood Zaidi
by Syed Asgar Mahmood Zaidi , Senior System Engineer , Royal Hospital

Thanks lijo antony & Adeel Ilyas Hinjrah, you are both correct. That certain time is called the tombstone period. The length of time tombstoned objects remain in the directory service before being deleted is either 60 days for Windows 2000/2003 Active Directory, or 180 days for Windows Server 2003 SP1 Active Directory (by default).
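An added example covering both the tombstone period described above and the AD Recycle Bin route from Adeel Ilyas Hinjrah's and Muhammad Anzar's answers (this is not code from any of the answers). It reads the forest's tombstoneLifetime so you know the recovery window instead of assuming 60 or 180 days, checks whether the Recycle Bin is enabled, and restores a deleted user with Restore-ADObject. The sAMAccountName 'jdoe' is an assumed placeholder; the script needs the ActiveDirectory module and Domain Admin rights.

```powershell
# Added example, not from the original answers. Assumed placeholder: sAMAccountName 'jdoe'.
Import-Module ActiveDirectory

function Get-ADDeletionWindow {
    # tombstoneLifetime is stored on the Directory Service object in the Configuration NC.
    # When the attribute is unset the forest uses the 60-day default; forests created on
    # Windows Server 2003 SP1 or later have it set to 180.
    $configNC = (Get-ADRootDSE).configurationNamingContext
    $ds = Get-ADObject "CN=Directory Service,CN=Windows NT,CN=Services,$configNC" `
            -Properties tombstoneLifetime, 'msDS-DeletedObjectLifetime'
    $tombstoneDays = if ($ds.tombstoneLifetime) { [int]$ds.tombstoneLifetime } else { 60 }
    # With the Recycle Bin on, msDS-DeletedObjectLifetime (defaults to the tombstone lifetime)
    # is how long a deleted object keeps all its attributes before degrading to a tombstone.
    $deletedDays = if ($ds.'msDS-DeletedObjectLifetime') { [int]$ds.'msDS-DeletedObjectLifetime' } else { $tombstoneDays }
    [pscustomobject]@{ TombstoneLifetimeDays = $tombstoneDays; DeletedObjectLifetimeDays = $deletedDays }
}

function Test-ADRecycleBin {
    # EnabledScopes stays empty until the feature has been enabled for the forest.
    $feature = Get-ADOptionalFeature -Filter 'Name -eq "Recycle Bin Feature"'
    return ($feature.EnabledScopes.Count -gt 0)
}

function Enable-ADRecycleBin {
    # Irreversible. Needs forest functional level Windows Server 2008 R2 or higher, and it
    # does not rescue objects deleted before it was turned on: those are already tombstones.
    Enable-ADOptionalFeature -Identity 'Recycle Bin Feature' `
        -Scope ForestOrConfigurationSet -Target (Get-ADForest).Name -Confirm:$false
}

function Restore-DeletedADUser {
    param([Parameter(Mandatory)] [string] $SamAccountName)

    if (-not (Test-ADRecycleBin)) {
        throw 'AD Recycle Bin is not enabled; the object is only a tombstone, so Restore-ADObject cannot bring its attributes back. Reanimate the tombstone instead.'
    }

    # Deleted objects are hidden from normal queries; -IncludeDeletedObjects reveals them.
    $candidates = @(Get-ADObject -LDAPFilter "(&(isDeleted=TRUE)(sAMAccountName=$SamAccountName))" `
                      -IncludeDeletedObjects -Properties lastKnownParent, whenChanged)
    if ($candidates.Count -ne 1) {
        # An account deleted and recreated more than once leaves several entries; pick by whenChanged.
        throw "Expected one deleted object for $SamAccountName, found $($candidates.Count)"
    }
    $obj = $candidates[0]

    # If the OU was deleted as well, lastKnownParent is itself a deleted-object DN.
    # Restore the parent first, or use Restore-ADObject -TargetPath to place the user elsewhere.
    if ($obj.lastKnownParent -match 'CN=Deleted Objects') {
        throw "Parent $($obj.lastKnownParent) is also deleted; restore it first or pass -TargetPath"
    }

    # With the Recycle Bin on, Restore-ADObject returns all attributes, including group
    # membership, and places the object back under lastKnownParent.
    Restore-ADObject -Identity $obj.ObjectGUID
    return (Get-ADUser -Identity $SamAccountName -Properties MemberOf)
}

# Usage with the assumed placeholder:
# Get-ADDeletionWindow
# Restore-DeletedADUser -SamAccountName 'jdoe'
```

The lifetime check matters because the 60 versus 180 day figures quoted above are only defaults: an administrator can set tombstoneLifetime to any value, and once the window has passed the object is garbage-collected and neither the Recycle Bin nor tombstone reanimation can bring it back; only an authoritative restore from a backup taken inside the window will.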
