Contents
1. Introduction
2. Active Directory Components
3. Possible Active Directory Disasters
4. Recovery of User, Group and Organizational Unit
a. Authoritative Restore
b. Non-Authoritative Restore
c. Reanimation of objects from Tombstone
5. Recovery of Global Catalog
6. Seizing of FSMO roles
7. SYSVOL Recovery (DFS based and FRS based)
8. Recreate default GPOs
9. Recovery of DNS
10. Recover Application partition of Active Directory
11. Schema and Forest Recovery
12. Recover forest from unrecoverable state
Introduction
In this article, we will cover what the Active Directory components are, what can go wrong with them,
and the best practices that can be followed to recover from a disaster.
Best Practices:
1. Back up the Active Directory database every week, or at least once within the tombstone lifetime.
2. Create an isolated AD site assigned to a subnet that is not associated with any user, workstation
or server subnet. Place a domain controller from each domain in this site and set the replication
interval to 7 days.
This Active Directory site can be used to authoritatively restore any accidentally deleted
object without restoring from backup.
Since the replication interval is long, there is a good chance that you will become aware of accidentally
deleted objects before the deletion replicates to the isolated Active Directory site.
Title                       Details
Forest Root Domain          SARVESH.LOCAL
Child Domains               CHILDA.SARVESH.LOCAL & CHILDB.SARVESH.LOCAL
Root Domain Controllers     DC01.SARVESH.LOCAL
ChildA Domain Controllers   DC02.ChildA.Sarvesh.local & DC03.ChildA.Sarvesh.local
ChildB Domain Controllers   DC04.ChildB.Sarvesh.local & DC05.ChildB.Sarvesh.local
A. Is there a writable domain controller that has not received replication packets?
B. Was the item deleted before or after tombstone period?
C. When was the most recent Active Directory backup taken?
If there is a Domain Controller that has not received deletion updates then:
First Execute:
Let us assume that the user Joe has been deleted and needs to be authoritatively restored from a domain
controller that has not yet received the replication packets carrying the deletion.
1. Stop ADDS Service (for Windows 2008 and above domain controllers)
Execute
In the example below, I have set some attributes for Mark, such as Title, Description and Manager, and have
added the account to 3 groups: G_DomainLocal, G_Global and G_Universal. We will now delete Joe, restore it
from the Tombstone and confirm that these attributes and group memberships will NOT be restored.
So, we have noted down some of the attributes and deleted the user from Active Directory.
Have a look at the attributes. Description, Manager, Title and group membership have not been
restored. However, the SID of the object after recovery is the same.
Please note that the restored object will be in a disabled state, and you will need to enable it
before attempting to log in.
Suggestion: It is always recommended to restore the object from backup, or to use DSAMAIN to mount a
previous backup and view the older state of the Active Directory object being restored. You can note down
the group membership and add the user to the required groups once the object is restored.
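The "note down the attributes and group membership, reanimate, then re-add" workflow above can be scripted so the snapshot is taken before anything goes wrong and re-applied after the tombstone is reanimated. The following PowerShell is an added example, not code from the article: it assumes the ActiveDirectory module, the article's sample names (user Joe, groups G_DomainLocal/G_Global/G_Universal), a constructed JSON path, and that Restore-ADObject performs the same tombstone reanimation that LDP does (without the AD Recycle Bin, only the attributes preserved on the tombstone come back, which is exactly what the article demonstrates).

```powershell
# Added example (not from the article): snapshot a user's attributes and group
# membership before a risky change, then re-apply them after the object has been
# reanimated from its tombstone. Assumes the ActiveDirectory module; the JSON path
# is a constructed placeholder. Restore-ADObject is assumed to perform the same
# tombstone reanimation as LDP (without the AD Recycle Bin only tombstone-preserved
# attributes such as objectGUID, SID and sAMAccountName return).
Import-Module ActiveDirectory

function Export-UserSnapshot {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [Parameter(Mandatory)][string]$Path
    )
    $user = Get-ADUser -Identity $SamAccountName -Properties Title, Description, Manager, PrimaryGroup
    # The primary group (normally Domain Users) cannot be re-added later, so leave it out.
    $groups = Get-ADPrincipalGroupMembership -Identity $SamAccountName |
        Where-Object { $_.DistinguishedName -ne $user.PrimaryGroup } |
        Select-Object -ExpandProperty DistinguishedName
    [pscustomobject]@{
        SamAccountName = $user.SamAccountName
        ObjectGUID     = $user.ObjectGUID.Guid
        Title          = $user.Title
        Description    = $user.Description
        Manager        = $user.Manager
        Groups         = @($groups)
    } | ConvertTo-Json -Depth 3 | Set-Content -Path $Path
}

function Restore-UserFromTombstone {
    param([Parameter(Mandatory)][string]$Path)
    $snap = Get-Content -Path $Path -Raw | ConvertFrom-Json

    # The tombstone is only visible with -IncludeDeletedObjects; objectGUID survives deletion.
    $tomb = Get-ADObject -Identity ([guid]$snap.ObjectGUID) -IncludeDeletedObjects -Properties lastKnownParent
    if (-not $tomb.Deleted) { throw "$($snap.SamAccountName) is not deleted; nothing to reanimate." }

    # Reanimate the object back into the container it was deleted from.
    Restore-ADObject -Identity $tomb -TargetPath $tomb.lastKnownParent

    # Put back what the tombstone did not keep: Title, Description, Manager, group membership.
    $attrs = @{}
    foreach ($name in 'Title', 'Description', 'Manager') {
        if ($snap.$name) { $attrs[$name] = $snap.$name }
    }
    if ($attrs.Count -gt 0) { Set-ADUser -Identity $snap.SamAccountName @attrs }
    foreach ($groupDn in $snap.Groups) {
        Add-ADGroupMember -Identity $groupDn -Members $snap.SamAccountName
    }

    # Reanimated accounts come back disabled and without a usable password:
    # set a new one, enable, and show the result for comparison with the snapshot.
    Set-ADAccountPassword -Identity $snap.SamAccountName -Reset `
        -NewPassword (Read-Host -AsSecureString "New password for $($snap.SamAccountName)")
    Enable-ADAccount -Identity $snap.SamAccountName
    Get-ADUser -Identity $snap.SamAccountName -Properties Title, Description, Manager, MemberOf, Enabled, SID
}

# Usage (constructed path):
# Export-UserSnapshot -SamAccountName 'Joe' -Path 'C:\ADSnapshots\Joe.json'
# ... the account is deleted and the deletion replicates to every DC ...
# Restore-UserFromTombstone -Path 'C:\ADSnapshots\Joe.json'
```

Run the export as a scheduled job for privileged or business-critical accounts; after a reanimation, the final Get-ADUser output should show the same SID as the snapshot and the restored Title, Description, Manager and group list.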
Scenario: We have a Sales OU with three groups (Domain Local, Global and Universal) and a user account.
Let us delete the OU and restore it from backup.
1. Perform a non-authoritative restore of Active Directory
2. Authoritatively restore the OU:
Restore subtree “OU=Sales,DC=Sarvesh,DC=local”
You will notice that the USN numbers of the OU and of all objects in the OU have changed, making them
authoritative in the domain so that the other domain controllers in the domain receive the changes.
Perform Non-Authoritative Restore:
Assume that an Active Directory object has been deleted and the deletion has replicated to all domain
controllers in the domain. The object has also been removed from the tombstone, or you must restore all
of its attributes from the backup. Perform the steps below:
1. Restart the domain controller in Directory Services Restore Mode and log in with the DSRM password
2. Restore the System State to its original location
3. At this point, do not restart the domain controller
4. Open a command prompt and run NTDSUTIL
5. Type: activate instance NTDS to activate the current NTDS database
6. Type: authoritative restore
7. Type: restore object <DN> to restore the object
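The two procedures above (the subtree restore of the Sales OU, and the object restore after a system state recovery) follow the same sequence on the DC being restored. The script below is an added example, not from the article: it assumes Windows Server Backup (wbadmin) holds the system state backup, that the DC is DC01.Sarvesh.local from the article's sample forest, and uses a constructed backup version identifier. The repadmin check at the end is how you confirm the "USN numbers have changed" observation in the article.

```powershell
# Added example (not from the article): scripted version of the restore steps above.
# Run interactively on the DC being restored; each phase is separated by a reboot.
# Assumes wbadmin system state backups; the backup version id is a constructed placeholder.

# Phase 1: make the next boot go into Directory Services Restore Mode.
bcdedit /set safeboot dsrepair
# Restart-Computer  -> log in as .\Administrator with the DSRM password

# Phase 2 (in DSRM): non-authoritative system state restore to the original location.
wbadmin get versions                                  # pick the version to restore
wbadmin start systemstaterecovery -version:01/01/2024-02:00 -quiet

# Phase 3 (still in DSRM, do NOT reboot yet): mark the subtree or the single object
# authoritative so the restored copy out-versions the deletion on every other DC.
# ntdsutil accepts the whole command sequence as arguments, one command per argument.
ntdsutil "activate instance ntds" "authoritative restore" `
    "restore subtree OU=Sales,DC=Sarvesh,DC=local" quit quit
# For one object instead of the whole OU:
# ntdsutil "activate instance ntds" "authoritative restore" `
#     "restore object CN=Joe,OU=Sales,DC=Sarvesh,DC=local" quit quit

# Phase 4: clear the DSRM boot flag and reboot normally.
bcdedit /deletevalue safeboot
# Restart-Computer

# Phase 5 (after the normal boot): the authoritative restore bumps the attribute
# version numbers (100000 per day since the backup), which is what makes partners
# accept the restored objects. Inspect the metadata and replication state.
repadmin /showobjmeta DC01.Sarvesh.local "OU=Sales,DC=Sarvesh,DC=local"
repadmin /showrepl DC01.Sarvesh.local
repadmin /syncall DC01.Sarvesh.local /APed            # push the restored data out now
```

If repadmin /showobjmeta still shows the original version numbers after the reboot, the ntdsutil step did not run against the restored database (usually because the DC was rebooted between phases 2 and 3), and the restore must be repeated.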
Recovery of Global Catalog:
The Global Catalog contains a writable copy of its own domain and a read-only copy of the other domains in
the forest. It holds only a few commonly used attributes, referred to as the Partial Attribute Set.
Applications like Exchange use the Global Catalog to identify users in the forest and to resolve group
membership across the forest.
Think of a scenario where you have resolved a lingering objects issue across domains, but the Global
Catalog information for the other domains is corrupted, resulting in bad results from Active Directory or
Exchange Server. A corrupted Global Catalog may result in email delivery failures for recipients in the
local forest.
Scenario – ChildA.Sarvesh.local has two domain controllers, DC02 and DC03, and ChildB.Sarvesh.local has
two domain controllers, DC04 and DC05. All of them are Global Catalog servers.
DC02 goes offline and comes back online after the tombstone lifetime. It will therefore show deleted objects
of ChildA as active and enabled, and its Global Catalog will show ChildB’s deleted objects as active. This
results in Active Directory inconsistency across domain controllers.
If strict replication consistency is enabled, there will be a lot of Active Directory replication errors;
if it is disabled, the result is lingering objects.
We now need to rebuild the Global Catalog copy of the ChildB domain on DC02, which is a domain controller
for ChildA.
Recovery:
First:
Disable outbound replication, because while we delete the Global Catalog information from DC02 in order
to rebuild it, DC02 must not replicate that information to the other domain controllers in the Active
Directory forest.
** It is extremely critical to disable outbound replication before rebuilding the Global Catalog.
Repadmin /rehost <DC Name> <Naming Context of domain> <Good DC of domain containing writable
copy>
Rehosting drops the read-only copy of the other domain in the forest and rebuilds it from a domain
controller that contains a writable copy of the partition.
Once rehosting is done, enable outbound replication.
It is then recommended to use LDP.exe to query LDAP and the Global Catalog to verify that the lingering
objects have been removed from the Global Catalog.
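The rehost sequence for the DC02/ChildB scenario, with the outbound-replication switch the article insists on and a Global Catalog query in place of the LDP.exe check, as an added PowerShell example that is not part of the article. It assumes the ActiveDirectory module, the article's sample DC and domain names, and a constructed sAMAccountName for an object known to have been deleted in ChildB.

```powershell
# Added example (not from the article): rebuild the read-only ChildB partition on the
# ChildA GC DC02 without letting DC02 replicate stale data out in the meantime.
# Names are the article's sample forest; the deleted-user name is a constructed placeholder.
Import-Module ActiveDirectory

$badGc    = 'DC02.ChildA.Sarvesh.local'   # GC whose ChildB read-only copy is stale
$goodDc   = 'DC04.ChildB.Sarvesh.local'   # healthy DC with a writable copy of ChildB
$childBnc = 'DC=ChildB,DC=Sarvesh,DC=local'

# 1. Stop DC02 from sending anything out while its GC copy is torn down and rebuilt.
repadmin /options $badGc +DISABLE_OUTBOUND_REPL

# 2. Drop the read-only ChildB partition on DC02 and re-source it from DC04.
repadmin /rehost $badGc $childBnc $goodDc

# 3. Do not continue until the partition is fully re-hosted and shows no errors.
repadmin /showrepl $badGc

# 4. Only now let DC02 replicate outbound again.
repadmin /options $badGc -DISABLE_OUTBOUND_REPL

# 5. Verify against the Global Catalog port (3268): an object that was deleted in
#    ChildB must no longer be returned by DC02's GC.
function Test-LingeringObject {
    param(
        [Parameter(Mandatory)][string]$GcServer,
        [Parameter(Mandatory)][string]$SearchBase,
        [Parameter(Mandatory)][string]$SamAccountName
    )
    $hit = Get-ADObject -Server "${GcServer}:3268" -SearchBase $SearchBase `
                        -Filter { sAMAccountName -eq $SamAccountName }
    if ($hit) { "LINGERING: $($hit.DistinguishedName) is still in the GC on $GcServer" }
    else      { "OK: $SamAccountName is not present in the GC on $GcServer" }
}

Test-LingeringObject -GcServer $badGc -SearchBase $childBnc -SamAccountName 'deleted-user-placeholder'
```

Step 4 is deliberately after the /showrepl check: re-enabling outbound replication while the rehost is incomplete is the one ordering mistake that can spread the stale copy to the other Global Catalogs.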
Run NTDSUTIL
Type: Roles
Type: Connections
Type: Connect to server localhost
Type: Seize PDC (to seize PDC Emulator role)
Type: Seize naming master (to seize domain naming master)
Type: Seize Infrastructure master (to seize Infrastructure master role)
Type: Seize Schema master (to seize Schema master role)
Type: Seize RID master (to seize RID Master role)
In case domain controller that previously held any of the roles comes online, please ensure that you
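The ntdsutil seizure above has a PowerShell equivalent that also makes it easy to record who held the roles before and after. This is an added example, not from the article: it assumes the ActiveDirectory module and the article's sample forest, with DC02 of ChildA taken as the failed role holder and DC03 as the survivor.

```powershell
# Added example (not from the article): seize FSMO roles with PowerShell and show
# the holders before and after. Assumes the ActiveDirectory module; DC names are
# from the article's sample forest (DC02 assumed permanently offline).
Import-Module ActiveDirectory

function Get-FsmoHolders {
    param([Parameter(Mandatory)][string]$Domain)
    $forest = Get-ADForest
    $dom    = Get-ADDomain -Identity $Domain
    [pscustomobject]@{
        SchemaMaster         = $forest.SchemaMaster        # forest-wide role
        DomainNamingMaster   = $forest.DomainNamingMaster  # forest-wide role
        PDCEmulator          = $dom.PDCEmulator            # per-domain roles
        RIDMaster            = $dom.RIDMaster
        InfrastructureMaster = $dom.InfrastructureMaster
    }
}

'Before:'; Get-FsmoHolders -Domain 'ChildA.Sarvesh.local'

# -Force makes the cmdlet attempt a transfer and seize if the current holder does
# not respond, which is what ntdsutil "seize" does. Use it only when the holder is
# permanently gone; without -Force the cmdlet performs a clean transfer only.
# Domain roles of ChildA onto the surviving DC03:
Move-ADDirectoryServerOperationMasterRole -Identity 'DC03' `
    -OperationMasterRole PDCEmulator, RIDMaster, InfrastructureMaster -Force -Confirm:$false

# Forest roles are seized the same way onto a root-domain DC, e.g.:
# Move-ADDirectoryServerOperationMasterRole -Identity 'DC01' `
#     -OperationMasterRole SchemaMaster, DomainNamingMaster -Force -Confirm:$false

'After:'; Get-FsmoHolders -Domain 'ChildA.Sarvesh.local'
```

Keep the "Before" output with the incident record: it documents which DC must never be reconnected to the network without metadata cleanup, since two DCs claiming the same role is worse than the outage that prompted the seizure.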
SYSVOL Recovery:
FRS vs. DFS
Active Directory domains at a pre-Windows 2008 domain functional level use FRS to replicate
SYSVOL. Domains that were upgraded from Windows 2003 to Windows 2008 and have raised the domain
functional level to 2008 need to go through an FRS to DFS migration for the SYSVOL contents.
Domains installed with the Windows 2008 functional level use DFS-based SYSVOL replication
natively.
Recovery of DFS based SYSVOL:
How to perform a non-authoritative restore of SYSVOL from other replication partners:
1. Log in to the domain controller that needs to receive a fresh copy of the SYSVOL contents
2. Launch ADSIEDIT.msc
This would trigger replication of SYSVOL from other partners using FRS.
Note: Please ensure that Active Directory replication across the forest is healthy before fixing a SYSVOL
replication issue.
Look at the event logs, replication logs and Directory Services logs before attempting SYSVOL recovery.
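For DFS-R based SYSVOL, the ADSIEDIT step above consists of toggling the msDFSR-Enabled attribute on the DC's SYSVOL subscription object (the non-authoritative reset documented in Microsoft KB 2218556). The function below is an added example, not from the article, that performs the same toggle and reads back the DFS Replication events that confirm each stage. It assumes the ActiveDirectory module, that the target DC already uses DFS-R for SYSVOL, and the article's sample names.

```powershell
# Added example (not from the article): DFS-R non-authoritative SYSVOL reset for one DC,
# the scripted form of the ADSIEDIT procedure above (Microsoft KB 2218556).
# Assumes the ActiveDirectory module and that the DC replicates SYSVOL with DFS-R.
Import-Module ActiveDirectory

function Reset-SysvolDfsrNonAuthoritative {
    param(
        [Parameter(Mandatory)][string]$DcName,    # e.g. 'DC03'
        [Parameter(Mandatory)][string]$DomainDn   # e.g. 'DC=ChildA,DC=Sarvesh,DC=local'
    )
    # Per-DC DFS-R subscription object that controls SYSVOL replication for this DC.
    $subDn = "CN=SYSVOL Subscription,CN=Domain System Volume,CN=DFSR-LocalSettings," +
             "CN=$DcName,OU=Domain Controllers,$DomainDn"

    # 1. Disable the subscription, push the change through AD, and make DFS-R re-read it.
    #    Expect DFS Replication event 4114 (SYSVOL replication disabled) on the DC.
    Set-ADObject -Identity $subDn -Replace @{ 'msDFSR-Enabled' = $false } -Server $DcName
    repadmin /syncall $DcName /AdP
    dfsrdiag pollad /member:$DcName

    # 2. Re-enable it; DFS-R discards the local copy and rebuilds SYSVOL from a partner.
    #    Expect event 4614 (initializing) followed by 4604 (initial sync complete).
    Set-ADObject -Identity $subDn -Replace @{ 'msDFSR-Enabled' = $true } -Server $DcName
    repadmin /syncall $DcName /AdP
    dfsrdiag pollad /member:$DcName

    # 3. Report the subscription state and the most recent relevant DFS-R events.
    Get-ADObject -Identity $subDn -Properties 'msDFSR-Enabled' -Server $DcName |
        Select-Object DistinguishedName, 'msDFSR-Enabled'
    Get-WinEvent -ComputerName $DcName -MaxEvents 5 `
        -FilterHashtable @{ LogName = 'DFS Replication'; Id = 4114, 4614, 4604 }
}

# Reset-SysvolDfsrNonAuthoritative -DcName 'DC03' -DomainDn 'DC=ChildA,DC=Sarvesh,DC=local'
```

Event 4604 must appear before the DC's SYSVOL share is considered good again; until then, do not run this reset on a second DC of the same domain, or there may be no healthy partner left to rebuild from.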
Dcgpofix /target:both
Recovery of DNS
Active Directory Integrated zones can be stored in 4 places:
Run dnscmd /enumzones to see which Active Directory partition stores the DNS zone:
Use below command to change the Directory partition of domain
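Alongside dnscmd, the DnsServer PowerShell module (Windows Server 2012 and later) exposes the same information and the same partition change. The following is an added example, not from the article: it assumes the DnsServer module and the article's sample zone Sarvesh.local hosted on DC01.Sarvesh.local.

```powershell
# Added example (not from the article): show which directory partition stores each
# AD-integrated zone, then move a zone between partitions. Assumes the DnsServer
# module; server and zone names are from the article's sample forest.
Import-Module DnsServer

function Get-AdIntegratedZoneStorage {
    param([string]$DnsServer = 'DC01.Sarvesh.local')
    Get-DnsServerZone -ComputerName $DnsServer |
        Where-Object { $_.IsDsIntegrated } |
        Select-Object ZoneName, ZoneType, ReplicationScope, DirectoryPartitionName
}

'Before:'; Get-AdIntegratedZoneStorage
# Classic equivalent: dnscmd DC01.Sarvesh.local /enumzones

# Move the zone from domain-wide (DomainDnsZones) to forest-wide (ForestDnsZones)
# replication. The same operations exist for Domain and Legacy scopes.
Set-DnsServerPrimaryZone -Name 'Sarvesh.local' -ReplicationScope Forest -ComputerName 'DC01.Sarvesh.local'
# Classic equivalent: dnscmd DC01.Sarvesh.local /zonechangedirectorypartition Sarvesh.local /forest

'After:'; Get-AdIntegratedZoneStorage
```

Record the "Before" output as part of the DNS backup: when a zone has to be recreated, knowing which partition it lived in decides which domain controllers must hold a good copy.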
Run NTDSUTIL
If you have made changes to the Schema using a custom application, or Schema updates have malfunctioned,
then restoring from backup and re-promoting all DCs is the only option left.
3. We suggest keeping the Schema Admins group empty and adding the service or administrator account to
it only when necessary. This reduces the chance of Schema modifications, even accidental
ones.
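A check that enforces the "keep Schema Admins empty" practice and records the current schema version, so an unexpected schema change is noticed before it has replicated everywhere, as an added PowerShell example that is not from the article. It assumes the ActiveDirectory module and is meant to run as a scheduled task from a monitoring host.

```powershell
# Added example (not from the article): alert when Schema Admins has members and
# record the schema version and last change time. Assumes the ActiveDirectory module.
Import-Module ActiveDirectory

function Test-SchemaAdminsEmpty {
    # -Recursive catches accounts that are members through nested groups.
    $members = @(Get-ADGroupMember -Identity 'Schema Admins' -Recursive)
    [pscustomobject]@{
        Compliant = ($members.Count -eq 0)
        Members   = @($members | ForEach-Object { $_.SamAccountName })
    }
}

function Get-SchemaState {
    $rootDse = Get-ADRootDSE
    $schema  = Get-ADObject -Identity $rootDse.schemaNamingContext -Properties objectVersion, whenChanged
    [pscustomobject]@{
        SchemaMaster  = (Get-ADForest).SchemaMaster
        ObjectVersion = $schema.objectVersion   # increments with each Windows schema upgrade
        LastChanged   = $schema.whenChanged     # any movement here outside a change window needs a look
    }
}

$check = Test-SchemaAdminsEmpty
if (-not $check.Compliant) {
    Write-Warning "Schema Admins is not empty: $($check.Members -join ', ')"
}
Get-SchemaState
```

Compare the LastChanged and ObjectVersion values against the last recorded run; a change that nobody scheduled is the moment to take a fresh forest backup before anything else replicates.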
In this case the only option left is to restore every domain in the forest from backup and re-promote all
other DCs in the forest. This needs to be done with extreme care, as any changes made after the
backup will be lost.
Please ensure that an Active Directory forest backup (i.e. a backup of each domain) is taken before
performing any major activity, and that rollback steps are clearly defined and tested.