
Recovering virtualized Active Directory deleted objects from tombstone objects

We continue our series of articles on backup and recovery after failures of a virtualized Active Directory. The previous article dealt with restoring an entire domain controller. However, system administrators are far more likely to receive requests to restore individual Active Directory objects. So today we will look at restoring objects of a virtualized Active Directory from tombstones, in forests whose functional level is no higher than Windows Server 2008. Such forests are fairly rare now, but they are probably still in use somewhere. Newer systems and features such as the Active Directory Recycle Bin will be covered in the next article.


image


Active Directory Object Lifecycle


So why is it so important to understand how systems of earlier versions function? Because modern logic and familiar functionality are not applicable in these cases. Before the advent of Windows Server 2008 R2, the life cycle of Active Directory objects was as follows:


image


Deleting an Active Directory object does not physically delete it — this is what happens:


  1. Active Directory hides the deleted object by setting its isDeleted attribute to TRUE.
  2. Most of the object's attributes are then stripped, and the object itself is renamed and moved to a special container (CN=Deleted Objects). From this point on the object has the status of a “tombstone”, and standard Active Directory tools are not aware of its existence.
  3. The object stays in this special state for a set period (60 days in Windows Server 2000/2003 and 180 days in Windows Server 2003 SP1/2008). This is done so that the deletion replicates successfully throughout the system.
  4. When the allotted time in the “tombstone” state runs out, a special process (the so-called garbage collector) physically removes the object from the database.

And here the question arises: if a “tombstone” object is not physically deleted for some time, can it be restored? In short, yes. Although this deletion mechanism was never intended to serve as a temporary recycle bin, and deleted objects were not supposed to be restored, it is technically possible. Below I describe how it can be done.


Restore Active Directory objects using the LDP utility


LDP (LDP.exe) is a time-tested program created by the Active Directory developers. It looks quite simple, but it has many features that allow you to fully manage Active Directory objects. Its drawback is that mastering its functionality takes a lot of time, and the interface is neither modern nor particularly clear.
Note: This article is not a complete LDP guide. To learn how to work with the program, I recommend the LDP manual.


So, to restore the “tombstone” object using LDP, you need to do the following:


  1. Run the program (Start - Run - ldp).
  2. Connect to a domain controller (Connection - Connect..). Then bind using the credentials of a suitable account (an Enterprise or Domain administrator) (Connection - Bind..).
  3. Find the desired object in the Deleted Objects container. You will need to learn how to use the various search and filter settings (Browse - Search).
  4. In the “Controls” dialog box, select the “Return deleted objects” option and click the “Check in” button to add this control's object identifier to the Active Controls list.
  5. Then save the settings and run the query to find the deleted object.
  6. Restore the “tombstone” object with the modify dialog (Browse - Modify): locate the object by its distinguishedName (DN), remove the isDeleted value and rename the object at the same time.
  7. As a result, the object is restored and can be seen in Active Directory Users and Computers.

The figure below shows a typical search example that I performed to find tombstone objects in my test domain:


image


Beyond the above, keep in mind some peculiarities of restoring tombstone objects this way. For example, attributes that were stripped when the object was first deleted (group membership, for instance) will not be restored, which could cause you problems.
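The LDP steps above can also be scripted. The PowerShell below is an added example, not code from the original article, from LDP or from Veeam. It uses the .NET System.DirectoryServices.Protocols classes, which expose the same LDAP operations that LDP drives through its dialogs: the “Return deleted objects” control (ShowDeletedControl) for the search, and a single Modify on the tombstone that removes isDeleted and replaces distinguishedName. It also reads tombstoneLifetime from the configuration partition, which is the lifetime described in the lifecycle list above. The server name dc01.example.local, the domain DC=example,DC=local, the account jdoe and the restored name “John Doe” are assumed placeholders; run it as a Domain or Enterprise administrator, as in step 2.

```powershell
# Added example (not from the original article, LDP or Veeam): script the LDP procedure
# with System.DirectoryServices.Protocols. Assumed placeholders: dc01.example.local,
# DC=example,DC=local, user jdoe.
Add-Type -AssemblyName System.DirectoryServices.Protocols

function Connect-Dc {
    param([string]$Server)
    # Steps 1-2: connect and bind with the current (administrator) credentials
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($Server)
    $conn.SessionOptions.ProtocolVersion = 3
    $conn.Bind()
    return $conn
}

function Get-TombstoneLifetime {
    param($Conn, [string]$ConfigDn)
    # The lifetime in days (60 or 180 by default) is stored on the Directory Service object
    $req = New-Object System.DirectoryServices.Protocols.SearchRequest(
        "CN=Directory Service,CN=Windows NT,CN=Services,$ConfigDn", '(objectClass=*)',
        [System.DirectoryServices.Protocols.SearchScope]::Base, @('tombstoneLifetime'))
    $entry = $Conn.SendRequest($req).Entries[0]
    if ($entry.Attributes.Contains('tombstoneLifetime')) {
        return [int]$entry.Attributes['tombstoneLifetime'].GetValues([string])[0]
    }
    return 60   # attribute not set: the server uses the old default of 60 days
}

function Find-AdTombstone {
    param($Conn, [string]$BaseDn, [string]$SamAccountName)
    # Steps 3-5: search CN=Deleted Objects. Without the show-deleted control the DC
    # hides tombstones, which is why normal tools do not see them.
    $filter = "(&(isDeleted=TRUE)(sAMAccountName=$SamAccountName))"
    $req = New-Object System.DirectoryServices.Protocols.SearchRequest(
        "CN=Deleted Objects,$BaseDn", $filter,
        [System.DirectoryServices.Protocols.SearchScope]::OneLevel,
        @('distinguishedName', 'lastKnownParent', 'objectSid'))
    $req.Controls.Add((New-Object System.DirectoryServices.Protocols.ShowDeletedControl)) | Out-Null
    return $Conn.SendRequest($req).Entries
}

function Restore-AdTombstone {
    param($Conn, $Tombstone, [string]$NewCn)
    # Step 6: the undelete is one Modify on the tombstone DN, sent with the show-deleted
    # control, that deletes isDeleted and replaces distinguishedName with the new DN.
    # lastKnownParent is the container the object lived in; if that container was
    # deleted too, restore it first, otherwise the server rejects the new DN.
    $parent = $Tombstone.Attributes['lastKnownParent'].GetValues([string])[0]
    $newDn  = "CN=$NewCn,$parent"

    $mod = New-Object System.DirectoryServices.Protocols.ModifyRequest
    $mod.DistinguishedName = $Tombstone.DistinguishedName

    $delIsDeleted = New-Object System.DirectoryServices.Protocols.DirectoryAttributeModification
    $delIsDeleted.Name = 'isDeleted'
    $delIsDeleted.Operation = [System.DirectoryServices.Protocols.DirectoryAttributeOperation]::Delete

    $setDn = New-Object System.DirectoryServices.Protocols.DirectoryAttributeModification
    $setDn.Name = 'distinguishedName'
    $setDn.Operation = [System.DirectoryServices.Protocols.DirectoryAttributeOperation]::Replace
    $setDn.Add($newDn) | Out-Null

    $mod.Modifications.Add($delIsDeleted) | Out-Null
    $mod.Modifications.Add($setDn) | Out-Null
    $mod.Controls.Add((New-Object System.DirectoryServices.Protocols.ShowDeletedControl)) | Out-Null

    $Conn.SendRequest($mod) | Out-Null   # throws DirectoryOperationException on failure
    return $newDn
}

# ---- usage with the assumed placeholder names ----
$baseDn = 'DC=example,DC=local'
$conn   = Connect-Dc -Server 'dc01.example.local'
$days   = Get-TombstoneLifetime -Conn $conn -ConfigDn "CN=Configuration,$baseDn"
"Tombstones are kept for $days days before garbage collection"

$found = Find-AdTombstone -Conn $conn -BaseDn $baseDn -SamAccountName 'jdoe'
if ($found.Count -eq 1) {
    $restored = Restore-AdTombstone -Conn $conn -Tombstone $found[0] -NewCn 'John Doe'
    "Restored to $restored"
    # Not kept in the tombstone, so not restored: the password, group memberships and
    # most descriptive attributes. Reset the password and re-add the groups afterwards.
} else {
    "Expected exactly one tombstone for jdoe, found $($found.Count)"
}
```

The search is deliberately filtered on sAMAccountName, one of the few attributes a tombstone keeps, because the tombstone's CN has been rewritten to the “name\0ADEL:guid” form and no longer matches the original name. Restoring the object re-creates it with its original objectSid, so existing ACL entries referring to it work again; the stripped attributes and the password still have to be re-entered by hand, which is the gap the Veeam approach in the next section closes.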


Using Veeam Explorer for Microsoft Active Directory


As an alternative, you can use Veeam solutions, in particular Veeam Explorer for Active Directory. This program makes recovery much easier and faster. At the same time, it solves many of the problems of recovering tombstone objects, for example the loss of the account password and of many important attributes such as the user's first and last name. However, this recovery option is not suitable for every scenario: some preparation is needed first. Namely, to use Veeam Explorer for Active Directory you must have a backup of the domain controller on which the object was deleted. Today we are considering a virtualized controller whose backup was created with Veeam Backup & Replication.


So, if you happen to be the administrator of a virtual domain controller in a forest at the Windows Server 2003 or Windows Server 2008 functional level, you can use the following procedure:


  1. Make sure you have a backup of the domain controller and that it was created with the state of the applications taken into account (why this matters was mentioned in the first article of the series), that is, the Guest Processing > Enable application-aware processing option was selected in the backup job.

image


  2. If you need to restore a deleted object, open the backup of the domain controller, right-click it and select Restore application items > Microsoft Active Directory objects... to start the recovery and launch Veeam Explorer for Active Directory.

image


  3. Find the container you need and enable the Compare all objects and Show changed objects only options. This sets up pre-filtering: Veeam Explorer compares the data in the backup with the current state of the DC and displays only the objects that differ. Review the status of the objects and find those marked as Tombstone.

image


  4. The desired object(s) can be restored to the production environment or exported as an .lde file.

image


  5. When restoring a user account, one of the wizard steps will prompt you to specify the password restore options. You can choose from the following options:


Restoring the old password reduces the burden on the administrator and makes the account recovery completely invisible to the user. Imagine that overnight, as a result of a failure, an entire organizational unit (OU) with hundreds of users disappeared and has to be restored. In the morning, every employee logging in would be asked to change their password, and they would, of course, start asking questions. Naturally, it is better to avoid such a situation if at all possible.


image


Given the above, it is clear that Veeam Explorer for Microsoft Active Directory offers a relatively simple way to restore tombstone objects to Active Directory. If you work in a suitable environment, I recommend taking a look at this product.


That is all for today. In the next article in this series, we will compare the capabilities of the Active Directory Recycle Bin with other ways of restoring objects.



Source: https://habr.com/ru/post/317174/

