Active Directory User and Group Restore


Step 1
Determine whether the deletion has already replicated to all of your Global Catalog DCs. If there is a latent GC/DC that has not yet processed any part of the deletion, disconnect it from the network or disable inbound replication on it with the repadmin.exe command. (repadmin /options dc_name +DISABLE_INBOUND_REPL)

If there is no latent DC, you will have to find a recent system state backup from a GC/DC in the domain where the deletion occurred.

Step 2

Reboot the recovery DC into Directory Services Restore Mode and perform an authoritative restore (if you did not find a latent DC, restore the system state first and then perform the authoritative restore).

Step 3

If you did not have to restore the system state, reboot normally. If you did restore the system state, reboot with the network cable disconnected and then disable inbound replication with the repadmin command.

Initiate outbound replication to all DCs in the domain (and GCs in the forest) with the repadmin /syncall command:

repadmin /syncall dc_name /d /e /P YourDomainDN (such as dc=microsoft,dc=com)

/d: identifies servers by distinguished name in messages.

/e: Enterprise; includes partners in all sites.

/P: Pushes changes outward from the home server.

*Here is where you have to be careful, and why it is important to fully understand every command you run in a production environment.

Some documentation says to use the /A option with the repadmin command as well. The /A option tells repadmin to synchronize all directory partitions held on the server. That is fine in a small environment, but probably not a good idea if you have many DCs, or DCs behind slow WAN links. If you are only restoring users and groups, you only need to synchronize the domain partition.

Step 4

Wait for end-to-end replication to complete, and then proceed to fix up group membership:

(here it gets a little tricky)

If all groups are LVR enabled, group membership was already corrected when you issued the authoritative restore command. Information on LVR is at the bottom of this post.

Method 1: If you performed the authoritative restore on a DC running Windows Server 2003 SP1, the restore created one or more LDIF files that you can import with ldifde.exe to correct group membership. (ldifde -i -k -f filename.ldf -s Recovery_DCname)

* Be sure to specify the -s option along with the name of the recovery DC, or ldifde may connect to another DC and the command will fail.

Method 2: If this is a Windows 2000 DC or a Windows Server 2003 DC without SP1, you need to correct group membership manually. We have a utility called groupadd.exe that can help with this method.

Method 3: If you don't mind rolling group membership back to the time the system state backup was created, you can boot back into DS restore mode and issue another authoritative restore command (this time against the container that holds your groups).

Step 5

Replicate outbound again via repadmin, and then re-enable inbound replication:

repadmin /options dc_name -DISABLE_INBOUND_REPL

Finally, perform another system state backup, and you are done.
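The online part of Steps 3 to 5 above, pulled together into one script. This is an added example, not a script from the original post: it assumes it is run from an elevated prompt on the recovery DC after the reboot out of DS Restore Mode (the authoritative restore itself in Step 2 is done interactively and is not automated here), that repadmin.exe and ldifde.exe are on the path, and that the LDIF files from a 2003 SP1 authoritative restore sit in the directory given by $LdifPath (the default path and the *.ldf pattern are assumptions). The parameter names and the sample DC and domain values are constructed for the example.

```powershell
# Added example (not from the original post). Runs the online recovery steps on
# the recovery DC: disable inbound replication, push the restored objects outward
# (domain partition only, no /A), import the LDIF link files with ldifde -s, push
# again, then re-enable inbound replication. All flags used are the ones the post
# itself shows; $LdifPath and its default are assumptions.

param(
    [Parameter(Mandatory)] [string] $RecoveryDc,   # e.g. DC01.contoso.com (constructed value)
    [Parameter(Mandatory)] [string] $DomainDn,     # e.g. dc=contoso,dc=com (constructed value)
    [string] $LdifPath = 'C:\Windows\NTDS',       # assumption: where the restore wrote the .ldf files
    [switch] $AllGroupsAreLvr                     # skip the ldifde import when every group is LVR
)

function Invoke-Repadmin {
    param([string[]] $Arguments)
    # repadmin signals failure through its exit code; stop instead of continuing blindly
    $output = & repadmin.exe @Arguments 2>&1
    if ($LASTEXITCODE -ne 0) {
        throw "repadmin $($Arguments -join ' ') failed (exit $LASTEXITCODE):`n$output"
    }
    return $output
}

# Steps 1/3: make sure nothing replicates inbound while the restored data is pushed.
# Harmless if inbound replication was already disabled on this DC in Step 1.
Invoke-Repadmin @('/options', $RecoveryDc, '+DISABLE_INBOUND_REPL')

$succeeded = $false
try {
    # Step 3: push outward to all DCs in the domain and GCs in the forest.
    # Only the domain partition is named, which is what the post recommends
    # for user/group restores (no /A).
    Invoke-Repadmin @('/syncall', $RecoveryDc, '/d', '/e', '/P', $DomainDn)

    # Step 4, Method 1: import the LDIF files the SP1 authoritative restore produced.
    # -s binds ldifde to the recovery DC explicitly so it cannot pick another DC.
    if (-not $AllGroupsAreLvr) {
        $ldifFiles = Get-ChildItem -Path $LdifPath -Filter '*.ldf' -ErrorAction Stop
        if (-not $ldifFiles) { throw "No .ldf files found in $LdifPath" }
        foreach ($file in $ldifFiles) {
            & ldifde.exe -i -k -f $file.FullName -s $RecoveryDc
            if ($LASTEXITCODE -ne 0) {
                throw "ldifde import of $($file.Name) failed (exit $LASTEXITCODE)"
            }
        }
        # Step 5: push the repaired group membership outward as well
        Invoke-Repadmin @('/syncall', $RecoveryDc, '/d', '/e', '/P', $DomainDn)
    }
    $succeeded = $true
}
finally {
    if ($succeeded) {
        # Step 5: only now let the recovery DC accept inbound changes again
        Invoke-Repadmin @('/options', $RecoveryDc, '-DISABLE_INBOUND_REPL')
        Write-Output "Done. Take a fresh system state backup of $RecoveryDc now."
    } else {
        # Leave the DC isolated so the operator can inspect and retry, and say so
        # loudly: a forgotten +DISABLE_INBOUND_REPL leaves this DC silently drifting.
        Write-Warning ("A step failed. Inbound replication is still disabled on $RecoveryDc; " +
                       "re-enable it with: repadmin /options $RecoveryDc -DISABLE_INBOUND_REPL")
    }
}
```

The script deliberately re-enables inbound replication only on the success path; on a failure it leaves the DC isolated and prints the exact command to undo that, so the post's ordering (fix up membership first, then re-enable inbound) is preserved even when something goes wrong half way.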

---------------------------------------------------------------------------------

If for some reason you do not have a good system state backup or a latent DC, you can manually "undelete" individual users on Windows Server 2003.

KB 840001 describes how to do this with ldp.exe; alternatively, you can use adrestore.exe.

Please note that only a limited set of attributes is restored with the user:

SID, ObjectGUID, LastKnownParent, SAMAccountName

Beginning with SP1, SidHistory is also retained.

Information on LVR (Linked Value Replication)

---------------------------------------------------------------------------------

The following information was taken from a Server 2003 class I attended. I couldn't find a good online source for it.

"In Windows 2000, the smallest unit of data that can be replicated is an attribute. In the case of multi-valued attributes, such as the "member" attribute on a group, a change to one value of the multi-value prompts replication of the entire attribute, including all of the unchanged values as well." With LVR-enabled groups, only the changes made to the individual values of multi-valued attributes are replicated.

LVR is enabled when the forest is switched to the Windows Server 2003 forest functional level or the Windows Server 2003 interim level.

"Existing groups are not immediately converted to LVR. Instead, the groups are converted only as group membership changes. Individual members are added or deleted using LVR, and the old style attribute is no longer replicated. When new groups are created, all new members are stored and replicated using LVR."

To determine whether LVR is enabled, use the following repadmin command: repadmin /bind %servername%, then check whether "Linked_Value_Replication" reports "Yes".
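A small helper for that check, as an added example that is not part of the original post. It wraps the repadmin /bind call above, parses its output for the Linked_Value_Replication line, and returns a boolean you can use before deciding whether Step 4 needs the ldifde import. The function name, the -BindOutput parameter (which lets you feed it captured output instead of calling repadmin) and the sample output below are constructed for the example; the exact capitalization of the extension name in real repadmin output is treated as an assumption, so the match is case-insensitive.

```powershell
# Added example (not from the original post). Checks whether a DC reports the
# Linked_Value_Replication extension via "repadmin /bind". Function name and
# parameters are constructed; the sample output is constructed, not real repadmin text.

function Test-LvrEnabled {
    param(
        [Parameter(Mandatory)] [string] $Server,
        [string[]] $BindOutput    # optional: captured output to parse instead of calling repadmin
    )
    if (-not $BindOutput) {
        $BindOutput = & repadmin.exe /bind $Server 2>&1
        if ($LASTEXITCODE -ne 0) { throw "repadmin /bind $Server failed (exit $LASTEXITCODE)" }
    }
    # -match is case-insensitive by default, which covers the capitalization
    # differences between repadmin versions (assumption).
    $line = $BindOutput |
        Where-Object { $_ -match 'LINKED_VALUE_REPLICATION' } |
        Select-Object -First 1
    if (-not $line) {
        throw "repadmin /bind output for $Server did not mention Linked_Value_Replication"
    }
    return [bool]($line -match ':\s*Yes\s*$')
}

# Constructed sample output (not real repadmin text) so the parser can be exercised offline
$sample = @(
    'Bind to DC01 succeeded.',
    '    Linked_Value_Replication         : Yes'
)

if (Test-LvrEnabled -Server 'DC01' -BindOutput $sample) {
    # Forest-level LVR does not mean every group has been converted: per the class
    # notes above, an existing group is converted only when its membership changes,
    # so groups that never changed may still need the Step 4 fix-up.
    Write-Output 'LVR is enabled on DC01; groups whose membership has changed since the switch use LVR.'
} else {
    Write-Output 'LVR is not enabled on DC01; group membership replicates as a whole attribute.'
}
```

In practice you would call Test-LvrEnabled with only -Server against the recovery DC; the -BindOutput path exists so the parsing can be checked without touching a live domain controller.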

