Oops, we accidently deleted an OU
was the title of a high priority call that came in this morning. Now I knew that this client's infrastructure was connected by high-speed links so there was no chance of recovering the OU from a remote domain controller.
Being a MCSE I of course know the text-book solution to this, an authoritve restore and a lot of work with NTDSUtil. Not a job I was in the mood for this morning. So, after alerting the storage group to keep the tapes on hand I started looking for alternatives.
A quick google turned up KB article 840001 which outlines the procedure but I figured that by now there would be alternatives. The client's domain controllers weren't on SP1 yet so method 1 was out.
Reading that did remind me that objects that are deleted from Active Directory are not actually gone. Instead they are marked for deletion (tombstoned) but they are retained in active directory. I also read that it is possible with the LDP utility (ldp.exe from the support tools) to restore these objects. However using LDP for this is a rather time consuming process because you're manually editing properties for each object. So I figured someone else must have come across this already and that person would probably have written a clever little script for this tedious task.
Some more googling and I came across ADrestore from sysinternals. Now every admin knows that sysinternals makes excellent freeware so I figured I'd give that a shot.
Fired it up with adrestore -r laptops to restore the OU that was missing. OU restored in 3 seconds! Looked good so I did an adrestore -r nl-ams-lt to start restoring the computer accounts that were in the deleted ou. No luck! All the records had their LastKnownParent set to the Deleted Objects context.
Back to google and I quickly found Quest Software's Object Restore for Active Directory (registration required) which is a tool that does more or less the same only with a GUI. I noticed that the laptops OU was still listed as deleted. I restored it with that tool and tried to restore the computer accounts. Object restore crashed on me! So back to the command line and adrestore. This time the adrestore -r nl-ams-lt listed a lot of laptops with the correct lastKnownParent. Bingo! I quickly restored the 94 computer accounts and activated them.
Writing this I suspect that the admin who deleted the OU in the first place probably tried to save something by recreating the OU and that I restored that empty OU first.
Conclusion, to recover from an "oops" situation there are other options than booting in restore mode and messing with NTDSUtil.
Edit: This whole process would have worked a lot better if I'd remembered that unless you're in AD restore mode you can't restore passwords. So I had the computer accounts back but no passwords. Took a lot of tedious work with authorive restores to get that sorted.
The process I described here worked for me, however it may not work for you. Therefore this information is provided "as-is" with no warranty whatsoever. When working with Active Directory at this level the potential to do serious damage is great so be carefull and consider getting someone who knows what he/she is doing to assist you!
No comments:
Post a Comment