lukasgraham1983

Restore Deleted Objects in Active Directory Database Using Tombstone Reanimation (LDP.EXE): What You



By using AdRestore.exe or ADRestore.NET, you can apply the tombstone reanimation method to restore deleted objects from the Active Directory database easily. It basically does the same thing as using LDP in my previous post, Restore Deleted Objects in Active Directory Database Using Tombstone Reanimation (LDP.EXE).


AdRestore.exe

Formerly Sysinternals and now Microsoft, Mark Russinovich has created a command-line freeware application called ADRestore. The tool enumerates all of the currently tombstoned objects in a domain and allows you to restore them selectively, and provides a convenient command-line interface for using the Active Directory reanimation functionality.




Restore Deleted Objects in Active Directory Database Using Tombstone Reanimation (LDP.EXE)



The result of restoring deleted objects using the tombstone reanimation procedure is not perfect. You get back a disabled account whose attributes have been stripped. You have to set the password and enable the account.


If you want a complete restore, including all attributes of the user, you should consider an authoritative restore, which requires restoring from backup; and you cannot restore the Active Directory database from backup without restarting into Active Directory Restore Mode.


If you don't have a valid backup, you can only retrieve some of the objects' attributes (in essence, partial objects) through tombstone reanimation (LDP). -deleted-objects-in-active-directory-database-using-tombstone-reanimation-ldp-exe/


If you run ADRestore from the command line you will be prompted to choose which object you want to restore, and since there could be quite a few tombstoned objects, this process might take some time as you answer NO to each and every prompt. To add a little selectivity to the restore operation, you can run ADRestore with a parameter to narrow down the search. For example:


Recovering deleted objects in Active directory can be simplified by enabling the AD Recycle Bin feature supported on domain controllers based on Windows Server 2008 R2 and later. For more information on this feature including how to enable it and restore objects, see Active Directory Recycle Bin Step-by-Step Guide.


If you're creating the recovery domain controller by using a system state backup, restore the most current system state backup that was made on the recovery domain controller that contains the deleted objects now.


Performing Authoritative Restore of Active Directory Objects: -us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc...

Tips for reanimating the deleted objects in Active Directory: -the-deleted-objects-of-active-directory.pdf


Death of an Object

When an object is deleted, AD performs a variety of housekeeping tasks behind the scenes to turn the object into a tombstone. AD sets the object's isDeleted attribute to TRUE, which simplifies the distinction between tombstone objects and normal objects during a search. AD also moves the deleted object to the Deleted Objects container in the partition that contained the object before the deletion. (Each directory partition, including Windows 2003's new application partitions, holds a Deleted Objects container. The only exception is the Schema partition, which doesn't contain a Deleted Objects container because you can't delete objects from the schema.) AD hides these Deleted Objects containers by default, so to view them you must enable the Return Deleted Objects Lightweight Directory Access Protocol (LDAP) control as part of a search operation. (For more information about such operations, see the sidebar "Searching for Tombstones.")


AD renames the object, using an odd format. Generically, this format is OriginalName\0ADEL:ObjectGUID, where OriginalName is the object's original relative distinguished name (RDN), \0A is a null terminated character, and ObjectGUID is the object's original globally unique identifier (GUID). If I delete the object cn=rallen,ou=employees,dc=rallencorp,dc=com, for example, the resulting tombstone will have a distinguished name (DN) similar to CN=rallen\0ADEL:efc1ca9e-a5ec-4a29-97e1-c8013e538d2c,CN=Deleted Objects,DC=rallencorp,DC=com. One reason for using this format is that it guarantees uniqueness, even when multiple objects with the same RDN are deleted.


As if getting moved and renamed weren't bad enough for the lowly tombstone, AD also removes most of the original object's stored attributes. Because the object has been deleted, AD doesn't need to retain all the information originally stored with the object. Therefore, AD clears all but the essential attributes. You can identify a tombstone's retained attributes by using the Ldp tool (one of the Windows Support Tools) to query the schema for attributeSchema objects that have the eighth bit in the searchFlags attribute enabled.


For deleted objects on Windows 2003 DCs, AD populates the lastKnownParent attribute with the DN of the original object's container. AD stores tombstone objects directly under the Deleted Objects container, without maintaining the original objects' directory hierarchy, but you can use a tombstone's lastKnownParent attribute to identify the object's original location in the directory tree. This feature is available only in Windows 2003.
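The search and naming rules described above, as an added PowerShell example that is not code from the original post: it assumes the RSAT ActiveDirectory module, a placeholder domain controller name, and the function names used here. The AD module sends the Return Deleted Objects control when -IncludeDeletedObjects is given; the script then parses each tombstone's OriginalName\0ADEL:ObjectGUID name back into its parts, reports lastKnownParent, and reads the preserved-attribute list from the schema by the searchFlags bit.

```powershell
# Added example, not from the original post. Assumes the RSAT ActiveDirectory module
# and a reachable domain controller; the server name is a placeholder.
Import-Module ActiveDirectory
$Server = 'dc01.example.com'   # placeholder DC

# Parse the tombstone RDN format OriginalName\0ADEL:ObjectGUID back into its parts.
function ConvertFrom-TombstoneDN {
    param([Parameter(Mandatory)][string]$DistinguishedName)
    # The RDN value contains a 0x0A byte before "DEL:", shown as \0A in DN string form.
    if ($DistinguishedName -notmatch '^(?<type>[A-Za-z]+)=(?<name>.+?)\\0ADEL:(?<guid>[0-9a-fA-F-]{36}),(?<container>.+)$') {
        throw "Not a tombstone DN: $DistinguishedName"
    }
    [pscustomobject]@{
        OriginalRdn = "$($Matches.type)=$($Matches.name)"
        ObjectGuid  = $Matches.guid
        Container   = $Matches.container   # always a Deleted Objects container
    }
}

# Enumerate tombstones. -IncludeDeletedObjects makes the cmdlet send the
# Return Deleted Objects LDAP control, without which the containers stay hidden.
function Get-Tombstone {
    param([string]$LdapFilter = '(isDeleted=TRUE)')
    $found = Get-ADObject -Server $Server -LDAPFilter $LdapFilter -IncludeDeletedObjects `
                 -Properties objectClass, lastKnownParent, whenChanged
    foreach ($obj in $found) {
        # The Deleted Objects container itself also carries isDeleted=TRUE; skip it.
        if ($obj.DistinguishedName -notmatch '\\0ADEL:') { continue }
        $parts = ConvertFrom-TombstoneDN $obj.DistinguishedName
        [pscustomobject]@{
            OriginalRdn     = $parts.OriginalRdn
            ObjectGuid      = $parts.ObjectGuid
            ObjectClass     = $obj.ObjectClass
            LastKnownParent = $obj.lastKnownParent   # original container (Windows 2003 and later)
            LastChanged     = $obj.whenChanged       # approximates the deletion time
        }
    }
}

# Which attributes survive on a tombstone: attributeSchema objects whose searchFlags
# has the 0x8 (preserve-on-delete) bit set. The :1.2.840.113556.1.4.803: matching
# rule is the LDAP bitwise-AND test.
function Get-TombstonePreservedAttribute {
    $schemaNC = (Get-ADRootDSE -Server $Server).schemaNamingContext
    Get-ADObject -Server $Server -SearchBase $schemaNC `
        -LDAPFilter '(&(objectClass=attributeSchema)(searchFlags:1.2.840.113556.1.4.803:=8))' `
        -Properties lDAPDisplayName |
        Select-Object -ExpandProperty lDAPDisplayName | Sort-Object
}

# Usage: deleted user accounts with where they lived, then the preserved attribute set.
Get-Tombstone -LdapFilter '(&(isDeleted=TRUE)(objectClass=user))' | Format-Table -AutoSize
Get-TombstonePreservedAttribute
```

Running the first call with the default filter lists tombstones of every class, which is the same enumeration ADRestore performs before prompting; narrowing the LDAP filter is the scripted equivalent of its search parameter.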


But don't get too excited yet. Tombstone objects are shells of their former selves, so restoring a tombstone doesn't restore the object to all of its former glory. Let's walk through the steps to restore a tombstone by using the Windows 2003 version of Ldp. (A Win2K version of Ldp is also available, but it lacks some of the functionality I describe in the following steps.)


From a physical perspective, the DSA is really the directory service component and the database layer resides within it. The reason for separating the two is that the database layer performs a vital abstraction. Without this abstraction, the physical database on the disk would not be protected from the applications the DSA interacts with. Furthermore, the object-based hierarchy used by Active Directory would not be possible. Why? Because the data store is in a single data file using a flat (record-based) structure, whereas the database layer is used to represent the flat file records as objects within a hierarchy of containers. Like a folder that can contain files and other folders, a container is simply a type of object that can contain other objects and other containers.


You can recover tombstoned objects using tombstone reanimation. However, attribute values that were removed at deletion are not recovered. This applies both to link-valued attributes, which include the group memberships of user accounts, and to non-link-valued attributes.
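The restore walk-through introduced earlier and the limitations stated here, as an added PowerShell example that is not code from the original post (it does the same LDAP modify that Ldp performs): it assumes the RSAT ActiveDirectory module, the System.DirectoryServices.Protocols assembly, a placeholder domain controller name, and an account that holds the Reanimate Tombstones right on the partition. Reanimation is a single modify that removes isDeleted and replaces distinguishedName, sent with the Show Deleted Objects control; the usage lines then repair what the tombstone lost for a user account.

```powershell
# Added example, not from the original post. Assumes the RSAT ActiveDirectory module,
# a DC reachable as $Server (placeholder), and Reanimate Tombstones rights.
Add-Type -AssemblyName System.DirectoryServices.Protocols
Import-Module ActiveDirectory
$Server = 'dc01.example.com'   # placeholder DC

function Restore-Tombstone {
    param(
        [Parameter(Mandatory)][string]$TombstoneDN,   # 'CN=name\0ADEL:<guid>,CN=Deleted Objects,DC=...'
        [string]$TargetContainer                       # defaults to the tombstone's lastKnownParent
    )
    $ts = Get-ADObject -Server $Server -Identity $TombstoneDN -IncludeDeletedObjects -Properties lastKnownParent
    if (-not $TargetContainer) { $TargetContainer = $ts.lastKnownParent }
    if (-not $TargetContainer) { throw 'Tombstone has no lastKnownParent; pass -TargetContainer' }

    # The original RDN is everything before the \0ADEL: marker in the first component.
    $originalRdn = ($ts.DistinguishedName -split '\\0ADEL:')[0]
    $newDN = "$originalRdn,$TargetContainer"

    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($Server)
    $conn.SessionOptions.Signing = $true   # sign and seal the LDAP session
    $conn.SessionOptions.Sealing = $true
    $conn.Bind()                           # current Windows credentials

    $req = New-Object System.DirectoryServices.Protocols.ModifyRequest
    $req.DistinguishedName = $ts.DistinguishedName

    # Change 1: remove isDeleted entirely (not set it to FALSE).
    $clearDeleted = New-Object System.DirectoryServices.Protocols.DirectoryAttributeModification
    $clearDeleted.Name = 'isDeleted'
    $clearDeleted.Operation = [System.DirectoryServices.Protocols.DirectoryAttributeOperation]::Delete

    # Change 2: give the object its new DN, which also moves it out of Deleted Objects.
    $rename = New-Object System.DirectoryServices.Protocols.DirectoryAttributeModification
    $rename.Name = 'distinguishedName'
    $rename.Operation = [System.DirectoryServices.Protocols.DirectoryAttributeOperation]::Replace
    [void]$rename.Add($newDN)

    [void]$req.Modifications.Add($clearDeleted)
    [void]$req.Modifications.Add($rename)
    # Without this control the server cannot locate the hidden tombstone.
    [void]$req.Controls.Add((New-Object System.DirectoryServices.Protocols.ShowDeletedControl))

    try {
        $resp = $conn.SendRequest($req)   # throws DirectoryOperationException on an LDAP error
        if ($resp.ResultCode -ne [System.DirectoryServices.Protocols.ResultCode]::Success) {
            throw "Reanimation failed: $($resp.ResultCode) $($resp.ErrorMessage)"
        }
    } finally {
        $conn.Dispose()
    }
    $newDN
}

# Usage: reanimate the tombstone from the text, then repair what it lost. A reanimated
# user comes back disabled, without a password and without its group memberships;
# memberships must be re-added by hand from your own records.
$dn = Restore-Tombstone -TombstoneDN 'CN=rallen\0ADEL:efc1ca9e-a5ec-4a29-97e1-c8013e538d2c,CN=Deleted Objects,DC=rallencorp,DC=com'
Set-ADAccountPassword -Server $Server -Identity $dn -Reset -NewPassword (Read-Host -AsSecureString 'New password')
Enable-ADAccount -Server $Server -Identity $dn
Get-ADUser -Server $Server -Identity $dn -Properties memberOf | Select-Object Name, Enabled, memberOf
```

Both attribute changes must travel in the one ModifyRequest; sending them as two separate modifies is rejected by the directory. The final Get-ADUser shows the empty memberOf that the paragraph above warns about.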


The ESE uses a garbage-collection process to clear out tombstoned objects after the tombstone lifetime has expired, and it performs automatic online defragmentation of the database after garbage collection. The interval at which garbage collection occurs is a factor of the value set for the garbageCollPeriod attribute and the tombstone lifetime. By default, garbage collection occurs every 12 hours. When there are more than 5,000 tombstoned objects to be garbage-collected, the ESE removes the first 5,000 tombstoned objects and then uses the CPU availability to determine if garbage collection can continue. If no other process is waiting for the CPU, garbage collection continues for up to the next 5,000 tombstoned objects whose tombstone lifetime has expired, and the CPU availability is again checked to determine if garbage collection can continue. This process continues until all the tombstoned objects whose tombstone lifetime has expired are deleted or another process needs access to the CPU.


When a delete request is processed for an object, the object is not immediately deleted. Instead, the object is stripped of most of its attributes and moved to the Deleted Objects container of the partition the object exists in. Deleted objects that have been moved to the Deleted Objects containers are referred to as tombstones. Tombstones remain in the Deleted Objects container for the length of the tombstone period. The default tombstone periods or lifetimes for new forests are documented in Table 4-7. Tombstoning an object allows the delete operation to replicate to all domain controllers holding a copy of the object. The process of undeleting an object in Active Directory is known as tombstone reanimation.

