Tips and Tricks
Active Directory Single Object Restore
When you accidentally delete an Active Directory object, can you bring it back without performing an authoritative restore on the entire directory? This tip shares a little known service built right into AD that you'll want to know about.
It’s unfortunate, in a way, that Microsoft didn’t build a Recycle Bin into Active Directory Users and Computers. Actually, if it had, it would probably constitute a security risk we could all live without. Still, it would be convenient for those times when you accidentally delete an AD object—like a user account.
Keep in mind how an AD object deletion works: The domain controller (DC) on which you deleted it doesn’t actually remove the object. Instead, it tombstones it, effectively putting a big red “X” on it. That tombstone replicates throughout the domain until all the DCs have the object marked as deleted. The object can’t be undeleted at that point, and it’ll go away permanently after about 60 days. There’s no “undo” in AD Users and Computers, either, and thanks to AD’s efficient replication, you can’t even quickly rip the DC’s network cable out of the hub—once it gets back on the LAN, that tombstone’s going to be replicated.
Does that mean you have to perform an authoritative restore of the entire directory, potentially undoing other recent additions, changes and deletions? Not at all. Although nobody makes a big deal of it, Microsoft built a perfectly serviceable single-object restore capability right into AD.
Getting Authoritative, One Object at a Time
You’ll obviously need a recent backup that contains the object you want
to restore. This should be a standard System State backup from any DC
in your domain. You’ll need to perform the single-object restore on the
same DC used to make the backup. Once the prerequisites are covered, restart
the DC in question into its Directory Services Restore Mode. Log in using
the appropriate administrative credentials, and then run the Ntdsutil
utility. Then, type “authoritative restore” and press Enter.
Here’s the tough part: You’ve got to tell Ntdsutil the exact Fully Qualified
Domain Name (FQDN) of the object you want to restore. For example, you
might enter:
restore subtree “cn=John Doe,ou=Operations,dc=mycompany,
dc=com”
to restore a user named John Doe, whose user account was in the Operations organizational unit of the my company.com domain. You could type:
restore subtree “ou=Operations,dc=mycompany,dc=com”
to restore the entire Operations OU.
Things get a bit trickier if you want to restore a group. Before doing so, make sure that every user who’s supposed to be a member of the group is present in the domain, restoring users first if necessary. Then (and only then) can you restore the group.
Once you’re done restoring objects, restart the DC. It’ll start replicating
the change to the other DCs in the domain; before you know it, your mistake
will be a thing of the past. The magic is in the way AD performs authoritative
restores. Remember the tombstone that got put onto the object when you
deleted it? That tombstone caused the object’s internal version number
to increment on the DC that processed the deletion. That higher version
number, in turn, is what caused the other DCs on the domain to replicate
the tombstone—they had an older version of the object and simply wanted
to upgrade. When you performed the authoritative restore, however, the
object’s version number was incremented by several hundred, making it
the latest and greatest thing in the domain. Every DC will latch onto
the upgraded object, effectively erasing the tombstone and bringing the
object back from the dead.
About the Author
Don Jones is a multiple-year recipient of Microsoft’s MVP Award, and is Curriculum Director for IT Pro Content for video training company Pluralsight. Don is also a co-founder and President of PowerShell.org, a community dedicated to Microsoft’s Windows PowerShell technology. Don has more than two decades of experience in the IT industry, and specializes in the Microsoft business technology platform. He’s the author of more than 50 technology books, an accomplished IT journalist, and a sought-after speaker and instructor at conferences worldwide. Reach Don on Twitter at @concentratedDon, or on Facebook at Facebook.com/ConcentratedDon.