Looking for a good AD restore utility

Experts,

I am looking for a good AD restore utility for whenever one of my junior admins does something stupid like delete an OU.

--
Spin

www.sysinternals.com have a free utility. I think Joe does too -- www.joeware.net

Quest and NetIQ also have such products.

(as you can see I can't remember the names of any of them ;-)

--
Paul Williams
Microsoft MVP - Windows Server - Directory Services
http://www.msresource.net | http://forums.msresource.net

After you delete an object it will become a tombstone in AD within the deleted objects container. When an object is deleted, values from all attributes from the object will be stripped and removed (except for system attributes like "objectGUID", "objectSid", "distinguishedName", "nTSecurityDescriptor" and "uSNChanged", which are preserved on the tombstone). (On W2K3 SP1 DCs, the "sIDHistory" attribute is also preserved.)

The tombstone is preserved for the period of the tombstone lifetime, which is for:

Fresh install of AD with W2K DCs (all SPs): 60 days
Upgrading AD with W2K DCs to W2K3 DCs: 60 days
Upgrading AD with W2K DCs to W2K3 SP1 DCs: 60 days
Fresh install of AD with W2K3 DCs (all SPs): 60 days
Upgrading AD with W2K3 DCs to W2K3 SP1 DCs: 60 days
Fresh install of AD with W2K3 SP1 DCs (all SPs): 180 days

In both W2K and W2K3 AD you can perform an authoritative restore of the object using a system state backup that still contains the object and is not older than the period of the tombstone lifetime. Doing it this way will restore the object and its attributes. Using a W2K3 SP1 DC/GC makes it easier when restoring forward links (e.g. group memberships). For more info see: MS-KBQ840001

Only in W2K3 AD you can reanimate the tombstone to a live object again. Free third party utilities (e.g. sysinternals, quest, joeware) exist that do not repopulate the attributes, and non-free third party utilities (e.g. Netpro RestoreADmin and Quest Recovery Manager) are available that can undelete/reanimate and repopulate the attributes.

--
Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)

# Jorge de Almeida Pinto # MVP Windows Server - Directory Services
BLOG --> http://blogs.dirteam.com/blogs/jorge/default.aspx
-----------------------------------------------------------------------------
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always test before implementing!
-----------------------------------------------------------------------------

"Spin" <S***@spin.com> wrote in message news:46v7uqFd2iqeU1@individual.net...
> Experts,
>
> I am looking for a good AD restore utility for whenever one of my junior
> admins does something stupid like delete an OU.
>
> --
> Spin

Hi Jorge,

Thank you for good information about "Tombstone"

Regards,
Pravin Ebenezer

Spin,

Check this out for your backup and restore, as it will also address the delegation issue you were having: www.scriptlogic.com/products/activeadmin

Active Administrator has a built in object level backup and restore function that can alert you of such events, and allow you to quickly and easily restore deleted objects, groups or OUs. You have very granular control over which attributes you want to restore, and it will even restore user passwords if you want. In the case you described here, AA would recover the entire OU instantly, maintaining all group memberships and security. You can even archive your Group Policy history to run historical comparison reports, or roll GPOs back to any previous state.

Active Administrator is a true AD management solution right out of the box, and is priced at a fraction of the cost of solutions offered by Quest or NetIQ who require you to complete the solution set in modules. Check it out!

Jerry
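
To make the tombstone explanation in Jorge's reply concrete, the following PowerShell sketch (an added example, not posted by anyone in this thread) reads the forest's tombstone lifetime and lists the tombstones in the domain with an estimate of how many days each has left. It assumes a domain-joined host, an account allowed to read deleted objects, and that "whenChanged" on the queried DC approximates the deletion time; the variable and column names are illustrative.

```powershell
# Added example: report tombstones and the days left before they expire.
# Read-only; run against a DC the current user can query.
$rootDse  = [ADSI]'LDAP://RootDSE'
$domainNC = [string]$rootDse.psbase.Properties['defaultNamingContext'].Value
$configNC = [string]$rootDse.psbase.Properties['configurationNamingContext'].Value

# tombstoneLifetime is stored on the Directory Service object in the
# configuration partition; when the attribute is not set, AD uses 60 days.
$dsObj = [ADSI]"LDAP://CN=Directory Service,CN=Windows NT,CN=Services,$configNC"
$tsl   = $dsObj.psbase.Properties['tombstoneLifetime'].Value
if (-not $tsl) { $tsl = 60 }

# DirectorySearcher.Tombstone sends the LDAP "show deleted objects" control,
# without which tombstones are invisible to a normal search.
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = [ADSI]"LDAP://$domainNC"
$searcher.Filter     = '(isDeleted=TRUE)'
$searcher.Tombstone  = $true
$searcher.PageSize   = 500
foreach ($attr in 'distinguishedName', 'objectGUID', 'lastKnownParent', 'whenChanged') {
    [void]$searcher.PropertiesToLoad.Add($attr)
}

$now     = (Get-Date).ToUniversalTime()
$results = $searcher.FindAll()
try {
    $report = foreach ($r in $results) {
        $p = $r.Properties                      # keys are lower-case
        if ($p['whenchanged'].Count -eq 0) { continue }
        $deleted = [datetime]$p['whenchanged'][0]   # treated as UTC (assumption)
        $age     = [math]::Floor(($now - $deleted).TotalDays)
        $parent  = ''                           # lastKnownParent is absent on W2K tombstones
        if ($p['lastknownparent'].Count -gt 0) { $parent = [string]$p['lastknownparent'][0] }
        New-Object PSObject -Property @{
            ObjectGuid      = (New-Object Guid (,[byte[]]$p['objectguid'][0]))
            LastKnownParent = $parent
            DeletedApprox   = $deleted
            DaysLeft        = [int]$tsl - $age
            TombstoneDN     = [string]$p['distinguishedname'][0]
        }
    }
}
finally { $results.Dispose() }

"Tombstone lifetime: $tsl days"
$report | Sort-Object DaysLeft |
    Format-Table DaysLeft, DeletedApprox, ObjectGuid, LastKnownParent -AutoSize
```

Objects with a small DaysLeft value are close to being garbage collected, after which only a system state backup taken before the deletion can bring them back.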