Enable Active Directory Object Restore With Windows Server 2008 R2

The Active Directory Recycle Bin in Windows Server 2008 R2 by Jonathan Medd : http://www.simple-talk.com/sysadmin/exchange/the-active-directory-recycle-bin-in-windows-server-2008-r2/

Since Active Directory was included as part of Windows 2000 Server, administrators have often asked for a simple way to roll back mistakes, whether that is the deletion of the wrong user account or the accidental removal of thousands of objects by deleting an OU. Before the release of Windows Server 2008 R2 there were a number of ways, using built-in or third-party methods, to restore Active Directory objects, but typically they were not as quick or complete as, say, retrieving a deleted email or file.

Microsoft has included with their release of Windows Server 2008 R2 the facility, under the correct conditions, to enable a Recycle Bin for Active Directory and allow simple restoration of objects which have been erroneously removed. In this article we will briefly cover some of the options prior to 2008 R2 and then examine how to enable the new Recycle Bin and restore objects from it.

Pre-Windows Server 2008 R2

The 2008 R2 Recycle Bin for Active Directory is a great motivating point for upgrading your forest and domain(s) to the latest version, but this is not always a quick process in many enterprises so it is worth knowing what options are available prior to this version. Like many things it’s a lot better to examine and plan for possible resolutions before a significant mistake happens that you need to deal with. Retrieving Active Directory objects typically falls into two available categories, authoritative restore from a backup or tombstone reanimation.

Authoritative Restore

The Microsoft KB article 840001 (http://support.microsoft.com/kb/840001) details how to perform the restoration of a user account using a system state backup of a domain controller. Typically, you would use a global catalog so that you can also restore all group membership information.

Tombstone Reanimation

The above article also details how to recover an account when you don’t have a system state backup by using tombstone reanimation which was introduced with Windows Server 2003 – you can retrieve objects from the Deleted Objects container where they are kept after deletion until their tombstone period expires. Obviously regular system state backups of Active Directory are critical for your full disaster recovery procedures, but taking advantage of tombstone reanimation means you can get objects back quicker than having to go through the full authoritative restore process.

You could use the procedure in the article which utilises the ldp.exe tool, but there are other methods around which you may find simpler.

The drawback with tombstone reanimation is that because most of the object’s attributes are removed at the time of the object’s deletion, a restored object using this method requires many properties of the account, such as address fields and group membership, to be manually repopulated. Whilst this is obviously preferable to re-creating an account from scratch it does not make for a quick overall process. However, you will at least get back the objectGUID and objectSid attributes which means there would be no need to re-configure a user’s workstation profile.
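To see exactly what the tombstone mechanism described above leaves behind, here is an added PowerShell example (not the article's own code) that uses plain ADSI, so it also works against Windows Server 2003 domain controllers where the Active Directory module's web service is not available. It reads the forest's tombstoneLifetime and lists tombstoned users together with which attributes survived deletion; it assumes the session has permission to read deleted objects (Domain Admins by default).

```powershell
# Added example, not the article's code: inspect tombstone lifetime and tombstoned
# objects with ADSI (System.DirectoryServices), which needs nothing newer than
# Windows Server 2003 on the domain controller.
$rootDse   = [ADSI]"LDAP://RootDSE"
$configNc  = $rootDse.configurationNamingContext
$defaultNc = $rootDse.defaultNamingContext

# tombstoneLifetime (days) lives on the Directory Service object. If it is not set
# the forest default applies: 60 days for forests created before Windows Server 2003
# SP1, 180 days for forests created with 2003 SP1 or later.
$dsSettings = [ADSI]"LDAP://CN=Directory Service,CN=Windows NT,CN=Services,$configNc"
$tsl = [string]$dsSettings.tombstoneLifetime
if ($tsl -eq '') { $tsl = '<not set, forest default applies>' }
"tombstoneLifetime: $tsl"

# Tombstones are hidden from ordinary searches; DirectorySearcher.Tombstone = $true
# sends the Show Deleted Objects LDAP control so they become visible.
$searcher = New-Object System.DirectoryServices.DirectorySearcher([ADSI]"LDAP://$defaultNc")
$searcher.Tombstone = $true
$searcher.Filter    = '(&(isDeleted=TRUE)(objectClass=user))'
$searcher.PageSize  = 500
$null = $searcher.PropertiesToLoad.AddRange(@(
    'name', 'objectGUID', 'objectSid', 'lastKnownParent', 'whenChanged',
    'sAMAccountName', 'mail', 'streetAddress', 'memberOf'))

# Attributes that a plain tombstone strips (the article's "repopulate by hand" list).
$strippable = @('mail', 'streetaddress', 'memberof')

function Get-FirstValue($props, $attr) {
    # ResultPropertyCollection keys are lower-case; missing attributes yield an empty collection.
    if ($props[$attr].Count -gt 0) { $props[$attr][0] } else { $null }
}

foreach ($result in $searcher.FindAll()) {
    $p   = $result.Properties
    $sid = $null
    $rawSid = Get-FirstValue $p 'objectsid'
    if ($rawSid) { $sid = New-Object System.Security.Principal.SecurityIdentifier($rawSid, 0) }

    New-Object PSObject -Property @{
        Name            = Get-FirstValue $p 'name'             # RDN is mangled to name\0ADEL:<guid>
        SamAccountName  = Get-FirstValue $p 'samaccountname'
        ObjectGuid      = [guid](Get-FirstValue $p 'objectguid') # survives: profile/SID mapping intact
        ObjectSid       = $sid                                    # survives
        LastKnownParent = Get-FirstValue $p 'lastknownparent'     # where reanimation puts it back
        WhenChanged     = Get-FirstValue $p 'whenchanged'
        # Anything listed here was lost at deletion and must be repopulated after reanimation.
        LostAttributes  = @($strippable | Where-Object { $p[$_].Count -eq 0 })
    }
}
```

Run it against a test forest after deleting a lab account: objectGUID and objectSid come back populated, while mail, streetAddress and memberOf show up under LostAttributes, which is precisely why the article describes reanimation as quicker than an authoritative restore but far from complete.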

The original release of Windows Server 2008 introduced snapshot backups for Active Directory. You can take point-in-time snapshots of your Active Directory with the NTDSUTIL command line utility which utilizes Volume Shadow Copy to provide a snapshot. It is then possible to mount this snapshot using different ports on the same domain controller as the live Active Directory database and use standard tools to compare the two. This could really make the tombstone reanimation a lot simpler because after restoring the object you could view two versions of Active Directory Users and Computers side by side and view the properties of the restored object from a previous time, so making it simpler to repopulate properties.

The Directory Service Comparison Tool (http://lindstrom.nullsession.com/?page_id=11) takes advantage of these snapshots and makes the repopulation process more streamlined.

For those with Microsoft Exchange messaging environments, once you have the Active Directory account back, you can use the Reconnect Mailbox feature within Exchange to tie the restored account back up with the mailbox. This is of course providing you have a similar tombstone retention period for mailboxes that you do for AD accounts.

Active Directory Recycle Bin

The real reason you decided to read this article though was not so that we could spend time going over all the possible options for how you can piece together restored AD objects, but rather to find out how the Recycle Bin is going to make your life as an Active Directory administrator easier without necessarily the need for these different tools. The key differences from previous versions of Windows Server are that by default you get all of the attributes back and the tools to use are PowerShell cmdlets, which are quickly becoming a more essential part of every Windows administrator’s standard toolkit.

Firstly, though, the Active Directory Recycle Bin is not enabled by default and has certain domain- and forest-wide requirements before it can be enabled.

  • Firstly, all domain controllers within the Active Directory forest must be running Windows Server 2008 R2.
  • Secondly, the functional level of the Active Directory forest must be Windows Server 2008 R2.

Naturally organizations are typically cautious when upgrading Active Directory and these types of infrastructure projects don’t tend to happen quickly, but the Recycle Bin could be one of the features which gives you more weight behind a decision. You should also be aware though that enabling the Recycle Bin is a one-time only move; there’s no easy way to disable it again, so careful consideration of this decision must be taken.

It’s worth noting that if you are making a fresh forest install of Windows Server 2008 R2 the Active Directory schema will already include all of the necessary attributes for the Recycle Bin to function. If however you are upgrading your domain controllers from previous versions of Windows Server then you will need to run the well known procedure of adprep /forestprep and adprep /domainprep (for each domain) and possibly adprep /domainprep /gpprep (for Group Policy preparation) before you can introduce Windows Server 2008 R2 domain controllers into the environment.

So let’s go ahead and run through all the steps we need to get the Recycle Bin enabled. Firstly, ensure that all of your domain controllers are running Windows Server 2008 R2 and then we need to use PowerShell; the great news with Windows Server 2008 R2 is that version 2 of PowerShell is installed by default and is placed directly on your taskbar.

After you have installed Active Directory Domain Services the Active Directory specific cmdlets are available to use via a module; modules essentially are the evolution of snap-ins from version 1 of PowerShell. To access these cmdlets you can either open the Active Directory specific version of the PowerShell console from the Administrative Programs menu, or, the method I would prefer, use the Import-Module cmdlet. (Tip: You could add the below expression to your PowerShell profile so that the cmdlets are available every time you open PowerShell.)

PS> Import-Module activedirectory

Once complete all of the Active Directory cmdlets will be at your fingertips. As previously discussed we now need to get the functional level of the forest up to the level of Windows Server 2008 R2. The most common way to do this previously was through Active Directory Domains and Trusts.

Now though we can do this through PowerShell. The Get-ADForest cmdlet will return information about your forest and the Set-ADForestMode cmdlet will enable you to raise the current functional level – since it is such a significant change to your environment you will be prompted to confirm that you wish to go ahead.

PS> Get-ADForest | Set-ADForestMode -ForestMode Windows2008R2Forest

Now that our forest is at the correct functional level we can enable the Recycle Bin. To do so we use the Enable-ADOptionalFeature cmdlet. This must be either run on the DC with the Domain Naming Master FSMO role or directed at that server with the -Server parameter. Again you will be prompted to confirm your command since the action is irreversible.

PS> Enable-ADOptionalFeature 'Recycle Bin Feature' -Scope ForestOrConfigurationSet -Target 'test.local'
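The steps above, run end to end as a script, with the pre-flight checks a practitioner would want before an irreversible change and the restore the article is building toward. This is an added PowerShell example, not the article's own code; it assumes the ActiveDirectory module (present on a 2008 R2 domain controller or via RSAT), an Enterprise Admins session, and uses the placeholder account name jsmith. The forest name is taken from Get-ADForest rather than hard-coded.

```powershell
# Added example, not the article's code: verify prerequisites, enable the Recycle
# Bin against the Domain Naming Master, then restore a deleted user with all of
# its attributes. 'jsmith' is a placeholder account.
Import-Module ActiveDirectory

$forest = Get-ADForest

# 1. Every DC in every domain of the forest must run Windows Server 2008 R2.
$oldDcs = foreach ($domain in $forest.Domains) {
    Get-ADDomainController -Filter * -Server $domain |
        Where-Object { $_.OperatingSystem -notlike '*2008 R2*' }
}
if ($oldDcs) {
    $oldDcs | Format-Table HostName, Domain, OperatingSystem -AutoSize
    throw 'Recycle Bin prerequisite failed: all domain controllers must run Windows Server 2008 R2.'
}

# 2. Forest functional level must be Windows Server 2008 R2 (the cmdlet prompts for confirmation).
if ($forest.ForestMode -ne 'Windows2008R2Forest') {
    $forest | Set-ADForestMode -ForestMode Windows2008R2Forest
    $forest = Get-ADForest
}

# 3. Enable the feature, directed at the Domain Naming Master as the article requires.
#    This is one-way; the cmdlet prompts because there is no supported way back.
$feature = Get-ADOptionalFeature -Filter 'Name -like "Recycle Bin Feature"'
if ($feature.EnabledScopes.Count -eq 0) {
    Enable-ADOptionalFeature -Identity $feature -Scope ForestOrConfigurationSet `
        -Target $forest.RootDomain -Server $forest.DomainNamingMaster
}

# 4. Restore a user deleted after the feature was enabled. Such objects keep every
#    attribute, so -Properties already shows group membership and address fields.
$deleted = Get-ADObject -Filter { sAMAccountName -eq 'jsmith' -and isDeleted -eq $true } `
    -IncludeDeletedObjects -Properties lastKnownParent, memberOf, streetAddress, whenChanged

foreach ($obj in $deleted) {
    # Restore-ADObject puts the object back under lastKnownParent, which must still
    # exist: if the OU was deleted as well, restore the OU first (parent before
    # child) or pass -TargetPath to choose a different container.
    Restore-ADObject -Identity $obj.ObjectGUID
}

# Nothing to repopulate by hand: objectSid, group membership and address fields all return.
Get-ADUser -Identity 'jsmith' -Properties memberOf, streetAddress |
    Select-Object Name, DistinguishedName, streetAddress, memberOf
```

Only objects deleted after the feature is enabled get this treatment; anything deleted beforehand remains an ordinary tombstone and is still subject to the reanimation caveats covered earlier in the article.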


Upgrading your Active Directory to Windows Server 2008

Ways to migrate

As shown last time, upgrading your Windows Server 2003 Active Directory environment to Windows Server 2008 can be done in three distinct ways:

  • In-place upgrading
    Windows Server 2003 and Windows Server 2003 R2 can both be upgraded in-place to Windows Server 2008
  • Transitioning
    Migrating this way means adding Windows Server 2008 Domain Controllers to your existing Active Directory environment.
  • Restructuring
    A third way to go from Windows Server 2003 Domain Controllers to Windows Server 2008 Domain Controllers is restructuring your Active Directory environment. This involves moving all your resources from one (Windows Server 2003) domain to a new and fresh (Windows Server 2008) domain. Tools like the Active Directory Migration Tool (ADMT) are priceless in these kind of migrations.

Reasons to upgrade in-place

In-place upgrading is the path of the least investment. You can simply reuse your existing Windows Server 2003 and Windows Server 2003 R2 Domain Controllers as Windows Server 2008 Domain Controllers.

Just like transitioning, in-place upgrading means you get to keep your current Active Directory layout, contents, group policies and schema.

In-place upgrading is good when:

  • You worked hard to get your Active Directory in the shape it’s in.
  • Your servers are in tip-top shape.
  • There’s really no budget to buy new servers.

Be sure your current Windows Server 2003 Domain Controllers will last another three to five years when you intend to upgrade them in-place. Transitioning isn’t really any harder compared to in-place upgrading. So if you’re going to do either, please make sure you’re not heading for double work. It would be sad to see you upgrade Domain Controllers now and see you transition in a year from now, while you could’ve easily transitioned in the first place.

Remember: You’re the one with the advantage in negotiations when your boss wants you to go to Windows Server 2008 and really doesn’t want to buy new servers.

Reasons not to upgrade in-place

While I can find two main reasons to perform in-place upgrades, I can find a lot of reasons not to perform them (and choose another migration path instead):

  • Your servers do not meet the required patchlevel for in-place upgrading
    (The Windows Server 2003 patchlevel should be at least Service Pack 1)
  • You want to upgrade across architectures (between x86, x64 and/or Itanium)
  • You’re running Windows Small Business Server 2003 or Windows Small Business Server 2003 R2 (upgrade scenarios for Small Business Server are uncertain at this moment)
  • You want to switch Windows Server edition (to obtain clustering for instance)
    • Standard Edition can be upgraded to both Standard and Enterprise Edition
    • Enterprise Edition can be upgraded to Enterprise Edition only
    • Datacenter Edition can be upgraded to Datacenter Edition only
  • You want your Windows Server 2008 Domain Controllers to be Server Core installations of Windows Server 2008. Upgrading to Server Core is not possible.
  • Your Windows Server 2003 Domain Controllers are equipped with a boot drive which has less than 14062 MB of free space, or your Windows Server 2003 Domain Controllers do not meet the Windows Server 2008 (recommended) system requirements.
  • Applications on your existing Domain Controllers are not tested with or certified for usage on Windows Server 2008.
  • Applications or installed components on your Windows Server 2003 have known problems when upgrading in-place to Windows Server 2008. PowerShell and thus Exchange Server 2007 are such programs!

If these considerations leave you with an undesirable outcome (for instance you wanted to migrate from 32-bit Domain Controllers to 64-bit Domain Controllers), choose to transition your Windows Server Active Directory environment to Windows Server 2008.
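Several of the blockers listed above (service pack level, architecture, edition, free space on the boot drive) are facts you can read off a domain controller before deciding on a path. The following added PowerShell example (not the post's own code) gathers them over WMI from a Windows Server 2008 or 2008 R2 management host, so nothing has to be installed on the 2003 DC itself; that matters because PowerShell 1.0 on the DC is itself one of the blockers named above. The host name dc01.corp.example is a placeholder, and the caller needs local administrator rights on the DC. Application compatibility (Exchange Server 2007, third-party agents) still has to be checked separately.

```powershell
# Added example, not the post's code: collect in-place upgrade facts from a
# Windows Server 2003 domain controller over WMI and flag the blockers the
# post lists. Run from a 2008/2008 R2 host; 'dc01.corp.example' is a placeholder.
function Test-InPlaceUpgradeReadiness {
    param([Parameter(Mandatory = $true)][string]$ComputerName)

    $os   = Get-WmiObject Win32_OperatingSystem -ComputerName $ComputerName
    $cs   = Get-WmiObject Win32_ComputerSystem  -ComputerName $ComputerName
    $disk = Get-WmiObject Win32_LogicalDisk     -ComputerName $ComputerName `
                -Filter "DeviceID='$($os.SystemDrive)'"

    $freeMB  = [math]::Floor($disk.FreeSpace / 1MB)
    $caption = $os.Caption.Trim()   # e.g. "Microsoft(R) Windows(R) Server 2003, Enterprise Edition"

    # Edition decides which Windows Server 2008 editions an in-place upgrade may target.
    $targets = switch -Regex ($caption) {
        'Datacenter' { 'Datacenter'; break }
        'Enterprise' { 'Enterprise'; break }
        'Standard'   { 'Standard, Enterprise'; break }
        default      { 'unknown edition: check the upgrade matrix' }
    }

    $blockers = @()
    if ($os.ServicePackMajorVersion -lt 1) {
        $blockers += "Service Pack $($os.ServicePackMajorVersion) installed; SP1 or later required"
    }
    if ($freeMB -lt 14062) {
        $blockers += "$freeMB MB free on $($os.SystemDrive); 14062 MB required"
    }
    if ($caption -match 'Small Business Server') {
        $blockers += 'Small Business Server 2003: in-place upgrade path uncertain'
    }

    New-Object PSObject -Property @{
        ComputerName    = $ComputerName
        OperatingSystem = $caption
        ServicePack     = $os.ServicePackMajorVersion
        # 'X86-based PC' or 'x64-based PC'; an in-place upgrade cannot cross this boundary
        Architecture    = $cs.SystemType
        TargetEditions  = $targets
        FreeSystemMB    = $freeMB
        Blockers        = $blockers
    }
}

Test-InPlaceUpgradeReadiness -ComputerName 'dc01.corp.example' | Format-List
```

An empty Blockers list means the server clears the hard requirements from the post's list; the Architecture and TargetEditions fields then tell you whether the upgrade can actually land where you want it (for instance, an X86-based PC cannot become a 64-bit domain controller in place).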


Active Directory Maximum Limits

Maximum Number of Objects

Each domain controller in an Active Directory forest can create a little bit less than 2.15 billion objects during its lifetime.

Each Active Directory domain controller has a unique identifier that is specific to the individual domain controller. These identifiers, which are called Distinguished Name Tags (DNTs), are not replicated or otherwise visible to other domain controllers. The range of values for DNTs is from 0 through 2,147,483,393 (2^31 minus 255). As objects are created on a domain controller, a unique value is used. A DNT is not reused when an object is deleted. Therefore, domain controllers are limited to creating approximately 2 billion objects (including objects that are created through replication). This limit applies to the aggregate of all objects from all partitions (domain NC, configuration, schema, and any application directory partitions) that are hosted on the domain controller.

Because new domain controllers start with low initial DNT values (typically, anywhere from 100 up to 2,000), it may be possible to work around the domain controller lifetime creation limit—assuming, of course, that the domain is currently maintaining less than 2 billion objects. For example, if the lifetime creation limit is reached because approximately 2 billion objects are created, but 500 million objects are removed from the domain (for example, deleted and then permanently removed from the database through the garbage collection process), installing a new domain controller and allowing it to replicate the remaining objects from the existing domain controllers is a potential workaround. However, it is important that the new domain controller receives the objects through replication and that such domain controllers not be promoted with the Install from Media (IFM) option. Domain controllers that are installed with IFM inherit the DNT values from the domain controller that was used to create the IFM backup.

At the database level, the error that occurs when the DNT limit is reached is “Error: Add: Operations Error. <1> Server error: 000020EF: SvcErr: DSID-0208044C, problem 5012 (DIR_ERROR), data -1076.”
