Every 12 hours, each domain controller starts a garbage collection process. (This can be changed by setting a new value for the garbageCollPeriod attribute of the CN=Directory Service,CN=Windows NT, CN=Services,CN=Configuration,DC= object.) This garbage collection scans all of the tombstones on the DC and physically deletes any that are older than the tombstone lifetime.
To prepare for restoring the deleted object, you have to install the Windows Server 2003 Support Tools. On the Windows Server 2003 installation CD, the installer is located at \SUPPORT\TOOLS\SUPTOOLS.MSI.
You do not need to follow this step if you are using Windows Server 2008.
The result of restoring deleted objects with the tombstone reanimation procedure is not perfect. You get back a disabled account with all of its attributes stripped. You have to set the password and enable the account.
If you want a successful restore that includes all attributes of the user, you should consider an authoritative restore, which requires restoring from backup; and you cannot restore the Active Directory database from backup without restarting in Active Directory Restore Mode.
Active Directory (AD) is a directory service created by Microsoft for Windows domain networks. It is involved in centralized domain management and stores information about objects on the network. When an object in AD is deleted, it is not immediately removed from the database. Instead, it becomes what is known as a 'tombstoned' object. This is a soft-delete state where the object is marked for deletion but retained in the database for a specific period, known as the tombstone lifetime, which by default is 60 or 180 days, depending on the version of Windows Server being used.
Tombstoned objects are crucial for ensuring that deletions are replicated across the entire domain. However, there may be scenarios where you need to recover these objects. This process is often referred to as 'reanimation' or 'authoritative restore.'
Reanimating a tombstoned object involves restoring it to a usable state. This is done using either the LDP.exe tool provided by Microsoft or PowerShell cmdlets. Here are the general steps to reanimate a tombstoned object:
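The following PowerShell is an added example, not code from the original page: it issues the same LDAP operations LDP.exe performs during reanimation (search with the Show Deleted Objects control, then delete isDeleted and replace distinguishedName) through System.DirectoryServices.Protocols, and then applies the post-restore fixes the text calls for. It assumes a Domain Admin session, the RSAT ActiveDirectory module, and the constructed names dc01.corp.example, jdoe and DC=corp,DC=example.

```powershell
# Added example (not from the original page): LDP.exe-style tombstone reanimation
# from PowerShell, followed by the post-restore fixes (password, enable). Assumes a
# Domain Admin session and the constructed names dc01.corp.example, jdoe and
# DC=corp,DC=example.
Add-Type -AssemblyName System.DirectoryServices.Protocols
Import-Module ActiveDirectory
$P = 'System.DirectoryServices.Protocols'

$conn = New-Object "$P.LdapConnection" 'dc01.corp.example'
$conn.SessionOptions.Signing = $true      # sign and seal the session for this admin operation
$conn.SessionOptions.Sealing = $true
$conn.Bind()                              # current credentials (Negotiate)

# 1. Locate the tombstone. Deleted objects stay hidden unless the request carries
#    the Show Deleted Objects control (OID 1.2.840.113556.1.4.417); sAMAccountName
#    is one of the few attributes a tombstone keeps, so it is safe to filter on.
$search = New-Object "$P.SearchRequest" ('CN=Deleted Objects,DC=corp,DC=example',
    '(&(isDeleted=TRUE)(sAMAccountName=jdoe))', 'Subtree', @('lastKnownParent'))
[void]$search.Controls.Add((New-Object "$P.ShowDeletedControl"))
$entry = $conn.SendRequest($search).Entries | Select-Object -First 1
if (-not $entry) { throw 'No tombstone for jdoe; it may have aged past the tombstone lifetime' }

# 2. Reanimate: delete isDeleted and give the object a real DN under its last known
#    parent. This is the whole operation, which is why the account comes back stripped.
$parent = $entry.Attributes['lastKnownParent'].GetValues([string])[0]
$rdn    = ($entry.DistinguishedName -split '\\0ADEL:')[0]   # "CN=<name>" before the \0ADEL: suffix
$mod = New-Object "$P.ModifyRequest"
$mod.DistinguishedName = $entry.DistinguishedName
$delIsDeleted = New-Object "$P.DirectoryAttributeModification"
$delIsDeleted.Name = 'isDeleted'; $delIsDeleted.Operation = 'Delete'
$setDN = New-Object "$P.DirectoryAttributeModification"
$setDN.Name = 'distinguishedName'; $setDN.Operation = 'Replace'
[void]$setDN.Add("$rdn,$parent")
[void]$mod.Modifications.Add($delIsDeleted)
[void]$mod.Modifications.Add($setDN)
[void]$mod.Controls.Add((New-Object "$P.ShowDeletedControl"))  # LDP's "Extended" checkbox
$null = $conn.SendRequest($mod)

# 3. The reanimated account is disabled and has no usable password. Set one, force a
#    change at first logon, enable it, and verify. Group memberships (memberOf) are
#    back-links the tombstone did not keep and must be re-added separately.
$pw = Read-Host -AsSecureString 'New password for jdoe'
Set-ADAccountPassword -Identity jdoe -Reset -NewPassword $pw
Set-ADUser -Identity jdoe -ChangePasswordAtLogon $true
Enable-ADAccount -Identity jdoe
Get-ADUser jdoe -Properties memberOf | Select-Object DistinguishedName, Enabled, memberOf
```

The final Get-ADUser output will show an empty memberOf, which is the visible sign that only the tombstone-preserved attributes came back.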
If you're looking to streamline your Active Directory management and need professional assistance, you might want to hire .NET Active Directory developers who are well-versed in directory services and can handle complex scenarios involving tombstoned objects and their reanimation.
Handling tombstoned objects in Active Directory is a delicate process that requires a good understanding of the inner workings of AD. Whether you choose to use the LDP.exe tool or PowerShell, it's important to follow best practices and consider the implications of restoring objects. With the right approach, you can effectively manage tombstoned objects and ensure the resilience and consistency of your directory services.
Sr. IT PRO, more than 18 years working in IT, Owner of Absolut IT, a specialized consultancy and Microsoft Partner. MTAC - Multi-Platform Technical Audience Contributor, Microsoft Trainer - MCT, MCSE, MCSA Windows Server and Office 365, MCA: Azure Administrator, MCITP Enterprise, Server, Lync and Virtualization Admin, Microsoft Technologies Specialist.
The Active Directory database mounting tool (Dsamain.exe) can improve recovery processes for your organization by providing a means to compare data as it exists in snapshots or backups that are taken at different times so that you can better decide which data to restore after data loss. This eliminates the need to restore multiple backups to compare the Active Directory data that they contain.
By using the Active Directory database mounting tool, you can examine any changes that are made to data that is stored in Active Directory Domain Services (AD DS). For example, if an object is accidentally modified, you can use the Active Directory database mounting tool to examine the changes and help you better decide how to correct them if necessary.
Although the Active Directory database mounting tool does not recover deleted objects by itself, it helps streamline the process for recovering objects that have been accidentally deleted. Before the Windows Server 2008 operating system, when objects or organizational units (OUs) were accidentally deleted, the only way to determine exactly which objects were deleted was to restore data from backups. This approach had two drawbacks:
The purpose of the Active Directory database mounting tool is to expose AD DS data that is stored in snapshots or backups online. Administrators can then compare data in snapshots or backups that are taken at different points in time, which in turn helps them to make better decisions about which data to restore, without incurring service downtime.
The Active Directory database mounting tool makes it possible for deleted AD DS or Active Directory Lightweight Directory Services (AD LDS) data to be preserved in the form of snapshots of AD DS that are taken by the Volume Shadow Copy Service (VSS). The tool does not actually recover the deleted objects and containers. The administrator must perform data recovery as a subsequent step.
You can use a Lightweight Directory Access Protocol (LDAP) tool such as Ldp.exe, which is a tool that is built into Windows Server 2008, to view the data that is exposed in the snapshots. This data is read-only data. By default, only members of the Domain Admins and Enterprise Admins groups are allowed to view the snapshots because they contain sensitive AD DS data.
Safeguard the AD DS snapshots from unauthorized access just as you protect backups of AD DS. A malicious user who has access to the snapshots can use them to reveal sensitive data that might be stored in AD DS. For example, a malicious user might copy AD DS snapshots from forest A to forest B, and then use Domain Admin or Enterprise Admin credentials from forest B to examine the data. Use encryption or other data security precautions with AD DS snapshots to help mitigate the chance of unauthorized access to AD DS snapshots.
If you have some idea which OU or objects were deleted, you can look up the deleted objects in the snapshots and record the attributes and back-links that belonged to the deleted objects. Reanimate these objects by using the tombstone reanimation feature. Then, manually repopulate these objects with the stripped attributes and back-links as identified in the snapshots.
Although you must manually recreate the stripped attributes and back-links, the Active Directory database mounting tool makes it possible for you to recreate deleted objects and their back-links without restarting the domain controller in Directory Services Restore Mode. You can also use the tool to look up aspects of previous configurations of AD DS, such as permissions that were in effect.
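The snapshot look-up and repopulation procedure above, as an added PowerShell example that is not part of the original page: it creates and mounts a VSS snapshot with ntdsutil, serves it read-only with Dsamain.exe, reads the deleted user's former attributes and group memberships from the snapshot, and reapplies them to the reanimated account. It assumes a Windows Server 2008 or later domain controller, a Domain Admin session on that DC, and the constructed names jdoe and DC=corp,DC=example.

```powershell
# Added example (not from the original page): recover a deleted user's stripped
# attributes and back-links from an AD DS snapshot exposed by Dsamain.exe. Assumes a
# Domain Admin session on a 2008+ DC and the constructed names jdoe, DC=corp,DC=example.

# 1. Take a VSS snapshot of the AD database and mount it by the GUID ntdsutil reports.
$created  = ntdsutil "activate instance ntds" snapshot create quit quit
$guid     = [regex]::Match(($created -join ' '), '\{[0-9a-fA-F-]+\}').Value
$mounted  = ntdsutil snapshot "mount $guid" quit quit     # "... mounted as C:\$SNAP_..._VOLUMEC$\"
$mountDir = [regex]::Match(($mounted -join ' '), '[A-Z]:\\\$SNAP_\S+').Value
$dit      = Join-Path $mountDir 'Windows\NTDS\ntds.dit'

# 2. Serve the mounted database read-only on an alternate LDAP port. Do not add
#    -allowNonAdminAccess: the snapshot is the whole directory, so keep it readable
#    by Domain/Enterprise Admins only, as the text advises.
Start-Process dsamain -ArgumentList "-dbpath `"$dit`" -ldapport 10389"
Start-Sleep -Seconds 5

# 3. Query the snapshot over plain LDAP. The ActiveDirectory module needs ADWS, which
#    dsamain does not provide, so use ADSI/DirectorySearcher against localhost:10389.
$root = [ADSI]'LDAP://localhost:10389/DC=corp,DC=example'
$srch = New-Object System.DirectoryServices.DirectorySearcher($root, '(sAMAccountName=jdoe)')
[void]$srch.PropertiesToLoad.AddRange([string[]]@('distinguishedName','memberOf','mail','title','description'))
$old = $srch.FindOne()
if (-not $old) { throw 'jdoe is not in this snapshot; mount an older one and retry' }

# 4. Record the values a tombstone does not keep (memberOf is a back-link and is never kept).
$record = [ordered]@{
    OldDN       = @($old.Properties['distinguishedname'])[0]
    MemberOf    = @($old.Properties['memberof'])
    Mail        = @($old.Properties['mail'])[0]
    Title       = @($old.Properties['title'])[0]
    Description = @($old.Properties['description'])[0]
}
$record | ConvertTo-Json | Out-File "$env:TEMP\jdoe-snapshot.json"   # keep with the change record

# 5. After jdoe has been reanimated in the live domain, reapply the recorded values.
$live = Get-ADUser -Identity jdoe
Set-ADUser -Identity $live -EmailAddress $record.Mail -Title $record.Title -Description $record.Description
foreach ($g in $record.MemberOf) { Add-ADGroupMember -Identity $g -Members $live }

# 6. Clean up: stop the read-only instance and unmount the snapshot.
Stop-Process -Name dsamain
ntdsutil snapshot "unmount $guid" quit quit
```

Comparing the JSON from two snapshots taken at different times is the "compare before you restore" use the text describes; the same DirectorySearcher works against any mounted snapshot port.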
Windows Server 2008 R2 introduced an optional feature, a recycle bin for Active Directory, to simplify the restoration of accidentally deleted objects compared to the prior native capabilities. Before the 2008 R2 Recycle Bin, administrators had the following options, though each has certain limitations.
Prior to the release of the Windows 2008 R2 Recycle Bin for Active Directory, recovering objects was possible using one of two basic methods: authoritative restore from a backup or tombstone reanimation.
Microsoft introduced the Windows Server 2008 R2 recycle bin as an optional feature to improve upon the prior recovery processes. The new recovery option extended upon the tombstone reanimation feature to include all attribute data with restored objects. The 2008 R2 Recycle Bin does not have its own graphical user interface. Administrators can use PowerShell Cmdlets or ldp.exe to perform recovery operations. The feature is not enabled by default and there must be some domain and forest level prerequisites configured prior to enabling the feature. It also changes the way object deletions work.
The Windows 2008 R2 Recycle Bin offers much better protection than any of the prior native methods for the restoration of objects. To utilize the recycle bin, organizations must upgrade both their AD and Exchange environments to the latest versions and functional levels and must have working knowledge of the AD processes and PowerShell Cmdlets. For organizations looking for a more automated, repeatable and risk-averse method for restoring both AD and GPO objects, or those companies also requiring advanced "undo" capabilities, a third-party solution such as the BeyondTrust PowerBroker Auditor offers unparalleled benefits that include the following.
The most common method is to enable the AD Recycle Bin feature supported on domain controllers based on Windows Server 2008 R2 and later. For more information on this feature including how to enable it and restore objects, see Active Directory Recycle Bin Step-by-Step Guide.
If this method isn't available to you, the following three methods can be used. In all three methods, you authoritatively restore the deleted objects, and then you restore group membership information for the deleted security principals. When you restore a deleted object, you must restore the former values of the member and memberOf attributes in the affected security principal.
Methods 1 and 2 provide a better experience for domain users and administrators. These methods preserve the additions to security groups that were made between the time of the last system state backup and the time the deletion occurred. In method 3, you don't make individual adjustments to security principals. Instead, you roll back security group memberships to their state at the time of the last backup.