Night of the Living Directory: Understanding the Windows Server 2008 R2 Active Directory Recycle Bin, Undeletion and Reanimation
Presented by Mark Minasi (www.minasi.com)
SESSION CODE: SIA306
Who's The Guy Presenting?
Working with computers since 1972
Written 32 books on OS/2, PC repair, Windows 3.1/95/98 troubleshooting, and Windows NT 3.1 through Windows Server 2008 R2 setup, support and troubleshooting; several million copies sold
Columnist for Windows IT Pro Magazine, BYTE, Compute!, AI Expert, OS/2 Professional; over a thousand articles
Speaker at many Windows conferences
Consultant and teacher on Windows
Directory Services MVP
Agenda
What the AD Recycle Bin (ADRB) can do, and what you need to use it
"Where The Dead Things Are:" life after deletion
Seeing deleted objects with LDP, PowerShell and adrestore
Pre-R2 FFL: reanimation with LDP and adrestore
How the AD Recycle Bin (ADRB) works
Enabling ADRB
Undeleting with LDP, adrestore and PowerShell
A GUI for ADRB
Recursive undeletes: undeleting OUs (and OUs inside OUs…)
What's the Deal? Who Cares About the AD Recycle Bin (ADRB)?
So we've deleted a user, a couple of users, or perhaps a whole OU full of users. We need to undelete them. There has always been the "standard" way:
Reboot the DC in Directory Services Restore Mode (DSRM)
Restore the AD database from a system state backup
Use NTDSUTIL to mark the items as "authoritatively restored"
Reboot the DC in normal mode
Problems With the Traditional Approach
That works fine, except for the "take the DC offline" part:
It can take a significant amount of time to reboot a DC in large organizations, and heck, there may be paperwork!
Why reboot any machine if it can be avoided?
Access to backups may be a dicey matter
So some sort of online AD object restore would be very attractive to many. As AD has matured, Microsoft has slowly built in better and better support for online restores, so let's talk about it.
Deletion, Through the Years
In Windows 2000, the death of an object was very nearly a final thing; undeletion was complicated, and offered no help in re-joining groups.
Things got better in 2003, with "tombstone reanimation" support, which partially undeleted accounts but left most attributes and group memberships gone, gone, gone.
With 2008 R2, you can fully undelete a deleted object, but that requires the 2008 R2 forest functional level (FFL) and enabling the Recycle Bin feature.
So, again: pre-R2 FFL, we reanimate; at R2 FFL with the feature enabled, we can undelete.
Where The Dead Things Are
Deletion, Pre-AD Recycle Bin
Deleted Stuff "Goes to Limbo"
You're used to seeing some set of folders in Active Directory Users and Computers (ADUC). But you probably know that if you click View / Advanced Features, you see more. Well, there's even more that you still can't see, including an important container named "Deleted Objects". So let's look at what your AD contains, versus what it shows you.

What ADUC shows you, in the domain DC=Bigfirm,DC=Com:
CN=Builtin,DC=Bigfirm,DC=Com
CN=Computers,DC=Bigfirm,DC=Com
OU=Domain Controllers,DC=Bigfirm,DC=Com
CN=Foreign Security Principals,DC=Bigfirm,DC=Com
CN=Managed Service Accounts,DC=Bigfirm,DC=Com
CN=Users,DC=Bigfirm,DC=Com (holding, among others, CN=Mark,CN=Users,DC=Bigfirm,DC=Com)
…plus any OUs you've created

ADUC with View / Advanced Features, ADSIEDIT or LDP shows all of the above, plus the "new stuff":
CN=LostAndFound,DC=Bigfirm,DC=Com
CN=Program Data,DC=Bigfirm,DC=Com
CN=System,DC=Bigfirm,DC=Com

LDP (an admin tool we'll meet soon), when equipped with the right "LDAP control," shows all of that, plus:
CN=Deleted Objects,DC=Bigfirm,DC=Com
When We Delete Objects, AD…
Creates and sets a new attribute, isDeleted, to TRUE
Removes most attributes (as directed by the schema: an attribute survives deletion only if its searchFlags mark it "preserve on delete," and yes, that could be changed); keeps objectClass, objectGUID, objectSID, sAMAccountName (and a few others), but almost everything else (names, attribs) is gone
Changes the distinguished name (DN) from something like cn=mark,cn=users,dc=bigfirm,dc=com to a longer "mangled" name containing the objectGUID (example coming)
Moves the object to a container called "Deleted Objects"
Calls the object a "tombstone"
For example:
Before deletion, the domain looks as it did above: CN=Mark,CN=Users,DC=Bigfirm,DC=Com sits in the Users container alongside Builtin, Computers, Domain Controllers, Foreign Security Principals, LostAndFound, Managed Service Accounts, Program Data, System, your OUs and the (normally hidden) CN=Deleted Objects,DC=Bigfirm,DC=Com.

Now, suppose someone wants to delete Mark… Let's say that Mark has an objectGUID value of 6e2971d91 (and yes, that GUID is way too small, but it's just an example).

After deletion, Mark is gone from CN=Users,DC=Bigfirm,DC=Com and has a new name in a new place:
CN=Mark\0ADEL:6e2971d91,CN=Deleted Objects,DC=Bigfirm,DC=Com
When You're Gone, No One Remembers Your (Real) Name
An account with a DN of cn=mark,cn=users,dc=bigfirm,dc=com and an objectGUID of be0fc7f6-a308-47a2-824a-99d9120774c8 would become
cn=mark\0ADEL:be0fc7f6-a308-47a2-824a-99d9120774c8,cn=Deleted Objects,dc=bigfirm,dc=com
More specifically, the new DN is built from the old RDN value (the attribute named "name" in AD), then "\0ADEL:" (the \0A is an LDAP-escaped line feed, a character no ordinary name can contain, so the mangled name can never collide with a live object), then the objectGUID, then ",cn=Deleted Objects," and the domain's DN.
Viewing Deleted Objects
Seeing Your AD's Deleted Objects
Three tools:
ldp.exe (in the Support Tools for 2003 R2 and earlier, and in-the-box for Server 2008 and 2008 R2)
The AD PowerShell cmdlets (in-the-box for 2008 R2, but they can be retrofitted to any DC with at least 2003 SP2; see my Newsletter #86 at my site www.minasi.com for the step-by-steps; it requires no new DCs but does require at least one Windows 7 workstation)
Sysinternals' adrestore.exe
Using LDP to See Deleted Objects
Start LDP.exe. It starts out with a very simple interface and, in truth, doesn't always refresh correctly, so don't be shy about double-clicking some object in the left-hand pane to get it to refresh.
LDP Initial Window
Next, click Connection / Connect, which lets you tell LDP which server you'd like to connect to. You can punch in a DC name but just clicking "OK" will do the job.
LDP After Connection
You're now connected to a particular DC, but you aren't really logged into the directory service yet, even if you're logged on as an enterprise admin. To "log onto the DS," you "bind" to the DS by clicking Connection / Bind and then probably just clicking OK. If, however, you need to proffer different credentials, choose the "Bind with credentials" option, fill in the creds and click OK.
You're Bound…
The right-hand pane may show:
0 = ldap_set_option(ld, LDAP_OPT_ENCRYPT, 1)
res = ldap_bind_s(ld, NULL, &NtAuthIdentity, NEGOTIATE (1158)); // v.3
{NtAuthIdentity: User='NULL'; Pwd=<unavailable>; domain = 'NULL'}
Authenticated as: 'BIGFIRM\Administrator'.
But that's what good news looks like, believe it or not. It basically says, "we're happy with how he/she's already logged on." Next, click Options / Controls.
Removing the Veil
We're about to ask LDP to show us my domain bigfirm.com, but by default LDP spares us the macabre view of The Dead Things. We are, however, made of tougher stuff than that, so we'll tell it that we can handle the truth: click the drop-down labeled "Load Predefined" and choose "Return deleted objects," as you see in the lower right-hand part of the dialog at left. Then click "OK" to return to LDP. Just be sure that the "Active Controls" field contains 1.2.840.113556.1.4.417 (that's LDAP_SERVER_SHOW_DELETED_OID; without it, every search silently filters out tombstones).
Now Let's Look at BIGFIRM
From LDP, click View / Tree. Fill in your domain's LDAP name, as seen here, and click OK. In the left-hand pane, the domain appears with a plus next to it; click to open.
LDP Domain View
Click on "Deleted Objects," and, well, nothing happens. There's another LDP quirk: any time you want to examine something in the left-hand pane, double-click it and it'll appear in the right-hand pane. If I do that and then double-click a deleted user "mark," it looks like this:
Deletion, Up Close
We Could Undelete, But Not Yet…
We could "undelete" the account from LDP even with Server 2003, and I'll show you how in a moment. But let's leave that for a moment and see how to view deleted objects in a different way, using the R2 PowerShell AD cmdlets. Start up PowerShell on an equipped system from an elevated command prompt with two commands, powershell and import-module activedirectory.
PowerShell Startup
Seeing Deleted Objects in PoSH
The basic PowerShell command to see deleted stuff looks like:
get-adobject -filter * -includedeletedobjects
And you can shorten it to:
get-adobject -f * -inc
But that will show you every item in the whole AD, deleted or not; this shows just the deleted stuff:
get-adobject -inc -filter {isDeleted -eq $true}
(With -Filter, a search that matches nothing simply returns nothing; only an -Identity lookup of a missing object complains.)
Seeing Deleted Objects in PoSH
Another way to see just the deletes:
get-adobject -inc -f * -searchbase "cn=Deleted Objects,dc=bigfirm,dc=com"
Or use just the -filter and match the sAMAccountName (which is, recall, one of the few things not wiped out by the deletion):
get-adobject -f {samaccountname -eq "mark"} -inc
Yet another:
get-adobject -inc -f {name -like "*DEL:*"}
And another:
get-adobject -inc -f {isDeleted -eq $true}
(You probably would not want to see all of the dead things in a real domain.)
get-adobject –inc Example
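As an added example (not from the original deck), here is a small PowerShell function that pulls the tombstones out of the Deleted Objects container and reports the handful of attributes AD keeps on them, as listed under "When We Delete Objects, AD…" above. It uses only the AD module cmdlets shown on this page; the function name and the report fields are my own. isRecycled and msDS-LastKnownRDN exist only once the forest is at 2008 R2 FFL with the Recycle Bin enabled and simply come back empty before that.

```powershell
Import-Module ActiveDirectory

# Attributes AD preserves on a tombstone ("preserve on delete" in the schema), plus
# the bookkeeping attributes a restore depends on. isRecycled and msDS-LastKnownRDN
# are only populated once the Recycle Bin is enabled; before that they read empty.
$TombstoneAttributes = @(
    'objectClass', 'objectGUID', 'objectSid', 'sAMAccountName', 'userAccountControl',
    'isDeleted', 'isRecycled', 'lastKnownParent', 'msDS-LastKnownRDN', 'whenChanged'
)

function Get-DeletedObjectReport {
    param(
        # AD PowerShell filter syntax, as used with Get-ADObject -Filter.
        [string]$Filter = 'isDeleted -eq $true',
        # Every tombstone is a direct child of Deleted Objects, so a real domain
        # can hold thousands; cap the result set.
        [int]$Limit = 500,
        [string]$Server
    )
    $domainArgs = @{}
    if ($Server) { $domainArgs['Server'] = $Server }
    $deletedContainer = (Get-ADDomain @domainArgs).DeletedObjectsContainer

    Get-ADObject @domainArgs -SearchBase $deletedContainer -SearchScope OneLevel `
        -Filter $Filter -IncludeDeletedObjects -Properties $TombstoneAttributes `
        -ResultSetSize $Limit |
    ForEach-Object {
        # The mangled "name" is "<old RDN><LF>DEL:<objectGUID>"; the \0A you see in the
        # DN is that line feed, LDAP-escaped. Recover the original RDN from it when the
        # Recycle Bin has not recorded it in msDS-LastKnownRDN.
        $oldName = $_.'msDS-LastKnownRDN'
        if (-not $oldName) { $oldName = ($_.Name -split "`n")[0] }

        # userAccountControl survives deletion; bit 0x2 is ACCOUNTDISABLE. Reanimated
        # accounts come back disabled, which is worth knowing before you restore.
        $disabled = $null
        if ($_.userAccountControl -ne $null) { $disabled = [bool]($_.userAccountControl -band 2) }

        New-Object PSObject -Property @{
            OriginalName   = $oldName
            Class          = $_.ObjectClass
            SamAccountName = $_.sAMAccountName
            Sid            = $_.objectSid
            Guid           = $_.objectGUID
            WasIn          = $_.lastKnownParent
            DeletedAround  = $_.whenChanged        # last write to the object = the deletion
            Disabled       = $disabled
            # Deleted objects can be restored; recycled ones are past the point of no return.
            Restorable     = ($_.isRecycled -ne $true)
            DeletedDN      = $_.DistinguishedName
        }
    }
}

# Usage: every tombstone, then just the ones whose sAMAccountName survived as "mark".
# Get-DeletedObjectReport | Format-Table OriginalName, Class, WasIn, DeletedAround, Restorable -AutoSize
# Get-DeletedObjectReport -Filter 'sAMAccountName -eq "mark"'
```

The report is also a useful forensic view: whenChanged on a tombstone is the moment of deletion, and lastKnownParent tells you where the object lived, so a sudden batch of tombstones with the same timestamp and parent is easy to spot.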
The Third Way
The Sysinternals guys have a nice command-line tool called "adrestore.exe". I'll show it to you later, but wanted to mention it now before moving to the next topic. In pre-ADRB worlds, it's great for simple reanimations, as we'll see.
Tombstone Timeout
How long before it's gone forever?
And Once Tombstoned…
AD doesn't physically delete the tombstone immediately; in fact, Wally's tombstone stays around for the "tombstone lifetime" (60 or 180 days by default, see below) before AD scrubs it out of the database.
That's because AD can't safely delete Wally's record until every DC knows that Wally's gone, that is, until every DC contains a tombstone for Wally.
Reason: once DC1 gets a tombstone for Wally, it knows that Wally is no longer around, and blocks various conditions which might cause Wally to re-appear because DC6 (which doesn't know that Wally's gone) tries to send out Wally-relevant updates to DC1.
Eventually, AD Deletes Tombstones
In the perfect world, AD would physically delete Wally's tombstone as soon as every DC knows that every other DC has a Wally tombstone. But in a practical sense, that's not easy to do, as not every DC is running and connected to other DCs at every moment. So Microsoft's compromise was to cause AD to delete a tombstone after it has existed for some fixed period of time. That was 60 days for forests created with 2000 or 2003 RTM, and 180 days for forests created with 2003 SP1 or later (raising an older forest's functional level does not change the value it already has).
Seeing Your Tombstone Period
From a PowerShell prompt, type:
(get-adobject "cn=Directory Service,cn=Windows NT,cn=Services,cn=Configuration,dc=bigfirm,dc=com" -properties "tombstonelifetime").tombstonelifetime
The value returned is (surprisingly) in days. If it comes back empty, the attribute has never been set and the old 60-day default is in force. The tombstone lifetime is also the maximum useful age of a system state backup, and the longest a DC may stay disconnected without risking lingering objects when it reconnects.
The Final Delete: Garbage Collection
Once a given DC notices that its local copy of the AD database contains one or more tombstones that are expired, it's safe to physically delete them. AD checks for and deletes expired tombstones twice a day during its "garbage collection" pass (the interval is the garbageCollPeriod attribute on the same Directory Service object, in hours; 12 by default). So be careful when you reboot your DCs, as you don't want them doing garbage collection first thing in the morning while everyone's trying to log on!
Reanimating Tombstones
bringin' them back to life… both before and after ADRB
Getting Deleted Objects Back
You can't undelete things right out of the box with 2008 R2, as you'll see soon; it's not even possible until you're at 2008 R2 forest functional level. So let's talk for a moment about restoring deleted objects before the AD Recycle Bin (ADRB) is functional. That uses a 2003 feature called "tombstone reanimation." (And the main value is that we'll use the same procedures to undelete once ADRB gets enabled!)
Tombstone Reanimation Overview
Just restores the account; almost everything else (group memberships, office info, names, etc.) must be repopulated. Not fun at all, but it's the only online recovery option even with 08 R2 pre-ADRB; again, once you've got ADRB, this isn't a problem. KB 840001 covers the details.
Reanimating a Tombstone with LDP
Start LDP, connect, bind, enable the control as before:
Start LDP
Connection / Connect / fill in DC name / OK
Connection / Bind / OK (or enter credentials)
Options / Controls: enter "1.2.840.113556.1.4.417" in "Object Identifier," OK
Reanimating a Tombstone: LDP
Open Deleted Objects as before:
View / Tree
Enter the domain name, like dc=bigfirm,dc=com, OK (or use the drop-down, which is pre-populated with useful distinguished names)
Open the Deleted Objects container: in the left-hand pane, click the domain name, then click the "plus" sign next to it, then double-click the "Deleted Objects" container and it'll show the deleted objects
Right-click on the item to undelete, choose Modify
LDP Reanimate Strategy
We've got to do two things to make AD reanimate this tombstone (or completely undelete it, in ADRB):
Completely delete the isDeleted attribute
Fix the distinguished name from the "\0ADEL:" mess to some value that no longer leaves it in Deleted Objects
And we've got to do them both in the same LDAP modify request, which we can do with LDP.
Things to Modify in LDP
Reanimating with LDP (1)
In the Modify dialog box, create the "delete isDeleted" command:
• Type "isDeleted" in the "Attribute:" field inside the "Edit Entry" group
• Click the "Delete" radio button in the "Operation" group
• Click Enter to queue it
• Check the "Extended" check box so that LDP knows to send the "let me see deleted stuff" control along with the modify
Reanimating with LDP
Now the first command's in the queue; time for the second:
• In "Edit Entry," change "Attribute:" to "distinguishedName"
• Enter a new DN in "Values:" (for example, cn=mark,cn=users,dc=bigfirm,dc=com; the parent container must exist)
• In "Operation," click "Replace," as we're not wiping out the DN, we're replacing it
• Click Enter to get it queued in the "Entry List" field
Reanimating with LDP
With both commands queued in "Entry List," double-check that you remembered to check "Extended" and then click Run… and your account's returned! (but disabled)
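The two LDP steps above are a single LDAP modify request carrying the show-deleted control. As an added example (not part of the deck, and not a Microsoft tool), here is the same operation done from PowerShell with the .NET System.DirectoryServices.Protocols classes, so it can be scripted and aimed at a chosen DC. The function name and its parameters are my own; it assumes you already know the mangled DN (from LDP or from the Get-ADObject searches above) and that the parent container in the new DN exists. Pre-ADRB it reanimates; with ADRB enabled the identical request performs a full undelete.

```powershell
Add-Type -AssemblyName System.DirectoryServices.Protocols

function Restore-TombstoneByLdap {
    param(
        [Parameter(Mandatory=$true)][string]$Server,     # DC to send the modify to, e.g. "dc1.bigfirm.com"
        [Parameter(Mandatory=$true)][string]$DeletedDN,  # "CN=mark\0ADEL:<guid>,CN=Deleted Objects,DC=bigfirm,DC=com"
        [Parameter(Mandatory=$true)][string]$NewDN       # "CN=mark,CN=Users,DC=bigfirm,DC=com"
    )
    $ns = 'System.DirectoryServices.Protocols'

    # Connect and bind as the current user, as LDP's Connection / Bind / OK does.
    # Signing and sealing give the same protection as LDP's LDAP_OPT_ENCRYPT.
    $conn = New-Object "$ns.LdapConnection" $Server
    $conn.SessionOptions.ProtocolVersion = 3
    $conn.SessionOptions.Signing = $true
    $conn.SessionOptions.Sealing = $true
    $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Negotiate
    $conn.Bind()

    # Change 1: delete the isDeleted attribute outright (LDP: Operation = Delete).
    $dropIsDeleted = New-Object "$ns.DirectoryAttributeModification"
    $dropIsDeleted.Name = 'isDeleted'
    $dropIsDeleted.Operation = [System.DirectoryServices.Protocols.DirectoryAttributeOperation]::Delete

    # Change 2: replace distinguishedName with where it should live (LDP: Operation = Replace).
    $setDN = New-Object "$ns.DirectoryAttributeModification"
    $setDN.Name = 'distinguishedName'
    $setDN.Operation = [System.DirectoryServices.Protocols.DirectoryAttributeOperation]::Replace
    [void]$setDN.Add($NewDN)

    # Both changes travel in ONE modify request, exactly like LDP's queued Entry List.
    $request = New-Object "$ns.ModifyRequest"
    $request.DistinguishedName = $DeletedDN
    [void]$request.Modifications.Add($dropIsDeleted)
    [void]$request.Modifications.Add($setDN)

    # LDP's "Extended" check box: attach LDAP_SERVER_SHOW_DELETED_OID (1.2.840.113556.1.4.417)
    # so the server lets us address an object that sits inside Deleted Objects.
    [void]$request.Controls.Add((New-Object "$ns.ShowDeletedControl"))

    try {
        $response = $conn.SendRequest($request)
        $response.ResultCode    # "Success" when it worked; remember the account comes back disabled
    }
    catch {
        # Typical causes: no such object (wrong or already garbage-collected DN), insufficient
        # rights (the "Reanimate Tombstones" right on the naming context), or a new parent
        # container that does not exist.
        throw ("Undelete of '{0}' failed: {1}" -f $DeletedDN, $_.Exception.Message)
    }
    finally {
        $conn.Dispose()
    }
}

# Usage (the DNs are the placeholders from the slides, not real objects):
# Restore-TombstoneByLdap -Server dc1.bigfirm.com `
#     -DeletedDN 'CN=mark\0ADEL:be0fc7f6-a308-47a2-824a-99d9120774c8,CN=Deleted Objects,DC=bigfirm,DC=com' `
#     -NewDN 'CN=mark,CN=Users,DC=bigfirm,DC=com'
```

Because this is the raw operation rather than a cmdlet, it works against a 2003 or 2008 DC with no PowerShell AD module at all, which is the situation the pre-ADRB slides describe.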
Reanimating With Adrestore
Find it at www.sysinternals.com; it's a CLI tool. Usage looks like:
adrestore [searchstring] [-r]
Run adrestore and it shows all deleted objects.
Run adrestore -r and it shows all deleted objects and asks if it can reanimate them.
Run adrestore mark -r and it will show just the deleted objects whose name contains "mark" and ask if it can reanimate them.
So It's Undeleted, But…
Again, the account is back, meaning that its SID hasn't changed (and so you needn't muck with permissions on resources), but it's forgotten most of its attributes, group memberships and everything else.
Again, the account is disabled.
So it's time to repopulate those fields, which isn't much fun… and that's why Microsoft built ADRB.
AD Recycle Bin Requirements and Setup
How R2's AD Recycle Bin Works
First, enable the ADRB feature.
Then, delete an AD object and it enters the "deleted state." You now have 180 days (by default) to undelete it, much as we did with reanimation, except that this time its attributes and group memberships come back too.
Then it enters the "recycled state," which is much like the old tombstone phase: it cannot be brought back to life, even with reanimation, and it lasts 180 days by default.
After that, it's scavenged and actually wiped from the AD database during garbage collection.
You can change either of the "180 day" periods: the deleted state is governed by msDS-deletedObjectLifetime and the recycled state by tombstoneLifetime, both on the Directory Service object we read earlier. If msDS-deletedObjectLifetime is not set, it takes the tombstoneLifetime value.
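As an added example (not from the deck), here is a PowerShell reading of all three knobs mentioned here and under "Seeing Your Tombstone Period": tombstoneLifetime, msDS-deletedObjectLifetime and garbageCollPeriod, applying the defaults that hold when an attribute has never been set, plus a setter for the two lifetimes. The function names are mine; it finds the Directory Service object through the RootDSE rather than hard-coding the bigfirm.com path.

```powershell
Import-Module ActiveDirectory

function Get-DirectoryServiceObjectDN {
    # CN=Directory Service,CN=Windows NT,CN=Services,<configuration NC>, located via RootDSE
    # so the same code works in any forest.
    $configNC = (Get-ADRootDSE).configurationNamingContext
    "CN=Directory Service,CN=Windows NT,CN=Services,$configNC"
}

function Get-ADDeletionLifetimes {
    $ds = Get-ADObject -Identity (Get-DirectoryServiceObjectDN) `
        -Properties tombstoneLifetime, 'msDS-DeletedObjectLifetime', garbageCollPeriod

    # Unset tombstoneLifetime means the forest predates 2003 SP1: 60 days applies.
    $tombstoneDays = 60
    if ($ds.tombstoneLifetime) { $tombstoneDays = $ds.tombstoneLifetime }

    # Unset msDS-DeletedObjectLifetime means "same as tombstoneLifetime" (180/180 on a new R2 forest).
    $deletedDays = $tombstoneDays
    if ($ds.'msDS-DeletedObjectLifetime') { $deletedDays = $ds.'msDS-DeletedObjectLifetime' }

    # garbageCollPeriod is in hours; unset means 12, i.e. twice a day.
    $gcHours = 12
    if ($ds.garbageCollPeriod) { $gcHours = $ds.garbageCollPeriod }

    New-Object PSObject -Property @{
        DeletedObjectLifetimeDays = $deletedDays     # window in which Restore-ADObject works
        TombstoneLifetimeDays     = $tombstoneDays   # recycled state; also the max useful backup age
        GarbageCollectionHours    = $gcHours
        TotalDaysInDatabase       = $deletedDays + $tombstoneDays
        TombstoneLifetimeIsSet    = [bool]$ds.tombstoneLifetime
    }
}

function Set-ADDeletionLifetimes {
    param(
        [Parameter(Mandatory=$true)][ValidateRange(2, 36500)][int]$TombstoneLifetimeDays,
        [Parameter(Mandatory=$true)][ValidateRange(2, 36500)][int]$DeletedObjectLifetimeDays
    )
    # Caution: lowering tombstoneLifetime makes every tombstone older than the new value
    # eligible for garbage collection at the next pass, and a DC that has been offline longer
    # than this can bring lingering objects back. Raise it freely; lower it deliberately.
    Set-ADObject -Identity (Get-DirectoryServiceObjectDN) -Replace @{
        tombstoneLifetime            = $TombstoneLifetimeDays
        'msDS-DeletedObjectLifetime' = $DeletedObjectLifetimeDays
    }
}

# Usage:
# Get-ADDeletionLifetimes
# Set-ADDeletionLifetimes -TombstoneLifetimeDays 365 -DeletedObjectLifetimeDays 365
```

Reading the values before enabling the Recycle Bin is worthwhile: an upgraded forest with an unset tombstoneLifetime gets a 60-day undelete window, not the 180 days the slides assume.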
AD Recycle Bin Requirements
2008 R2 Forest Functional Level (not just DFL)
2008 R2 FFL's not enough on its own, though: you've got to enable the feature, and once you do, you can only undelete things deleted after you've enabled it (tombstones that already exist go straight to the recycled state). Enabling is also a one-way door; the feature cannot be turned off afterwards.
Incomprehensibly, the way to turn on ADRB is a long ugly PowerShell string rather than a check box in some GUI.
Getting To 2008 R2 FFL
There's the usual stuff, of course (every DC in the forest must run 2008 R2 and every domain must already be at 2008 R2 DFL). But if you're using PowerShell, you needn't GUI around to raise the FFL:
get-adforest | set-adforestmode -forestmode windows2008R2Forest -confirm:$false
or
set-adforestmode -identity netbiosname -forestmode windows2008R2Forest -confirm:$false
Enabling AD Recycle Bin
The command looks like this:
Enable-ADOptionalFeature -Identity "CN=Recycle Bin Feature,CN=Optional Features,CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=bigfirm,DC=com" -Scope ForestOrConfigurationSet -Target "bigfirm.com" -confirm:$false
Change DC=bigfirm,DC=com and bigfirm.com to match your forest's name; you need only run the above command once.
Enabling AD Recycle Bin
If That Seems Ugly…
We're going to meet a GUI for it soon. Or Bing "Restoring object from the Active Directory Recycle Bin using AD Powershell" for an interesting other approach with a string of PowerShell commands.
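As an added example (my own wrapper, not a Microsoft script), here is the enable command surrounded by the checks a practitioner wants first: is the forest really at 2008 R2 FFL, is the feature perhaps already enabled, and an explicit confirmation because there is no way back. The function name is mine; it discovers the forest name and the feature object instead of hard-coding bigfirm.com.

```powershell
Import-Module ActiveDirectory

function Enable-ADRecycleBinChecked {
    [CmdletBinding(SupportsShouldProcess=$true, ConfirmImpact='High')]
    param()

    $forest = Get-ADForest

    # 1. The feature needs Windows Server 2008 R2 forest functional level.
    $required = [Microsoft.ActiveDirectory.Management.ADForestMode]::Windows2008R2Forest
    if ($forest.ForestMode -lt $required) {
        throw ("Forest '{0}' is at {1}; raise it to {2} first (every DC must run 2008 R2 and every domain must be at 2008 R2 DFL)." -f
               $forest.Name, $forest.ForestMode, $required)
    }

    # 2. Already on? EnabledScopes lists the partitions the feature is enabled for.
    $feature = Get-ADOptionalFeature -Filter 'Name -eq "Recycle Bin Feature"'
    if ($feature.EnabledScopes.Count -gt 0) {
        Write-Host ("Recycle Bin already enabled in forest '{0}' (scopes: {1})." -f $forest.Name, ($feature.EnabledScopes -join '; '))
        return $feature
    }

    # 3. Enable it, once, forest-wide. This cannot be undone, and only objects deleted from
    #    this moment on are restorable; existing tombstones become recycled objects.
    if ($PSCmdlet.ShouldProcess($forest.Name, 'Enable Active Directory Recycle Bin (irreversible)')) {
        Enable-ADOptionalFeature -Identity $feature -Scope ForestOrConfigurationSet -Target $forest.Name -Confirm:$false
        Get-ADOptionalFeature -Filter 'Name -eq "Recycle Bin Feature"'
    }
}

# Usage: dry run first, then for real (you will be prompted because ConfirmImpact is High).
# Enable-ADRecycleBinChecked -WhatIf
# Enable-ADRecycleBinChecked
```

Run it as a member of Enterprise Admins; the returned feature object's EnabledScopes should now list the forest's configuration partition.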
Undeleting With Tools We've Seen
At this point, you already know two ways to undelete an AD object, now that you've got the AD Recycle Bin enabled:
LDP
Adrestore
Both work exactly the same under ADRB as they did when reanimating (it's the same LDAP modify), but you get the benefit of the restored groups, attributes etc. that AD Recycle Bin offers. For extended automation power, though, it's worth learning the PowerShell AD undelete command.
Undeleting AD Objects with PoSH
The new PowerShell cmdlet for this is Restore-ADObject. If you know the object's current distinguished name or its objectGUID, you can just plug that right in, as in:
restore-adobject dbc3a389-2ce8-4ae7-a377-fde26203efcb
or
restore-adobject "CN=mark\0ADEL:9b16ae67-6a84-4687-ba6c-eddeb69e9dcd,CN=Deleted Objects,DC=bigfirm,DC=com"
Wait, don't run away, there's a better way!
Using restore-adobject
Best bet is to use the get-adobject command with the -inc option and a filter of some kind, then pipe that into restore-adobject, like:
get-adobject -f {samaccountname -eq "mark"} -inc | restore-adobject
To use wild cards in get-adobject, replace "-eq" with "-like," as in this:
get-adobject -inc -f {samaccountname -like "mar*"} | restore-adobject
But always double-check…
Testing It
It's always a good idea to just run the get-adobject -inc -filter command first, look at the output and then tack the restore-adobject command on. You can also add "-whatif" to the restore-adobject command to just see what it would have done, without changing anything.
Examples
Going Further
-NewName lets you give the undeleted object a new name (its RDN value), handy when something with the old name has been created since the deletion
-TargetPath lets you specify a new container for the undeleted object, instead of its lastKnownParent
-Partition lets you specify a partition besides the default, which is either the domain itself or the domain of whatever you specified when you gave the command an objectGUID or a DN
-PassThru causes the cmdlet to return the undeleted object when done, putting the newly-undeleted object in the pipeline
Container "Gotcha"
Suppose you have deleted an OU inside an OU inside an OU, with a user Jane in it. You try to undelete Jane, but she lived in an OU that's still deleted… what happens?
restore-adobject fails (it puts objects back under lastKnownParent, and that parent is itself still in Deleted Objects)
Workaround: use -TargetPath to give her a place to go, or restore the OUs first, outermost first, and then Jane
The bad news is that there is no "-recurse" switch for restore-adobject
Partial Answer
Inasmuch as we have lastKnownParent, we could at least say to only restore the dead things from OU such-and-such. Basically we're saying, "get all AD things that are dead and whose parent container was a given OU":
get-adobject -inc -f {(isDeleted -eq $true) -and (LastKnownParent -eq "OU=TPs,dc=Bigfirm,dc=Com")}
(This works as written when the OU itself is still alive. lastKnownParent is a DN-syntax attribute, so if the OU was deleted too, the children's lastKnownParent reads as the OU's mangled "\0ADEL:" name in Deleted Objects, and follows the OU back when the OU is restored; that is why parents have to be restored before their children.)
Microsoft Workaround
Search "Active Directory Recycle Bin Step-By-Step," Appendix B. It's at http://technet.microsoft.com/en-us/library/dd379504(WS.10).aspx and presents a PowerShell script that does recursive restores. The PowerGUI tool attempts to do it as well. adrestore can't handle it, unfortunately.
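As an added example, here is a recursive undelete built from the pieces in the last few slides: Get-ADObject -IncludeDeletedObjects, lastKnownParent, Restore-ADObject and -WhatIf. It is my own code, not the Microsoft Appendix B script or PowerGUI's, and its function names are mine. It restores parents before children, which is what makes the "Jane inside a deleted OU" case succeed, and it skips objects that have already moved to the recycled state. The OU name "TPs" in the usage lines is the placeholder from the slides.

```powershell
Import-Module ActiveDirectory

function Get-DeletedChildren {
    # Tombstones whose lastKnownParent is $ParentDN. Every tombstone is a direct child of
    # Deleted Objects, so search that container and match lastKnownParent. The match is done
    # client-side because a "\0ADEL:" DN needs LDAP escaping before it is safe inside a server-side
    # filter; on a domain with many thousands of tombstones, move the test into -Filter instead.
    param([Parameter(Mandatory=$true)][string]$ParentDN)
    Get-ADObject -SearchBase (Get-ADDomain).DeletedObjectsContainer -SearchScope OneLevel `
        -Filter 'isDeleted -eq $true' -IncludeDeletedObjects `
        -Properties lastKnownParent, isRecycled |
        Where-Object { $_.lastKnownParent -eq $ParentDN }
}

function Restore-ADDeletedTree {
    [CmdletBinding(SupportsShouldProcess=$true)]
    param(
        # A deleted object from Get-ADObject -IncludeDeletedObjects, fetched with isRecycled
        # and lastKnownParent in -Properties.
        [Parameter(Mandatory=$true, ValueFromPipeline=$true)]
        [Microsoft.ActiveDirectory.Management.ADObject]$DeletedObject
    )
    process {
        if ($DeletedObject.isRecycled -eq $true) {
            Write-Warning "Skipping $($DeletedObject.DistinguishedName): already recycled, cannot be restored."
            return
        }

        # Find the children first, while the parent still carries its "\0ADEL:" name; the
        # children's lastKnownParent refers to that name until the parent comes back.
        $children = @(Get-DeletedChildren -ParentDN $DeletedObject.DistinguishedName)

        # Parent first: Restore-ADObject puts an object back under lastKnownParent and fails
        # while that parent is itself still in Deleted Objects.
        Restore-ADObject -Identity $DeletedObject.ObjectGUID

        # Then everything that lived inside it, recursing into nested OUs. -WhatIf on the
        # outer call flows down through $WhatIfPreference, so a dry run shows the whole tree.
        foreach ($child in $children) {
            Restore-ADDeletedTree -DeletedObject $child
        }
    }
}

function Find-DeletedByName {
    # Locate deleted objects by the RDN they had in life (msDS-LastKnownRDN is recorded once
    # the Recycle Bin is enabled). Several objects can share a name, so inspect lastKnownParent
    # and pick the right one before restoring.
    param([Parameter(Mandatory=$true)][string]$Name)
    Get-ADObject -SearchBase (Get-ADDomain).DeletedObjectsContainer -SearchScope OneLevel `
        -Filter "msDS-LastKnownRDN -eq '$Name'" -IncludeDeletedObjects `
        -Properties lastKnownParent, isRecycled, 'msDS-LastKnownRDN', whenChanged
}

# Usage: look, dry-run, then restore the deleted OU "TPs" and everything that was in it.
# Find-DeletedByName -Name 'TPs' | Format-List Name, lastKnownParent, whenChanged, isRecycled
# Find-DeletedByName -Name 'TPs' | Restore-ADDeletedTree -WhatIf
# Find-DeletedByName -Name 'TPs' | Restore-ADDeletedTree
#
# Just Jane, somewhere else, while her old OU stays deleted:
# Find-DeletedByName -Name 'Jane' | Restore-ADObject -TargetPath 'CN=Users,DC=bigfirm,DC=com'
```

The -WhatIf pass is worth the extra minute: it lists every object the tree restore would touch, in restore order, before anything in the directory changes.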
Permanent Object Deletion
Recall that objects in the recycled state (i.e., more than 180 days past deletion, by default) cannot be restored. This lets us add a new capability: immediate permanent object deletion. Delete, then delete it again from the Deleted Objects container, which moves it straight to the recycled state:
Get-ADObject -f {<whatever>} -IncludeDeletedObjects | Remove-ADObject
Of course, it's not truly irrevocable and permanent; if you have a system state backup, then the original object undelete methods (offline authoritative restore) will work fine.
No Vampires Here!
A GUI for ADRB
PowerGUI, free from PowerShell MVPs at www.powergui.org
Install PowerGUI
Add the ADRB PowerPack from http://www.powergui.org/entry.jspa?externalID=2461&categoryID=46
Start up the PowerGUI console
PowerGUI Opening screen
Click File / PowerPack Management…
Install Module
Click Import…, navigate to the ADRB PowerPack
Click OK
Click Close
PowerGUI AD Recycle Bin UI
Thank You!
I hope this was useful and that you'll try out some reanimation and/or undeletion. You can reach me through www.minasi.com; audio learning tools, free newsletters and an expert forum are there too. Don't forget the evaluations, please. Enjoy the rest of the show!
© 2010 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to
be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
JUNE 7-10, 2010 | NEW ORLEANS, LA