

ADDS Backup and Restoration

Read the following articles and follow the screenshots carefully before restoring.

Technet - Performing an Authoritative Restore of Active Directory Objects

AskDS - Best practices around Active Directory Authoritative Restores in Windows Server 2003 and 2008 

Backup

Install WBADMIN from Features and take the backup using WBADMIN.


Click Add Items


Select System state

Restoration

(Here a non-authoritative restore needs to be done in DSRM mode.)

DSRM : bcdedit /set safeboot dsrepair

Normal : bcdedit /deletevalue safeboot

a) Get the backup version using "wbadmin get versions" (if there are multiple backups in the same location).

b) Restore the backup using "wbadmin start systemstaterecovery".

Press Y to reboot, then perform an authoritative restore of a user account in DSRM mode.


Press Enter!


Click Yes!

NTDSUTIL
Activate Instance "NTDS"
authoritative restore
restore object <"DN">

AD DS Backup and Restoration

Known Issues for AD DS Backup and Recovery

http://technet.microsoft.com/en-us/library/cc771139%28v=ws.10%29.aspx

AD DS Backup and Recovery Step-by-Step Guide


http://technet.microsoft.com/en-us/library/cc771290%28v=ws.10%29.aspx

Windows Server 2012: Planning for Active Directory Forest Recovery

http://www.microsoft.com/en-us/download/details.aspx?id=16506

PowerShell

How to check whether the Active Directory Recycle Bin is enabled

Get-ADOptionalFeature -F 'name -like "Recycle Bin Feature"' | Select-Object EnabledScopes

If the output of the above command is empty, the Active Directory Recycle Bin is disabled.

How to restore Active Directory objects

See the Tombstone
Get-ADObject -Filter {LastKnownparent -eq "OU=ADFS,DC=Contoso,DC=COM"} -IncludeDeletedObjects

 

Restore the Object
Get-ADObject -Filter {LastKnownparent -eq "OU=ADFS,DC=Contoso,DC=COM"} -IncludeDeletedObjects | Restore-ADObject -NewName bshwjt

See the deleted objects in the Active Directory Recycle Bin

## Prerequisites: 1) Windows 2008 R2 DFL 2) Active Directory Recycle Bin

Get-ADObject -SearchBase "CN=Deleted Objects,DC=Contoso,DC=Com" -LDAPFilter "(objectClass=*)" -IncludeDeletedObjects | FL *

_______________________________________________________________________________________________________________

Attributes Backup

How to manage AD restoration in our environment without downtime on any DC.

**Best Practice:**

1.   Take a valid group membership backup on a daily basis (with a script).

2.   Take a backup of all attributes daily (with a script).

3.   Use ADRESTORE.NET (a free Sysinternals tool) to restore the deleted object.

Download ADRESTORE.NET

http://technet.microsoft.com/en-us/sysinternals/bb963906

Restore the group membership from the backup and compare the attribute values.

Schedule the backup during off-business hours.
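
One way to script the daily group membership backup and the post-restore comparison described above (added example, not part of the original article; the function names, CSV file names and sample DNs are assumptions):

```powershell
# Added example: function names, file names and sample DNs are assumptions.

function Get-GroupMembershipSnapshot {
    # One row per (group, member) pair. Needs the ActiveDirectory module.
    Get-ADGroup -Filter * -Properties member | ForEach-Object {
        $groupDN = $_.DistinguishedName
        foreach ($memberDN in $_.member) {
            [pscustomobject]@{ GroupDN = $groupDN; MemberDN = $memberDN }
        }
    }
}

function Compare-GroupMembership {
    # Returns rows that are in the backup but not in the current state, i.e.
    # the memberships that still have to be put back after a restore.
    param([object[]]$Backup = @(), [object[]]$Current = @())
    $have = [System.Collections.Generic.HashSet[string]]::new([System.StringComparer]::OrdinalIgnoreCase)
    foreach ($row in $Current) {
        [void]$have.Add("$($row.GroupDN)`t$($row.MemberDN)")
    }
    $Backup | Where-Object { -not $have.Contains("$($_.GroupDN)`t$($_.MemberDN)") }
}

# Daily backup job (run from a scheduled task):
#   Get-GroupMembershipSnapshot |
#       Export-Csv ".\GroupMembership_$(Get-Date -Format yyyyMMdd).csv" -NoTypeInformation
# After a restore, list what is missing and preview the re-adds:
#   $missing = Compare-GroupMembership -Backup (Import-Csv .\GroupMembership_backup.csv) `
#                                      -Current (Get-GroupMembershipSnapshot)
#   $missing | ForEach-Object {
#       Add-ADGroupMember -Identity $_.GroupDN -Members $_.MemberDN -WhatIf }

# Constructed sample data, so the comparison runs without a domain controller.
$ou = 'OU=ADFS,DC=Contoso,DC=COM'
$backup = @(
    [pscustomobject]@{ GroupDN = "CN=Group A,$ou"; MemberDN = "CN=User One,$ou" }
    [pscustomobject]@{ GroupDN = "CN=Group A,$ou"; MemberDN = "CN=User Two,$ou" }
    [pscustomobject]@{ GroupDN = "CN=Group B,$ou"; MemberDN = "CN=User Two,$ou" }
)
# Constructed state after "User Two" was deleted and restored without its memberships.
$current = @(
    [pscustomobject]@{ GroupDN = "CN=Group A,$ou"; MemberDN = "CN=user one,$ou" }
)
Compare-GroupMembership -Backup $backup -Current $current | Format-Table -AutoSize
```

If the object was restored under a different name (as with -NewName earlier on this page), its old DN in the backup no longer resolves, so substitute the restored DN before re-adding.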

____________________________________

Dsquery for a backup of all users and all attributes - Domain

Dsquery * -limit 0 -filter "(&(objectClass=User)(objectCategory=Person))" -attr * >> Domain_all_users_attrs.txt

How to export the deleted objects using LDIFDE

  Ldifde -x -d "CN=Deleted Objects,DC=Contoso,DC=com" -f Del_obj.ldf && notepad Del_obj.ldf

Also see some proactive steps using PowerShell

Active Directory Objects Restoration

________________________________________________________________________________________

Note: Disclaimer: This posting is provided with no warranties or guarantees and confers no rights.