Tips and Tricks

Active Directory Single Object Restore

When you accidentally delete an Active Directory object, can you bring it back without performing an authoritative restore of the entire directory? This tip covers a little-known capability built right into AD that you’ll want to know about.

It’s unfortunate, in a way, that Microsoft didn’t build a Recycle Bin into Active Directory Users and Computers. (Windows Server 2008 R2 later added an optional Active Directory Recycle Bin at the forest level, but it only protects objects deleted after it is enabled, so the technique below still matters on older forests.) Actually, if it had, it would probably constitute a security risk we could all live without. Still, it would be convenient for those times when you accidentally delete an AD object, such as a user account.

Keep in mind how an AD object deletion works: the domain controller (DC) on which you deleted the object doesn’t actually remove it. Instead, it tombstones it, effectively putting a big red “X” on it: most attributes are stripped, isDeleted is set, and the object is moved to the hidden Deleted Objects container. That tombstone replicates throughout the domain until every DC has the object marked as deleted. The object can’t be undeleted from the console at that point, and the tombstone itself is garbage-collected once the tombstone lifetime expires (60 days by default on older forests, 180 days on forests created with Windows Server 2003 SP1 or later). There’s no “undo” in AD Users and Computers, either, and thanks to AD’s efficient replication you can’t even quickly rip the DC’s network cable out of the hub; once it gets back on the LAN, that tombstone is going to replicate.

Does that mean you have to perform an authoritative restore of the entire directory, potentially undoing other recent additions, changes and deletions? Not at all. Although nobody makes a big deal of it, Microsoft built a perfectly serviceable single-object restore capability right into AD.

Getting Authoritative, One Object at a Time
You’ll obviously need a recent backup that contains the object you want to restore: a standard System State backup from a DC in the domain that held the object, taken before the deletion and no older than the tombstone lifetime (a backup older than that cannot be used). The single-object restore has to be performed on the same DC the backup was taken from. Once the prerequisites are covered, restart that DC into Directory Services Restore Mode (DSRM), log on with the DSRM administrator password, and restore the System State from the backup as a normal, non-authoritative restore. Do not reboot when it finishes. Instead, run the Ntdsutil utility; on Windows Server 2008 or later type “activate instance ntds” first (Windows Server 2003 skips this step), then type “authoritative restore” and press Enter.

Here’s the tough part: you have to give Ntdsutil the exact distinguished name (DN) of the object you want to restore. That is the LDAP path of the object, not a DNS name. For example, you might enter:

restore object "cn=John Doe,ou=Operations,dc=mycompany,dc=com"

to restore a user named John Doe, whose account lived in the Operations organizational unit of the mycompany.com domain. Quote the DN whenever it contains spaces. The subtree form:

restore subtree "ou=Operations,dc=mycompany,dc=com"

restores the entire Operations OU along with everything in it. (restore subtree also works for a single leaf object such as a user; restore object is simply the precise verb for it.)

Things get a bit trickier with groups. Group membership lives on the group object (its member attribute), so before restoring a group make sure that every user who’s supposed to be a member is present in the domain, restoring users first if necessary. Then (and only then) restore the group. The reverse problem exists as well: a restored user comes back with its group memberships missing unless the groups are restored too. On Windows Server 2003 SP1 and later, Ntdsutil writes an LDIF file (ar_*_links_*.ldf) listing those back-links after each authoritative restore; once the DC is back in normal mode and the restored object has replicated, import it with “ldifde -i -k -f <file>” to put the memberships back.
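Here is the whole procedure as a script, an added example rather than material from the column itself, for a DC running Windows Server 2008 or later, where Windows Server Backup’s wbadmin replaces NTBackup. Run it from an elevated PowerShell prompt after booting into DSRM. The DN, backup version identifier, backup location and temp file name are placeholders; the script assumes ntdsutil reads its commands from redirected standard input (the usual way to script it) and writes its link files into the current directory, so adjust the search path if yours land elsewhere.

```powershell
# Added example (not from the original column): scripted single-object
# authoritative restore, run from an elevated PowerShell prompt while the DC
# is booted into Directory Services Restore Mode. All values are placeholders.
param(
    # DN of the deleted object; it is quoted inside ntdsutil because of the spaces.
    [string]$ObjectDN      = 'CN=John Doe,OU=Operations,DC=mycompany,DC=com',
    # Backup version identifier as listed by "wbadmin get versions" (assumed value).
    [string]$BackupVersion = '01/15/2009-22:00',
    [string]$BackupTarget  = 'E:',
    # Use -Subtree only when the DN is an OU whose contents should come back too.
    [switch]$Subtree
)

$ErrorActionPreference = 'Stop'

# Guard rail: the restore only makes sense in DSRM, where Windows sets
# SAFEBOOT_OPTION to DSREPAIR. Refuse to run anywhere else.
if ($env:SAFEBOOT_OPTION -ne 'DSREPAIR') {
    throw 'Boot the domain controller into Directory Services Restore Mode first.'
}

# Step 1: normal (non-authoritative) System State restore from the backup that
# still contains the object. The server must NOT be rebooted after this step
# until ntdsutil has marked the object authoritative.
& wbadmin.exe start systemstaterecovery `
    "-version:$BackupVersion" "-backupTarget:$BackupTarget" -quiet
if ($LASTEXITCODE -ne 0) { throw "wbadmin failed with exit code $LASTEXITCODE" }

# Step 2: mark just this object (or subtree) authoritative. These are the
# commands the column describes, one per line, fed to ntdsutil on standard
# input so the quoted DN survives intact. "activate instance ntds" is required
# on Windows Server 2008 and later.
$verb = if ($Subtree) { 'restore subtree' } else { 'restore object' }
$commands = @(
    'activate instance ntds',
    'authoritative restore',
    "$verb `"$ObjectDN`"",
    'quit',
    'quit'
)
$cmdFile = Join-Path $env:TEMP 'ar-commands.txt'
$commands | Set-Content -Path $cmdFile -Encoding ASCII
$output = cmd.exe /c "ntdsutil.exe < `"$cmdFile`""
$output                     # ntdsutil reports how many records it updated
Remove-Item $cmdFile

# ntdsutil (2003 SP1 and later) also writes ar_*_links_*.ldf files holding the
# group-membership back-links it cannot restore by itself. Report them so they
# can be imported after the reboot, once the restored object has replicated:
#     ldifde -i -k -f <file>
$linkFiles = Get-ChildItem -Path (Get-Location) -Filter 'ar_*_links_*.ldf' -ErrorAction SilentlyContinue
if ($linkFiles) {
    "Import after reboot with ldifde -i -k -f: " + ($linkFiles.FullName -join ', ')
}

# Step 3: back to normal mode; replication carries the restored object outward.
Restart-Computer -Force
```

Keep the printed list of .ldf files somewhere other than the console, since the reboot that follows takes the session with it; importing them is a separate step after the DC is back in normal mode and the restored object shows up on other DCs.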

Once you’re done restoring objects, restart the DC. It’ll start replicating the change to the other DCs in the domain, and before you know it your mistake will be a thing of the past. The magic is in the way AD performs authoritative restores. Remember the tombstone that was put on the object when you deleted it? Deleting the object incremented the version numbers on the attributes it changed, on the DC that processed the deletion. Those higher version numbers are what caused the other DCs to replicate the tombstone: they held an older version of the object and simply took the update. A plain restore of the backup loses for the same reason, because the restored copy carries the old, lower version numbers, and the tombstone would replicate straight back onto the restored DC. An authoritative restore instead raises the version numbers of the restored object by 100,000 for every day that has passed since the backup was taken (you can set the increment yourself with the verinc option of the restore command), making it the latest and greatest thing in the domain. Every DC latches onto the upgraded object, effectively erasing the tombstone and bringing the object back from the dead with its original objectGUID and SID intact, so existing ACL entries that reference the account work again.
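To see why the version bump matters, here is a toy model of the rule that decides which copy of an object wins during replication. It is an added example constructed for this page, not AD’s real algorithm: it keeps only the version comparison, whereas real AD tracks versions per attribute and also compares originating timestamps and invocation IDs on ties. The DC names and the one-day gap since the backup are made up.

```powershell
# Added example, constructed for this page: a minimal model of "higher version
# wins" replication, enough to show why a plain restore is overwritten by the
# tombstone and an authoritative restore is not.

function New-Replica([string]$Name) {
    # Each DC holds one copy of the object: a version counter and a deleted flag.
    [pscustomobject]@{ Name = $Name; Version = 1; IsDeleted = $false }
}

function Copy-Replica($Replica) {
    # Snapshot used for the backup and for the restore steps below.
    [pscustomobject]@{ Name = $Replica.Name; Version = $Replica.Version; IsDeleted = $Replica.IsDeleted }
}

function Sync-Replica($From, $To) {
    # Simplified conflict rule: the copy with the higher version overwrites the other.
    if ($From.Version -gt $To.Version) {
        $To.Version   = $From.Version
        $To.IsDeleted = $From.IsDeleted
    }
}

function Show-State([string]$Step, $A, $B) {
    "{0,-14} {1} v{2} deleted={3}; {4} v{5} deleted={6}" -f $Step,
        $A.Name, $A.Version, $A.IsDeleted, $B.Name, $B.Version, $B.IsDeleted
}

$dc1 = New-Replica 'DC1'
$dc2 = New-Replica 'DC2'

# 1. System State backup of DC1 is taken while the user still exists.
$backup = Copy-Replica $dc1

# 2. An admin deletes the user on DC1: it becomes a tombstone with a higher
#    version, and DC2 accepts the tombstone on the next replication cycle.
$dc1.IsDeleted = $true
$dc1.Version++
Sync-Replica -From $dc1 -To $dc2
Show-State 'After delete:' $dc1 $dc2

# 3. Plain (non-authoritative) restore of the backup on DC1. DC2 still holds
#    the tombstone at a higher version, so it replicates straight back.
$dc1 = Copy-Replica $backup
Sync-Replica -From $dc2 -To $dc1
Show-State 'Plain restore:' $dc1 $dc2

# 4. Authoritative restore: the backup copy again, but with its version raised
#    the way ntdsutil does it, 100,000 per day elapsed since the backup.
$daysSinceBackup = 1
$dc1 = Copy-Replica $backup
$dc1.Version += 100000 * $daysSinceBackup
Sync-Replica -From $dc1 -To $dc2
Show-State 'Auth restore:' $dc1 $dc2
```

The middle line of output is the one to remember: the restored object at version 1 is immediately replaced by the tombstone at version 2, which is exactly what happens to a DC that is restored from backup and simply rebooted without running ntdsutil.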

About the Author

With more than fifteen years of IT experience, Don Jones is one of the world’s leading experts on the Microsoft business technology platform. He’s the author of more than 35 books, including Windows PowerShell: TFM, Windows Administrator’s Scripting Toolkit, VBScript WMI and ADSI Unleashed, PHP-Nuke Garage, Special Edition Using Commerce Server 2002, Definitive Guide to SQL Server Performance Optimization, and many more. Don is a top-rated and in-demand speaker and serves on the advisory board for TechMentor. He is an accomplished IT journalist with features and monthly columns in Microsoft TechNet Magazine, Redmond Magazine, and on Web sites such as TechTarget and MCPMag.com. Don is also a multiple-year recipient of Microsoft’s prestigious Most Valuable Professional (MVP) Award, and is the Editor-in-Chief for Realtime Publishers.
