Guido, you said: If you are running Win2003 AD at Win2003 FFL (in a single dom-forest), then you don't have to take any special precautions, as the group-memberships will be "revived" with the authoritative restore of your users (as you've just deleted users, not groups).
Where did you get this from? With LVR we still don't construct the forward link if the back link is received so your comment here is not one that is clear to me. Until we do reconstruct that forward link, I believe you do still need to worry about this condition.

~Eric

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of GRILLENMEIER,GUIDO (HP-Germany,ex1)
Sent: Wednesday, March 24, 2004 3:53 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Accidentally deleted OU with lots of users

The procedures are different depending on your AD infrastructure - and as also pointed out by Eric, multi-domain forests have particular challenges, mostly related to users being in groups in the other domains of the forest (e.g. Universal Groups or Domain Local Groups). If you're in a single domain forest, the recovery is typically easier, as you don't have these cross-domain issues.

However, the steps below really relate to a Win2000 AD recovery and to Win2003 AD, when NOT running at Win2003 forest functional level (which is where Link-Value replication is enabled). If you are running Win2003 AD at Win2003 FFL (in a single dom-forest), then you don't have to take any special precautions, as the group-memberships will be "revived" with the authoritative restore of your users (as you've just deleted users, not groups).

Realize that this only works for the group-memberships which have been populated AFTER LVR has been enabled (i.e. you've switched to 2003 FFL) - so, if you previously had Win2000 and upgraded to 2003, then most of the group-memberships can't be revived since the extra data added by LVR will not exist on the entries added when running Win2000 AD. In this case, you'll also have to repopulate the group-memberships...

You can find more information on this delicate topic in this whitepaper, which I co-authored with Aelita:
http://www.aelita.com/library/whitepapers/10_Things_to_Know_about_Active_Directory_Recovery.pdf

/Guido

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Eric Fleischman
Sent: Wednesday, March 24, 2004 05:46
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Accidentally deleted OU with lots of users

It's not that simple. To perform an authoritative restore of an OU full of users, here's a rough step by step:

1) System state restore of a DC; mark OU full of users authoritative (i.e. mark the subtree authoritative)
2) Boot DC onto private network
3) Disable inbound replication on the DC (repadmin can do this for you)
4) Put DC back onto production network; let users replicate out
5) Identify groups that the users affected are a member of
6) Boot DC into DS restore mode; mark affected groups from step 5 as authoritative
7) Boot DC back to normal mode
8) Enable inbound replication

The other option is to repopulate the groups with the affected users rather than marking the groups authoritative. This approach is particularly advantageous if you have groups that span the domain boundary. If you want to repopulate the groups rather than restore them, send me a note offline and I can help you with that.

The same procedure would be followed for computers should the computer accounts be members of groups above and beyond their primary group membership. If they are just in the primary group they just need to restore the computer account. Group restores don't need anything like this either (except for nested group memberships).

If anyone is unclear as to why you need the double auth restore or auth restore + repopulation just holler.

~Eric

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Santhosh Sivarajan
Sent: Tuesday, March 23, 2004 7:40 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Accidentally deleted OU with lots of users

Yep. Try to do an Authoritative Restore of the OU.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Tuesday, March 23, 2004 6:28 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Accidentally deleted OU with lots of users

This is not really terrible. Especially since you have a good backup.

http://support.microsoft.com/default.aspx?scid=kb;EN-US;q241594

Pay close attention to the "Restore a Subtree" part. If you don't understand any part of it, ask here again.

Sincerely,
Dèjì Akómöláfé, MCSE MCSA MCP+I
Microsoft MVP - Active Directory
www.akomolafe.com
www.iyaburo.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

________________________________
From: [EMAIL PROTECTED] on behalf of David Wentworth
Sent: Tue 3/23/2004 4:08 PM
To: [EMAIL PROTECTED]
Cc: David Wentworth
Subject: [ActiveDir] Accidentally deleted OU with lots of users

Folks,

I really screwed up this time. I meant to delete a user object but accidentally deleted the OU and all the users. How can I get it all back? The backup ran last night and I think I can restore all of the Active Directory, but I really don't want to roll back everything to where it was last night. I just want the OU back. Please help.

Dave

List info : http://www.activedir.org/mail_list.htm
List FAQ : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
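
Step 5 of the restore procedure in the thread (identifying the groups the affected users are members of) can be worked out offline from an LDIF export of group objects. The following is an added example, not code from any poster in the thread; it assumes the export was taken from the restored DC while it still holds the pre-deletion memberships, and the sample LDIF, the `example.com` names and the function names are constructed for illustration.

```python
import base64

# Constructed sample export; the last member value is base64-encoded (non-ASCII DN),
# and one member value is folded onto a continuation line, as LDIF allows.
_B64 = base64.b64encode("CN=Zo\u00eb Kim,OU=Staff,DC=example,DC=com".encode()).decode()
SAMPLE_LDIF = f"""\
dn: CN=Sales,OU=Groups,DC=example,DC=com
objectClass: group
member: CN=Ann Lee,OU=Staff,DC=example,DC=com
member: CN=Bob Ray,OU=Branch,OU=Staff,DC=example,
 DC=com
member: CN=Admin,CN=Users,DC=example,DC=com

dn: CN=IT,OU=Groups,DC=example,DC=com
objectClass: group
member: CN=Admin,CN=Users,DC=example,DC=com

dn: CN=Ops,OU=Groups,DC=example,DC=com
objectClass: group
member:: {_B64}
"""

def parse_ldif(text):
    """Yield (dn, attrs) per record; handles folded lines and base64 ('::') values."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # continuation of the previous line
        else:
            lines.append(raw)
    record = {}
    for line in lines + [""]:             # trailing "" flushes the last record
        if not line.strip():
            if "dn" in record:
                yield record["dn"][0], record
            record = {}
        elif not line.startswith("#"):
            attr, _, value = line.partition(":")
            if value.startswith(":"):
                value = base64.b64decode(value[1:].strip()).decode("utf-8")
            key = attr.split(";")[0].lower()   # drop attribute options such as ;range=
            record.setdefault(key, []).append(value.strip())

def under(dn, base):
    """True if dn is base or below it (assumes DNs in the directory's canonical form)."""
    dn, base = dn.lower(), base.lower()
    return dn == base or dn.endswith("," + base)

def groups_to_mark(ldif_text, deleted_ou):
    """Map each group DN to its members that live under the deleted OU."""
    result = {}
    for dn, attrs in parse_ldif(ldif_text):
        if "group" in (v.lower() for v in attrs.get("objectclass", [])):
            hit = sorted(m for m in attrs.get("member", []) if under(m, deleted_ou))
            if hit:
                result[dn] = hit
    return result

if __name__ == "__main__":
    for group, members in groups_to_mark(SAMPLE_LDIF, "OU=Staff,DC=example,DC=com").items():
        print(group, "->", len(members), "affected member(s)")
```

An export from one domain only lists groups held in that domain, so for the cross-domain group memberships raised in the thread the same check has to be repeated against an export from each other domain.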
