Exactly, enter my point that you either need to restore a DC in each domain or 
repopulate the groups.
Is it me or are we saying the same thing over and over? Are you just not happy with 
the language I used to say it?



-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of GRILLENMEIER,GUIDO (HP-Germany,ex1)
Sent: Wednesday, March 24, 2004 3:12 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Accidentally deleted OU with lots of users

I know - and that GC won't contain the DNs of the domain local groups of
the other domains that the users were a member of.  I think this is the key
that I'm trying to get across.  You can get the DNs of the groups for your
own domain and the UGs of other domains when you're restoring a GC - but not
of the DLGs in the other domains!

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Eric Fleischman
Sent: Wednesday, 24 March 2004 20:39
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Accidentally deleted OU with lots of users

From my procedure:
5) Identify groups that the users affected are a member of
6) Boot DC in to ds restore mode; mark affected groups from step 5 as
Authoritative


That needs to be done across the domain boundary.
Another option: obtain from backups or the restored dc (like if it is a gc?)
DN of all groups users were a member of. Turn that around and repopulate
groups in each domain naming context.

~Eric


-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of GRILLENMEIER,GUIDO (HP-Germany,ex1)
Sent: Wednesday, March 24, 2004 12:48 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Accidentally deleted OU with lots of users

Totally agree that you need to know what you're doing, otherwise you're
easily screwed. And as mentioned before, I specifically state that the
"don't need to do anything else" procedure is only safe in a single domain
forest and when all memberships are "LVR-enabled". It's certainly not
appropriate for multi-domain forests.

But even your procedure won't help much to recover the lost links in Domain
Local Groups of the other NCs as the references to these groups are usually
lost (unless the tombstone record didn't make it to the other NCs => which
could deliberately be the case with a hotsite/lagsite approach).

As such I've been working on a nice tool with some other HP folks, which
will collect all links in a forest for easy recovery after an authoritative
restore. It will also help to ensure that all memberships have been
LVR-enabled in 2003 FFL forests (simply by re-adding all members to the
groups they belong to - could obviously also be done by a simple script).
Nevertheless, it will work for both Win2000 and Win2003 forests as it
doesn't rely on LVR.

So although I'm not saying your procedure is bad, I have to say it's not
complete. At least not for multi-domain forests.

My recommendation is to either implement hotsites/lagsites (which, besides
saving you from needing to do a system-state restore, will also not require
you to disable inbound replication etc.) and/or think about deploying a tool
that backs up the links from the other domains of a forest. This could be as
simple as a daily LDIF dump of at least the domain local groups of every
domain, or a good online recovery tool for AD (although I know only of one
that does domain local group link-collection), or the HP tool I've mentioned
above (when it's finally ready).

/Guido

-----Original Message-----
From: Eric Fleischman [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, 24 March 2004 18:28
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Accidentally deleted OU with lots of users

I see, so you were just covering a single NC condition. Ok, your logic is
correct, but the caveats are complex. Many users think they have no group
memberships across the NC boundary when they do, but that's neither here nor
there. I would recommend my procedure as a safeguard. Further, it isn't
always clear if your memberships have been LVR-enabled. As such, unless you
know you've done this, your procedure is risky.

I still recommend mine.

~Eric



-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of GRILLENMEIER,GUIDO (HP-Germany,ex1)
Sent: Wednesday, March 24, 2004 10:03 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Accidentally deleted OU with lots of users

Eric,
there are quite a lot of things that LVR changes. When activated, it extends
the link-table on each DC with a couple of columns, including one that
records the DeletionTime of a link. This is used to "deactivate" links (in
our case group-memberships) when the corresponding object is deleted. This
is similar to the creation of the tombstone of a member object itself, since
the link is not removed from the link-table right away. Just like for
tombstones, the garbage collection process was extended to clean up these
deactivated links after the tombstone lifetime expires.

The main addition though, which changes the recovery procedures for Win2003,
is the fact that the deactivated links are "revived" when the previously
deleted objects are authoritatively restored - basically the link's
DeletionTime column is removed. There is obviously some additional logic
that differentiates between a link that was removed simply by removing an
existing user from a group, vs. the deletion of the user object in the
database - I assume that this is where back-links of the authoritatively
restored object comes into play (on the DC, that the user is restored on).

The sad thing is that the link-revival process is only authoritative for
its own domain, i.e. its own NC => this means that even if an
authoritative restore was performed on a GC and all the links to UGs in any
part of the forest could be revived locally on that DC/GC, the links to UGs
from the other domains won't replicate back to the authoritative domain
(which holds the writable NC of the UG), as the respective DCs don't
replicate any changes back from GCs of another domain. This is normal
behaviour though, as a writable NC will only allow outbound replication to
the read-only NCs that make up the PAS of a GC.

Prior to the RTM version of 2003, the UG links of other domains were actually
revived along with any group links in its own domain, causing quite chaotic
situations in a restore scenario => depending on your AD site-configuration
and DC placement, the revived UG links could replicate out to all other GCs,
except if these were hosted on DCs of the authoritative domain. The result
was that after an authoritative restore your UG memberships in the forest
were totally out of sync, depending on which GC you connected to...  But
this was fixed in RTM, after we (I) made Microsoft aware of this issue =>
for better consistency, if a restore takes place on a GC, the links for
objects in other NCs are not revived at all now.

Needless to say, you'd be stuck anyway with recovering the
links/memberships in the domain local groups of those other domains in your
multi-domain forest, so you have to take care of handling the correct
re-population of those groups no matter what you do.


In summary: the link-revival feature in LVR will allow you to restore
objects within a single-domain forest just fine (not only group-links, but
also other important links such as managedObjects and directReports) - but
the cross-domain issues in a multi-domain forest still require special
attention.


/Guido


-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Eric Fleischman
Sent: Wednesday, 24 March 2004 13:37
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Accidentally deleted OU with lots of users

Guido,  you said:

If you are running Win2003 AD at Win2003 FFL (in a single dom-forest), then
you don't have to take any special precautions, as the group-memberships
will be "revived" with the authoritative restore of your users (as you've
just deleted users, not groups).


Where did you get this from?
With LVR we still don't construct the forward link if the back link is
received so your comment here is not one that is clear to me. Until we do
reconstruct that forward link, I believe you do still need to worry about
this condition.

~Eric


-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of GRILLENMEIER,GUIDO (HP-Germany,ex1)
Sent: Wednesday, March 24, 2004 3:53 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Accidentally deleted OU with lots of users

The procedures are different depending on your AD infrastructure - and as
also pointed out by Eric, multi-domain forests have particular challenges,
mostly related to users being in groups in the other domains of the forest
(e.g. Universal Groups or Domain Local Groups). If you're in a single domain
forest, the recovery is typically easier, as you don't have these
cross-domain issues.

However, the steps below really relate to a Win2000 AD recovery and to
Win2003 AD, when NOT running at Win2003 forest functional level (which is
where Link-Value replication is enabled).

If you are running Win2003 AD at Win2003 FFL (in a single dom-forest), then
you don't have to take any special precautions, as the group-memberships
will be "revived" with the authoritative restore of your users (as you've
just deleted users, not groups).

Realize, that this only works for the group-memberships, which have been
populated AFTER LVR has been enabled (i.e. you've switched to 2003 FFL) -
so, if you previously had Win2000 and upgraded to 2003, then most of the
group-memberships can't be revived since the extra data added by LVR will
not exist on the entries added when running Win2000 AD. In this case, you'll
also have to repopulate the group-memberships...

You can find more information on this delicate topic in this whitepaper,
which I co-authored with Aelita:
http://www.aelita.com/library/whitepapers/10_Things_to_Know_about_Active_Directory_Recovery.pdf


/Guido

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Eric Fleischman
Sent: Wednesday, 24 March 2004 05:46
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Accidentally deleted OU with lots of users

It's not that simple.
To perform an authoritative restore of an OU full of users, here's a rough
step by step:

1) System state restore of a DC; mark OU full of users authoritative (i.e.
mark the subtree authoritative)
2) Boot DC on to private network
3) Disable inbound replication on the DC (repadmin can do this for you)
4) put DC back on to production network; let users replicate out
5) Identify groups that the users affected are a member of
6) Boot DC in to ds restore mode; mark affected groups from step 5 as
authoritative
7) Boot DC back to normal mode
8) enable inbound replication

The other option is to repopulate the groups with the affected users rather
than marking the groups authoritative. This approach is particularly
advantageous if you have groups that span the domain boundary. If you want
to repopulate the groups rather than restore them send me a note offline and
I can help you with that.

The same procedure would be followed for computers should the computer
accounts be members of groups above and beyond their primary group
membership. If they are just in the primary group they just need to restore
the computer account. Group restores don't need anything like this either
(except for nested group memberships).

If anyone is unclear as to why you need the double auth restore or auth
restore + repopulation just holler.

~Eric
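The "repopulate the groups" alternative in the procedure above, and the daily LDIF dump of domain local groups that Guido suggests further up the thread, are two halves of the same defensive measure: keep an export of every group's member links from before the deletion, then replay the links the restored users held, per domain naming context, because a domain local group in another domain can only be written on a DC of that domain. The script below is an added example (not code from this thread, from Eric, Guido or HP) that does the bookkeeping: it parses a pre-deletion LDIF export (constructed inline here, with the folded-line syntax ldifde produces), lists which links each restored user held, drops links the authoritative restore already brought back, and emits LDIF change records per naming context. The forest, group and user names are constructed, and it assumes a plain LDIF content export in which each group's members appear as `member:` values.

```python
import base64
import re
from collections import defaultdict

# Constructed sample data for a two-domain forest (corp.example and its child
# eu.corp.example).  The EU domain local group holds a link to a corp user
# that an authoritative restore in corp cannot bring back on its own.
DUMP_BEFORE_DELETION = """\
dn: CN=Sales-Global,CN=Users,DC=corp,DC=example
member: CN=Alice,OU=Sales,DC=corp,DC=example
member: CN=Bob,OU=Sales,DC=corp,DC=example

dn: CN=EU-FileShare-DL,CN=Users,DC=eu,DC=corp,DC=example
member: CN=Alice,OU=Sales,
 DC=corp,DC=example
member: CN=Carol,OU=Staff,DC=eu,DC=corp,DC=example
"""
# Constructed state after the users were authoritatively restored: the
# same-domain group came back with them, the cross-domain link did not.
DUMP_AFTER_RESTORE = """\
dn: CN=Sales-Global,CN=Users,DC=corp,DC=example
member: CN=Alice,OU=Sales,DC=corp,DC=example
member: CN=Bob,OU=Sales,DC=corp,DC=example

dn: CN=EU-FileShare-DL,CN=Users,DC=eu,DC=corp,DC=example
member: CN=Carol,OU=Staff,DC=eu,DC=corp,DC=example
"""
RESTORED_USERS = ["CN=Alice,OU=Sales,DC=corp,DC=example",
                  "CN=Bob,OU=Sales,DC=corp,DC=example"]

def parse_ldif(text):
    """Parse an LDIF content file into {dn: {attr.lower(): [values]}}.
    Handles RFC 2849 line folding and base64 ('::') values."""
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]           # folded continuation line
        else:
            unfolded.append(raw)
    entries, current = {}, None
    for line in unfolded + [""]:              # trailing "" flushes last entry
        if not line.strip():
            if current is not None:
                entries[current[0]] = current[1]
                current = None
            continue
        if line.startswith("#"):
            continue
        key, _, value = line.partition(":")
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        if key.lower() == "dn":
            current = (value, defaultdict(list))
        elif current is not None:
            current[1][key.lower()].append(value)
    return entries

def naming_context(dn):
    """Domain NC of a DN: the RDNs from the first DC= onward."""
    rdns = re.split(r"(?<!\\),", dn)          # split on unescaped commas only
    for i, rdn in enumerate(rdns):
        if rdn.strip().lower().startswith("dc="):
            return ",".join(r.strip() for r in rdns[i:])
    return dn

def memberships_to_restore(dump_before, restored_user_dns):
    """(group_dn, user_dn) links each restored user held before the deletion,
    keyed by the naming context that owns the group."""
    restored = {dn.lower() for dn in restored_user_dns}
    plan = defaultdict(list)
    for group_dn, attrs in parse_ldif(dump_before).items():
        for member in attrs.get("member", []):
            if member.lower() in restored:
                plan[naming_context(group_dn)].append((group_dn, member))
    return dict(plan)

def missing_links(plan, dump_after):
    """Links from the plan absent from the current state, so anything the
    restore already revived is left untouched."""
    current = parse_ldif(dump_after)
    missing = defaultdict(list)
    for nc, links in plan.items():
        for group_dn, member in links:
            present = {m.lower() for m in current.get(group_dn, {}).get("member", [])}
            if member.lower() not in present:
                missing[nc].append((group_dn, member))
    return dict(missing)

def to_ldif_modify(links):
    """LDIF change records (one add of 'member' per link) for ldifde -i."""
    return "\n".join(f"dn: {g}\nchangetype: modify\nadd: member\nmember: {m}\n-\n"
                     for g, m in links)

if __name__ == "__main__":
    plan = memberships_to_restore(DUMP_BEFORE_DELETION, RESTORED_USERS)
    for nc, links in missing_links(plan, DUMP_AFTER_RESTORE).items():
        print(f"# import this file on a DC that holds the writable {nc}")
        print(to_ldif_modify(links))
```

Run against real exports, the "before" file is the daily dump and the "after" file is a fresh export taken once the restored users have replicated; the output for each naming context is imported on a DC of that domain, which is what makes the approach work whether or not LVR is enabled, since it never relies on link revival.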


-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Santhosh Sivarajan
Sent: Tuesday, March 23, 2004 7:40 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Accidentally deleted OU with lots of users

Yep. Try to do an Authoritative Restore of the OU

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Tuesday, March 23, 2004 6:28 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Accidentally deleted OU with lots of users

This is not really terrible. Especially since you have a good backup.
 
http://support.microsoft.com/default.aspx?scid=kb;EN-US;q241594
 
pay close attention to the "Restore a Subtree" part.
 
If you don't understand any part of it, ask here again.
 
 
Sincerely,

Dèjì Akómöláfé, MCSE MCSA MCP+I
Microsoft MVP - Active Directory
www.akomolafe.com
www.iyaburo.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday?  -anon

________________________________

From: [EMAIL PROTECTED] on behalf of David Wentworth
Sent: Tue 3/23/2004 4:08 PM
To: [EMAIL PROTECTED]
Cc: David Wentworth
Subject: [ActiveDir] Accidentally deleted OU with lots of users


Folks,

I really screwed up this time. I meant to delete a user object but
accidentally deleted the OU and all the users. How can I get it all back?

The backup ran last night and I think I can restore all of the Active
Directory, but I really don't want to roll back everything to where it was
last night. I just want the OU back. Please help.

Dave



List info   : http://www.activedir.org/mail_list.htm
List FAQ    : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
