Be sure that at least one test user is in a DLG, a GG and a UG, and in at least one DLG 
across the NC boundary. That gives you the full taste of the problem. ;)

You should find that the GC in the domain shows you the UGs that the user is in, but not 
the DLG across the NC boundary. To restore that you either need to auth restore that 
group in the other NC or repopulate the user into the group (which is why I said what 
I did in my original post).

I still don't understand Guido's gripe with my wording though so I'm curious to hear 
back on that. :)

~Eric


-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Wednesday, March 24, 2004 3:32 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Accidentally deleted OU with lots of users

Guido,
 
The configs I have been testing with since Eric's post are as follows.
One Forest. 4 domains. One Domain has 2 DCs, one has 3 DCs, the other 2 have
1 DC. All DCs are GCs.
 
In one of the Production environment restores I had personally done, I know
for a fact that the OU was fat-fingered on a Friday and the culprit did not
fess up until the following Tuesday (the Monday was a holiday). The LIVE
environment also contained multiple DCs in multiple child domains in one
forest.

The tests I've been doing since yesterday have been rapid-fire
deletion/look/restore/look tests. I have not really let it sit for long
enough to verify that the deletions have actually happened across the Forest.
So, I admit they've been somewhat flawed. So, I just "ooooooop!" a bunch of
OU and container objects now. I will report back tomorrow with my findings.

It's not that I don't believe or trust you and Eric, I'm just the curious
type who likes to understand the "why" of any "how". Also, I hate to think
that I've been misunderstanding this for so long.
 
 
Sincerely,

Dèjì Akómoláfé, MCSE MCSA MCP+I
Microsoft MVP - Active Directory
www.akomolafe.com
www.iyaburo.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday?  -anon

________________________________

From: [EMAIL PROTECTED] on behalf of GRILLENMEIER,GUIDO
(HP-Germany,ex1)
Sent: Wed 3/24/2004 9:11 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Accidentally deleted OU with lots of users



Deji,
you'll have to go into more details of your test setup.  Does multi-DC mean
more than one DC in the forest (which could also be one per domain), or does
it mean each domain has more than one DC in your lab?  You won't see some of
the issues with just one DC per domain. Also, are these DCs hosting GCs or
not? Big difference.

Regarding the groups in other domains => are these Universal Groups, or Domain
Local groups? Restoring the users on a GC will also bring back the UGs on
THAT DC - so you may not see the real effects of the restore - but look on
the other DC in your domain...  If you only have a few objects in your OU,
you will also not see some of the group/user issues, as all objects can
replicate in one batch - some issues only come with larger numbers of
objects.

Lastly, do you allow enough time for replication of the tombstones after
deleting the OU? Especially to the GC of the other domains (if the other
domain doesn't have a GC you'd have to wait for the Infrastructure Master to
become active...). If you don't give enough time (which again depends on
your site-setup), your test may not be realistic.

How much time is enough?  You just have to ensure that your deleted OU is
also replicated to the other domain (can easily be looked at via ADSIedit)
and that you no longer see the respective user objects in the other domain's
groups.

Then perform your restore - and tell us the results.

/Guido
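Guido's "how much time is enough?" check, as an added example that is not part of the thread: PowerShell that lists the tombstones on a DC of the OU's own domain, then reports, per DC, whether a given user's tombstone has arrived (full replica on the DCs of its own domain, partial replica on every GC; a non-GC DC of another domain never holds the object) and whether the named groups in other domains have dropped the user's DN from `member`. It assumes the ActiveDirectory module and a queryable Deleted Objects container (Server 2008 R2/RSAT onwards; in the Win2K setup of the thread the same look was taken with ADSIedit). The host names and DNs in the usage comment are hypothetical.

```powershell
#Requires -Modules ActiveDirectory
# Added example, not from the ActiveDir thread. Hypothetical names throughout.

# Tombstones left by the deleted OU, read from a DC of the OU's own domain.
# Pick the ObjectGUID of one user here to feed Test-DeletionReplicated.
function Get-Tombstone {
    param([Parameter(Mandatory)][string]$Server)
    Get-ADObject -Filter 'isDeleted -eq $true -and objectClass -eq "user"' `
        -IncludeDeletedObjects -Server $Server -Properties lastKnownParent, whenChanged |
        Select-Object Name, ObjectGUID, lastKnownParent, whenChanged
}

# Domain DNS name from a DN's DC= components, e.g. DC=child,DC=corp,DC=example -> child.corp.example
# (DNs containing escaped commas are not handled).
function ConvertTo-DomainName([string]$Dn) {
    (($Dn -split ',' | Where-Object { $_ -like 'DC=*' }) -replace '^DC=') -join '.'
}

function Test-DeletionReplicated {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][Guid]$ObjectGuid,       # objectGUID of one deleted user
        [Parameter(Mandatory)][string]$DeletedUserDn,  # its DN before the deletion
        [string[]]$GroupDn = @()                       # groups in OTHER domains it belonged to
    )
    $userDomain = ConvertTo-DomainName $DeletedUserDn

    # 1) The tombstone must be on every DC of the user's domain (full replica) and on
    #    every GC in the forest (partial replica). Other non-GC DCs never held the object.
    foreach ($domain in (Get-ADForest).Domains) {
        foreach ($dc in Get-ADDomainController -Filter * -Server $domain) {
            if ($dc.Domain -eq $userDomain) { $target = $dc.HostName }
            elseif ($dc.IsGlobalCatalog)    { $target = "$($dc.HostName):3268" }
            else                            { continue }
            $obj = Get-ADObject -Identity $ObjectGuid -Server $target -IncludeDeletedObjects `
                       -Properties isDeleted -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Server     = $target
                Check      = 'tombstone'
                Replicated = [bool]($obj -and $obj.isDeleted)   # $false = not arrived yet
            }
        }
    }

    # 2) Groups in other domains must have dropped the DN from member. This is the link
    #    that restoring the user object alone will not bring back.
    foreach ($g in $GroupDn) {
        $grp = Get-ADGroup -Identity $g -Server (ConvertTo-DomainName $g) -Properties member
        [pscustomobject]@{
            Server     = $g
            Check      = 'member'
            Replicated = ($grp.member -notcontains $DeletedUserDn)
        }
    }
}

# Usage: repeat until nothing is left with Replicated = $false, then start the restore.
# Get-Tombstone -Server 'DC01.corp.example'
# $r = Test-DeletionReplicated -ObjectGuid '00000000-0000-0000-0000-000000000000' `
#          -DeletedUserDn 'CN=Alice,OU=Sales,DC=corp,DC=example' `
#          -GroupDn 'CN=FileShare-RW,CN=Users,DC=child,DC=corp,DC=example'
# $r | Where-Object { -not $_.Replicated }
```

Any row still reporting `Replicated = $false` means the test (or the real restore) would be run against a forest that has not yet seen the deletion, which is exactly the unrealistic test Guido warns about.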

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Wednesday, 24 March 2004 17:55
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Accidentally deleted OU with lots of users

I confess my lack of understanding of this procedure. I've used the procedure
I posted many times in restoring deleted objects (including OUs). Since you
posted this yesterday, I've been scratching my head and hacking OUs on my
test domains and restoring them following the procedures I posted and the
restore "seems" to be fine to me w/o any issue. This is a multi-Domain, Win2K
SP4, multi-DC, single-forest config. Some users in the hacked OUs belong to
groups in other Domains, and I still see them belonging to those groups and
able to access resources ACL'ed through those Groups.

So, obviously I am missing something important. I know to listen to you, so I
am really interested in the explanations behind the repopulation part of the
equation.


Sincerely,

Dèjì Akómoláfé, MCSE MCSA MCP+I
Microsoft MVP - Active Directory
www.akomolafe.com
www.iyaburo.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday?  -anon

________________________________

From: [EMAIL PROTECTED] on behalf of Eric Fleischman
Sent: Tue 3/23/2004 8:45 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Accidentally deleted OU with lots of users



It's not that simple.
To perform an authoritative restore of an OU full of users, here's a rough
step by step:

1) System state restore of a DC; mark OU full of users authoritative (i.e.
mark the subtree authoritative)
2) Boot DC onto a private network
3) Disable inbound replication on the DC (repadmin can do this for you)
4) Put DC back onto the production network; let users replicate out
5) Identify groups that the affected users are a member of
6) Boot DC into DS restore mode; mark affected groups from step 5 as
authoritative
7) Boot DC back to normal mode
8) Enable inbound replication

The other option is to repopulate the groups with the affected users rather
than marking the groups authoritative. This approach is particularly
advantageous if you have groups that span the domain boundary. If you want to
repopulate the groups rather than restore them send me a note offline and I
can help you with that.

The same procedure would be followed for computers should the computer
accounts be members of groups above and beyond their primary group
membership. If they are just in the primary group they just need to restore
the computer account. Group restores don't need anything like this either
(except for nested group memberships).

If anyone is unclear as to why you need the double auth restore or auth
restore + repopulation just holler.

~Eric
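The "repopulate" alternative to steps 5-8 of Eric's procedure, and the cross-NC DLG case from his later reply (the GC shows the UGs a restored user was in but not the domain-local group in the other NC), as an added example that is not part of the thread. It assumes the ActiveDirectory module (Server 2008 R2/RSAT onwards; the thread's Win2K tooling was ntdsutil and repadmin by hand) and the hypothetical names RESTOREDC01.corp.example, OU=Sales,DC=corp,DC=example and C:\restore\crossdomain-dlg.csv. The restored DC is assumed to be at step 4: back on the production network, users replicated out, inbound replication still disabled, so the `memberOf` it reports is still the backup-time membership.

```powershell
#Requires -Modules ActiveDirectory
# Added example, not from the ActiveDir thread. Hypothetical names:
#   RESTOREDC01.corp.example      - the DC restored in step 1, on the production network
#                                   (step 4) with inbound replication still off
#                                   (repadmin /options RESTOREDC01 +DISABLE_INBOUND_REPL).
#   C:\restore\crossdomain-dlg.csv - an export with columns GroupDN,MemberDN kept for
#                                   domain-local groups in other domains; a GC carries
#                                   universal-group membership only, so memberOf on the
#                                   restored DC cannot show those.

# Domain DNS name from a DN's DC= components (DNs with escaped commas are not handled).
function ConvertTo-DomainName([string]$Dn) {
    (($Dn -split ',' | Where-Object { $_ -like 'DC=*' }) -replace '^DC=') -join '.'
}

# Step 5: group DN -> member DNs, as the restored DC still sees it, plus the export.
function Get-BackupMembership {
    param(
        [Parameter(Mandatory)][string]$RestoredDc,
        [Parameter(Mandatory)][string]$OuDn,
        [string]$CrossDomainCsv
    )
    $map = @{}
    $users = Get-ADUser -Filter * -SearchBase $OuDn -Server $RestoredDc -Properties memberOf
    foreach ($u in $users) {
        foreach ($g in $u.memberOf) {
            if (-not $map.ContainsKey($g)) { $map[$g] = New-Object System.Collections.Generic.List[string] }
            $map[$g].Add($u.DistinguishedName)
        }
    }
    if ($CrossDomainCsv -and (Test-Path $CrossDomainCsv)) {
        # Only rows for users under the restored OU are relevant.
        foreach ($row in Import-Csv $CrossDomainCsv | Where-Object { $_.MemberDN -like "*,$OuDn" }) {
            if (-not $map.ContainsKey($row.GroupDN)) { $map[$row.GroupDN] = New-Object System.Collections.Generic.List[string] }
            $map[$row.GroupDN].Add($row.MemberDN)
        }
    }
    return $map
}

# Steps 6-7 replaced by repopulation: write the links on a live DC of the GROUP's domain.
function Restore-GroupMembership {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][hashtable]$Membership,
        [Parameter(Mandatory)][string]$RestoredDc   # never read/write the group here: its copy
    )                                               # still shows backup-time members and will
    foreach ($groupDn in $Membership.Keys) {        # be overwritten once inbound repl is back on
        $groupDomain = ConvertTo-DomainName $groupDn
        $dc = (Get-ADDomainController -Filter * -Server $groupDomain |
               Where-Object { $_.HostName -ne $RestoredDc } | Select-Object -First 1).HostName
        # The member links live on the group object in the group's own NC, which is why
        # restoring the user (in the OU's NC) does not bring a cross-NC membership back.
        $group   = Get-ADGroup -Identity $groupDn -Server $dc -Properties member
        $missing = @($Membership[$groupDn] | Where-Object { $group.member -notcontains $_ })
        if ($missing.Count -eq 0) { continue }
        if ($PSCmdlet.ShouldProcess("$groupDn on $dc", "add $($missing.Count) member(s)")) {
            # Adding by DN works across domains: the target DC validates the DN through a GC.
            Set-ADGroup -Identity $groupDn -Server $dc -Add @{ member = $missing }
        }
    }
}

# Usage (after step 4, before step 8):
# $m = Get-BackupMembership -RestoredDc 'RESTOREDC01.corp.example' `
#          -OuDn 'OU=Sales,DC=corp,DC=example' -CrossDomainCsv 'C:\restore\crossdomain-dlg.csv'
# Restore-GroupMembership -Membership $m -RestoredDc 'RESTOREDC01.corp.example' -WhatIf
# Restore-GroupMembership -Membership $m -RestoredDc 'RESTOREDC01.corp.example'
# repadmin /options RESTOREDC01 -DISABLE_INBOUND_REPL     # step 8
```

Run it with `-WhatIf` first and check that the groups it wants to touch match the list from step 5; the CSV is the only source for cross-domain domain-local groups, so without such an export those memberships have to come from an authoritative restore of the group in the other NC, as Eric says. Later versions of ntdsutil (from Windows Server 2003 SP1) write LDIF files of the restored objects' back-links, including groups in other domains, during the authoritative restore itself; the thread predates that.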


-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Santhosh Sivarajan
Sent: Tuesday, March 23, 2004 7:40 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Accidentally deleted OU with lots of users

Yep. Try to do an Authoritative Restore of the OU

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Tuesday, March 23, 2004 6:28 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Accidentally deleted OU with lots of users

This is not really terrible. Especially since you have a good backup.

http://support.microsoft.com/default.aspx?scid=kb;EN-US;q241594

pay close attention to the "Restore a Subtree" part.

If you don't understand any part of it, ask here again.


Sincerely,

Dèjì Akómoláfé, MCSE MCSA MCP+I
Microsoft MVP - Active Directory
www.akomolafe.com
www.iyaburo.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday?  -anon

________________________________

From: [EMAIL PROTECTED] on behalf of David Wentworth
Sent: Tue 3/23/2004 4:08 PM
To: [EMAIL PROTECTED]
Cc: David Wentworth
Subject: [ActiveDir] Accidentally deleted OU with lots of users


Folks,

I really screwed up this time. I meant to delete a user object but
accidentally deleted the OU and all the users. How can I get it all back?

The backup ran last night and I think I can restore all of the Active
Directory, but I really don't want to roll back everything to where it was
last night. I just want the OU back. Please help.

Dave



List info   : http://www.activedir.org/mail_list.htm
List FAQ    : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/