Except in test scenarios I don't really see a major reason to not let the
object keep a bunch of info as a tombstone. I doubt the object was deleted
because the DIT was running out of room, and if it wasn't deleted because
the DIT was running out of room then you probably aren't going to hurt
keeping all the attribs it will let you keep when you move to tombstone.

I'm visualizing a new attribute on the user objects called groupMemberships
that has all of the DNs of all the groups the users are in. Of course this
means a service is running somewhere keeping that up to date but heck, I
would deal with maintaining that just to get the ease of being able to find
that info more easily in a large environment. Plus when the object was deleted,
it could all be saved. Restoring it back would still involve work but at
least all the info is in one directory in a nice handy way.

  joe

 

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido
Sent: Friday, July 09, 2004 5:29 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Authoritative Restores

I didn't yet do a comprehensive check against every possible attribute,
however I do know that you can't include back-linked attributes in the
tombstone (e.g. memberOf).  This mainly causes issues for multi-domain
environments and even single-domain, if Win2000 AD.  Likely there are also
some Exchange related attributes that you can't include in the tombstone
object, but I've yet to run through all those tests.

However, you'll definitely want to adjust the searchFlags of the Password
and SIDhistory attributes so that these are included in the tombstones,
since you can't recover these via normal methods when using the
tombstone-reanimation approach.  Most of the other stuff can be re-gained
from a dump of the user-data into some other store.

Of course, when you do the normal Auth restore, you don't have to worry
about adjusting the search-flags, as you'll get the full object back - except
for the links to objects in other domains (e.g. group-memberships)

/Guido
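
Guido's "comprehensive check against every possible attribute" can be done in a lab with a script. The following is an added example, not code from the thread or from Microsoft: it creates a throwaway user, records which attributes it carries, deletes it, reads the tombstone back through the Show Deleted Objects control and diffs the two attribute lists. Back-linked attributes such as memberOf should show up on the "stripped" side, which is the behaviour Guido describes. It assumes the ActiveDirectory PowerShell module (Windows Server 2008 R2 / RSAT or later, so newer tooling than the 2004 thread had), and the OU, account and group names are placeholders.

```powershell
# Added lab check (not from the thread): which attributes does a tombstone keep?
# Run only in a lab forest: it creates and then deletes an account.
$ou    = 'OU=Lab,DC=corp,DC=example'   # assumed lab OU
$name  = 'tombstone-probe'             # assumed throwaway account
$group = 'Lab Probes'                  # assumed group, gives the user a memberOf back-link

$user = New-ADUser -Name $name -SamAccountName $name -Path $ou `
    -Description 'tombstone retention probe' -PassThru
Add-ADGroupMember -Identity $group -Members $user

# Snapshot every attribute the live object carries.
$before      = Get-ADObject -Identity $user.DistinguishedName -Properties *
$beforeNames = $before.PropertyNames | Sort-Object

Remove-ADUser -Identity $user.DistinguishedName -Confirm:$false

# Tombstones sit under CN=Deleted Objects and are only returned when the
# Show Deleted Objects control is sent; -IncludeDeletedObjects sets it.
# objectGUID survives deletion, so it is the stable handle to the tombstone.
$after      = Get-ADObject -Identity $user.ObjectGUID -IncludeDeletedObjects -Properties *
$afterNames = $after.PropertyNames | Sort-Object

$diff     = Compare-Object -ReferenceObject $beforeNames -DifferenceObject $afterNames
$stripped = $diff | Where-Object SideIndicator -eq '<=' | Select-Object -ExpandProperty InputObject
$added    = $diff | Where-Object SideIndicator -eq '=>' | Select-Object -ExpandProperty InputObject
$kept     = $afterNames | Where-Object { $beforeNames -contains $_ }

"kept ({0}): {1}"                 -f $kept.Count,     ($kept -join ', ')
"stripped ({0}): {1}"             -f $stripped.Count, ($stripped -join ', ')
"added by deletion ({0}): {1}"    -f $added.Count,    ($added -join ', ')

# Reading the result: memberOf lands in 'stripped' because back-links are
# never kept on a tombstone. Anything else you expected to keep (e.g.
# sIDHistory after setting searchFlags 0x8) but which appears under
# 'stripped' is either not flagged in the schema or not preservable.
```

Run it once before and once after changing searchFlags in the schema and the difference between the two "kept" lists is exactly the set of attributes the flag bought you; "added by deletion" will contain the tombstone bookkeeping (isDeleted, lastKnownParent) rather than anything from the original object.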

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, 9 July 2004 04:13
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Authoritative Restores

The page I know about at MS is 

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/ad/ad/characteristics_of_attributes.asp

It tells you what the search flags are but doesn't talk about how to update
the schema, but there are lots of other papers on doing that. It isn't
rocket science, just scary. :o)

Again, it is known that not all things will be retained even if you do this.
What that list is, I don't think it is published unless Guido did a
comprehensive check and published it. This is one of those things that MS
should publish but doesn't because there are probably only 3 people that
actually know and no one wants to piss those three off by making them write
public docs. :o) So instead you will do it, find something that doesn't
work, complain to MS and the answer will come back, of course that doesn't
work you silly... MS is big on the we can't tell you what you could do wrong
but will let you know when we see it philosophy. 

Anyway, the procedure to undelete the object can be found at 

http://support.microsoft.com/?kbid=840001

In the section called "How to manually undelete objects in a deleted
object's container". Of course it is a bit easier to use my command line
ADMOD tool to do the undelete and it will support undeleting masses of
objects just as easily as one object. 

  joe
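
The manual undelete that KB 840001 walks through in LDP is a single LDAP modify: remove isDeleted and replace distinguishedName in the same request, with the Show Deleted Objects control attached. The block below is an added example of that operation done from PowerShell through System.DirectoryServices.Protocols; it is neither ADMOD nor Microsoft's code. The DC name, domain DN, destination OU and account name are placeholders, and it assumes a Windows Server 2003 or later DC and an account that holds the Reanimate Tombstones right (Domain Admins do).

```powershell
# Added example (not from the thread): reanimate a tombstone with one raw
# LDAP modify, the same operation KB 840001 describes for LDP.
Add-Type -AssemblyName System.DirectoryServices.Protocols

$dc       = 'dc01.corp.example'                      # assumed DC
$domainDN = 'DC=corp,DC=example'                     # assumed domain
$sam      = 'svc-sql'                                # assumed deleted account
$targetDN = "CN=$sam,OU=ServiceAccounts,$domainDN"   # assumed destination

$conn = [System.DirectoryServices.Protocols.LdapConnection]::new($dc)
$conn.SessionOptions.Signing = $true   # integrity-protect the session
$conn.SessionOptions.Sealing = $true   # and encrypt it
$conn.Bind()                           # current credentials, Negotiate

# 1. Locate the tombstone. Deleted objects are invisible without the Show
#    Deleted Objects control (OID 1.2.840.113556.1.4.417). sAMAccountName
#    and objectSid are among the attributes a tombstone keeps by default,
#    which is why the filter can use the account name.
$search = [System.DirectoryServices.Protocols.SearchRequest]::new(
    "CN=Deleted Objects,$domainDN",
    "(&(isDeleted=TRUE)(sAMAccountName=$sam))",
    [System.DirectoryServices.Protocols.SearchScope]::Subtree,
    [string[]]@('lastKnownParent', 'objectSid'))
$null = $search.Controls.Add([System.DirectoryServices.Protocols.ShowDeletedControl]::new())

$result = $conn.SendRequest($search)
if ($result.Entries.Count -ne 1) {
    throw "expected exactly one tombstone for $sam, found $($result.Entries.Count)"
}
$tombstone = $result.Entries[0]
"tombstone DN : $($tombstone.DistinguishedName)"
if ($tombstone.Attributes.Contains('lastKnownParent')) {
    "last parent  : $($tombstone.Attributes['lastKnownParent'][0])"
}

# 2. Reanimate. Clearing isDeleted and moving the object out of
#    CN=Deleted Objects must travel in the SAME modify request; the DC
#    rejects either change on its own.
$modify = [System.DirectoryServices.Protocols.ModifyRequest]::new()
$modify.DistinguishedName = $tombstone.DistinguishedName

$clear = [System.DirectoryServices.Protocols.DirectoryAttributeModification]::new()
$clear.Name      = 'isDeleted'
$clear.Operation = [System.DirectoryServices.Protocols.DirectoryAttributeOperation]::Delete

$move = [System.DirectoryServices.Protocols.DirectoryAttributeModification]::new()
$move.Name      = 'distinguishedName'
$move.Operation = [System.DirectoryServices.Protocols.DirectoryAttributeOperation]::Replace
$null = $move.Add($targetDN)

$null = $modify.Modifications.Add($clear)
$null = $modify.Modifications.Add($move)
$null = $modify.Controls.Add([System.DirectoryServices.Protocols.ShowDeletedControl]::new())

$response = $conn.SendRequest($modify)
"result       : $($response.ResultCode)"   # Success once the object is back
```

The reanimated object has only what the tombstone kept, so after this runs you still have to put back whatever was stripped (group memberships, and the password unless its attributes were flagged to be preserved); read the object back and compare against your export before handing it to anyone. To undelete many objects, loop step 2 over the entries of a broader search instead of the single sAMAccountName filter.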



 

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Eric Fleischman
Sent: Wednesday, July 07, 2004 9:26 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Authoritative Restores

> I seem to remember that I talked with Microsoft Support about this
> awhile back, and they indicated there was a way to force deleted objects
> to retain more attributes than those retained by default.

0x8 in searchFlags on the attribute in question in the schema.
This is a forest-wide setting as it is a schema mod.
I'm sure searching the website for something like 8 & schema & tombstone
would yield a document that walks you through this if you'd like to try it
in the lab.
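
Eric's 0x8 bit, and the Password and SIDhistory attributes Guido says to flag, as an added example for the lab rather than anything from the thread: it ORs the preserve-on-delete bit into searchFlags on each attribute's schema object, writing to the Schema Master. It assumes the ActiveDirectory PowerShell module (newer tooling than existed in 2004), Schema Admins membership, and reads "Password" as the password-hash attributes listed; adjust that list to what you actually need to keep. It is a forest-wide schema change, so rehearse it in a lab forest first.

```powershell
# Added example (not from the thread): set searchFlags bit 0x8
# (preserve on delete) so the attributes survive in the tombstone.
$PreserveOnDelete = 0x8

# Assumed attribute list: Guido's "Password" read as the password-hash
# attributes, plus sIDHistory by its lDAPDisplayName.
$attrs = 'sIDHistory', 'unicodePwd', 'dBCSPwd', 'ntPwdHistory',
         'lmPwdHistory', 'supplementalCredentials'

$schemaNC     = (Get-ADRootDSE).schemaNamingContext
# Schema writes must go to the Schema Master; resolve the FSMO holder
# rather than relying on whichever DC the module happened to pick.
$schemaMaster = (Get-ADForest).SchemaMaster

foreach ($name in $attrs) {
    $attr = Get-ADObject -Server $schemaMaster -SearchBase $schemaNC `
        -LDAPFilter "(&(objectClass=attributeSchema)(lDAPDisplayName=$name))" `
        -Properties searchFlags
    if (-not $attr) {
        Write-Warning "attribute $name not found in the schema"
        continue
    }

    $current = [int]$attr.searchFlags
    if ($current -band $PreserveOnDelete) {
        "{0}: searchFlags=0x{1:X} already preserves on delete" -f $name, $current
        continue
    }

    # OR the bit in so the other index/ANR/confidential flags are untouched.
    $new = $current -bor $PreserveOnDelete
    "{0}: searchFlags 0x{1:X} -> 0x{2:X}" -f $name, $current, $new
    Set-ADObject -Server $schemaMaster -Identity $attr.DistinguishedName `
        -Replace @{ searchFlags = $new }
}
```

Add -WhatIf to the Set-ADObject call to see the writes without making them. The change takes effect after the schema cache refreshes on each DC and only for objects deleted from then on; existing tombstones keep whatever they had at deletion time, and back-linked attributes such as memberOf cannot be preserved this way regardless of the flag.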


-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rachui, Scott
Sent: Tuesday, July 06, 2004 11:27 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Authoritative Restores

I seem to remember that I talked with Microsoft Support about this awhile
back, and they indicated there was a way to force deleted objects to retain
more attributes than those retained by default.  Of course, this could
result in a larger database since more data is retained.  It would probably
be something I'd want to test before implementing.

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Mulnick, Al
Sent: Tuesday, July 06, 2004 4:27 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Authoritative Restores


Last I checked, the reanimate ability doesn't retain enough information to
make this useful in all situations; if anyone can correct that information
I'd be obliged (for ref:
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/ad/ad/restoring_deleted_objects.asp?frame=true).
Fine for some situations and possibly the one that Simon originally
mentioned, but there are going to be many situations where that's not enough
and it would be faster/easier to have a DC that doesn't replicate as often or
that goes off-line on a regular basis.


There was a discussion about this a while back on this list.  Here's a link
to a similar thread and there's a link in there to Guido's doc at Aelita.

http://www.mail-archive.com/[EMAIL PROTECTED]/msg14517.html


Al Mulnick


-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Steve Patrick
Sent: Tuesday, July 06, 2004 3:54 PM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] Authoritative Restores

I may be a bit off here but wanted to comment.

1. You can do an Auth restore without a non-auth restore in Simon's
scenario.
2. If this is Win2k3 you could optionally re-animate the object from the
deleted items, and we retain the SID as well as a few other key (relative)
attributes (such as last parent).
3. I don't really see the value of the plan here, as if you KNOW you are
going to delete an object that you should not delete (since you had the
foresight to replicate and take a DC offline) then why bother with this? It
doesn't seem feasible to take this DC offline for every change operation in
your domain. Best practices should be a proper backup schedule IMHO

my  .02

-steve

----- Original Message -----
From: "Rachui, Scott" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, July 06, 2004 7:22 AM
Subject: RE: [ActiveDir] Authoritative Restores


> I'm re-sending what I sent out last night, because it looks like it
> wasn't noticed.  Here is the answer to your question:
>
> It's not possible to do an authoritative restore without first doing a
> non-authoritative restore.
>
> The process of an authoritative restore is simply marking a portion of
> the restored directory so that it's not overwritten by the backfill
> process. It does this by increasing the version of the objects that will
> be authoritatively restored.  If you don't first run a non-authoritative
> restore, there is nothing to mark authoritative.
>
> And, from your description, it sounds like you are planning to
> authoritatively restore the entire directory, thus catching the one user
> that was deleted.  Since you have to do an authoritative restore only
> after a non-authoritative restore, what you're suggesting will roll back
> the directory to the point of the last backup.
>
> If you want to back up your directory on a DC, and then bring it offline
> prior to deleting a single user account, that's fine.  But if that user
> account is to be restored, you'll have to run a non-authoritative restore
> first.  And if you select the entire directory of the offline DC to be
> authoritative, you'll not only be grabbing the account you want to
> restore, but you'll be rolling back the entire directory (and every
> change made in the directory) to the state of the last backup.
>
> This is why AD allows you to specify the OU or CN that you want to
> restore...so you don't un-do all of the other changes in the directory
> since the last backup.  Only the ones that you genuinely want to un-do.
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of 
> [EMAIL PROTECTED]
> Sent: Tuesday, July 06, 2004 7:44 AM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] Authoritative Restores
>
>
> This is how I would usually do it but I have a customer who wants to
> do the DC shutdown thing as an extra step. I'm just wondering how valid
> a technique this is? Think of it as an authoritative restore without
> ever doing a system state backup or non-authoritative restore.
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Depp, Dennis
M.
> Sent: 06 July 2004 13:16
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] Authoritative Restores
>
>
> Why do you need to shut down the dc first?  Instead do a backup of one
> of the DCs.  Delete the account.  When problems arise, do an
> authoritative restore.  Also, in this case an authoritative restore can
> be avoided by disabling the account instead of deleting it.
>
> Denny
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of 
> [EMAIL PROTECTED]
> Sent: Tuesday, July 06, 2004 7:49 AM
> To: [EMAIL PROTECTED]
> Subject: [ActiveDir] Authoritative Restores
>
> I'd appreciate some comments on this technique as a cheap and cheerful
> disaster recovery plan for making minor changes to AD, e.g. deleting
> user accounts.
>
> Make sure one DC is fully synchronised and then shut it down. Delete a
> user account on another DC, deletion replicates everywhere. Oh no! That
> user account was used as the service account for 300 SQL servers
> worldwide. Bring the powered-down DC up in DS Restore mode. Do an
> authoritative restore of the AD database (*without* first doing a
> non-authoritative restore). Server reboots to normal mode, deleted user
> account that still exists here is now marked as authoritative and
> replicates back to the other DCs (Yes?)
>
> I've never before considered doing an authoritative restore without
> doing a non-authoritative one beforehand so just want to check my logic
> on this.
>
> Cheers,
> Simon
> List info   : http://www.activedir.org/mail_list.htm
> List FAQ    : http://www.activedir.org/list_faq.htm
> List archive:
> http://www.mail-archive.com/activedir%40mail.activedir.org/
