To be clear, they don't "mimic" tombstone reanimation, they probably leverage 
it.
 
Tombstone reanimation should probably be thought of as a powerful API 
applications can leverage, not a solution itself. Through tombstone reanimation 
one can bring an object back to life with properties that could not otherwise 
be restored (SID, GUID) such that you can repopulate other attributes as you 
see fit.
 
This is not to say repopulation is trivial.....think about linked values in 
other NCs in the forest.....but it is doable.
The approach some apps might take (I'm speculating, I have not written one) is 
to sync out of the forest data the user wishes to be able to restore, then upon 
deletion they can use tombstone reanimation then recreate the lost data.
 
ldifde can do *most* of what you want, so long as you wrap it up right. Some of 
the caveats that come to mind:
1) One may need to touch many naming contexts so as to properly restore the 
object to the original state
2) Secret data need be considered, if it is lost
3) sIDHistory need be added through a method other than ldif (DsAddSidHistory)
 
But think through what needs to be done....if you delete user1 then restore 
that user, you don't want to just restore that user....you also want to "touch" 
the forward links which point to that user and recreate them too. That implies 
your ldif export can't be used as is but rather you need to parse out the 
appropriate forward links and recreate them, not the objects which they are 
attached to.
 
My $0.02, just some offhanded thoughts.
~Eric
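Eric's point about parsing the forward links back out of the export rather than replaying it whole, shown as an added example that is not code from this thread: it reads a constructed ldifde-style dump, finds every member/manager/managedBy value that points at the reanimated user's DN, and writes LDIF modify entries that re-add only those links, leaving the groups themselves alone. The sample entries, the attribute list, and the assumption that the object was reanimated back to its original DN are mine.

```python
import base64
import re

# Constructed ldifde-style export (not a real directory); it has a folded
# line (leading space) and a base64 value ("::"), both of which ldifde emits.
SAMPLE_LDIF = """\
dn: CN=Domain Admins,CN=Users,DC=example,DC=com
member: CN=User1,OU=Staff,DC=example,DC=com
member: CN=User2,OU=Staff,DC=example,DC=com

dn: CN=Backup Operators,CN=Builtin,DC=example,DC=com
member: CN=User1,OU=Staff,
 DC=example,DC=com

dn: CN=Mgr,OU=Staff,DC=example,DC=com
manager:: Q049VXNlcjEsT1U9U3RhZmYsREM9ZXhhbXBsZSxEQz1jb20=
"""
# Forward links whose back links (memberOf, directReports, managedObjects)
# the DC recomputes; these must be re-added after the user is reanimated.
FORWARD_LINKS = ("member", "manager", "managedby")

def parse_ldif(text):
    """Return [(dn, [(attr, value), ...])]; unfolds lines, decodes base64."""
    records = []
    for block in re.split(r"\n\s*\n", re.sub(r"\n ", "", text).strip()):
        pairs = []
        for line in block.splitlines():
            name, _, rest = line.partition(":")
            pairs.append((name, base64.b64decode(rest[1:].strip()).decode("utf-8")
                          if rest.startswith(":") else rest.strip()))
        records.append((pairs[0][1], pairs[1:]))    # first line of a block is dn:
    return records

def find_forward_links(records, target_dn):
    """Map holder DN -> [(attr, value)] for every link pointing at target_dn."""
    links = {}
    for dn, attrs in records:
        for name, value in attrs:
            if name.lower() in FORWARD_LINKS and value.lower() == target_dn.lower():
                links.setdefault(dn, []).append((name, value))
    return links

def relink_ldif(records, target_dn):
    """LDIF 'modify' entries that re-add only the links, not the holder objects."""
    chunks = []
    for holder, pairs in find_forward_links(records, target_dn).items():
        body = "".join(f"add: {a}\n{a}: {v}\n-\n" for a, v in pairs)
        chunks.append(f"dn: {holder}\nchangetype: modify\n{body}")
    return "\n".join(chunks)
```

The output is what you would hand to ldifde -i after the reanimation; sIDHistory and any secret data still need the separate handling listed above.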
 
 

________________________________

From: [EMAIL PROTECTED] on behalf of Bryan Zink
Sent: Fri 12/3/2004 2:44 PM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] Restore AD



I've seen third party "recovery" consoles that mimic tombstone reanimation.
They do this by maintaining a recent copy of all the attributes of all
user/group objects. As far as specific products, why not try something
simple like making an LDIFDE or CSVDE dump of your user and group objects
part of a nightly system state backup?  The biggest issue with recovering
SIDs is making sure your tombstone lifetime is sufficiently long enough to
cover a deletion that occurred "a long time ago".

----- Original Message -----
From: "Shawn Hayes" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, December 03, 2004 2:01 PM
Subject: [ActiveDir] Restore AD


Why is it that MS hasn't added a deleted Security Principal retention for AD
much like Exchange Server's deleted mailbox retention?  Wouldn't that
greatly simplify recovering from small mishaps?  I am not talking about the
tombstone feature with Windows 2003 AD where you still have to manually
recover Group Membership when recovering an account, but something actually
intelligent and useful that would restore Group Membership when restoring
accounts.  Shit, recover a Group from Deleted Security Principal retention
and have it add the back links to the memberof attribute of the users that
were members of the Group before the Group was deleted.  Recover an OU and
it restores Security Principals and Members and Memberof attributes of all
Security Principals within the OU.  Anybody heard of something like this
coming down the pike?

Shawn Hayes
MCSE (2003, 2000, NT) Messaging
Systems Engineer
City of Virginia Beach
(757) 219-2057
List info   : http://www.activedir.org/mail_list.htm
List FAQ    : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

