Okay just a quick scenario.. If the deletion has been replicated (I'm fat, running to the nearest DC would be a pain :)

Would adrestore.exe do the job of restoring all these objects? Although as far as I know when an object is deleted and still within the tombstoned period, lots of attributes are not stored and cannot be retrieved back - but.. will it work?

Thank you and have a splendid day!

Kind Regards,

Freddy Hartono
Windows Administrator (ADSM/NT Security)
Spherion Technology Group, Singapore
For Agilent Technologies
E-mail: [EMAIL PROTECTED]

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brett Shirley
Sent: Friday, August 12, 2005 7:41 AM
To: [email protected]
Subject: RE: [ActiveDir] A bad bad thing...Manual push of AD?

Please don't forget to insert these steps:

2.5 reboot the DC back to normal mode
2.7 give a chance for the auth restore to replicate out (not necessary, just a good idea)

I'm so glad Guido wrote up the below, I had something 1/2 written up, but I couldn't remember any of the details ...

Cheers,
Brett

On Fri, 12 Aug 2005, Grillenmeier, Guido wrote:

> hopefully you have another Win2003 DC with SP1 => a non-SP1 2003 DC
> would require you to perform more manual steps during the restore. As
> you're still in mixed mode, none of your links are LVR (which means they
> won't be revived on a non-SP1 DC and of course not on a Win2000 DC)
>
> 1. so boot another SP1 DC into DS Restore mode
> 2. use ntdsutil.exe to auth restore that user's object
>    => with SP1, this step will create an LDIF file that will allow to
>    restore the groups etc.
>    it will be called
>    "ar_<date>-<time>_links_<fully.qualified.domain.name>.ldf"
>    (e.g. ar_20050725-145850_links_child1.root.net.ldf) and contain
>    something similar to this:
>
> dn: CN=Child1-UG1,OU=Groups,OU=MyChild1OU1,DC=child1,DC=root,DC=net
> changetype: modify
> delete: member
> member: CN=Root-User1,OU=Accounts,OU=MyRootOU1,OU=Externals,DC=root,DC=net
> -
>
> dn: CN=Child1-UG1,OU=Groups,OU=MyChild1OU1,DC=child1,DC=root,DC=net
> changetype: modify
> add: member
> member: CN=Root-User1,OU=Accounts,OU=MyRootOU1,OU=Externals,DC=root,DC=net
> -
>
> dn: CN=Child1-User2,OU=Accounts,OU=MyChild1OU1,DC=child1,DC=root,DC=net
> changetype: modify
> delete: manager
> manager: CN=Root-User1,OU=Accounts,OU=MyRootOU1,OU=Externals,DC=root,DC=net
> -
>
> dn: CN=Child1-User2,OU=Accounts,OU=MyChild1OU1,DC=child1,DC=root,DC=net
> changetype: modify
> add: manager
> manager: CN=Root-User1,OU=Accounts,OU=MyRootOU1,OU=Externals,DC=root,DC=net
> -
>
> If you have multiple domains, you may get more than one file (depends on
> group-memberships of user and if you are doing the auth restore on a DC
> or GC - you should choose a GC if you have more than one domain). All
> you need to do after reboot is take that file and execute an LDIF import
> command (on a DC that corresponds to the file's domain):
>
> Ldifde -i -k -f ar_<date>-<time>_links_<fully.qualified.domain.name>.ldf
> e.g. Ldifde -i -k -f ar_20050725-145850_links_child1.root.net.ldf
>
> /Guido
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Shadow Roldan
> Sent: Friday, 12 August 2005 01:35
> To: [email protected]
> Subject: RE: [ActiveDir] A bad bad thing...Manual push of AD?
>
> OK This is what I was looking for, this site didn't actually have a
> chance to repl out the delete so I just push back the 'good' state?
>
> So, if I understand I am supposed to:
>
> 1. reboot a good DC into DS Restore mode
> 2. use ntdsutil.exe to auth restore that user's object.
> 3. use ldifde to restore the links (not sure about this step...any more
>    info?)
>
> Bring my mistake DC back online, it tries to replicate, hits the Auth
> Restore, and the delete gets tossed, my mistake is rectified, and no one
> is the wiser...
>
> Yes?
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
> Sent: Thursday, August 11, 2005 2:56 PM
> To: [email protected]
> Subject: RE: [ActiveDir] A bad bad thing...Manual push of AD?
>
> I agree completely - that is the attraction of the lag sites - I have
> something in which I can push a change back out from a time delayed
> replica to where the object still exists.
>
> And I agree as well - if there is a DC that has the object required - by
> all means, repl it back out authoritatively.
>
> Rick
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brett Shirley
> Sent: Thursday, August 11, 2005 3:31 PM
> To: [email protected]
> Subject: RE: [ActiveDir] A bad bad thing...Manual push of AD?
>
> Hmmm, maybe I misunderstood ...
>
> I understood he has a user deleted on some DCs, but not on others. He
> doesn't want the user deleted. He can then just take a DC with the
> user, auth restore the user, let that replicate out. Yes, the delete
> change will try to replicate out, but when it hits the auth restore the
> delete operation will essentially be tossed.
>
> I mean this is the whole attraction to hot sites is it not? Am I missing
> something?
>
> Cheers,
> BrettSh
>
> On Thu, 11 Aug 2005, Rick Kingslan wrote:
>
> > Brett,
> >
> > How is this going to help him get the DC back online that he yanked
> > the cable on? As soon as that system is plugged back in, it's going
> > to repl out the change, no?
> >
> > Rick
> >
> > -----Original Message-----
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brett Shirley
> > Sent: Thursday, August 11, 2005 1:54 PM
> > To: [email protected]
> > Subject: Re: [ActiveDir] A bad bad thing...Manual push of AD?
> >
> > Well you're lucky that you yanked the network cable in time, now you
> > don't have to do a system state restore to get the user back ...
> >
> > Find a DC where the user still exists in a pristine condition, all the
> > mailbox details, etc. Reboot the DC in DS Restore mode (DSRM). Use
> > ntdsutil.exe to auth restore just that user's object.
> >
> > You may (probably will) also have to restore links to that user, at
> > this point it'd be nice if you were running on Win2k3 SP1, but if not
> > it is still accomplishable.
> >
> > For Win2k3 Sp1, after auth restoring the user, there should be some
> > ldf file(s) that will allow you to restore the links. Simply use ldifde,
> > to apply these files to the appropriate DCs (up to one ldf per domain).
> >
> > For pre this latest generation (which is more likely, because you
> > could yank the net cable in time), you may have to find the objects
> > that are linked to the user, and restore them yourself. You can do
> > this by performing an LDAP operation that deletes and re-sets the
> > links to that user.
> >
> > BTW, there is a more extensive KB article you might find useful:
> > http://support.microsoft.com/?kbid=840001
> >
> > Cheers,
> > BrettSh
> >
> > This posting is provided "AS IS" with no warranties, and confers no
> > rights.
> >
> > On Thu, 11 Aug 2005, Shadow Roldan wrote:
> >
> > > So I did a bad thing, I deleted a user at a different site and
> > > marked his mailbox for deletion
> > >
> > > Immediately recognizing my mistake I *ran* to the server room and
> > > yanked the network cable of the dc I was connected to.
> > >
> > > For now, none of the changes have replicated.
> > >
> > > I want to bring this machine back online, but I don't want those
> > > changes to go through
> > >
> > > How would you make this happen?
> > >
> > > Thanks guys
> > >
> > > S
> > >
> > > List info   : http://www.activedir.org/List.aspx
> > > List FAQ    : http://www.activedir.org/ListFAQ.aspx
> > > List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
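
A pre-import check for the `ar_*_links_*.ldf` file described in Guido's message, added here as an example (it is not code from the thread or from Microsoft): it parses the LDIF and confirms that every record is part of a delete-then-add pair re-setting a link to the restored object, before the file is handed to `ldifde -i`. The function names, the constructed sample and the simple case-insensitive DN comparison are assumptions of this example.

```python
import re

# Constructed sample, shaped like the ar_*_links_*.ldf excerpt quoted in the thread.
RESTORED_DN = "CN=Root-User1,OU=Accounts,OU=MyRootOU1,OU=Externals,DC=root,DC=net"
GROUP_DN = "CN=Child1-UG1,OU=Groups,OU=MyChild1OU1,DC=child1,DC=root,DC=net"
SAMPLE_LDF = "".join(
    f"dn: {GROUP_DN}\nchangetype: modify\n{op}: member\nmember: {RESTORED_DN}\n-\n\n"
    for op in ("delete", "add"))

def parse_records(text):
    """Split LDIF text into records, each a list of (key, value) pairs."""
    text = re.sub(r"\r?\n ", "", text)  # unfold RFC 2849 continuation lines
    for block in re.split(r"(?:\r?\n){2,}", text.strip()):
        yield [tuple(s.strip() for s in line.partition(":")[::2])
               for line in block.splitlines()
               if line.strip() not in ("", "-") and not line.startswith("#")]

def audit_link_file(text, restored_dn, link_attrs=("member", "manager")):
    """Return findings; an empty list means the file only deletes and then
    re-adds link values that point at restored_dn."""
    findings, pending = [], {}
    for fields in parse_records(text):
        if len(fields) != 4:
            findings.append(f"unexpected record shape: {fields[:1]}")
            continue
        (k0, dn), (k1, ctype), (op, attr), (attr2, value) = fields
        key = (dn.lower(), attr.lower(), value.lower())
        if ((k0.lower(), k1.lower(), ctype.lower()) != ("dn", "changetype", "modify")
                or op.lower() not in ("delete", "add") or attr2.lower() != attr.lower()):
            findings.append(f"{dn}: not a single delete/add modify operation")
        elif attr.lower() not in link_attrs:
            findings.append(f"{dn}: touches unexpected attribute {attr}")
        elif value.lower() != restored_dn.lower():  # simple case-insensitive DN compare
            findings.append(f"{dn}: {attr} points at {value}, not the restored object")
        elif op.lower() == "delete":
            pending[key] = pending.get(key, 0) + 1
        elif pending.get(key, 0) > 0:
            pending[key] -= 1  # this add re-sets a link deleted earlier in the file
        else:
            findings.append(f"{dn}: add of {attr} without a preceding delete")
    findings += [f"{k[0]}: delete of {k[1]} never re-added"
                 for k, n in pending.items() if n]
    return findings

if __name__ == "__main__":
    print(audit_link_file(SAMPLE_LDF, RESTORED_DN) or "only delete/add link pairs found")
```
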
