Restore Deleted Items

The Native Solution
If this has happened to you, here’s a glimpse of the process you’re forced to undertake:
• Step 1: Locate a Domain Controller that is also a Global Catalog (GC) and disconnect
this server from the network, so that replication from the other DCs cannot undo the
restored data before the authoritative restore in Step 4 has marked it as the winner.
• Step 2: Reboot the server into Directory Services Restore Mode (DSRM) and log in using that
server’s DSRM password (a local account on that DC, set when it was promoted). On
Windows Server 2003 this is done by repeatedly pressing the F8 key during the boot
cycle to bring up the boot menu and choosing Directory Services Restore Mode. F8 still
works on Windows Server 2008, but you can also arm the next boot ahead of time: run the
MSCONFIG utility before rebooting, navigate to the Boot tab and under Boot options
choose Safe boot | Active Directory repair.
• Step 3: Restore the AD database (a System State restore) to the Domain Controller from a
backup taken before the deletion event. This non-authoritative restore does not by itself
bring the deleted objects back: the DC now holds the old copies, but the deletion is
newer than the backup, so replication would remove them again the moment the DC was
reconnected. It only makes the old objects available to be selectively (authoritatively)
restored in the next step.
• Step 4: Perform an authoritative restore of the object or objects that have been
deleted. Launch NTDSUTIL, enter authoritative restore, and restore the specific object
or container with restore subtree <objectDN>, where <objectDN> is the distinguished name
(DN) of the object or container that was deleted (restore object <objectDN> restores a
single object without its children). On Windows Server 2008 you must first run activate
instance ntds. The authoritative restore raises the version numbers of the restored
objects so that they win over the deletion when replication resumes.
• Step 5: Reconnect the Domain Controller to the network and reboot it back into
normal mode. Verify that the restored object or objects replicate to all Domain
Controllers in the domain; repadmin /showobjmeta <DC> <objectDN> shows the raised
version numbers as they arrive on each DC.
• Step 6: The authoritative restore in Step 4 also writes a set of .LDF files to the
directory NTDSUTIL was run from. These files contain the “back‐link” information needed
to restore the group memberships of the restored objects (the member attribute lives on
the group, not on the user, so restoring the user alone does not recover it). After the
restored objects have replicated, import those back‐links for each file with the command
ldifde –i –k –f <ldfFile>. The file names resemble ar_<date>-<time>_links_<domainName>.ldf,
and a matching ar_<date>-<time>_objects.txt lists the restored objects; it is the input
for generating link files for groups that live in other domains of the forest.
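
The following is an added example, not text or code from the Quest paper: Steps 2 to 6 as
they would be typed on the isolated Domain Controller. It assumes Windows Server 2008 with
Windows Server Backup (wbadmin), a deleted container OU=Sales,DC=corp,DC=example, a second DC
named DC2.corp.example and a backup version identifier of 02/10/2009-21:00; all of these are
placeholders, and the real version identifiers come from wbadmin get versions.

```powershell
# Added example, not from the Quest paper: Steps 2-6 as typed on the isolated DC.
# Assumptions: Windows Server 2008 with Windows Server Backup (wbadmin), the deleted
# container OU=Sales,DC=corp,DC=example, a peer DC named DC2.corp.example and the
# backup version id 02/10/2009-21:00 (list real ones with "wbadmin get versions").
# Each reboot is a break in the script: run the lines for the next step by hand
# after the previous reboot has completed.

# --- Step 2: arm the next boot for DSRM instead of pressing F8 --------------------
bcdedit /set safeboot dsrepair        # same effect as MSCONFIG > Boot > Active Directory repair
shutdown /r /t 0                      # log on afterwards with the DSRM password

# --- Step 3: non-authoritative System State restore (still in DSRM) ---------------
wbadmin get versions                  # pick the last backup taken before the deletion
wbadmin start systemstaterecovery -version:02/10/2009-21:00 -quiet

# --- Step 4: authoritative restore of the deleted subtree (still in DSRM) --------
# ntdsutil accepts its menu commands as arguments, so this runs without prompts.
# "activate instance ntds" is required on Windows Server 2008 (omit it on 2003).
# If the DN contains spaces, enter ntdsutil interactively and quote the DN there.
ntdsutil "activate instance ntds" "authoritative restore" `
         "restore subtree OU=Sales,DC=corp,DC=example" quit quit
# ntdsutil reports the files it writes: ar_<date>-<time>_links_<domain>.ldf (Step 6)
# and ar_<date>-<time>_objects.txt, in the current directory.

# --- Step 5: clear the DSRM flag, reconnect the network cable, reboot normally ---
bcdedit /deletevalue safeboot
shutdown /r /t 0
# After the reboot, confirm the raised version numbers have reached the other DC:
repadmin /showobjmeta DC2.corp.example OU=Sales,DC=corp,DC=example

# --- Step 6: re-import group memberships (normal mode, after replication) --------
# Run from the directory ntdsutil ran in during Step 4, where the .ldf files are.
Get-ChildItem -Filter 'ar_*_links_*.ldf' | ForEach-Object {
    ldifde -i -k -f $_.FullName       # -k: ignore "already exists" / constraint errors
}
```

The ldifde import in Step 6 must wait until the restored objects exist on the DC it is run
against, otherwise the member additions fail because the user DNs do not yet resolve; the
-k switch only suppresses errors for members that are already present.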

This process appears relatively trivial until you notice one piece of missing information. To
restore a deleted object in Step 4, you must know its DN, and to know its DN you must first
know which objects were deleted. Nothing records that at deletion time, so you have to work
it out afterwards from the tombstones left behind. If an entire OU was deleted, restoring the
OU subtree brings its children back with it, but if the deleted objects are scattered across
the directory you need the DN of each one and must restore them individually. For a large
swath of deleted objects, this process can be complex to the point of absurdity.
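
The missing DNs can usually be recovered from the tombstones on a live DC before Step 1
begins. The following is an added example, not code from the Quest paper: it lists the
original DN of every object deleted in a given window, using the ActiveDirectory PowerShell
module (Windows Server 2008 R2 or RSAT). The 24-hour window is an assumption.

```powershell
# Added example, not from the Quest paper: recover the original DNs of recently
# deleted objects from their tombstones, on a live DC, before starting Step 1.
# Requires the ActiveDirectory module (Windows Server 2008 R2 or RSAT); the
# 24-hour default window is an assumption.
Import-Module ActiveDirectory

function Get-RecentlyDeletedDN {
    param([datetime]$Since = (Get-Date).AddHours(-24))

    # Tombstones are direct children of the domain's Deleted Objects container,
    # so a one-level search under it returns them without the container itself.
    $container = (Get-ADDomain).DeletedObjectsContainer

    Get-ADObject -Filter { isDeleted -eq $true -and whenChanged -ge $Since } `
                 -IncludeDeletedObjects -SearchBase $container -SearchScope OneLevel `
                 -Properties lastKnownParent, whenChanged, objectClass |
      ForEach-Object {
        # A tombstone's name is "<original RDN><LF>DEL:<objectGUID>" (shown as
        # "\0ADEL:" in LDAP DNs), and lastKnownParent keeps the original container,
        # so the original DN is the text before the line feed plus that parent.
        $rdn    = ($_.Name -split "`n")[0]
        $rdnTag = if ($_.objectClass -eq 'organizationalUnit') { 'OU' } else { 'CN' }
        [pscustomobject]@{
            OriginalDN  = "$rdnTag=$rdn,$($_.lastKnownParent)"
            ObjectClass = $_.objectClass
            DeletedOn   = $_.whenChanged
            Tombstone   = $_.DistinguishedName
        }
      }
}

# Objects deleted as part of a deleted OU normally carry that OU's original DN in
# lastKnownParent, so sorting groups them under it; one "restore subtree" on the
# OU's DN in Step 4 then brings the whole set back.
Get-RecentlyDeletedDN | Sort-Object OriginalDN | Format-Table -AutoSize
```

Tombstones are only kept for the tombstone lifetime (60 or 180 days by default, depending
on the operating system the forest was created with), so this query has to run within that
window. On Windows Server 2003 or 2008 without the module, the same search is done in
ldp.exe with the “Return deleted objects” control (OID 1.2.840.113556.1.4.417) or with
Sysinternals AdRestore, which also enumerates tombstones.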

This text is the property of www.quest.com (c) 2009

Bibliography
1. Tackling Active Directory’s Four Biggest Challenges
Unless otherwise stated, the content of this page is licensed under Creative Commons Attribution-ShareAlike 3.0 License