Recovering deleted items in active directory
Active Directory (AD) is one of the most essential administrative tools released by Microsoft. It is a hierarchical database that holds information about network objects such as users, servers, groups and clients. Tasks such as creating, moving, editing, managing and deleting a variety of objects are performed through Active Directory.
Deleting an item in Active Directory:
An item is not erased immediately when it is deleted in Active Directory. Because a deletion has to reach every domain controller, AD relies on its built-in replication model to handle the sensitivity of an object deletion. The mechanism that marks an object as scheduled for deletion is known as a tombstone: the object's 'isDeleted' attribute is set to 'True' to indicate its deleted status, but the object itself is not yet erased from the directory. The AD service moves all tombstone objects into the Deleted Objects container, from which the garbage collection process later removes them automatically. By default the garbage collection process runs every twelve hours. The tombstone lifetime was 60 days in Windows Server 2000 and Windows Server 2003 AD; it was later increased to 180 days in Windows Server 2003 Service Pack 1/SP2 and Windows Server 2008 Active Directory.
Restoring Deleted Items:
When an object is changed into the tombstone state, its linked attributes are removed as well, so they have to be restored separately when the object is restored. The process of recovering an object from the tombstone state is known as reanimation. Reanimation is performed either through the built-in features of Active Directory or through freeware applications.
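The following is an added example, not part of the original article, showing the tombstone lifecycle described above with the ActiveDirectory PowerShell module (which the article does not name): reading the forest's tombstone lifetime and garbage collection interval, browsing the tombstones in the Deleted Objects container, previewing the attributes a tombstone still carries, reanimating one object, and then re-adding the linked attribute (group membership) that the tombstone dropped. It assumes an RSAT session with rights on the Deleted Objects container and that Restore-ADObject can reanimate a plain tombstone (only the attributes preserved in the tombstone come back). The domain DC=example,DC=com, the user 'jdoe' and the group 'Finance' are constructed placeholders.

```powershell
# Added example (not the article's own code). Assumes the ActiveDirectory
# module and permissions on the Deleted Objects container.
# 'DC=example,DC=com', 'jdoe' and 'Finance' are constructed placeholders.
Import-Module ActiveDirectory

# 1. Read the tombstone lifetime and garbage-collection interval. Both are
#    stored on the Directory Service object in the configuration partition.
$rootDse = Get-ADRootDSE
$dsDn    = "CN=Directory Service,CN=Windows NT,CN=Services,$($rootDse.configurationNamingContext)"
$ds      = Get-ADObject -Identity $dsDn -Properties tombstoneLifetime, garbageCollPeriod
# tombstoneLifetime is in days; when the attribute is absent the forest uses
# the old 60-day default. garbageCollPeriod is in hours (default 12).
$lifetime = if ($ds.tombstoneLifetime) { $ds.tombstoneLifetime } else { 60 }
$gcPeriod = if ($ds.garbageCollPeriod) { $ds.garbageCollPeriod } else { 12 }
"Tombstone lifetime: $lifetime days; garbage collection every $gcPeriod hours"

# 2. Browse the tombstones. -IncludeDeletedObjects sends the LDAP
#    'Show Deleted Objects' control; the container itself is filtered out.
$tombstones = Get-ADObject -Filter 'isDeleted -eq $true -and name -ne "Deleted Objects"' `
    -IncludeDeletedObjects `
    -Properties isDeleted, lastKnownParent, sAMAccountName, objectSid, whenChanged

# 3. Preview what each tombstone still carries. Only a small attribute set
#    survives the move to tombstone state; linked attributes such as memberOf
#    are gone, which is why step 5 is needed after the restore.
$tombstones |
    Select-Object Name, ObjectClass, sAMAccountName, lastKnownParent, whenChanged |
    Format-Table -AutoSize

# 4. Reanimate one user by objectGUID. Restore-ADObject clears isDeleted and
#    moves the object back under lastKnownParent (use -TargetPath to override).
$victim = $tombstones |
    Where-Object { $_.sAMAccountName -eq 'jdoe' } |
    Select-Object -First 1

if ($victim) {
    Restore-ADObject -Identity $victim.ObjectGUID -Confirm:$false

    # 5. Re-create the linked attributes from your own records. The group list
    #    here is a constructed placeholder; in practice it comes from change
    #    control, a previous export, or a backup.
    $expectedGroups = @('CN=Finance,OU=Groups,DC=example,DC=com')
    $restored = Get-ADUser -Identity $victim.ObjectGUID -Properties MemberOf
    foreach ($groupDn in $expectedGroups) {
        if ($restored.MemberOf -notcontains $groupDn) {
            Add-ADGroupMember -Identity $groupDn -Members $restored
        }
    }

    # Re-read the object so the report reflects the memberships just added.
    $restored = Get-ADUser -Identity $victim.ObjectGUID -Properties MemberOf
    "Restored $($restored.DistinguishedName); member of: $($restored.MemberOf -join ', ')"
}
else {
    "No tombstone found for 'jdoe' (it may already have been garbage collected)"
}
```

Step 3 is the point to pause on: the attribute preview is what tells you whether reanimation will give back a usable object or only a shell, and step 5 is the part that no tool can do for you, because the group links were stripped when the tombstone was created and exist nowhere in the directory afterwards.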
Restoration with ADRestore.net (freeware):
ADRestore is a widely used GUI freeware for restoring deleted Active Directory objects. It includes the following features:
- Domain Controller targeting
- Browsing tombstone objects
- Preview of tombstone attributes
Restoration with Quest Software:
Quest is another widely used third-party application for reanimating deleted objects in Active Directory. Its main feature is recovery of accidentally removed objects without rebooting a domain controller. It also allows viewing objects in the tombstone state and reanimating them using Microsoft's new reanimation interface for Windows Server 2003 and Windows Server 2008. Quest is free for the first 6 months and requires registration after that period.
Restoration with Microsoft ADRestore:
Microsoft has renamed Sysinternals to Microsoft ADRestore, which is a freeware application. One of its main features is selective restoration of tombstone objects. Microsoft ADRestore also offers a command-line interface, which gives administrators an efficient way to restore objects in Active Directory.
Restoration with LDP.EXE:
LDP.EXE is a program built into Microsoft Active Directory and is used to restore deleted objects manually. It mixes a graphical user interface with command-line style work, since several parameters have to be updated in different attributes. Using LDP.EXE is a complex and time-consuming procedure, so system administrators prefer to restore objects with simpler graphical applications and freeware.
Recovering from a backup:
A backup of the database is used when the tombstone lifetime has lapsed and the garbage collection process has permanently removed the object. The domain controllers need to be shut down in order to perform the backup and restore the deleted objects with the NTBACKUP program. Reanimation is therefore preferred, as it avoids downtime of the domain controllers and Active Directory.