Understanding the Windows Server 2008 R2 Active Directory Recycle Bin, Undeletion and Reanimation
Presented by Mark Minasi, help@minasi.com, www.minasi.com
SESSION CODE: SIA306


Page 1: Presented by Mark Minasi help@minasi.com  SESSION CODE: SIA306

Night of the Living Directory: Understanding the Windows Server 2008 R2 Active Directory Recycle Bin, Undeletion and Reanimation
Presented by Mark Minasi, help@minasi.com

SESSION CODE: SIA306

Page 2:

Who's The Guy Presenting?
• Working with computers since 1972
• Written 32 books on OS/2, PC repair, Windows 3.1/95/98 troubleshooting, Windows NT 3.1 through Windows Server 2008 R2 setup, support and troubleshooting; several million copies sold
• Columnist for Windows IT Pro Magazine, BYTE, Compute!, AI Expert, OS/2 Professional; over a thousand articles
• Speak at many Windows conferences
• Consult and teach about Windows
• Directory Services MVP

Page 3:

Agenda
• What the AD Recycle Bin (ADRB) can do, and what you need to use it
• "Where The Dead Things Are:" life after deletion
• Seeing deleted objects with LDP, PowerShell and adrestore
• Pre-R2 FFL: reanimation with LDP and adrestore
• How AD Recycle Bin (ADRB) works
• Enabling ADRB
• Undeleting with LDP, adrestore and PowerShell
• A GUI for ADRB
• Recursive undeletes: undeleting OUs (and OUs inside OUs…)

Page 4:

What's the Deal? Who Cares About the AD Recycle Bin (ADRB)?
• So we've deleted a user, a couple of users, or perhaps a whole OU full of users
• We need to undelete them
• There has always been the "standard" way:
  • Reboot the DC in DSRM
  • Restore the AD
  • Use NTDSUTIL to mark items as "authoritatively restored"
  • Reboot the DC in normal mode

Page 5:

Problems With the Traditional Approach
• That works fine, except for the "take the DC offline" part
  • It can take a significant amount of time to reboot a DC in large organizations, and heck, there may be paperwork!
  • Why reboot any machine if it can be avoided?
  • Access to backups may be a dicey matter
• So some sort of online AD object restore would be very attractive to many
• As AD has matured, MS has slowly built in better and better support for online restores, so let's talk about it

Page 6:

Deletion, Through the Years
• In Windows 2000, the death of an object was very nearly a final thing; undeletion was complicated, and offered no help in re-joining groups
• Things got better in 2003, with "tombstone reanimation" support, which partially undeleted accounts but left most attributes and group memberships gone, gone, gone
• With 2008 R2, you can undelete a deleted item, but it requires 2008 R2 FFL
• So, again: pre-R2 FFL, we reanimate; post-R2 FFL, we can undelete

Page 7:

Where The Dead Things Are
Deletion, Pre-AD Recycle Bin

Page 8:

Deleted Stuff "Goes to Limbo"
• You're used to seeing some set of folders in Active Directory Users and Computers
• But you probably know that if you click View / Advanced Features, you see more
• Well, there's even more that you still can't see, including an important folder named "Deleted Objects"
• So let's look at what your AD contains, versus what it shows you

Page 9:

What ADUC Shows You (tree diagram: containers under DC=Bigfirm,DC=Com)
• CN=Builtin,DC=Bigfirm,DC=Com
• CN=Computers,DC=Bigfirm,DC=Com
• OU=Domain Controllers,DC=Bigfirm,DC=Com
• CN=Foreign Security Principals,DC=Bigfirm,DC=Com
• CN=Managed Service Accounts,DC=Bigfirm,DC=Com
• CN=Users,DC=Bigfirm,DC=Com, containing CN=Mark,CN=Users,DC=Bigfirm,DC=Com

Page 10:

ADUC with View / Advanced Features, ADSIEDIT or LDP (tree diagram; the containers marked "new stuff" on the slide are LostAndFound, Program Data and System)
• CN=Builtin,DC=Bigfirm,DC=Com
• CN=Computers,DC=Bigfirm,DC=Com
• OU=Domain Controllers,DC=Bigfirm,DC=Com
• CN=Foreign Security Principals,DC=Bigfirm,DC=Com
• CN=LostAndFound,DC=Bigfirm,DC=Com
• CN=Managed Service Accounts,DC=Bigfirm,DC=Com
• CN=Program Data,DC=Bigfirm,DC=Com
• CN=System,DC=Bigfirm,DC=Com
• CN=Users,DC=Bigfirm,DC=Com, containing CN=Mark,CN=Users,DC=Bigfirm,DC=Com

Page 11:

What LDP (an admin tool we'll meet soon) shows, when equipped with the right "LDAP Control" (tree diagram; one more container appears)
• CN=Builtin,DC=Bigfirm,DC=Com
• CN=Computers,DC=Bigfirm,DC=Com
• OU=Domain Controllers,DC=Bigfirm,DC=Com
• CN=Foreign Security Principals,DC=Bigfirm,DC=Com
• CN=LostAndFound,DC=Bigfirm,DC=Com
• CN=Managed Service Accounts,DC=Bigfirm,DC=Com
• CN=Program Data,DC=Bigfirm,DC=Com
• CN=System,DC=Bigfirm,DC=Com
• CN=Users,DC=Bigfirm,DC=Com, containing CN=Mark,CN=Users,DC=Bigfirm,DC=Com
• CN=Deleted Objects,DC=Bigfirm,DC=Com

Page 12:

When We Delete Objects, AD…
• Creates and sets a new attribute, isDeleted, to TRUE
• Removes attributes (as directed by the schema, and yes, that could be changed); keeps objectClass, objectGUID, objectSID, sAMAccountName (and others), but almost everything else (names, attribs) is gone
• Changes the distinguished name (DN) from something like cn=mark,cn=users,dc=bigfirm,dc=com to a longer "mangled" name containing the objectGUID (example coming)
• Moves the AD object to a container called "Deleted Objects"
• Calls the object a "tombstone"
• For example:

Page 13:

(Tree diagram: the same containers as on Page 11, with CN=Mark,CN=Users,DC=Bigfirm,DC=Com highlighted)

Now, suppose someone wants to delete Mark…

Let's say that Mark has an objectGUID value of 6e2971d91 (and yes, that GUID is way too small, but it's just an example)

Page 14:

After deletion…

(Tree diagram: the same containers, but Mark is no longer under CN=Users; he now sits inside CN=Deleted Objects,DC=Bigfirm,DC=Com)

New place, new name! CN=Mark\0ADEL:6e2971d91,CN=Deleted Objects,DC=Bigfirm,DC=Com

Page 15:

When You're Gone, No One Remembers Your (Real) Name
• An account with a DN of cn=mark,cn=users,dc=bigfirm,dc=com and an objectGUID of be0fc7f6-a308-47a2-824a-99d9120774c8 would become
  cn=mark\0ADEL:be0fc7f6-a308-47a2-824a-99d9120774c8,cn=Deleted Objects,dc=bigfirm,dc=com
• (More specifically, it's built as: the RDN (the attribute named "name" in AD), then "\0ADEL:", then the objectGUID, then ",cn=Deleted Objects," and then the domain name)

Page 16:

Viewing Deleted Objects

Page 17:

Seeing Your AD's Deleted Objects
Three tools:
• ldp.exe (in Support Tools for 2003 R2 and earlier, and in the box for Server 2008 and 2008 R2)
• AD PowerShell cmdlets (in the box for 2008 R2, but can be retrofitted to any DC with at least 2003 SP2; see my Newsletter #86 at my site www.minasi.com for the step-by-steps; requires no new DCs but does require at least one Windows 7 workstation)
• Sysinternals' adrestore.exe

Page 18:

Using LDP to See Deleted Objects
• Start LDP.exe
• It starts out with a very simple interface and, in truth, doesn't always refresh correctly, so don't be shy about double-clicking some object in the left-hand pane to get it to refresh

Page 19:

LDP Initial Window

Next, click Connection / Connect, which lets you tell LDP which server you'd like to connect to. You can punch in a DC name, but just clicking "OK" will do the job.

Page 20:

LDP After Connection
You're now connected to a particular DC, but you aren't really logged into the directory service yet, even if you're logged on as an enterprise admin. To "log onto the DS," you "bind" to the DS by clicking Connection / Bind and then probably just clicking OK. If, however, you need to proffer different credentials, choose the "Bind with credentials" option, fill in the creds and click OK.

Page 21:

You're Bound…
The right-hand pane may show:

    0 = ldap_set_option(ld, LDAP_OPT_ENCRYPT, 1)
    res = ldap_bind_s(ld, NULL, &NtAuthIdentity, NEGOTIATE (1158)); // v.3
    {NtAuthIdentity: User='NULL'; Pwd=<unavailable>; domain = 'NULL'}
    Authenticated as: 'BIGFIRM\Administrator'.

But that's what good news looks like, believe it or not; it basically says, "we're happy with how he/she's already logged on."
Next, click Options / Controls

Page 22:

Removing the Veil
We're about to ask LDP to show us my domain bigfirm.com, but by default LDP spares us the macabre view of The Dead Things. We are, however, made of tougher stuff than that, so we'll tell it that we can handle the truth: click the drop-down labeled "Load Predefined" and choose "Return deleted objects," as you see in the lower right-hand part of the dialog at left. Then click "OK" to return to LDP. Just be sure that the "Active Controls" field contains 1.2.840.113556.1.4.417.

Page 23:

Now Let's Look at BIGFIRM
• From LDP, click View / Tree
• Fill in your domain's LDAP name, as seen here, and click OK
• In the left-hand pane, the domain appears with a plus next to it; click to open

Page 24:

LDP Domain View
Click on "Deleted Objects," and, well, nothing happens. There's another LDP quirk: any time you want to examine something in the left-hand pane, double-click it and it'll appear in the right-hand pane. If I do that and then double-click a deleted user "mark," it looks like this:

Page 25:

Deletion, Up Close

Page 26:

We Could Undelete, But Not Yet…
• We could "undelete" the account from LDP even with Server 2003, and I'll show you how in a moment
• But let's leave that for a moment and see how to view deleted objects in a different way, using the R2 PowerShell AD cmdlets
• Start up PowerShell on an equipped system from an elevated command prompt with two commands: powershell and import-module activedirectory

Page 27:

PowerShell Startup

Page 28:

Seeing Deleted Objects in PoSH
• The basic PowerShell command to see deleted stuff looks like
  get-adobject -filter * -includedeletedobjects
• And you can shorten it to
  get-adobject -f * -inc
• But that will show you every item in the whole AD, deleted or not; this shows just the deleted stuff:
  get-adobject -inc -filter {isDeleted -eq $true}
• If there are no items that match the search, you'll get an error message

Page 29:

Seeing Deleted Objects in PoSH
• Another way to see just the deletes:
  get-adobject -inc -f * -searchbase "cn=Deleted Objects,dc=bigfirm,dc=com"
• Or use just the -filter option and match the samaccountname (which is, recall, one of the few things not wiped out by the deletion):
  get-adobject -f {samaccountname -eq "mark"} -inc
• Yet another:
  get-adobject -inc -f {name -like "*DEL:*"}
• And another:
  get-adobject -inc -f {isDeleted -eq $true}
• (You probably would not want to see all of the dead things in a real domain)

Page 30:

get-adobject -inc Example

Page 31:

The Third Way
• The Sysinternals guys have a nice command-line tool called "adrestore.exe"
• I'll show it to you later, but wanted to mention it now before moving to the next topic
• In pre-ADRB worlds, it's great for simple reanimations, as we'll see

Page 32:

Tombstone Timeout
How long before it's gone forever?

Page 33:

And Once Tombstoned…
• AD doesn't physically delete the tombstone immediately; in fact, Wally's tombstone stays around for six months to a year before AD scrubs it out of the database
• That's because AD can't safely delete Wally's record until every DC knows that Wally's gone, that is, until every DC contains a tombstone for Wally
• Reason: once DC1 gets a tombstone for Wally, it knows that Wally is no longer around, and blocks various conditions which might cause Wally to re-appear because DC6 (which doesn't know that Wally's gone) tries to send out Wally-relevant updates to DC1

Page 34:

Eventually, AD Deletes Tombstones
• In the perfect world, AD would physically delete Wally's tombstone as soon as every DC knows that every other DC has a Wally tombstone
• But in a practical sense, that's not easy to do, as not every DC is running and connected to other DCs at every moment
• So Microsoft's compromise was to cause AD to delete a tombstone after it has existed for some fixed period of time
• That was 60 days on 2000 and 2003 RTM-based ADs, 180 days thereafter

Page 35:

Seeing Your Tombstone Period
• From a PowerShell prompt, type
  (get-adobject "cn=Directory Service,cn=Windows NT,cn=Services,cn=Configuration,dc=bigfirm,dc=com" -properties "tombstonelifetime").tombstonelifetime
• The value returned is (surprisingly) in days

Page 36:

The Final Delete: Garbage Collection
• Once a given DC notices that its local copy of the AD database contains one or more tombstones that are expired, it's safe to physically delete them
• AD checks for and deletes expired tombstones twice a day during its "garbage collection" period
• So be careful when you reboot your DCs, as you don't want them doing garbage collection first thing in the morning while everyone's trying to log on!

Page 37:

Reanimating Tombstones

bringin' them back to life… both before and after ADRB

Page 38:

Getting Deleted Objects Back
• You can't undelete things right out of the box with 2008 R2, as you'll see soon; it's not even possible until you're at 2008 R2 forest functional level
• So let's talk for a moment about restoring deleted objects before the AD Recycle Bin (ADRB) is functional
• Uses a 2003 feature called "tombstone reanimation"
• (And the main value is that we'll use the same procedures to undelete when ADRB gets enabled!)

Page 39:

Tombstone Reanimation Overview
• Just restores the account; almost everything else (group memberships, office info, names, etc.) must be repopulated
• Not fun at all, but it's the only online recovery option even with 08 R2 pre-ADRB; again, once you've got ADRB, this isn't a problem
• KB 840001 covers details

Page 40:

Reanimating a Tombstone with LDP
Start LDP, connect, bind, enable control as before:
• Start LDP
• Connection / Connect / fill in DC name / OK
• Connection / Bind / OK (or enter credentials)
• Options / Controls, enter "1.2.840.113556.1.4.417" in "Object Identifier," OK

Page 41:

Reanimating a Tombstone: LDP
Open Deleted Objects as before:
• View / Tree
• Enter domain name, like dc=bigfirm,dc=com, OK (or use the drop-down, which is pre-populated with useful distinguished names)
• Open the Deleted Objects container: in the left-hand pane, click the domain name, then click the "plus" sign next to it, then double-click the "Deleted Objects" container and it'll show the deleted objects
• Right-click on the item to undelete, choose Modify

Page 42:

LDP Reanimate Strategy
We've got to do two things to make AD reanimate this tombstone (or completely undelete, in ADRB):
• Completely delete the isDeleted attribute
• Fix the distinguished name from the "0ADEL:" mess to some value that no longer leaves it in Deleted Objects

And we've got to do them both simultaneously, which we can do with LDP

Page 43:

Things to Modify in LDP

Page 44:

Reanimating with LDP (1)

In the Modify dialog box, create the "delete isDeleted" command:
• Type "isDeleted" in the "Attribute:" field inside the "Edit Entry" group
• Click the "Delete" radio button in the "Operation" group
• Click Enter to queue it
• Check the "Extended" check box so that LDP knows to use the "let me see deleted stuff" control

Page 45:

Reanimating with LDP

Now the first command's in the queue; time for the second.
• In "Edit Entry," change "Attribute:" to "distinguishedName"
• Enter a new DN in "Values:"
• In "Operation," click "Replace," as we're not wiping out the DN, we're replacing it
• Then click Enter to get it queued in the "Entry List" field

Page 46:

Reanimating with LDP

With both commands queued in "Entry List," double-check that you remembered to check "Extended" and then click Run… and your account's returned! (but disabled)

Page 47:

Reanimating With Adrestore
• Find it at www.sysinternals.com; it's a CLI tool
• The syntax looks like: adrestore [searchstring] [-r]
• Run adrestore and it shows all deleted objects
• Run adrestore -r and it shows all deleted objects and asks if it can reanimate them
• Run adrestore mark -r and it will show just the deleted objects whose name contains "mark" and ask if it can reanimate them

Page 48:

Page 49:

So It's Undeleted, But…
• Again, the account is back, meaning that its SID hasn't changed (and so you needn't muck with permissions on resources), but it's forgotten most of its attributes, group memberships and everything else
• Again, the account is deactivated
• So it's time to repopulate those fields, which isn't much fun…
• … and why Microsoft built ADRB

Page 50:

AD Recycle Bin Requirements and Setup

Page 51:

How R2's AD Recycle Bin Works
• First, enable the ADRB feature
• Then, delete an AD object and it enters the "deleted state"
• You now have 180 days (by default) to undelete it, much as we did with reanimation
• Then it enters the "recycled state," which is much like the old tombstone phase, but cannot be brought back to life, even with reanimation; it also lasts 180 days by default
• After that, it's scavenged and actually wiped from the AD database during garbage collection
• You can change either of the "180 day" periods
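The two lifetimes above and the mangled-DN format from Page 15 come together in this added example (my code, not from the deck): it reads both lifetimes from the Directory Service object, parses each deleted object's original name and GUID out of its DN, and reports the date after which each one stops being restorable. It assumes the ActiveDirectory module on a 2008 R2 DC; the attribute msDS-DeletedObjectLifetime is the real one AD uses for the first 180-day period, and the fallback rules in the comments are the ones AD applies when it is unset.

```powershell
Import-Module ActiveDirectory

# Parses a mangled deleted-object DN such as
#   CN=mark\0ADEL:be0fc7f6-a308-47a2-824a-99d9120774c8,CN=Deleted Objects,DC=bigfirm,DC=com
# into its parts. Returns $null for DNs not in that form (for example the
# Deleted Objects container itself, which also carries isDeleted=TRUE).
function ConvertFrom-DeletedObjectDN {
    param([Parameter(Mandatory)][string]$DistinguishedName)
    # LDAP escapes the line feed in the name as "\0A"; match the raw character too.
    $pattern = '^(?<attr>[A-Za-z]+)=(?<name>.*?)(?:\\0A|\n)DEL:(?<guid>[0-9a-fA-F-]{36}),' +
               '(?<container>CN=Deleted Objects,(?<domain>.+))$'
    if ($DistinguishedName -notmatch $pattern) { return $null }
    [pscustomobject]@{
        OriginalName = $Matches['name']
        ObjectGuid   = [guid]$Matches['guid']
        Container    = $Matches['container']
        DomainDN     = $Matches['domain']
    }
}

# Reads both lifetimes from the Directory Service object. AD falls back from an
# unset msDS-DeletedObjectLifetime to tombstoneLifetime, and from an unset
# tombstoneLifetime to the built-in default of 60 days.
function Get-ADDeletionLifetimes {
    $configDN = (Get-ADRootDSE).configurationNamingContext
    $ds = Get-ADObject "CN=Directory Service,CN=Windows NT,CN=Services,$configDN" `
            -Properties tombstoneLifetime, 'msDS-DeletedObjectLifetime'
    $tsl = if ($ds.tombstoneLifetime) { [int]$ds.tombstoneLifetime } else { 60 }
    $dol = if ($ds.'msDS-DeletedObjectLifetime') { [int]$ds.'msDS-DeletedObjectLifetime' } else { $tsl }
    [pscustomobject]@{ TombstoneLifetimeDays = $tsl; DeletedObjectLifetimeDays = $dol }
}

# Lists every still-restorable deleted object in the domain with the date after
# which it moves to the recycled state and can no longer be undeleted.
function Get-ADDeletedObjectReport {
    param([string]$SearchBase = (Get-ADDomain).DistinguishedName)
    $life = Get-ADDeletionLifetimes
    Get-ADObject -IncludeDeletedObjects -SearchBase $SearchBase `
        -Filter { isDeleted -eq $true } `
        -Properties whenChanged, lastKnownParent, isRecycled |
      Where-Object { -not $_.isRecycled } |       # recycled objects are past saving
      ForEach-Object {
        $parts = ConvertFrom-DeletedObjectDN $_.DistinguishedName
        if ($null -eq $parts) { return }            # skip the container itself
        # whenChanged approximates the deletion time: deletion is normally the
        # last write a tombstone receives.
        [pscustomobject]@{
            OriginalName     = $parts.OriginalName
            ObjectClass      = $_.ObjectClass
            ObjectGuid       = $parts.ObjectGuid
            LastKnownParent  = $_.lastKnownParent
            DeletedApprox    = $_.whenChanged
            RecoverableUntil = $_.whenChanged.AddDays($life.DeletedObjectLifetimeDays)
        }
      }
}

# Usage (constructed): show what is still recoverable, soonest expiry first.
Get-ADDeletedObjectReport | Sort-Object RecoverableUntil | Format-Table -AutoSize
```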

Page 52:

AD Recycle Bin Requirements
• 2008 R2 Forest Functional Level (not just DFL)
• The FFL alone is not enough, though: you've got to enable the feature, and once you do, you can only undelete things deleted after you've enabled the feature
• Incomprehensibly, the way to turn on ADRB is a long ugly PowerShell string rather than a check box in some GUI

Page 53:

Getting To 2008 R2 FFL
• There's the usual stuff, of course
• But if you're using PowerShell, you needn't GUI around to raise the FFL:
  get-adforest | set-adforestmode -forestmode windows2008R2Forest -confirm:$false
  or
  set-adforestmode -identity netbiosname windows2008R2Forest -confirm:$false

Page 54:

Enabling AD Recycle Bin
• The command looks like this:
  Enable-ADOptionalFeature -Identity "CN=Recycle Bin Feature,CN=Optional Features,CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=bigfirm,DC=com" -Scope ForestOrConfigurationSet -Target "bigfirm.com" -confirm:$false
• Change the forest-specific parts (DC=bigfirm,DC=com and "bigfirm.com", shown in color on the slide) to match your forest's name; you need only run the above command once
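The one-liner above runs with no safety net, so here is the same enable wrapped in the checks a practitioner wants, as an added example (my code, not from the deck): confirm the forest mode, skip if the feature is already on, and read EnabledScopes back afterwards. It assumes the ActiveDirectory module on a 2008 R2 DC; the feature object's name "Recycle Bin Feature" is the one in the slide's DN.

```powershell
Import-Module ActiveDirectory

function Enable-ADRecycleBinChecked {
    param([switch]$Force)   # -Force suppresses the confirmation prompt

    $forest   = Get-ADForest
    $required = [Microsoft.ActiveDirectory.Management.ADForestMode]::Windows2008R2Forest
    if ([int]$forest.ForestMode -lt [int]$required) {
        throw "Forest mode is $($forest.ForestMode); raise it to Windows2008R2Forest first."
    }

    # The feature object lives in the configuration partition; looking it up by
    # name saves typing the long DN from the slide.
    $feature = Get-ADOptionalFeature -Identity 'Recycle Bin Feature'
    if ($feature.EnabledScopes.Count -gt 0) {
        Write-Output "Recycle Bin already enabled for: $($feature.EnabledScopes -join '; ')"
        return $feature
    }

    # Irreversible: once enabled, the feature cannot be turned off again, so the
    # confirmation prompt stays on unless the caller passes -Force.
    Enable-ADOptionalFeature -Identity $feature -Scope ForestOrConfigurationSet `
        -Target $forest.RootDomain -Confirm:(-not $Force)

    # Verify against the DC we are talking to rather than trusting the cmdlet.
    $feature = Get-ADOptionalFeature -Identity 'Recycle Bin Feature'
    if ($feature.EnabledScopes.Count -eq 0) {
        throw "EnabledScopes is still empty: prompt declined, enable failed, or not yet replicated to this DC."
    }
    $feature
}

# Usage (constructed):
Enable-ADRecycleBinChecked            # prompts before enabling
# Enable-ADRecycleBinChecked -Force   # same, without the prompt
```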

Page 55:

Enabling AD Recycle Bin

Page 56:

If That Seems Ugly…
• We're going to meet a GUI for it soon
• Or Bing "Restoring object from the Active Directory Recycle Bin using AD Powershell" for an interesting other approach with a string of PowerShell commands

Page 57:

Undeleting With Tools We've Seen
• At this point, you already know two ways to undelete an AD object, now that you've got the AD Recycle Bin enabled:
  • LDP
  • Adrestore
• Both work exactly the same under ADRB as they did when reanimating, but you get the benefit of the restored groups, attributes etc. that AD Recycle Bin offers
• For extended automation power, though, it's worth learning the PowerShell AD undelete command

Page 58:

Undeleting AD Objects with PoSH
• The new PowerShell cmdlet for this is "restore-adobject"
• If you know the object's current distinguished name or its objectGUID, you can just plug that right in, as in
  restore-adobject dbc3a389-2ce8-4ae7-a377-fde26203efcb
  or
  restore-adobject "CN=mark\0ADEL:9b16ae67-6a84-4687-ba6c-eddeb69e9dcd,CN=Deleted Objects,DC=bigfirm,DC=com"
• Wait, don't run away, there's a better way!

Page 59:

Using restore-adobject
• Best bet is to use the get-adobject command with the -inc option and a filter of some kind, then pipe that into restore-adobject, like
  get-adobject -f {samaccountname -eq "mark"} -inc | restore-adobject
• To use wild cards in get-adobject, replace "-eq" with "-like", as in this:
  get-adobject -inc -f {samaccountname -like "mar*"} | restore-adobject
• But always double-check…

Page 60:

Testing It
• It's always a good idea to run just the get-adobject -inc -filter command first, look at the output, and then tack the restore-adobject command on
• You can also add "-whatif" to the restore-adobject command to just see what it would have done, without changing anything
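Pages 59 and 60 together describe a look-before-you-restore workflow; as an added example (my code, not from the deck) here it is as one function that refuses ambiguous matches, previews with -WhatIf, and verifies the result after the real run. It assumes the ActiveDirectory module on a 2008 R2 DC with ADRB enabled; "mark" is the deck's sample account.

```powershell
Import-Module ActiveDirectory

function Restore-ADObjectChecked {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [switch]$Commit   # without -Commit only the -WhatIf preview runs
    )
    $candidates = @(Get-ADObject -IncludeDeletedObjects `
        -Filter { sAMAccountName -eq $SamAccountName -and isDeleted -eq $true } `
        -Properties sAMAccountName, lastKnownParent, whenChanged, isRecycled |
        Where-Object { -not $_.isRecycled })   # recycled objects cannot be restored

    switch ($candidates.Count) {
        0 { throw "No restorable deleted object has sAMAccountName '$SamAccountName'." }
        1 { }
        default {
            # Same name deleted more than once, or from several OUs: do not guess.
            $candidates | Format-Table Name, lastKnownParent, whenChanged -AutoSize | Out-Host
            throw "$($candidates.Count) deleted objects match '$SamAccountName'; restore by ObjectGUID instead."
        }
    }
    $target = $candidates[0]

    # Preview: -WhatIf reports the operation and changes nothing.
    Restore-ADObject -Identity $target.ObjectGUID -WhatIf
    if (-not $Commit) { return $target }

    $restored = Restore-ADObject -Identity $target.ObjectGUID -PassThru

    # Verify by re-reading it as a live object: no isDeleted flag, and a DN that
    # is no longer inside the Deleted Objects container.
    $live = Get-ADObject -Identity $restored.ObjectGUID -Properties isDeleted
    if ($live.isDeleted -or $live.DistinguishedName -like '*CN=Deleted Objects,*') {
        throw "Restore of '$SamAccountName' did not complete as expected."
    }
    $live
}

# Usage (constructed): preview first, then commit.
Restore-ADObjectChecked -SamAccountName 'mark'
Restore-ADObjectChecked -SamAccountName 'mark' -Commit
```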

Page 61:

Examples

Page 62:

Going Further
• -newname lets you specify a new DN (and thereby a new location besides the old parent location)
• -target lets you specify a new location for the undeleted object
• -partition lets you specify a partition besides the default, which is either the domain itself or the domain of whatever you specified when you gave the command an objectGUID or a DN
• -passthru causes the cmdlet to return the undeleted object when done, putting the newly-undeleted object in the pipeline

Page 63:

Container "Gotcha"
• Suppose you have deleted an OU inside an OU inside an OU, with a user Jane in it
• You try to undelete Jane, but she lived in an OU that's still deleted… what happens?
• restore-adobject fails
• Workaround: use -newname or -target to give her a place to go
• The bad news is that there is no "-recurse" switch for restore-adobject

Page 64:

Partial Answer
• Inasmuch as we have LastKnownParent, we could at least say to only restore the dead things from OU such-and-such
• Basically we're saying, "get all AD things that are dead and whose parent container was a given OU":
  get-adobject -inc -f {(isDeleted -eq $true) -and (LastKnownParent -eq "OU=TPs,dc=Bigfirm,dc=Com")}

Page 65:

Microsoft Workaround
• Search "Active Directory Recycle Bin Step-By-Step" Appendix B
• It's at http://technet.microsoft.com/en-us/library/dd379504(WS.10).aspx
• Presents a PowerShell script that does recursive restores
• The PowerGUI tool attempts to do it as well
• adrestore can't handle it, unfortunately
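To make the "no -recurse switch" gotcha concrete, here is an added example (my code, not Mark's and not the TechNet Appendix B script) of a recursive restore that follows lastKnownParent and restores each container before its contents. It assumes the ActiveDirectory module on a 2008 R2 forest with ADRB enabled, uses the deck's OU=TPs,DC=Bigfirm,DC=Com as the sample OU, and relies on the real attribute msDS-LastKnownRDN (the object's pre-deletion name) to find the OU; the matching of both the live and the mangled parent DN for children is a deliberate assumption explained in the comments.

```powershell
Import-Module ActiveDirectory

# Rebuilds the DN an object had before deletion from its mangled DN and its
# lastKnownParent: "OU=TPs\0ADEL:<guid>,CN=Deleted Objects,DC=Bigfirm,DC=Com"
# plus "DC=Bigfirm,DC=Com" gives "OU=TPs,DC=Bigfirm,DC=Com".
function Get-ADOriginalDN {
    param([string]$MangledDN, [string]$LastKnownParent)
    $rdn = ($MangledDN -split '(?:\\0A|\n)DEL:', 2)[0]
    "$rdn,$LastKnownParent"
}

# Restores a deleted object and then, recursively, every deleted object that
# last lived inside it. Parent first, because restore-adobject fails for a
# child whose container is still deleted (the "gotcha" on Page 63).
function Restore-ADObjectTree {
    param(
        [Parameter(Mandatory)]$DeletedObject,   # from Get-ADObject -IncludeDeletedObjects
        [switch]$WhatIf
    )
    if ($DeletedObject.isRecycled) {
        throw "$($DeletedObject.DistinguishedName) is already recycled and cannot be restored."
    }
    $mangledDN  = $DeletedObject.DistinguishedName
    $originalDN = Get-ADOriginalDN $mangledDN $DeletedObject.lastKnownParent
    Write-Host "Restoring $originalDN"

    Restore-ADObject -Identity $DeletedObject.ObjectGUID -WhatIf:$WhatIf

    # Assumption: a child's lastKnownParent may hold either the parent's live DN
    # (the child was removed while the parent still existed) or the parent's
    # mangled DN, so both forms are matched to be safe.
    $children = Get-ADObject -IncludeDeletedObjects -Properties lastKnownParent, isRecycled `
        -Filter { isDeleted -eq $true -and (lastKnownParent -eq $originalDN -or lastKnownParent -eq $mangledDN) } |
      Where-Object { -not $_.isRecycled }

    foreach ($child in $children) {
        Restore-ADObjectTree -DeletedObject $child -WhatIf:$WhatIf
    }
}

# Usage (constructed): locate the deleted OU by where it lived and what it was
# called; if the same OU was deleted more than once, take the most recent copy.
# Preview the whole tree with -WhatIf, then run it for real.
$ou = Get-ADObject -IncludeDeletedObjects -Properties lastKnownParent, isRecycled, whenChanged `
        -LDAPFilter '(&(isDeleted=TRUE)(msDS-LastKnownRDN=TPs)(lastKnownParent=DC=Bigfirm,DC=Com))' |
      Sort-Object whenChanged -Descending | Select-Object -First 1
Restore-ADObjectTree -DeletedObject $ou -WhatIf
Restore-ADObjectTree -DeletedObject $ou
```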

Page 66:

Permanent Object Deletion
• Recall that "tombstoned" objects (i.e., those more than 180 days since deletion) cannot be recovered
• This lets us add a new capability: immediate permanent object deletion
• Delete, then delete it again from the Deleted Objects container:
  Get-ADObject -f {<whatever>} -IncludeDeletedObjects | Remove-ADObject
• Of course, it's not truly irrevocable and permanent; if you have a system state backup, then the original object undelete methods will work fine

Page 67:

No Vampires Here!

Page 68:

A GUI for ADRB
• PowerGUI: free from PowerShell MVPs at www.powergui.org
• Install PowerGUI
• Add the ADRB PowerPack at http://www.powergui.org/entry.jspa?externalID=2461&categoryID=46
• Start up the PowerGUI console

Page 69:

PowerGUI Opening Screen
• Click File / PowerPack Management…

Page 70:

Install Module
• Click Import…, navigate to the ADRB PowerPack
• Click OK
• Click Close

Page 71:

PowerGUI AD Recycle Bin UI

Page 72:

Thank You!
• I hope this was useful and that you'll try out some reanimation and/or undeletion
• I'm at help@minasi.com; audio learning tools, free newsletters and an expert forum are at www.minasi.com also
• Don't forget the evaluations, please
• Enjoy the rest of the show!

Page 73:

Track Resources
• Learn more about our solutions: http://www.microsoft.com/forefront
• Try our products: http://www.microsoft.com/forefront/trial

Page 74:

Resources
• www.microsoft.com/teched: Sessions On-Demand & Community
• www.microsoft.com/learning: Microsoft Certification & Training Resources
• http://microsoft.com/technet: Resources for IT Professionals
• http://microsoft.com/msdn: Resources for Developers

Page 75:

Complete an evaluation on CommNet and enter to win!

Page 76:

Sign up for Tech·Ed 2011 and save $500 starting June 8 – June 31st
http://northamerica.msteched.com/registration
You can also register at the North America 2011 kiosk located at registration
Join us in Atlanta next year

Page 77:

© 2010 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Page 78:

JUNE 7-10, 2010 | NEW ORLEANS, LA