Hello all

I am running in a 2003 native mode AD forest. I have two DC that are running
windows 2008 and three that are running Windows 2003. I know i can take a
snap shot using ntdsutil of the AD database running on windows 2008 and
mount the database. I can also connect to the snap shot with ADUC after
running dsamain -dbpath -ldapport # Once I connect to the snapshot i can see
any delted users that were deleted after the snapshot was taken. Now how in
the heck can i restore this object? Am assuming i need a 3rd paryt tool for
this?

Most often snapshots are used to determine which backup could be used to
authoritatively restore a deleted object (keep in mind that they are not a
substitute for backups, which, incidentally, you can also mount using the
same dsamain utility) - eliminating this way the need to actually perform a
restore to make such determination.
As far as your question is concerned, you can actually undelete AD objects
(assuming that you perform this operation before the tombstone lifetime
interval passes) without resorting to restore (as described in painfully
detailed fashion in http://support.microsoft.com/kb/840001), however, such
objects retain only a handful of attributes (by default, only the mandatory
ones). So, potentially, you can recover deleted objects by combining
undeletion with populating missing attributes based on the info extracted
from a snapshot. This does not require third party utilities (LDIFDE will do
just fine - although you can also use any of AD admin utilities that allow
you to target specific port). The process is not straightforward (since it
essentially involves export/import) - so you might want to take advantage of
3rd party tools (e.g. Snapshot Recover Tool from
[url down], Directory Service Comparison
Tool from http://lindstrom.nullsession.com/?page_id=11, or Active Directory
Explorer from Sysinternals at
http://technet.microsoft.com/en-us/s.../bb963907.aspx)...

hth
Marcin

"skip" <shofmann> wrote in message
news:d3fa
[..]

Skip,

skip wrote:
> I am running in a 2003 native mode AD forest. I have two DC that are
> running windows 2008 and three that are running Windows 2003. I know i
> can take a snap shot using ntdsutil of the AD database running on
> windows 2008 and mount the database. I can also connect to the snap shot
> with ADUC after running dsamain -dbpath -ldapport # Once I connect to
> the snapshot i can see any delted users that were deleted after the
> snapshot was taken. Now how in the heck can i restore this object? Am
> assuming i need a 3rd paryt tool for this?

As Marcin already wrote, the snapshot is not a 100% backup solution. I
suspect it was never meant to be that. Although there are third party
tools that are capable of doing that, I wouldn't use the current
solution as a backup option. Use it as a point-in-time snapshot to be
able to refer to object and attribute value reference when needed or to
look up security that once was set. For actual backup however, I'd stick
with ntbackup or wbadmin (or any third party tool that is capable of
that - remember not to use imaging software).

Cheers,
Florian

In news:880F4446-37DD-43C7-BC9D-65DAAE85D3FA,
skip <shofmann>, posted the following:
> Hello all
>
> I am running in a 2003 native mode AD forest. I have two DC that are
> running windows 2008 and three that are running Windows 2003. I know
> i can take a snap shot using ntdsutil of the AD database running on
> windows 2008 and mount the database. I can also connect to the snap
> shot with ADUC after running dsamain -dbpath -ldapport # Once I
> connect to the snapshot i can see any delted users that were deleted
> after the snapshot was taken. Now how in the heck can i restore this
> object? Am assuming i need a 3rd paryt tool for this?

In addition, you can also take a look at ADRestore v1.1. I've used it twice
in the past to restore a deleted object without having to go through an AD
Authoritative Restore procedure.

AdRestore v1.1 By Mark Russinovich
http://technet.microsoft.com/en-us/s.../bb963906.aspx

Hello skip,

Have a look at this articles/tools:
http://lindstrom.nullsession.com/?page_id=11

http://blogs.technet.com/kenstcyr/ar...ting-tool.aspx

[url down]

http://technet.microsoft.com/en-us/l...09(WS.10).aspx

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
[..]

you can still use the w2k3 solution (auth restore) or use the w2k8 solution

MS does not provide any tools to get info from the snapshot into the live
AD. The best available in the OS is LDIFDE. However free third party tools
are available to help you

see:
http://blogs.dirteam.com/blogs/jorge...ery-tools.aspx

Thanks guys for all the helpfull suggestions. I downloaded the DSCT tool
http://lindstrom.nullsession.com/?cat=7 and i was able to restore a deleted
object but i wasnt able to restore any of the attributes of the deleted
object, the object that was deleted was a user account that had a mailbox on
an exchange 2003 server, so not sure if this tool can restore msexchange
attributes?

I want to install Windows server backup on all my 2008 DC, so i can take
system state backups. All the DC have a raid 1 and a raid 5 array, the raid
5 has no data on it and the raid 1 is where the OS lives. I want to use the
raid 5 E:\ as the target for the system state backups. My question is what
type of backup must i do so i can do a system state restore or a bare metal
restore? and if i boot the DC into DSRM in order to do an authorative
restore of an object, can i point WBADMIN to the backup file ( is it a
..vhd?) that is stored on the E:\ and then do the restore of the deleted
object?

Many thanks
"Marcin" <marcin> wrote in message
news:1288
[..]

We have been built info on W2K8 backups (It is mostly complete), we push it
out to an external drive on our SAN. I would be willing to post the info if
you are interested.

Yes please that would be great.

Thanks again
"Paul Bergson [MVP-DS]" <pbbergs> wrote in message
news:1168
[..]

I will atempt to upload to my blog this evening. I will give you the link
after that

Here is the link:
http://blogs.dirteam.com/blogs/paulb...h-wbadmin.aspx

Thanks Paul for providing the link. Your process works for doing a bare
metal restore of the DC, but can i also use this procedure to perform an
authorative or non authorative restore of AD?

Also is the issue you are experiencing with NetBackup specific to Windows
2008 DC ?
"Paul Bergson [MVP-DS]" <pbbergs> wrote in message
news:4200
[..]

I believe you should be able to do a system state restore with this.
Although I haven't tried it.

I would attempt to read the vhd within backup assist. If you can read it
from there you should be able to so a restore as well.

no need to do a bare meta restore.

Just boot into DSRM and restore the SYSTEM STATE using WBADMIN.EXE (check
the help of it how). This is the non-auth part. After the restore is
finished DO NOT reboot the DC. From the command line start NTDSUTIL. Check
the help for next steps. That will be the auth. restore part

Yeah, I wasn't suggesting doing a BMR. Only providing info on details for
it.