John Craddock Infrastructure & Security Architect XTSeminars Ltd Session Code: SIA402

Agenda Deleting and recovering directory objects How objects are stored Incoming and outgoing linked-attributes Authoritative restore Enabling the Recycle Bin Live, deleted and recycled objects Recovering deleted objects from the Recycle Bin

Once Upon a Time Why is the deleted object is retained in the database? So that the deletion can replicate to other DCs No online way back Only option for recovery was an Authoritative Restore Live Object Deleted object Stripped of assets

Significant Events 2003 SKU Re-animation of deleted objects 2003 Forest Linked-value replication 2008 R2 Forest Recycle Bin can be enabled

Object Deletion The object is moved to the deleted objects container Referred to as a tombstone isDeleted attribute is set TRUE The majority of attribute values are removed Attributes can be retained by setting their searchFlags property Live object Tombstone object DeleteDelete Majority of attributes deleted Garbage collection X Purged from directory Tombstone lifetime (180 days) Offline authoritative restore

Object Deletion (continued) The RDN of the object is changed to a "delete- mangled RDN” The mangled RDN includes the GUID of the object Guarantees the mangle RDN is unique within the Deleted Objects container There is no hierarchy in the container Linked-attribute values (references) to and from the object are deleted Not controlled by searchFlags

Tombstone Lifetime The object remains as a tombstone object for the Tombstone Lifetime (TSL = 180 days) After this period the Garbage Collection service purges the object from the database Backups older than the TSL cannot be used This prevents objects that where deliberately deleted being reintroduced

searchFlags The feature is enabled if the bit is set to “1” Preserve this attribute on logical deletion (tombstoned) Member of ANR set Copy attribute when object is copied (user account copy) Index over container and attribute Index over attribute Bit 0 Bit 1 Bit 2 Bit Bit 4 16 Bit 5 Bit 6 Bit Tuple Index Confidential Bit Don’t audit Bit Don’t replicate to RODC 2008 Bit 3

Object Storage If an object is moved the PDNT for the record is updated, the record never moves in the DB DNTPDNTNCDNTinstanceTypeRDN Demo London Users Berlin Users Groups G G G Debbie Dave

Viewing the Database dumpdatabase is an operational (RootDSE) attribute No DN Required attributes for operation Name of operational attribute Dumpdatabase: dumps text version of the database in the NTDS directory

Working with Deleted Objects To view deleted objects requires an LDAP control Can select the control in LDP Windows 2008 R2 PowerShell with AD module Get-ADObject –LDAPFilter {} –IncludeDeletedObjects

Reanimating an Object Using LDP, in one operation you must Remove the isDeleted attribute Replace distinguishedName attribute with a new value Use ADRestore from the Sysinternals tools Create own utility

Restored User Object Most attributes missing, including the password All inbound linked attribute values missing For example, group membership All outbound linked attribute values missing For example, attribute containing link to manager Could repopulate missing values from mounted directory snapshot Microsoft solution is an authoritative restore Restoring linked attribute values can be problematic

Object References One object can reference another either as a direct reference or using a linked-attribute reference With a direct reference the attribute on one object reference the DN of another object

Direct References If Dave is deleted Incoming references remain Outgoing references remain Provided the attribute that holds the reference is retained on logical deletion DNT: 4031 secretary Debbie DNT: 4032 secretary DNT: DaveValya Show in UI as DN, stored as a DNT

Linked Attributes Linked attributes consist of a forward-link and back-link pair The forward link can be populated and the back link is calculated Forward links may be single-valued or multi-valued Back links are always multi-valued Each linked pair is identified by the linkID property of an attribute Forward linkIDs are even (n) and for each forward link the associated back-link is an odd number (n+1)

Single To Multi-Valued An entry is created in a link table when a value is added to the manager attribute The link tables are constructed on each DC and hold the DNT values 19 Nicola John Reports Peter Reports manager Maria manager Tom manager Nicola John Nicola Peter Maria Link Table (simplified) TomNicola

Multi-Valued To Multi-Valued John G1 MemberOf Maria MemberOf member G2 member G3 member John G1 John Maria G2 Maria G3 ;John G3 John ;Maria G1Maria Link Table (simplified)

Delete Maria All outbound linked-attribute values are removed Nicola John Reports Peter Reports manager Maria manager Tom manager Nicola John Nicola Peter Maria Link Table (simplified) TomNicola

Delete Maria (continued) John G1 MemberOf Maria MemberOf member G2 member G3 member John G1 John Maria G2 Maria G3 ;John G3 John ;Maria G1Maria Link Table (simplified) All Inbound linked-attribute values are removed

Restoring Linked Attributes Alternative to online reanimation Authoritative restore Third party solution Reanimated object Manually restore all attribute values Manually restore all forward link references

Authoritatively Restoring Maria Options Boot into DS Restore Mode on a DC that has not received the replicated deletion of Maria A lag-site may have been created for this Boot a DC into DS restore mode Restore AD from back-up In DS Restore Mode mark Maria as authoritative Use ntdsutil Restart the domain controller

How successful will you be? On the authoritatively restored DC The Maria is completely recovered including all entries for incoming and outgoing linked-attributes Maria is a member of groups G1, G2 and G3 Maria’s manager attribute refers to Peter All of Maria’s attributes are marked as authoritative and will replicate to the other DCs in the domain The incoming linked-attribute values may or may not replicate It depends on the current forest functional level and the level when Maria was added to the groups

Linked-Value replication Windows 2003 forest functionality introduced linked-value replication Replication metadata is attached to each entry in the link tables When Maria is restored all incoming linked-values are marked as authoritative in the link table G DNT: 2000DNT: 1000 Maria DC1 Maria authoritatively restored G AUTH DNT: 7654DNT: 8657 Maria DC2 Replicates that G1 has Maria as a member AUTH

No Linked Value Replication Prior to 2003 forest functionality replication metadata existed on the attribute and not the individual links To restore Marias group membership one option was to authoritatively restore all groups that she belonged to If Maria was added to some groups before and after linked-value replication was enabled During an authoritative restore of Maria, some links would replicate others wouldn’t

Partial Solution LDF Produced During Authoritative Restore # CN=G1,OU=Groups,OU=Demo,DC=example,DC=com # dn: dn:: PEdVSUQ9NGVjMmQxYjctMzU0Yi00ZjE3LTlhNmItYzU2Nzg4OGJjZjI0Pg== # Base64 encoded: changetype: modify delete: member # CN=Maria,OU=Berlin Users,OU=Demo,DC=example,DC=com # member: member:: PEdVSUQ9NmE2NzdiZGUtZjgzZS00OWE1LWI1ZmItZWIwNzRhMjg5OWI3Pg== - # CN=G1,OU=Groups,OU=Demo,DC=example,DC=com # dn: dn:: PEdVSUQ9NGVjMmQxYjctMzU0Yi00ZjE3LTlhNmItYzU2Nzg4OGJjZjI0Pg== changetype: modify add: member # CN=Maria,OU=Berlin Users,OU=Demo,DC=example,DC=com # member: member:: PEdVSUQ9NmE2NzdiZGUtZjgzZS00OWE1LWI1ZmItZWIwNzRhMjg5OWI3Pg== -

Recycle Bin Enabled Live object Deleted object DeleteDelete Recycled object Garbage collection X Purged from directory Deleted object lifetime (180 days) Tombstone lifetime (180 days) All attributes retained Online undelete Garbage collection

Recycle Bin for AD Requires 2008 R2 Forest functionality PowerShell driven Enable-ADOptionalFeature ‘Recycle Bin Feature’ – Scope ForestOrConfigurationSet –Target ‘forest’ Once enabled cannot be disabled Get-ADObject –LDAPFilter {} –IncludeDeletedObjects Restore-ADObject –Identity Parent object must be restored in advance of child object Restores all attributes including linked attributes

Object Deletion The object is moved to the deleted objects container Referred to as a deleted object isDeleted attribute is set TRUE isRecycled attribute not present lastKnownparent set msDS-LastknownRDN set Live object Deleted object DeleteDelete All attributes retained Online undelete

Object Deletion (continued) The RDN of the object is changed to a "delete- mangled RDN” All attribute values with the exception objectCategory and sAMAccountType are retained If the object is undeleted these are automatically restored from the defaultObjectCategory and userAccountControl attributes

Object Deletion (continued) Linked-attribute values (references) to and from the object are retained Not visible to LDAP with out special control The object remains as a deleted object for the Deleted Object Lifetime (DOL = 180 days) After this period the Garbage Collection service converts the object to a Recycled Object

Recycled Object Similar characteristics to a pre-recycle bin tombstone object The majority of attribute values are removed Linked-attribute values (references) to and from the object are deleted isRecycled set TRUE A recycled object cannot be reanimated Retained to allow replication to occur

Lifetimes Recycled object remains for the Tombstone Lifetime (TSL = 180 days) After this period the Garbage Collection service purges the object from the directory The DOL and TSL values are held in attributes of the “cn=Directory Service, cn=windows NT, cn=Services, cn=configuration, dc= DOL in msDS-deletedObjectLifetime attribute TSL in tombstoneLifetime attribute

Other Thoughts Backups are valid for max of smallest value of DOL or TSL Best practice recommendation DOL = TSL Anticipated database growth 5-10% On deletion, regulatory compliance may not allow retained of full copy of deleted object Permanently delete with Get-Adobject –LDAPFilter {} –IncludeDeletedObjects | Remove-ADObject

Restoring Objects Locate objects using the appropriate filter Pipe the results into Restore-ADObject Many ingenious filters can be constructed Restore uses with particular job title, description etc Restore use deleted after a certain date $Event = New-Object Datetime(2009, 11, 5, 9,0,0) Get-ADObject –filter ‘whenChanged –gt $event –and isDeleted –eq $true’ -includeDeletedObjects |Restore-ADObjects

Hierarchy Required You cannot restore an object if the parent container does not exist Restore-ADObject Can restore to alternate name and path Microsoft provides a script to aid restoring a hierarchy of objects us/library/dd379504(WS.10).aspx

And Now Live Object

Thanks for coming Have a good trip back

Complete an evaluation on CommNet and enter to win an Xbox 360 Elite! Required Slide

Summary Deleting and recovering directory objects How objects are stored Incoming and outgoing linked-attributes Authoritative restore Enabling the Recycle Bin Live, deleted and recycled objects Recovering deleted objects from the Recycle Bin

Sessions On-Demand & Community Resources for IT Professionals Resources for Developers Microsoft Certification & Training Resources Resources Required Slide Speakers, TechEd 2009 is not producing a DVD. Please announce that attendees can access session recordings at TechEd Online. Required Slide Speakers, TechEd 2009 is not producing a DVD. Please announce that attendees can access session recordings at TechEd Online.

Related Content Breakout Sessions: SIA402 Recovery of Active Directory Deleted Objects and the Windows Server 2008 R2 Recycle Bin SVR317 Managing Windows Server 2008 R2 and Windows 7 with Windows PowerShell V2 Interactive Theater Sessions : SIA02-IS Active Directory: What's New in R2 Hands-on Labs: WSV03-HOL Advanced Windows PowerShell Scripting WSV20-HOL Windows Server 2008 R2: What's New in Microsoft Active Directory Required Slide Speakers, please list the Breakout Sessions, TLC Interactive Theaters and Labs that are related to your session. Required Slide Speakers, please list the Breakout Sessions, TLC Interactive Theaters and Labs that are related to your session.

My Sessions at TechEd Breakout Sessions: SIA319 What's Windows Server 2008 R2 Going to Do for Your Active Directory? SIA402 Recovery of Active Directory Deleted Objects and the Windows Server 2008 R2 Recycle Bin SVR401 DirectAccess Technical Drilldown, Part 1 of 2: IPv6 and Transition Technologies SVR402 DirectAccess Technical Drilldown, Part 2 of 2: Putting It All Together Interactive Theater Sessions: SVR08-IS End-to-End Remote Connectivity with DirectAccess Required Slide Speakers, please list the Breakout Sessions, TLC Interactive Theaters and Labs that are related to your session. Required Slide Speakers, please list the Breakout Sessions, TLC Interactive Theaters and Labs that are related to your session.

© 2009 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION. Required Slide