In this post, I am going to talk about my experience doing an Authoritative Restore of a deleted Active Directory user object. The steps were completed by restoring from a previous System State backup and using the ntdsutil utility.
I started by deleting a test AD user: Ryan Smith from the Accounting_OU Organizational Unit in a lab domain:
Prior to this, I had taken a System State backup with the Windows Server 2008 R2 Backup/Wbadmin Utility. The objective is to restore the deleted object from a backup that was taken prior to the deletion. The domain controller is running Windows Server 2008 R2.
1) My first step was to copy the backup folder (WindowsImageBackup Folder) to the local DC Server. This is to avoid risking a network disruption while the restore/recovery process is running. Copy the ‘WindowsImageBackup’ folder from the remote backup target or other location to the local domain controller on which the restore operation is to be performed.
2) Move the ‘WindowsImageBackup’ subfolder into a top level folder and share the top level folder. The path should look like: \\DC00\Toplevelfolder\WindowsImageBackup. Where DC00 is the Domain Controller Server name. Share the TopLevelfolder location with permission to the administrators group.
3) At this time, I had to restart the Server into the Directory Services Restore Mode. This I accomplished by opening a PowerShell window and entering the following command: bcdedit /set safeboot dsrepair. Then press Enter.
4) Open the Windows 2008 Backup Utility and follow the wizard to complete a System State restore. On the Getting Started screen, use the ‘A backup stored on another location’ option. We still intend to use the local copy of the backup.
5) Select the option ‘Remote shared folder’, on the next screen enter the UNC path of the locally shared directory and click next. On the select backup date, the currently available backups and date will be displayed. Select the backup of interest and click next.
6) On the select recovery type screen, select the system state and click next. (You can restore just the system state)
7) On the ‘Select Location for System State Recovery’ screen, select the ‘Original location’ option, without checking the ‘Perform an authoritative restore of AD files’ option. Click next. Click ok on the prompt.
8) You will be prompted for a reboot after the restore or you could check the ‘Automatically reboot the server to complete the recovery process’ checkbox.
9) After the Recovery process, the Server reboots into the DSRM. Open a PowerShell window.
10) Type: ntdsutil, Press Enter.
Type: Activate instance ntds, Press Enter.
Type: Authoritative Restore, Press Enter.
11) At the Authoritative Restore prompt, type the following command and DN name of the deleted user object: Restore Object “cn=Ryan Smith,ou=it_ou,ou=users-all,dc=testdomain,dc=net” or the name of the object to be restored.
You will be prompted with the following: Are you sure you want to perform this authoritative restore, click yes.
After a few seconds, the message ‘Authoritative Restore has completed successfully’ should appear in the shell.
12) Quit out of ntdsutil. Change the safeboot configuration using: bcdedit /deletevalue safeboot.
Restart the computer into normal mode.
After restart, start the DNS console/service if necessary and check the restored object using ADUC or PowerShell with the Get-ADUser cmdlet.
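As an added example (not part of the original post), the ntdsutil and verification steps above wrapped in a PowerShell script so the DN is typed once and the result is checked afterwards. It assumes the lab DN from step 11 and the DC name DC00 from step 2; the confirmation dialog from step 11 still appears when ntdsutil runs.

```powershell
# Added example, not the post's own commands. Assumed values: the lab DN from
# step 11 and the DC name DC00 from step 2.
param(
    [string]$ObjectDN = 'cn=Ryan Smith,ou=it_ou,ou=users-all,dc=testdomain,dc=net',
    [string]$DomainController = 'DC00'
)

function Assert-InDsrm {
    # Authoritative restore only works while AD DS is offline, i.e. in DSRM.
    # Check the boot entry set in step 3 rather than trusting the operator.
    $current = bcdedit /enum '{current}' | Out-String
    if ($current -notmatch 'safeboot\s+DsRepair') {
        throw 'Not in Directory Services Restore Mode; run bcdedit /set safeboot dsrepair and restart first.'
    }
}

function Invoke-AuthoritativeRestore {
    param([string]$DN)
    Assert-InDsrm
    # Same commands as steps 10 and 11, passed as arguments so ntdsutil runs
    # them in order. The inner quotes keep the DN with spaces as one token.
    $output = ntdsutil 'activate instance ntds' 'authoritative restore' "restore object `"$DN`"" quit quit
    $output | Write-Host
    if (-not ($output -match 'completed successfully')) {
        throw "Authoritative restore of $DN did not report success."
    }
    return $output
}

function Test-RestoredObject {
    param([string]$DN, [string]$DC)
    # Run after step 12, once the DC is back in normal mode and AD DS is running.
    Import-Module ActiveDirectory
    $user = Get-ADUser -Identity $DN -Server $DC -Properties MemberOf
    # The attribute versions should have been raised by ntdsutil; that is what
    # makes the restored copy win replication against the deletion.
    $meta = repadmin /showobjmeta $DC "$DN" | Out-String
    [pscustomobject]@{
        Name     = $user.Name
        Enabled  = $user.Enabled
        Groups   = $user.MemberOf.Count
        Metadata = $meta
    }
}

# In DSRM: Invoke-AuthoritativeRestore -DN $ObjectDN
# After the normal-mode reboot: Test-RestoredObject -DN $ObjectDN -DC $DomainController
```

The Groups count is worth comparing with what the user had before deletion, since group membership is stored as linked attributes and may need the .ldf files ntdsutil writes during the restore.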