Everything you wanted to know about AD object recovery but were afraid to ask

I have been hearing these questions daily so I decided to post a blog and hopefully clear up some confusion. My goal is to explain what Recovery Manager for Active Directory offers, what the Windows 2008 R2 Recycle Bin offers and finally, how they benefit each other.

What is the difference between RMAD restore methods?

As you know, Recovery Manager for Active Directory has 3 ways of restoring deleted objects:

Undelete – this method uses the Microsoft tombstone reanimation interface to restore the object. Only the attributes preserved in the tombstone are restored.

“Agentless” from backup – this method consists of 2 operations: an Undelete, followed by re-applying all attributes stored in the backup. Attributes that cannot be written over LDAP (for example the password and SIDHistory) are not restored.

“Agent-based” from backup – here RMAD performs the same 2 operations as in the previous method, but it does not rely on LDAP capabilities, so all attributes can be restored.

What is the difference between a deleted object in 2008 R2 with the Recycle Bin enabled and in other versions?

After enabling the Recycle Bin feature in Windows 2008 R2 (note that this operation cannot be undone), deleted objects retain all attributes, links, and group memberships that existed immediately before the moment of deletion. Objects remain in this state for a configurable period of time called the deleted object lifetime. When the deleted object lifetime expires, the object is transferred to the next state: “recycled”.

A recycled object in Windows 2008 R2 is more like a deleted object in older versions of Windows: only a few attributes are preserved in this state, and it has its own lifetime period. The main difference is that there is NO WAY to restore such an object.

How RMAD works with 2008 R2 Recycle Bin

RMAD won’t help you enable the Recycle Bin feature.

The Undelete method restores a deleted object with all of its attributes, using the full functionality of the AD Recycle Bin.

RMAD can help you recycle objects, but note that this operation is irreversible.

Ways to restore Password and SIDHistory without the agent-based method

If you want to be able to restore the Password and SIDHistory attributes using the “agentless” method or manually, you need to modify the AD schema in the following way:

To preserve SID History in tombstones, you need to modify the searchFlags attribute value for the SIDHistory (sIDHistory) schema object.

To preserve passwords in tombstones, you need to modify the searchFlags attribute value for the following password-related schema objects:

• Unicode-Pwd (unicodePwd)

• DBCS-Pwd (dBCSPwd)

• Supplemental-Credentials (supplementalCredentials)

• Lm-Pwd-History (lmPwdHistory)

• Nt-Pwd-History (nTPwdHistory)

You can also use the “Password and SIDHistory Recoverability Tool” to automate this process.
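The schema change above comes down to setting the PRESERVE_ON_DELETE bit (0x8) of searchFlags on each attributeSchema object listed, and since searchFlags is a bitmask the existing bits (indexing, confidentiality, and so on) must be kept rather than overwritten. The following added example (not RMAD's or the Recoverability Tool's code) audits constructed current searchFlags values and generates an LDIF file for ldifde; the schema DN and the sample values are assumed, not taken from a real forest.

```python
"""Audit and generate the searchFlags change that keeps the password and
SIDHistory attributes in tombstones.  Added example; schema DN and current
searchFlags values below are constructed for illustration."""

PRESERVE_ON_DELETE = 0x8  # fPRESERVEONDELETE bit of searchFlags

# CN of the attributeSchema object -> lDAPDisplayName, as listed in the post
SCHEMA_ATTRIBUTES = {
    "SID-History": "sIDHistory",
    "Unicode-Pwd": "unicodePwd",
    "DBCS-Pwd": "dBCSPwd",
    "Supplemental-Credentials": "supplementalCredentials",
    "Lm-Pwd-History": "lmPwdHistory",
    "Nt-Pwd-History": "nTPwdHistory",
}


def preserved_on_delete(search_flags: int) -> bool:
    """True when the attribute already survives in the tombstone."""
    return bool(search_flags & PRESERVE_ON_DELETE)


def with_preserve_on_delete(search_flags: int) -> int:
    """OR the bit in so that any other flags already set are kept."""
    return search_flags | PRESERVE_ON_DELETE


def audit(current: dict) -> list:
    """lDAPDisplayNames (in list order) that still lack the bit."""
    return [name for name in SCHEMA_ATTRIBUTES.values()
            if not preserved_on_delete(current.get(name, 0))]


def build_ldif(schema_nc: str, current: dict) -> str:
    """One 'modify' entry per attribute that needs the bit, followed by a
    schemaUpdateNow so the schema cache is refreshed without a reboot."""
    entries = []
    for cn, name in SCHEMA_ATTRIBUTES.items():
        flags = current.get(name, 0)
        if preserved_on_delete(flags):
            continue  # nothing to do for this attribute
        entries.append(f"dn: CN={cn},{schema_nc}\nchangetype: modify\n"
                       f"replace: searchFlags\nsearchFlags: "
                       f"{with_preserve_on_delete(flags)}\n-\n")
    if entries:
        entries.append("dn:\nchangetype: modify\nadd: schemaUpdateNow\n"
                       "schemaUpdateNow: 1\n-\n")
    return "\n".join(entries)


if __name__ == "__main__":
    # Constructed sample: sIDHistory indexed (1), supplementalCredentials done.
    sample = {"sIDHistory": 1, "supplementalCredentials": 8}
    print(audit(sample))
    print(build_ldif("CN=Schema,CN=Configuration,DC=example,DC=com", sample))
```

Read the current searchFlags values from the schema naming context of your forest before generating the file, then apply it with ldifde as a Schema Admin on the schema master.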
