780 likes | 1.06k Vues
SESSION CODE: SIA306. Night of the Living Directory: Understanding the Windows Server 2008 R2 Active Directory Recycle Bin, Undeletion and Reanimation. Presented by Mark Minasi help@minasi.com www.minasi.com. Who's The Guy Presenting?. Working with computers since 1972
E N D
SESSION CODE: SIA306 Night of the Living Directory: Understanding the Windows Server 2008 R2 Active Directory Recycle Bin, Undeletion and Reanimation Presented by Mark Minasi help@minasi.com www.minasi.com
Who's The Guy Presenting? • Working with computers since 1972 • Written 32 books on OS/2, PC repair, Windows 3.1/95/98 troubleshooting, Windows NT 3.1 through Windows Server 2008 R2 setup, support and troubleshooting, several million copies sold • Columnist for Windows IT Pro Magazine , BYTE, Compute!, AI Expert, OS/2 Professional, over a thousand articles • Speak at many Windows conferences • Consult and teach about Windows • Directory Services MVP
Agenda • What the AD Recycle Bin (ADRB) can do, and what you need to use it • "Where The Dead Things Are:" life after deletion • Seeing deleted objects with LDP, PowerShell and adrestore • Pre R2 FFL: Reanimation with LDP and adrestore • How AD Recycle Bin (ADRB) works • Enabling ADRB • Undeleting with LDP, adrestore and PowerShell • A GUI for ADRB • Recursive Undeletes: Undeleting OUs (and OUs inside OUs…)
What's the Deal? Who Cares About the AD Recycle Bin (ADRB)? • So we've deleted a user, a couple of users, or perhaps a whole OU full of users • We need to undelete them • There has always been the "standard" way • Reboot the DC in DSRM • Restore the AD • Use NTDSUTIL to mark items as "authoritatively restored" • Reboot the DC in normal mode
Problems With the Traditional Approach • That works fine, except for the "take the DC offline" part • It can take a significant amount of time to reboot a DC in large organizations and heck, there may be paperwork ! • Why reboot any machine if it can be avoided? • Access to backups may be a dicey matter • So some sort of online AD object restore would be very attractive to many • As AD has matured, MS has slowly built in better and better support for online restores, so let's talk about it
Deletion, Through the Years • In Windows 2000, the death of an object was very nearly a final thing; undeletion was complicated, and offered no help in re-joining groups • Things got better in 2003, with "tombstone reanimation" support, which partially undeleted accounts, but left most attributes and group memberships gone, gone, gone • With 2008 R2, you can undelete a deleted item, but requires 2008 R2 FFL • So, again: pre-R2 FFL, we reanimate; post-R2 FFL, we can undelete
Where The Dead Things Are Deletion, Pre-AD Recycle Bin
Deleted Stuff "Goes to Limbo" • You're used to seeing some set of folders in Active Directory Users and Computers • But you probably know that if you click View / Advanced Features, you see more • Well, there's even more that you still can't see, including an important folder named "Deleted Objects" • So let's look at what your AD contains, versus what it shows you
What ADUC Shows You DC=Bigfirm,DC=Com CN=Builtin,DC=Bigfirm,DC=Com CN=Computers,DC=Bigfirm,DC=Com OU=Domain Controllers,DC=Bigfirm,DC=Com CN=Foreign Security Principals,DC=Bigfirm,DC=Com CN=Managed Service Accounts,DC=Bigfirm,DC=Com CN=Users,DC=Bigfirm,DC=Com OU CN=Mark,CN=Users,DC=Bigfirm,DC=Com
ADUC with View /Advanced Features, ADSIEDIT or LDP ( = "new stuff") DC=Bigfirm,DC=Com CN=Builtin,DC=Bigfirm,DC=Com CN=Computers,DC=Bigfirm,DC=Com OU=Domain Controllers,DC=Bigfirm,DC=Com CN=Foreign Security Principals,DC=Bigfirm,DC=Com CN=LostAndFound,DC=Bigfirm,DC=Com CN=Managed Service Accounts,DC=Bigfirm,DC=Com CN=Program Data,DC=Bigfirm,DC=Com CN=System,DC=Bigfirm,DC=Com CN=Users,DC=Bigfirm,DC=Com OU CN=Mark,CN=Users,DC=Bigfirm,DC=Com
What LDP (an admin tool we'll meet soon) shows, when equipped with the right "LDAP Control" DC=Bigfirm,DC=Com CN=Builtin,DC=Bigfirm,DC=Com CN=Computers,DC=Bigfirm,DC=Com OU=Domain Controllers,DC=Bigfirm,DC=Com CN=Foreign Security Principals,DC=Bigfirm,DC=Com CN=LostAndFound,DC=Bigfirm,DC=Com CN=Managed Service Accounts,DC=Bigfirm,DC=Com CN=Program Data,DC=Bigfirm,DC=Com CN=System,DC=Bigfirm,DC=Com CN=Users,DC=Bigfirm,DC=Com CN=Deleted Objects,DC=Bigfirm,DC=Com OU CN=Mark,CN=Users,DC=Bigfirm,DC=Com
When We Delete Objects, AD… • Creates and sets new attribute isDeleted to True • Removes attributes (as directed by the schema and yes, that could be changed); keeps objectClass, objectGUID, objectSID, sAMAccountName (and others) -- but almost everything else (names, attribs) is gone • Changes distinguished name (DN) from something like cn=mark,cn=users,dc=bigfirm,dc=com to a longer "mangled" name containing the objectGUID (example coming) • Moves AD object in a container called "Deleted Objects" • Calls the object a "tombstone" • For example:
Now, suppose someone wants to delete Mark… DC=Bigfirm,DC=Com CN=Builtin,DC=Bigfirm,DC=Com CN=Computers,DC=Bigfirm,DC=Com OU=Domain Controllers,DC=Bigfirm,DC=Com CN=Foreign Security Principals,DC=Bigfirm,DC=Com CN=LostAndFound,DC=Bigfirm,DC=Com CN=Managed Service Accounts,DC=Bigfirm,DC=Com CN=Program Data,DC=Bigfirm,DC=Com CN=System,DC=Bigfirm,DC=Com CN=Users,DC=Bigfirm,DC=Com CN=Deleted Objects,DC=Bigfirm,DC=Com OU CN=Mark,CN=Users,DC=Bigfirm,DC=Com Let's say that Mark has an objectGUID value of 6e2971d91 (and yes, that GUID is way too small, but it's just an example)
After deletion… DC=Bigfirm,DC=Com CN=Builtin,DC=Bigfirm,DC=Com OU=Domain Controllers,DC=Bigfirm,DC=Com CN=Foreign Security Principals,DC=Bigfirm,DC=Com CN=LostAndFound,DC=Bigfirm,DC=Com CN=Managed Service Accounts,DC=Bigfirm,DC=Com CN=Program Data,DC=Bigfirm,DC=Com CN=System,DC=Bigfirm,DC=Com CN=Users,DC=Bigfirm,DC=Com CN=Computers,DC=Bigfirm,DC=Com CN=Deleted Objects,DC=Bigfirm,DC=Com New place! CN=Mark\0ADEL:6e2971d91,CN=Deleted Objects,DC=Bigfirm,DC=Com New name! OU
When You're Gone, No One Remembers Your (Real) Name • An account with a DN of cn=mark,cn=users,dc=bigfirm,dc=com who has an objectGUID of be0fc7f6-a308-47a2-824a-99d9120774c8 would become • cn=mark\0ADEL:be0fc7f6-a308-47a2-824a-99d9120774c8,cn=Deleted Objects,dc=bigfirm,dc=com • (More specifically, built as RDN (the attribute named "name" in AD), "\0ADEL:," the objectGuid, and "cn=Deleted Objects," and the domain name
Seeing Your AD's Deleted Objects • Three tools: • ldp.exe (which is in Support Tools for 2003 R2 and earlier, and in-the-box for Server 2008 and 2008 R2) • AD PowerShell cmdlets (which is in-the-box for 2008 R2 but can be retrofitted to any DC with at least 2003 SP2… see my Newsletter #86 at my site www.minasi.com for the step by steps; requires no new DCs but does require at least one Windows 7 workstation) • Sysinternals' adrestore.exe
Using LDP to See Deleted Objects • Start LDP.exe • Starts out with a very simple interface and, in truth, doesn't always refresh correctly – so don't be shy about double-clicking some object in the left-hand pane to get it to refresh
LDP Initial Window Next, click Connection / Connect, which lets you tell LDP which server you'd like to connect to. You can punch in a DC name but just clicking "OK" will do the job.
LDP After Connection You're now connected to a particular DC, but you aren't really logged into the directory service yet, even if you're logged on as an enterprise admin. To "log onto the DS," you "bind" to the DS by clicking Connection / Bind and then probably just clicking OK. If, however, you need to proffer different credentials, choose the "Bind with credentials" option, fill in the creds and click OK
You're Bound… • The right-hand pane may show • ----------- • 0 = ldap_set_option(ld, LDAP_OPT_ENCRYPT, 1) • res = ldap_bind_s(ld, NULL, &NtAuthIdentity, NEGOTIATE (1158)); // v.3 • {NtAuthIdentity: User='NULL'; Pwd=<unavailable>; domain = 'NULL'} • Authenticated as: 'BIGFIRM\Administrator'. • But that's what good news looks like, believe it or not – it basically says, "we're happy with how he/she's already logged on" • Next, click Options / Controls
Removing the Veil We're about to ask LDP to show us my domain bigfirm.com, but by default LDP spares us the macabre view of The Dead Things. We are, however, made of tougher stuff than that, so we'll tell it that we can handle the truth by clicking the drop-down labeled "Load Predefined" and choose "Return deleted objects," as you see in the lower right-hand part of the dialog at left. Then click "OK" to return to LDP. Just be sure that the "Active Controls" field contains 1.2.840.113556.1.4.417.
Now Let's Look at BIGFIRM • From LDP, click View / Tree • Fill in your domain's LDAP name, as seen here, and click OK • In the left-hand pane, the domain appears with a plus next to it; click to open
LDP Domain View Click on "Deleted Objects," and, well, nothing happens. There's another LDP quirk – any time you want examine something in the left-hand pane, doubleclick it and it'll appear in the right-hand pane. If I do that and then double click a deleted user "mark," it looks like this:
We Could Undelete, But Not Yet… • We could "undelete" the account from LDP even with Server 2003, and I'll show you how in a moment • But let's leave that for a moment and see how to view deleted objects in a different way, using the R2 PowerShell AD cmdlets • Start up PowerShell on an equipped system from an elevated command prompt with two commands, powershell and import-module activedirectory
Seeing Deleted Objects in PoSH • The basic PowerShell command to see deleted stuff looks like • get-adobject –filter * -includedeletedobjects • And you can shorten it to • get-adobject –f * -inc • But that will show you every item in the whole AD, deleted or not; this shows just the deleted stuff: • get-adobject -inc -filter {isDeleted –eq $true} • If there are no items that match the search, you'll get an error message
Seeing Deleted Objects in PoSH • Another way to see just the deletes: • get-adobject -inc –f * -searchbase "cn=Deleted Objects, dc=bigfirm,dc=com" • Or use just the –filter command and match the samaccountname (which is, recall, one of the few things not wiped out by the deletion): • get-adobject –f {samaccountname –eq "mark"} –inc • Yet another: • get-adobject -inc -f {name -like "*DEL:*"} • And another • get-adobject –inc –f {isDeleted –eq $true} • (You probably would not want to see all of the dead things in a real domain)
The Third Way • The Sysinternals guys have a nice command-line tool called "adrestore.exe" • I'll show it to you later, but wanted to mention it now before moving to the next topic • In pre-ADRB worlds, it's great for simple reanimations, as we'll see
Tombstone Timeout how long before it's gone forever?
And Once Tombstoned… • AD doesn't physically delete the tombstone immediately; in fact, Wally's tombstone stays around for six months to a year before AD scrubs it out of the database • That's because AD can't safely delete Wally's record until every DC knows that Wally's gone – that is, until every DC contains a tombstone for Wally • Reason: once DC1 gets a tombstone for Wally, it knows that Wally is no longer around, and blocks various conditions which might cause Wally to re-appear because DC6 (which doesn't know that Wally's gone) tries to send out Wally-relevant updates to DC1
Eventually, AD Deletes Tombstones • In the perfect world, AD would physically delete Wally's tombstone as soon as every DC knows that every other DC has a Wally tombstone • But in a practical sense, that's not easy to do, as not every DC is running and connected to other DCs at every moment • So Microsoft's compromise was to cause AD to delete a tombstone after it has existed for some fixed period of time • That was 60 days on 2000 and 2003 RTM-based ADs, 180 days thereafter
Seeing Your Tombstone Period • From a PowerShell prompt, type • (get-adobject "cn=Directory Service,cn=Windows NT,cn=Services,cn=Configuration,dc=bigfirm,dc=com" -properties "tombstonelifetime").tombstonelifetime • Value returned is (surprisingly) in days
The Final Delete: Garbage Collection • Once a given DC notices that its local copy of the AD database contains one or more tombstones that are expired, then it's safe to physically delete them • AD checks for and deletes expired tombstones twice a day during its "garbage collection" period • So be careful when you reboot your DCs, as you don't want them doing garbage collection first thing in the morning while everyone's trying to log on!
Reanimating Tombstones bringin' them back to life… both before and after ADRB
Getting Deleted Objects Back • You can't undelete things right-out-of-the-box with 2008 R2, as you'll see soon – it's not even possible until you're at 2008 R2 forest functional level • So let's talk for a moment about restoring deleted objects before the AD Recycle Bin (ADRB) is functional • Uses a 2003 feature called "tombstone reanimation" • (And the main value is that we'll use the same procedures to undelete when ADRB gets enabled!)
Tombstone Reanimation Overview • Just restores the account; almost everything else – group memberships, office info, names, etc – must be repopulated • Not fun at all but only online recovery option even with 08 R2 pre-ADRB but, again, once you've got ADRB, this isn't a problem • KB 840001 covers details
Reanimating a Tombstone with LDP • Start LDP, connect, bind, enable control as before: • Start LDP • Connection / Connect / fill in DC name / OK • Connection / Bind / OK (or enter credentials) • Options / Controls enter "1.2.840.113556.1.4.417" in "Object Identifier," OK
Reanimating a Tombstone: LDP • Open Deleted Objects as before: • View / Tree • Enter domain name, like dc=bigfirm,dc=com, OK (or use the drop-down, which is pre-populated with useful distinguished names) • Open the Deleted Objects container: in the left-hand pane, click the domain name, then click the "plus" sign next to it, then double-click the "Deleted Objects" container and it'll show the deleted objects • Right-click on the item to undelete, choose Modify
LDP Reanimate Strategy • We've got to do two things to make AD reanimate this tombstone (or completely undelete, in ADRB): • Completely delete the isDeleted attribute • Fix the distinguished name from the "0ADEL:" mess to some value that no longer leaves it in Deleted Objects • And we've got to do them both simultaneously, which we can do with LDP
Reanimating with LDP (1) • In the Modify dialog box, create the "delete isDeleted" command by • type "isDeleted" in the "Attribute: field inside the "Edit Entry" group • Click the "Delete" radio button in the "Operation" group • Click Enter to queue it • Check the "Extended" check box so that LDP knows to use the "let me see deleted stuff" control
Reanimating with LDP • Now, the first command's in the queue; time for the second. • In "Edit Entry," change "Attribute:" to "distinguishedName" • Enter a new DN in "values:" • In "Operation," click "Replace" as we're not wiping out the DN, we're replacing it • Then click Enter to get it queued in the "Entry List" field
Reanimating with LDP With both commands queued in "Entry List," double-check that you remembered to check "Extended" and then click Run… … and your account's returned! (but disabled)
Reanimating With Adrestore • Find it at www.sysinternals.com; it's a CLI tool • Looks like adrestore [searchstring] [-r] • Run adrestore and it shows all deleted objects • Run adrestore –r and shows all deleted objects and asks if it can reanimate them • Run adrestore mark –r and it will show just the deleted objects whose name contains "mark" and it will ask if it can reanimate them
So It's Undeleted, But… • Again, the account is back, meaning that its SID hasn't changed (and so you needn't muck with permissions on resources), but it's forgotten most of its attributes, group memberships and everything else • Again, the account is deactivated • So it's time to repopulate those fields, which isn't much fun… • … and why Microsoft built ADRB