Restoring a Deleted Group

Problem

You want to restore a group object that has been inadvertently deleted, as well as restoring its members.

Solution

Using a graphical user interface
  1. Reboot the domain controller in Directory Services Restore Mode.

  2. Perform a System State restore.

  3. Before rebooting the server, perform the steps listed in the following section.

Using a command line interface
  1. To restore the user and group accounts, use the following sequence of commands (replace <ContainerDN> with the name of the container or OU containing the user and group objects that need to be restored):

    > ntdsutil
    > authoritative restore
    > restore subtree <ContainerDN>
    > quit
    > exit

  2. Reboot the domain controller into normal mode and wait for replication to complete.

  3. Reboot the domain controller into Directory Services Restore Mode again. Perform the commands in Step 1 a second time. (It is only necessary to mark the restore as authoritative a second time; you do not need to perform the actual System State restore again.)

  4. Restart the domain controller after running these commands.

Discussion

In most cases, it is sufficient when restoring a deleted object within Active Directory to simply perform an authoritative restore of the object or container. However, things get a bit more complicated when you're restoring group objects as well as the users who were members of those groups. Because you cannot easily control the order in which objects are restored to the AD database, you may run into a situation where a group object gets restored before the users who were members of that group. In this case, when Active Directory attempts to populate the restored group's member attribute, it can only populate it with user objects that already exist within the directory. Put another way, if some or all of the users or other groups that are referenced in the restored group's member attribute have not yet been restored, they will not be included in the restored group's member attribute. This will leave the restored group in an inconsistent state, since it will not possess all of the members that it had before it was deleted.

To correct this issue, it's necessary to perform the authoritative restore process twice when restoring groups and their members. The first authoritative restore will re-create all users that should be members of the group objects. The second pass will go back and correctly re-populate the member attribute of any restored groups, now that all of the needed user objects exist within Active Directory.
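The following PowerShell script is an added example, not part of the original recipe, for checking the state described above between Step 2 (the reboot into normal mode) and Step 3 (the second authoritative pass). It assumes the ActiveDirectory module is available and that a membership export taken before the deletion exists as a CSV with the columns GroupDN and MemberDN; the file path is a placeholder. For each group it reports which expected members are absent from the member attribute and, for each absent member, whether the object already exists in the directory (the case the second authoritative pass fixes) or is still missing altogether (the case the first restore did not cover).

```powershell
# Added verification example (not from the Active Directory Cookbook).
# Assumes: ActiveDirectory module; a pre-deletion export with columns GroupDN,MemberDN.
Import-Module ActiveDirectory

$ExpectedPath = 'C:\Backup\group-membership-before-deletion.csv'   # placeholder path

# Group the export so each group DN maps to the list of member DNs it should contain.
$expected = Import-Csv -Path $ExpectedPath | Group-Object -Property GroupDN

function Test-ObjectExists {
    param([string]$DistinguishedName)
    # Returns $true when the DN resolves to an object in the directory.
    try {
        $null = Get-ADObject -Identity $DistinguishedName -ErrorAction Stop
        return $true
    } catch {
        return $false
    }
}

$report = foreach ($entry in $expected) {
    $groupDn    = $entry.Name
    $shouldHave = @($entry.Group | ForEach-Object { $_.MemberDN })

    try {
        $group = Get-ADGroup -Identity $groupDn -Properties member -ErrorAction Stop
    } catch {
        # The group object itself did not come back: the restore did not cover it.
        [pscustomobject]@{
            GroupDN        = $groupDn
            Status         = 'GroupMissing'
            UnlinkedExisting = @()
            StillMissing   = $shouldHave
        }
        continue
    }

    $current = @($group.member)
    $missing = @($shouldHave | Where-Object { $current -notcontains $_ })

    # Members that exist but are not linked will be picked up by the second
    # authoritative pass; members that do not exist need to be restored first.
    $unlinked     = @($missing | Where-Object {  (Test-ObjectExists $_) })
    $stillMissing = @($missing | Where-Object { -not (Test-ObjectExists $_) })

    [pscustomobject]@{
        GroupDN          = $groupDn
        Status           = if ($missing.Count -eq 0) { 'Complete' } else { 'Incomplete' }
        UnlinkedExisting = $unlinked
        StillMissing     = $stillMissing
    }
}

$report | Format-Table -AutoSize
```

A group reported as Incomplete with entries only in UnlinkedExisting is exactly the inconsistent state the Discussion describes, and the second authoritative pass in Step 3 should clear it; entries in StillMissing mean the referenced objects were outside the restored subtree and the first restore has to be revisited before the second pass will help.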

See Also

MS KB 216993 (Useful Shelf Life of a System-State Backup of Active Directory), MS KB 840001 (How to Restore Deleted User Accounts and Their Group Memberships in Active Directory), and Chapter 17 for more on recovering and restoring Active Directory