Active Directory Restore – From a DC which has not replicated with the mistake (deletion of an Object or OU)

Well.. I think this will be quite an interesting case study that every system administrator should know and learn from. It also shows how important it is to have a backup Domain Controller. For those running AD with a single DC, please start planning your AD DR plan (Active Directory Disaster Recovery Plan).
OK. This time I will share what to do if you made a mistake by deleting some AD objects (such as user accounts, computer accounts or a whole OU), AND you happen to have one DC somewhere that has not yet replicated the mistake!
I have had this experience and it is really exciting, and I am glad that the Microsoft website provided all the solution, but one should always prepare themselves before an accident happens so that you have sufficient time to react. 🙂
The method I am sharing is actually called "Procedures for Restoring Before Deletions Have Replicated" on the Microsoft website.
The recommendation is that the recovery domain controller should ideally be a global catalog server that has not received the deletions; if you have none, use any other domain controller that has not yet received replication of the deletions. In either case you do not have to perform a preliminary restore from backup.
So, perform the following procedures on the recovery domain controller:
  1. Turn off inbound replication.
  2. If you do not have a current backup of the recovery domain controller, back up system state. You can use this backup if your recovery is not successful and you need to try again.
  3. Restart the domain controller in Directory Services Restore Mode remotely, as the DC is not physically near me.
  4. Mark the object or objects authoritative.
  5. Restart the domain controller normally.
  6. Synchronize replication with all partners.
  7. Run an LDIF file to recover back-links in this domain.
  8. Turn on inbound replication.
  9. Back up system state on the recovered domain controller.
  10. If the .ldf file shows back-links for objects in other domains, perform the procedures in "Procedures for recovering group memberships (and any other back-link attributes) in other domains".

One thing to note if you are restoring a GROUP: you must make sure all the member users have already been restored!! If not, you will encounter a lot of unnecessary additional follow-up~
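The ten steps above, together with the "restore the members before the group" caveat, as an added PowerShell example. This is not code from the original post or from Microsoft's documentation; it is run on the recovery DC itself (for example over an RDP or PowerShell Remoting session, since the DC is not physically nearby) and is split into three phases because the DSRM restart sits between them. The DC name, the DN of the deleted object and the backup volume are placeholders you must replace; the tools it drives (repadmin, wbadmin, bcdedit, ntdsutil, ldifde) are the standard Windows ones, and the assumption that ntdsutil writes its ar_*_links_*.ldf and ar_*_objects.txt files into the current directory is noted in the comments.

```powershell
<#
Added example (not the post's or Microsoft's code). Run ON the recovery DC.
Phases: PreRestore -> (reboot into DSRM) -> DsrmRestore -> (reboot) -> PostRestore
All three parameter defaults are placeholders.
#>
[CmdletBinding()]
param(
    [Parameter(Mandatory)][ValidateSet('PreRestore', 'DsrmRestore', 'PostRestore')]
    [string]$Phase,
    [string]$RecoveryDC   = 'DC2.corp.example',             # placeholder: DC that has NOT replicated the deletion
    [string]$DeletedDN    = 'OU=Sales,DC=corp,DC=example',  # placeholder: DN of the deleted object/OU
    [string]$BackupTarget = 'E:'                            # placeholder: volume for the system state backup
)
$ErrorActionPreference = 'Stop'

function Invoke-Tool([string]$Exe, [string[]]$ToolArgs) {
    # Run an external tool and fail fast on a non-zero exit code.
    & $Exe @ToolArgs
    if ($LASTEXITCODE -ne 0) { throw "$Exe $($ToolArgs -join ' ') failed with exit code $LASTEXITCODE" }
}

switch ($Phase) {
  'PreRestore' {
    Import-Module ActiveDirectory
    # Sanity check: the object must still be live on THIS DC. If it is already
    # gone here, the deletion has replicated and this DC cannot serve as the
    # recovery DC without a prior restore from backup (a different procedure).
    try   { $null = Get-ADObject -Server $RecoveryDC -Identity $DeletedDN }
    catch { throw "'$DeletedDN' is not live on $RecoveryDC; the deletion has already replicated here." }

    # Step 1: stop inbound replication so the deletion cannot arrive mid-procedure.
    Invoke-Tool repadmin @('/options', $RecoveryDC, '+DISABLE_INBOUND_REPL')
    # Step 2: system state backup as a fallback if the recovery goes wrong.
    Invoke-Tool wbadmin @('start', 'systemstatebackup', "-backupTarget:$BackupTarget", '-quiet')
    # Step 3: make the next boot go to DSRM and restart (no console access needed).
    Invoke-Tool bcdedit @('/set', 'safeboot', 'dsrepair')
    Restart-Computer -Force
  }
  'DsrmRestore' {
    # Run this phase after logging on in DSRM with the DSRM administrator account.
    # Step 4: mark the object (or the whole subtree for an OU) authoritative.
    # Assumption: ntdsutil writes ar_*_links_*.ldf (back-links) and
    # ar_*_objects.txt into the current directory; keep them for the next phase.
    $verb = if ($DeletedDN -like 'OU=*') { 'restore subtree' } else { 'restore object' }
    Invoke-Tool ntdsutil @('authoritative restore', "$verb $DeletedDN", 'q', 'q')
    # Step 5: clear the DSRM flag and restart normally.
    Invoke-Tool bcdedit @('/deletevalue', 'safeboot')
    Restart-Computer -Force
  }
  'PostRestore' {
    Import-Module ActiveDirectory
    # Step 6: push the authoritative data to all partners
    # (/A all partitions, /P push outbound, /e cross-site, /d show DNs).
    # Inbound replication is still disabled at this point.
    Invoke-Tool repadmin @('/syncall', $RecoveryDC, '/APed')

    # Step 7: re-import back-links (group memberships etc.) from the .ldf files.
    # Caveat from the post: every member referenced must already exist, so
    # verify each "member: <DN>" line before importing and stop if one is missing.
    foreach ($ldf in Get-ChildItem -Path . -Filter 'ar_*_links_*.ldf') {
        $missing = Select-String -Path $ldf.FullName -Pattern '^member:\s+(.+)$' |
            ForEach-Object { $_.Matches[0].Groups[1].Value.Trim() } |
            Where-Object { -not (Get-ADObject -Server $RecoveryDC -Filter "distinguishedName -eq '$_'") }
        if ($missing) { throw "Restore these members first, then re-run PostRestore: $($missing -join '; ')" }
        Invoke-Tool ldifde @('-i', '-k', '-s', $RecoveryDC, '-f', $ldf.FullName)
    }

    # Step 8: inbound replication back on. Step 9: fresh system state backup.
    Invoke-Tool repadmin @('/options', $RecoveryDC, '-DISABLE_INBOUND_REPL')
    Invoke-Tool wbadmin @('start', 'systemstatebackup', "-backupTarget:$BackupTarget", '-quiet')

    # Step 10: ar_*_objects.txt lists back-links held in OTHER domains; those
    # need the separate "recovering group memberships in other domains" procedure.
    Get-ChildItem -Path . -Filter 'ar_*_objects.txt' |
        ForEach-Object { Write-Host "Review for other-domain back-links: $($_.FullName)" }
  }
}
```

Usage: `.\Restore-BeforeReplication.ps1 -Phase PreRestore`, log on in DSRM and run `-Phase DsrmRestore`, then after the normal restart run `-Phase PostRestore` from the directory holding the ar_* files. The live-object check in PreRestore is the point of the whole approach: if the object is already tombstoned on the chosen DC, it has replicated the mistake and a restore from backup is needed instead.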

I really hope that such a scenario will not happen, and one way to prevent it is to make sure Domain Admin rights, or rights to manage OUs, user accounts and computer accounts, are granted only to a limited number of users in your IT team.

And most importantly, one should always be careful with all changes to objects in AD, especially when it comes to moving or deleting them!!

This entry was posted in Microsoft Active Directory.
