Active Directory Objects Recovery from VM Backup

Active Directory and Objects

Active Directory (AD) is a global authentication directory that provides centralized management of IT infrastructure. AD is one of the most critical business applications, so fast recovery is essential to keeping service downtime low. AD can contain and manage a multitude of objects, which must be strictly organized. Some objects depend on others, and the recovery process can be time-consuming and complex. The quality of the recovery depends directly on a good backup, which must contain the lost data. Have you ever been in a situation where one or more Active Directory objects, such as a user, a group, or an entire Organizational Unit (OU), were accidentally removed or changed in AD? For example, we have an Active Directory domain controller that contains several OUs and some users.

Active Directory Users and Computers

For some time everything went fine until someone permanently deleted an entire organizational unit.

Active Directory Organizational Unit

Users can’t access their accounts and services, and the domain rejects their credentials. The enterprise workflow is partially paralyzed. Now we need to consider how to recover the deleted Active Directory objects.

Active Directory Objects Recovery Basics

You can start the recovery process using the integrated Windows Server utility or a supported third-party utility. Active Directory provides two main recovery methods:

Non-Authoritative Recovery

A non-authoritative recovery is the default method of recovering Active Directory. It simply returns the domain controller to its state at the time the backup was made and allows normal replication to overwrite any object and container changes made afterwards.

Authoritative Recovery

An authoritative recovery consists of two parts: a non-authoritative recovery from backup, followed by an authoritative recovery. The main difference is that it can mark objects and their attributes as authoritative so that the restored versions replicate across the entire directory. This type of recovery can affect computer accounts, trusts, and group membership.

To select a proper recovery method you need to consider the following:

  • Actual cause of the failure: either accidental or malicious deletion or modification of objects that has already replicated to all domain controllers (in that case an authoritative recovery is required), or complete failure of the entire VM;
  • Roles and functions of the failed Active Directory server.

Once you know which of the situations described above applies, select the authoritative or non-authoritative method, or combine one of these methods with a third-party tool. NAKIVO Backup & Replication can help simplify this process.

AD Objects Recovery with NAKIVO Backup & Replication

The backup created with NAKIVO Backup & Replication contains all AD data, such as containers, objects, and attributes, and so stores more information than a tombstone. You get instant access to Active Directory databases from VM backups; recovery does not require creating a special lab or running a special type of backup. You can search Active Directory objects and containers, browse the database, and view objects and their attributes.

Step 1

The first step of the recovery process is to find the backup in the NAKIVO Backup & Replication web interface. Under Overview, select your backup job and check the virtual machine name.

Start Active Directory Objects Recovery

Go to the Job Dashboard and click Recover, then select Granular Recovery > Microsoft Active Directory objects.

Microsoft Active Directory Objects

Step 2

This opens the Active Directory Object Recovery Wizard. In the right pane, select the recovery point from which you would like to recover. At the bottom of the wizard you’ll see the Automatically locate application databases option; it should be checked. Click Next to continue.

NAKIVO Active Directory Object Recovery Wizard

The AD database is automatically located in the VM’s backup, and its content is shown right in the product’s web interface.

On the Items step, you’ll see the ntds.dit Active Directory database found by the product. Select the entire OU object and verify that the checkbox to the left of Name is checked. Then click the Download button.

Selecting Objects from AD Database

In the next step you can configure attributes for the recovered objects.

Step 3

To configure attributes of the selected objects, click Recovery settings.

Recovery Settings

In the Recovery of User object drop-down menu, you can choose either User will be disabled or User must change password at next logon.

Objects Recovery Options

In this case, we choose the User must change password at next logon option. Click the Download button, and your browser downloads a zipped .LDF file.

User Must Change Password at Next Logon Option

Step 4

Download the file onto your Active Directory server and unzip it.

Download Archive with Objects

Also, with the User must change password at next logon option selected, there will be two files in the archive. One of them contains the current passwords for the restored users.

Archive Contents

Before you start, make sure that the Active Directory server has the Certificate Authority (CA) role installed; it is necessary for a secure LDAP (LDAPS) connection. Refer to the Microsoft documentation for more information about this role.

To recover objects, you need a secure LDAP connection. Run Windows PowerShell as Administrator.

In the PowerShell console, go to the unzipped directory with the recovered items and run the following:

ldifde -i -t 636 -f filename.ldif -k -j logfolder

Here, “filename.ldif” is the path to the LDIF file and “logfolder” is the path to the folder where process logs will be saved; -i selects import mode, -t 636 connects over the LDAPS port, and -k continues past “Object Already Exists” and constraint-violation errors instead of stopping. In our case, it will be:

ldifde -i -t 636 -f ad.ldif.ldif -k -j C:\Recovery\Log

The console message says that 31 entries were modified successfully and that the command has completed successfully. You can find detailed information in the log file located in “logfolder”.

Import AD Objects Command Line Utility

In Active Directory Users and Computers you can now see the previously deleted OU, unit1, with all of its users.

Recovered Organizational Unit

Step 5

As we selected the User must change password at next logon recovery option earlier, we can see that this attribute is set as well.

Recovered User Must Change Password at Next Logon Attribute

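Before running ldifde, it helps to know what the recovered .ldif will actually add and which accounts will come back disabled or with a forced password change. The Python script below is an added example, not part of NAKIVO’s product or the original post; it parses LDIF (including base64 “::” values and folded lines) and reports the entry count, users whose userAccountControl has the disabled bit (0x2) set, and users whose pwdLastSet is 0, which is the attribute value behind User must change password at next logon. The sample LDIF is constructed and the DNs are placeholders.

```python
import base64

ACCOUNTDISABLE = 0x0002  # userAccountControl bit that marks a disabled account
# Constructed sample in the shape ldifde imports (not a real recovery export).
SAMPLE_LDIF = """\
dn: OU=unit1,DC=example,DC=local
objectClass: organizationalUnit
ou: unit1

dn: CN=Alice Example,OU=unit1,DC=example,DC=local
objectClass: user
sAMAccountName: alice
userAccountControl: 512
pwdLastSet: 0
description:: QWRkZWQgYnkgcmVjb3Zlcnk=

dn: CN=Bob Example,OU=unit1,DC=example,DC=local
objectClass: user
sAMAccountName: bob
userAccountControl: 514
pwdLastSet: 133000000000000000
"""

def parse_ldif(text):
    """Return a list of {attribute: [values]} dicts, one per LDIF entry."""
    entries = []
    for block in text.strip().split("\n\n"):
        entry = {}
        # unfold continuation lines (a leading space joins to the previous line)
        for line in block.replace("\n ", "").splitlines():
            attr, _, value = line.partition(":")
            if value.startswith(":"):  # "attr:: <base64>" form
                value = base64.b64decode(value[1:].strip()).decode("utf-8")
            entry.setdefault(attr, []).append(value.strip())
        entries.append(entry)
    return entries

def review(text):
    """Count entries and flag users that will land disabled or must change password."""
    report = {"entries": 0, "disabled": [], "must_change_password": []}
    for e in parse_ldif(text):
        report["entries"] += 1
        if "user" in e.get("objectClass", []):
            name = e.get("sAMAccountName", e["dn"])[0]
            if int(e.get("userAccountControl", ["0"])[0]) & ACCOUNTDISABLE:
                report["disabled"].append(name)
            if e.get("pwdLastSet", [""])[0] == "0":  # 0 = must change at next logon
                report["must_change_password"].append(name)
    return report
```

Run review() on the unzipped .ldif before the import and compare the entry count with the "entries modified successfully" figure ldifde reports afterwards.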
As mentioned before, Active Directory is a business-critical application. Microsoft Active Directory sits at the top of many organizations’ infrastructure. Solutions built on it are sometimes very complex and consist of many domain controllers in a fairly large forest. Therefore, companies are always thinking about the safety of data in the directory service. Timely recovery of deleted or incorrectly changed directory service objects is a pressing problem for any organization. In most cases, correct restoration of Active Directory objects saves businesses from having to fully restore all VMs, which reduces downtime and ensures business continuity.