June 23, 2017
Active Directory Objects Recovery from VM Backup
Active Directory and Objects
Active Directory (AD) is a global authentication directory, which provides centralized IT infrastructure management. AD is one of the most critical business applications, which means that recovery is essential to lowering service downtime. AD can contain and manage a multitude of objects, which must be strongly organized. Some of the objects depend on others, and the recovery process can be time-consuming and complex. The quality of the recovery process depends directly on a VMware backup software, which must contain lost data. Have you ever been in a situation where one or more of Active Directory objects, such as a user, group, or entire Organization Unit (OU) were accidentally removed, or changed in AD? For example, we have an Active Directory domain controller, which contains several OUs and some users.
For some time everything went fine until someone permanently deleted an entire organizational unit.
Users can’t access their accounts and services, and the domain rejects their credentials. The enterprise workflow is partially paralyzed. And now we should consider how we can recover deleted Active Directory objects.
Active Directory Objects Recovery Basics
You can start the recovery process using the integrated Windows Server backup utility, or another supported 3-rd party utility. Active Directory provides two main recovery methods:
A non-authoritative recovery is a default method to recover Active Directory. It simply returns the domain to its state at the time the backup was made and allows normal replication to overwrite any object and container changes made afterwards.
An authoritative recovery process consists of two parts: non-authoritative recovery from backup which is followed by an authoritative recovery. The main difference is that it has the ability to make authoritative changes in objects and their attributes in the entire directory. This type of recovery can affect computer accounts, trusts, and group membership.
To select a proper recovery method you need to consider the following:
- The actual cause of the failure: either accidental or malicious deletion/modification of objects that were replicated to all domain controllers (in that case it would be an authoritative recovery), or complete failure of the entire VM;
- Roles and functions of the failed Active Directory server.
When considering which of the situations described above you are, select the authoritative or non-authoritative method, or combine one of these methods with a 3-rd party tool. NAKIVO Backup & Replication can help to simplify this process.
AD Objects Recovery with NAKIVO Backup & Replication
The backup created using NAKIVO Backup & Replication contains all AD data, such as containers, objects, and attributes. It stores more information than in the tombstone. You can get instant access to Active Directory databases from VM backups. Recovery does not require creating a special lab or running a special type of backup. You can search Active Directory objects and containers, browse database, and view objects and their attributes.
The first step of the recovery process is to find our backup in the NAKIVO Backup & Replication web interface. Under Overview, select your backup job and check the Virtual Machine name.
Go to Job Dashboard and click on Recover, then select Granular Recovery>>Microsoft Active Directory objects.
This will open the Active Directory Object Recovery Wizard. In the right pane, select the recovery point from which you would like to recover. At the bottom of the wizard you’ll see Automatically locate application databases. This option should be checked. Click the Next button to continue.
The AD database will be automatically found in the VM’s backup and show its content right in the product’s web interface.
On the Items step, you’ll see the ntds.dit Active Directory database which was found by the product. Now you can select the entire OU object and need to verify whether the checkbox to the left of Name is checked. Then click the Download button.
In the next step you can configure attributes for recovering objects.
To configure attributes of the selected objects click Recovery settings.
In the Recovery of User object drop-down menu you can choose either User will be disabled, or User must change password at next logon.
In this case, we choose the User must change password at next logon option. Click the Download button, and you’ll get a zipped .LDF file in your browser.
Download the file into your Active Directory server and then unzip it.
Also, with the User must change password at next logon option selected there will be two files in the archive. One of them will contain current passwords for restored users.
Before you start, make sure that Active Directory server has a CA role. Refer here for more information about this role. It will be necessary for secure LDAP connection
To recover objects, you need a secure LDAP connection. Run WindowsPowerShell as Administrator.
In the PowerShell console, go to the unzipped directory with Recovered items and run the following:
ldifde -i -t 636 -f filename.ldif -k -j logfolder
Where “filename.ldif” is the path to ldif file, and "logfolder" is the path to the folder where process logs will be saved. In our case, it will be:
ldifde -i -t 636 -f ad.ldif.ldif -k -j C:\Recovery\Log
The message in the console says that 31 entries modified successfully, and The command has completed successfully. You can find detailed information in the log file located in "logfolder".
In Active Directory Users and Computers you can now see the previously deleted OU – unit1, with all users in it.
As we selected the recovery with User must change password at next logon before, we can see that this attribute is checked as well.
As it was said before, Active Directory is a business-critical application. Microsoft Active Directory service is located on the top of many organizations infrastructure. Sometimes solutions based on it are very complex and consist of many controllers in a fairly large forest. Therefore, companies are always thinking about the safety of data in the directory service. Timely recovery of deleted or incorrectly changed directory service objects is an urgent problem for any organization. Correct restoration of Active Directory objects in most cases rescues businesses from the necessity to fully restore all VMs. Thus, it reduces downtime and ensures business continuity.