June 29, 2004 12:00 AM

Delayed-Replication AD Recovery

It's like turning back the hands of time
Windows IT Pro
InstantDoc ID #42932

Restore the object. Because the lag DC's copy of the directory still contains the object, you can restore it without retrieving tape backups or restoring an old directory tree file. You can use Ntdsutil to increase the object's update sequence number (USN) by an increment of 100,000, thereby ensuring that the restored object will win the replication conflict.

  1. Reboot the delayed-replication DC you're using into Directory Service Restore Mode. To do so, press F8 at the OS selection screen during bootup and select the Directory Services Restore Mode option. You'll need to know the restore-mode password to log on.
  2. At a command prompt, type ntdsutil. Select the Authoritative Restore option by typing authoritative restore.
  3. Type restore object, followed by the object's DN. For example:
     restore object CN=jesse.sutela@hp.com,OU=US,DC=wamericas,DC=wtest,DC=cpqtest,DC=net
     This command should appear on one line. Wrap the DN in quotes if it contains any spaces. Press Enter.
  4. Reboot into regular mode.

Replicate the restored object into the rest of the domain. Determine which production DC in the domain is pulling updates from the delayed-replication DC by looking in the Active Directory Sites and Services snap-in. After you find the production DC that has a connection object from the delayed-replication DC you want, right-click the connection object and select Replicate Now to force the production DC to pull updates from the delayed-replication DC. The restored object should now replicate back to the production DC.
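The lookup and forced pull described above, as an added PowerShell example that is not part of the original article. It assumes the ActiveDirectory RSAT module and repadmin.exe are available on the machine you run it from; the DC name and object DN are placeholders.

```powershell
# Added example: find the production DC whose connection object pulls from the
# delayed-replication DC, force that pull (the scripted equivalent of
# "Replicate Now"), then confirm the restored object has arrived.
Import-Module ActiveDirectory

function Invoke-PullFromLagDc {
    param(
        [string]$LagDc = 'DC03',          # delayed-replication DC (placeholder name)
        [string]$ObjectDn                 # DN of the object you restored with Ntdsutil
    )
    $domainNc = (Get-ADDomain).DistinguishedName

    # Connection objects sit under the destination DC's NTDS Settings object;
    # the source DC appears in ReplicateFromDirectoryServer as "...CN=<source>,CN=Servers,...".
    $connections = Get-ADReplicationConnection -Filter * |
        Where-Object { $_.ReplicateFromDirectoryServer -like "*CN=$LagDc,CN=Servers,*" }

    if (-not $connections) {
        Write-Warning "no connection object pulls from $LagDc; check Sites and Services"
        return
    }

    foreach ($conn in $connections) {
        # The destination server name is the CN just in front of CN=Servers in the DN.
        if ($conn.ReplicateToDirectoryServer -match 'CN=([^,]+),CN=Servers,') {
            $destDc = $Matches[1]
            Write-Output "forcing $destDc to pull $domainNc from $LagDc"
            # repadmin /replicate <destination DC> <source DC> <naming context>
            & repadmin.exe /replicate $destDc $LagDc $domainNc

            # Check against the production DC itself, not whichever DC answered first.
            $obj = Get-ADObject -Identity $ObjectDn -Server $destDc -ErrorAction SilentlyContinue
            if ($obj) { Write-Output "$ObjectDn is now present on $destDc" }
            else      { Write-Warning "$ObjectDn not yet visible on $destDc; retry or check repadmin /showrepl" }
        }
    }
}

Invoke-PullFromLagDc -LagDc 'DC03' -ObjectDn 'CN=jesse.sutela@hp.com,OU=US,DC=wamericas,DC=wtest,DC=cpqtest,DC=net'
```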

Recovering Crucial Information about the Deleted Object
If a user object has been deleted, restoring the object won't necessarily restore everything about that user. For example, when you restore a user object in Win2K, group memberships are lost. Therefore, you might also want to look at the user's properties in the Active Directory Users and Computers snap-in. You can gather the group memberships for the user on the Member of tab of the account's Properties sheet. Windows 2003, in contrast, does a good job of fixing the domain group memberships after a restore. However, in either OS, membership in local groups of trusting domains will still be lost.

Keeping close track of local group memberships and logging that information will let you repopulate local groups after a user restore. This task might be tedious if you don't use some form of scripted automation. For more information about restoring groups, see "Resources," below.
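One way to do that scripted logging and repopulation, as an added PowerShell example that is not from the article. It keys the log on the user's SID, which an authoritative restore preserves and which foreign security principals in trusting domains embed in their DN; it assumes the ActiveDirectory RSAT module, and the server names and log path are placeholders.

```powershell
# Added example: record (SID, group DN, server) triples for every group in each
# listed domain, then re-add a restored user to those groups by SID.
Import-Module ActiveDirectory

function Export-GroupMembershipLog {
    param([string[]]$Servers, [string]$LogPath)   # one DC per domain to log (placeholders)
    $rows = foreach ($server in $Servers) {
        Get-ADGroup -Filter * -Server $server -Properties member | ForEach-Object {
            $groupDn = $_.DistinguishedName
            foreach ($memberDn in $_.member) {
                $sid = $null
                if ($memberDn -match '^CN=(S-1-5-[\d-]+),CN=ForeignSecurityPrincipals,') {
                    $sid = $Matches[1]      # member from a trusting domain: the DN carries its SID
                } else {
                    try {
                        $sid = (Get-ADObject -Identity $memberDn -Server $server -Properties objectSid).objectSid.Value
                    } catch { }             # contacts and other SID-less members are skipped
                }
                if ($sid) { [pscustomobject]@{ Sid = $sid; GroupDn = $groupDn; Server = $server } }
            }
        }
    }
    $rows | Export-Csv -Path $LogPath -NoTypeInformation
}

function Restore-GroupMembership {
    param([string]$Sid, [string]$LogPath)
    $wanted = Import-Csv -Path $LogPath | Where-Object Sid -eq $Sid
    foreach ($row in $wanted) {
        try {
            # -Members accepts a SID; on a trusting domain's DC the foreign security
            # principal is created or reused as needed. Existing memberships (the
            # ones Windows 2003 repairs itself) fail here and are only reported.
            Add-ADGroupMember -Identity $row.GroupDn -Server $row.Server -Members $Sid
            Write-Output "added $Sid to $($row.GroupDn) on $($row.Server)"
        } catch {
            Write-Warning "could not add $Sid to $($row.GroupDn) on $($row.Server): $($_.Exception.Message)"
        }
    }
}

# Scheduled run, e.g. daily, before the lag DC's weekly replication:
Export-GroupMembershipLog -Servers @('dc01.wamericas.wtest.cpqtest.net', 'dc01.trusting.example') -LogPath 'C:\adlog\groups.csv'
# After restoring the user, look up its SID and replay the log:
$restored = Get-ADUser -Identity 'CN=jesse.sutela@hp.com,OU=US,DC=wamericas,DC=wtest,DC=cpqtest,DC=net'
Restore-GroupMembership -Sid $restored.SID.Value -LogPath 'C:\adlog\groups.csv'
```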

Of course, other types of objects in AD might require restoration. One example is DNS data. Be mindful that DNS data might be stored within an application partition. Windows 2003 lets you move DNS data out of the default naming context and into an application partition. By default, application partitions aren't replicated to all DCs. For more information about how to ensure that your disaster-recovery plan includes application partitions, see the sidebar "Including Application Partitions."

Up-Front Costs
You might think delayed replication sounds great, but the cost of having several extra servers sitting around, doing very little other than replicating once per week, will make the solution a hard sell to those in control of the IT budget. Bear in mind that a recovery site reduces the number of personnel necessary to recover a deleted object and decreases the amount of lost productivity for the affected user.

Besides using the justification that delayed replication is an insurance investment, you can further mitigate the up-front costs through the use of virtual servers. Assuming you have sufficient memory and processing power, all your recovery DCs could reside as virtual-server instances on one virtual-server host.

Turn Back Time
Recovery of deleted AD objects can be a lengthy process that involves more than one support group, particularly in midsized to large companies. Coordination of efforts and backup-tape location can lead to lengthy downtimes for users. In the event that a user account or entire subtree of objects is deleted, rapid recovery is crucial to keeping your business running smoothly. Using a delayed-replication site to facilitate the recovery of deleted objects is like turning back the hands of time.

Resources
MICROSOFT ARTICLES

"How to restore deleted user accounts and their group memberships in Active Directory"
http://support.microsoft.com/?kbid=840001

"Authoritative restore of groups can result in inconsistent membership information across domain controllers"
http://support.microsoft.com/?kbid=280079

"HOW TO: Perform an Authoritative Restore to a Domain Controller in Windows 2000"
http://support.microsoft.com/?kbid=241594

"HOW TO: Manage the Application Directory Partition and Replicas in Windows Server 2003"
http://support.microsoft.com/?kbid=322669

"How to Optimize the Location of a Domain Controller or Global Catalog That Resides Outside of a Client's Site"
http://support.microsoft.com/?kbid=306602

Comments
  • Michel-Vincent
    Nov 21, 2006

    Well, that's just the issue, because when you join the domain, Windows will check if the computer name still exists on all DCs (including the "lagged" one). No new ObjectGUID is created... and the object gets deleted at the next replication cycle...
    If one uses the netdom command and specifies the DC on which the account is created, then it's OK.

  • MIKE
    Jul 21, 2005

    MVL - Adding a computer to a domain will generate a new ObjectGUID so even if you use the same computer name, there shouldn't be a problem with the old computer object that's about to be deleted.

  • Michel-Vincent
    Dec 17, 2004

    Very nice, but this technique has a drawback: if you must reinstall a Server/XP/DC from scratch with the same name (for example because of a major hardware issue), one must make sure the previous account is deleted from ALL DCs, including those in the delayed-replication site. Let's say you use delayed-replication on DC03, well after removing the old computer account from AD on another DC, you need to either wait for the delayed replication or delete the computer account manually on DC03.
    If you do not, and join the domain with the same computer name, the old computer account still exists on DC03. You will use that computer account, but it's about to be deleted and your restored server/xp/DC will soon find itself out of the domain...
    Uncool. MVL.

  • joe8908
    Aug 20, 2004

    Absolutely Fantastic Article. Beautifully simple yet effective technique to address a real service delivery problem. JK.

  • Gerrekens
    Aug 05, 2004

    Geniality in simplicity - just have to think of it. More of these please!
