Saturday, July 10, 2010

Tech-Ed 2010 Session Summaries 2: Mark Minasi's Night of the Living Directory

Tech-Ed 2010 Session Summaries 2: Night of the Living Directory: Understanding the Windows 2008 Server R2 Active Directory Recycle Bin, Undeletion, and Reanimation

Mark Minasi has always been my favorite presenter at Tech-Eds. No presenter has such skill at clearly, wittily explaining the most arcane, complicated technical topics. Not only that, he can pan gold from the most unlikely of streams. This year at Tech-Ed he gave a dynamite presentation on, of all things, the Recycle Bin. If anyone can find gold in garbage, it’s him.

To begin with, this remarkable functionality is not available out-of-the-box, and there are some constraints to universal and daily use of the recycle bin retrieval. For one, it can only be used in an organization running at the Windows Server 2008 R2 forest functional level. That means upgrading each and every domain controller everywhere. For another, it is almost entirely command-line driven. That being said, what Mark presented was way easier than our option in the old days.

In the Old Days. In the old days, the effort was non-trivial, and excellent exam fodder: take a DC offline, reboot it in Directory Services Restore Mode, with AD off, with the local admin password, restore from a backup, use NTDSUTIL to do an authoritative restore, then reboot and wait for the retrieved item to propagate throughout the AD system. The difficulty is the dependence on backup reliability, and the change control process (and paperwork) involved in taking a DC offline and tinkering with it.

Why has this been so complicated? To understand this it helps to review what happens when we delete things.

Where the Dead Things Go. So, what happens to deleted user accounts? Within ADUC (Active Directory Users and Computers) even with View Advanced Features, we can see Lost and Found, System, and Users, but no Deleted Objects, even though it is in fact there. Mark later explains how to do this.

When We Delete Objects, several things happen. A new attribute, “isDeleted”, is created and set to True. Almost all other attributes are stripped away, including Name. The Distinguished Name is largely changed to a long alphanumeric string. And the object is moved to a hidden container called Deleted Objects. And there it remains for a fixed time, like souls at the shore of Styx, waiting for the ride across to oblivion.

While the container and its contents may be hidden, there are ways to view them. Minasi discussed three such tools:

1. LDP.EXE, which is available with W2K8S and later. This has been around for a long time, but is seldom used. Perhaps its lamentable so-called GUI and childish icon have something to do with this. Pull it up yourself and you be the judge. That being said, in four simple steps it can be invoked: start LDP, go to Connection, hit Ctrl-B (for Bind), hit Enter, and you’re in. Within LDP, go to Options, then Controls, and within its Load Predefined section, select “Return deleted objects”. Then, Deleted Objects will appear. Interestingly, we could undelete from here.

2. AD PowerShell cmdlets, available with W2K8S and later. Here, start with an elevated-privilege PowerShell prompt with the ActiveDirectory module loaded. This command will show deleted objects (Get-ADObject requires a filter, so -Filter * returns everything): Get-ADObject -Filter * -IncludeDeletedObjects or, alternately, with the more intuitive Get-ADObject -IncludeDeletedObjects -Filter {isDeleted -eq $true}

3. SysInternals.com’s ADRESTORE.EXE. This command-line utility, run simply by itself, does the same thing. It shows deleted objects but not their container. And it does not get much easier than this.

Background: Tombstoning. Why even hold onto deleted objects at all? Minasi explains this extremely lucidly. The idea is to retain the object in its deleted state until all DCs have realized the object is deleted. This avoids the unpleasantness of having a user deleted in Tokyo but still asked to change passwords, say, in Toledo. This limbo-like state is tombstoning. As the new status propagates through the network, all DCs adopt tombstones for the deleted object. Once every DC has the tombstone, then they can all be deleted for good; this is called garbage collection. For Windows 2000 and 2003, this took place 60 days after the initial deletion; the length inexplicably tripled to 180 in W2K8S.

How to Restore. Mark begins by showing how this can be done with Windows 2003. This involves the tombstone reanimation procedure. In this case, the deleted object is restored by name, but group memberships and other attributes must be re-created, which for many users is a very non-trivial task, especially since this is seldom documented.

The first way is with LDP. Within LDP, establish visibility of deleted objects, then right-click the deleted object and select Modify. Then here, remove the isDeleted characteristic. Put this command in the Entry column for execution. Then change the distinguished name. (Also check the “Extended” box under the Entry List.) Be sure to select “replace” as the operation for this. Finally, click Run. This restores the deleted object, though most attributes remain to be re-populated.

ADRESTORE more simply allows the object to be brought back, with a simple adrestore -r. Pretty easy! As before, many attributes need to be re-done. With such a convenient approach, it might seem that nothing else would be necessary. This would be wrong.

W2K8S R2’s AD Recycle Bin brings more to the game. After it has been activated, that is. With this, a deleted object retains its attributes, and may be retrieved for 180 days. Then it remains in tombstoned state for another 180 days. Naturally this can be done from within PowerShell; full details are at http://blogs.msdn.com/b/dsadsi/archive/2009/08/26/restoring-object-from-the-active-directory-recycle-bin-using-ad-powershell.aspx

Once this has been activated, _then_ from within PowerShell use the Restore-ADObject cmdlet, passing the deleted object’s objectGUID or its distinguished name as the identity. Mark also showed how to use filters and pipes to avoid typing all this. Interestingly, he also showed how to use the -WhatIf parameter to ascertain the result of executing a command before running it for real. This simple concept allows you to avoid much mischief and angry phone calls.

Other Topics. At the end Mark also covered some notes and gotchas. For example, if an OU with users is deleted, the OU must be restored before its users can be (a workaround is to restore the users to different containers). Similarly, there is no recursive switch for such user restores. However, at http://technet.microsoft.com/en-us/library/dd379504(WS.10).aspx, Microsoft presents a PowerShell script for recursive restores. One other point was how to immediately and irrevocably delete an object, placing it beyond anything except a restore.
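As an added example (not Minasi’s demo and not Microsoft’s TechNet script), the PowerShell function below ties together the cmdlets discussed: it lists what is in the Recycle Bin, restores a deleted OU first and then its former children underneath it, and honours -WhatIf so the whole run can be rehearsed. It assumes the ActiveDirectory module on a 2008 R2 forest with the Recycle Bin enabled, and that children of a deleted OU carry the OU’s deleted-form DN in their lastKnownParent attribute; the identity at the bottom is a placeholder.

```powershell
# Added example; assumes the ActiveDirectory module, a Windows Server 2008 R2
# forest with the AD Recycle Bin enabled, and that deleted children of a deleted
# OU point at the OU's deleted-form DN in lastKnownParent.
Import-Module ActiveDirectory

function Restore-ADObjectTree {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # objectGUID or distinguished name of the deleted top-level object, e.g. an OU
        [Parameter(Mandatory = $true)] [string] $Identity,
        # Container to restore into; defaults to the object's lastKnownParent
        [string] $TargetPath
    )

    $deleted = Get-ADObject -Identity $Identity -IncludeDeletedObjects -Properties lastKnownParent
    if (-not $deleted.Deleted) { throw "$Identity is not in the Recycle Bin" }

    # Capture the deleted-form DN before restoring: the children still point at it.
    $deletedDN = $deleted.DistinguishedName
    $children  = @(Get-ADObject -IncludeDeletedObjects -Filter {lastKnownParent -eq $deletedDN})

    # Parent first (the gotcha from the session). -WhatIf on this function is
    # inherited by Restore-ADObject, so a dry run changes nothing in the directory.
    if ($TargetPath) {
        Restore-ADObject -Identity $deleted.ObjectGUID -TargetPath $TargetPath
    } else {
        Restore-ADObject -Identity $deleted.ObjectGUID
    }
    if ($WhatIfPreference) {
        Write-Host "$($children.Count) child object(s) would then be restored under $($deleted.Name)"
        return
    }

    # Re-read the now-live object to learn its real DN, then put the children back
    # under it; each child may itself be a container, hence the recursion.
    $restored = Get-ADObject -Identity $deleted.ObjectGUID
    foreach ($child in $children) {
        Restore-ADObjectTree -Identity $child.ObjectGUID -TargetPath $restored.DistinguishedName
    }
    return $restored
}

# Rehearse first, then run for real by dropping -WhatIf (placeholder identity):
$ouDN = 'OU=Sales\0ADEL:00000000-0000-0000-0000-000000000000,CN=Deleted Objects,DC=example,DC=com'
Restore-ADObjectTree -Identity $ouDN -WhatIf
```

Listing the bin first with Get-ADObject -Filter {isDeleted -eq $true} -IncludeDeletedObjects -Properties lastKnownParent shows which deleted-form DN to pass in.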

In the last couple of minutes of this quite impressive presentation, he briefly covered the ADRB PowerPack, containing a GUI for some of the tasks just mentioned. This allows you to recursively restore, permanently delete, etc.

Witty, informed, and insightful, this was easily one of the most memorable presentations at Tech-Ed this year, with phenomenal value and applicability in the most extreme of circumstances.
