9. Active Directory management: Authoritative Restore

Source: Internet
Author: User

To bring back a deleted object you must perform an authoritative restore. If you delete an OU, a computer, a user or another AD object, then restore the domain controller from backup and restart it, the domain controller synchronizes with the other domain controllers in the network and learns from its replication partners that the object has been deleted. When you open Active Directory Users and Computers, the restored object has been deleted again.

In this case an authoritative restore is required so that the restored AD object is replicated to the other domain controllers. To perform an authoritative restore of Active Directory data, run the Ntdsutil utility after restoring the system state data and before restarting the server. Ntdsutil lets you mark Active Directory objects as authoritatively restored. When an object is marked authoritative, its update sequence number (USN) is raised above all other update sequence numbers in the Active Directory replication system, which ensures that the restored data is replicated correctly throughout the organization. By default, the USN of a restored object is increased by 100000, so the restored object becomes the authoritative copy for the whole domain.

Lab environment:


DC01: the first domain controller in the domain; it holds the five operations master roles.

DC02: an additional domain controller.

Client01: a client used to verify that the restore succeeded.

1. Prepare a system state backup; this lab uses the backup taken in the previous article. For backing up the system state with Windows Server Backup, see http://labixiaoniu.blog.51cto.com/695063/1293867.

2. Simulate accidental deletion: delete the computer account Client01 and the user accounts user1 and wfax0425. After the computer account is deleted, the client reports that the trust relationship with the domain has been lost and cannot log on.


3. Restart DC01, press F8 during startup and select Directory Services Restore Mode.

4. In Directory Services Restore Mode you cannot log on to the domain; log on to the local machine as .\administrator.

5. Open Windows Server Backup and restore the system state. This restore is not the focus of the experiment and is described in detail in the previous article; only the key steps are shown here.

6. Do not restart after the restore completes; otherwise the restored objects are deleted again when the server synchronizes with the other domain controllers. Perform the authoritative restore with ntdsutil: open CMD, run ntdsutil, and activate the directory instance with: activate instance ntds.

7. In ntdsutil, enter authoritative restore. Enter ? to view the usage of the available commands; restore object "DN" performs the authoritative restore of a single object.

8. At the authoritative restore prompt, enter restore object "cn=wfax0425,ou=it,ou=users,ou=long,dc=lab,dc=com" to authoritatively restore the user account wfax0425. Computer accounts work the same way: restore object "cn=client01,ou=it,ou=users,ou=long,dc=lab,dc=com" restores the computer account.

Note: A computer account also has a password, maintained by the server, which keeps the trust relationship between the computer and the domain; by default it is changed every 30 days. If the backup is more than 30 days old, the restored computer account will therefore have lost trust with the domain; rejoin the computer to the domain to rebuild it.

9. After the authoritative restore, restart DC01. Open Active Directory Users and Computers: the two accounts wfax0425 and Client01 have been restored and are not deleted after synchronization with DC02, while user1, which was not authoritatively restored, is deleted after synchronization. The two restored accounts are also replicated to DC02.

10. Log on from client Client01 as a test; the logon succeeds.
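As an added example (not from the original article), the following PowerShell check, run on DC01 after the final restart, verifies the outcome of the procedure above: the two authoritatively restored accounts must exist on both DC01 and DC02 with the same objectGUID, and user1, which was not marked authoritative, must have stayed deleted. The DN for user1 is an assumption, since the article does not give it; the other DNs and server names are the lab's.

```powershell
# Added example, not from the original article. Run on DC01 after the reboot
# that follows the authoritative restore. Checks that each "restore object"
# target exists on DC01 and DC02 with the same objectGUID (the original
# account, not a re-created one with a new SID), that user1 stayed deleted,
# and prints the replication metadata whose version numbers ntdsutil raised.
Import-Module ActiveDirectory

$dcs = @('DC01', 'DC02')
$authoritative = @(
    'CN=wfax0425,OU=IT,OU=Users,OU=long,DC=lab,DC=com',
    'CN=client01,OU=IT,OU=Users,OU=long,DC=lab,DC=com'
)
# The article does not give user1's DN; this one is an assumption for the lab.
$nonAuthoritative = 'CN=user1,OU=IT,OU=Users,OU=long,DC=lab,DC=com'

function Get-ObjectOn([string]$dn, [string]$server) {
    # Return $null instead of failing when the DN does not exist on that DC
    try {
        Get-ADObject -Identity $dn -Server $server -Properties objectGUID, objectSid -ErrorAction Stop
    } catch {
        $null
    }
}

foreach ($dn in $authoritative) {
    $copies = @($dcs | ForEach-Object { Get-ObjectOn $dn $_ } | Where-Object { $_ })
    if ($copies.Count -ne $dcs.Count) {
        Write-Warning "$dn is missing on at least one DC; the restore did not replicate"
        continue
    }
    $guids = @($copies | ForEach-Object { $_.objectGUID.ToString() } | Sort-Object -Unique)
    if ($guids.Count -eq 1) {
        Write-Output "OK   $dn present on all DCs with objectGUID $($guids[0])"
    } else {
        Write-Warning "$dn exists on all DCs but with different objectGUIDs"
    }
    # Per-attribute replication metadata: the Ver column of the restored object is
    # far higher than before (ntdsutil adds 100000 per day since the backup by
    # default), which is why this copy wins over the deletion held by DC02.
    repadmin /showobjmeta $dcs[0] $dn
}

foreach ($dc in $dcs) {
    if (Get-ObjectOn $nonAuthoritative $dc) {
        Write-Warning "$nonAuthoritative still exists on $dc; expected deletion after replication"
    } else {
        Write-Output "OK   $nonAuthoritative is gone on $dc (not authoritatively restored)"
    }
}
# On Client01, confirm the restored computer account's trust with the domain:
#   Test-ComputerSecureChannel -Server DC01
```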


Summary: in a real production environment, resource permissions are generally assigned to user and computer accounts. If such an account is deleted, its permissions are permanently lost: even if you create a new account with the same name, its SID is different, so the permissions have to be assigned again. In that case a backup can be used to perform an authoritative restore of the accidentally deleted objects. Windows Server 2012, however, offers a better way to recover accidentally deleted objects: the AD Recycle Bin. Compared with 2008 R2, the AD Recycle Bin in 2012 has a graphical interface, which makes it easier to use. If the DCs in your production environment run Windows Server 2012, we recommend enabling the AD Recycle Bin; it makes recovering objects deleted by mistake very convenient. For the Windows Server 2012 AD Recycle Bin, see: http://labixiaoniu.blog.51cto.com/blog/695063/1200605


This article is from the "crayon mavericks" blog; please keep this source: http://labixiaoniu.blog.51cto.com/695063/1295082
