Perform an authoritative restore of a deleted AD DS object

Source: Internet
Author: User

Information: After you delete a user account, the account is not removed from the Active Directory database immediately. It is moved to a hidden container named Deleted Objects in the Active Directory database, and its version number is incremented at the same time. By default, on Windows Server 2003 SP1 and later versions it is permanently deleted after 180 days; on earlier versions the system keeps it for only 60 days. Background: There are two domain controllers, and one user account is accidentally deleted. If you use backup and restore to perform a non-authoritative restore, then after the restore completes and the server boots back into the normal system, the Active Directory databases of the two domain controllers replicate with each other and the newer version (in which the account is deleted) overwrites the older one. Restoring the account that way is therefore in vain. Instead we need an authoritative restore: enter Directory Services Restore Mode (DSRM), perform the non-authoritative restore from backup first, and then mark the object as authoritative.

The operation is a backup restore to a certain point in time. We recommend using a command to enter Directory Services Restore Mode rather than pressing F8, because the operating system must be restarted after the restore and still come back up in Directory Services Restore Mode. If you press F8 to enter the system and miss it, the two DC servers will replicate data with each other as soon as the normal system starts. Using the command is safer: you set it once to enter restore mode and run it once more to return to the normal system.

View the user's DN

1. Run the command: dsquery.exe user

2. Run the command to view the attribute version numbers: repadmin /showmeta "CN=tom,CN=Users,DC=yangwj,DC=com"

3. Because the version number increases after every modification, we can use it to compare the state before and after the restore (at this point tom has not yet been deleted).

4. Start executing the authoritative restore commands:

1. First enter ntdsutil.

2. Enter activate instance ntds to activate the instance.

3. Enter authoritative restore.

4. Enter the restore command to start the authoritative restore: restore object "CN=tom,CN=Users,DC=yangwj,DC=com"

5. I did not run this under DSRM, because I had not backed up the database beforehand. If you have any questions, contact me. Following the steps and commands above will not cause errors, but some problems with the running system will inevitably occur. If you want to perform an authoritative restore of the entire Active Directory database, run the restore database command. If you want to perform an authoritative restore of an organizational unit, such as a business department, run the following command: restore subtree "OU=business department,DC=yangwj,DC=com"

6. After the restore, you can trigger synchronization manually to replicate the data and see the effect. Enter the command: repadmin /syncall dc.yangwj.com /e /d /A /P

/e indicates that domain controllers in all sites (the whole enterprise) are included.

/d indicates that servers are identified by distinguished name (DN) in the output.

/A indicates synchronizing all directory partitions held by this domain controller.

/P indicates push mode: the changed data of this domain controller is pushed to the other domain controllers.

7. After synchronization completes, you can see that the tom user has been restored. Viewing the attribute version numbers shows that they have been increased by 100000. (Run the following command: repadmin /showmeta "CN=tom,CN=Users,DC=yangwj,DC=com")
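The following PowerShell script is an added example, not part of the original article, that drives the three phases of the procedure above: recording the attribute version numbers before deletion, marking the object authoritative in DSRM, and pushing the change to the other DC and verifying the version bump afterwards. It assumes the RSAT ActiveDirectory module (Windows Server 2012 or later) for the metadata check; on older servers, use repadmin /showmeta as the article does. The DC name dc.yangwj.com, the object DN and the folder C:\adrestore are assumed values taken from or chosen for this example.

```powershell
<#
  Added example (not the article's own code).  Run with -Phase Before in the
  normal system while the object still exists, -Phase Restore inside DSRM after
  the non-authoritative restore from backup, and -Phase After once the DC has
  booted back into the normal system.
#>
param(
    [ValidateSet('Before', 'Restore', 'After')] [string]$Phase = 'Before',
    [string]$Dn  = 'CN=tom,CN=Users,DC=yangwj,DC=com',   # assumed object DN
    [string]$Dc  = 'dc.yangwj.com',                      # assumed DC to query
    [string]$Dir = 'C:\adrestore'                        # assumed scratch folder
)

# Phase 'Before': save each attribute's replication version number to CSV.
function Save-ReplMetadata([string]$Dn, [string]$Dc, [string]$Path) {
    Import-Module ActiveDirectory
    Get-ADReplicationAttributeMetadata -Object $Dn -Server $Dc -IncludeDeletedObjects |
        Select-Object AttributeName, Version |
        Export-Csv -Path $Path -NoTypeInformation
}

# Phase 'Restore': ntdsutil accepts each command as a separate argument, so the
# whole session can be passed in one call.  It still asks for confirmation in a
# dialog before it marks the object authoritative.  The quotes around the DN are
# only required when the DN contains spaces (e.g. "OU=business department,...").
function Invoke-AuthoritativeRestore(
    [string]$Dn,
    [ValidateSet('object', 'subtree', 'database')] [string]$Scope = 'object'
) {
    $restoreCmd = if ($Scope -eq 'database') { 'restore database' }
                  else { "restore $Scope `"$Dn`"" }
    & ntdsutil 'activate instance ntds' 'authoritative restore' $restoreCmd quit quit
    if ($LASTEXITCODE -ne 0) { throw "ntdsutil failed with exit code $LASTEXITCODE" }
}

# Phase 'After': push the restored object to every DC in the enterprise
# (/e all sites, /d report servers by DN, /A all partitions, /P push).
function Sync-AllDCs([string]$Dc) {
    & repadmin /syncall $Dc /e /d /A /P
    if ($LASTEXITCODE -ne 0) { throw "repadmin /syncall failed with exit code $LASTEXITCODE" }
}

# Compare version numbers per attribute.  An authoritative restore adds 100000
# per day elapsed since the backup, so the delta should be at least 100000.
function Compare-ReplMetadata([string]$BeforeCsv, [string]$AfterCsv) {
    $before = @{}
    Import-Csv $BeforeCsv | ForEach-Object { $before[$_.AttributeName] = [int]$_.Version }
    Import-Csv $AfterCsv | Where-Object { $before.ContainsKey($_.AttributeName) } | ForEach-Object {
        $delta = [int]$_.Version - $before[$_.AttributeName]
        [pscustomobject]@{
            Attribute = $_.AttributeName
            Before    = $before[$_.AttributeName]
            After     = [int]$_.Version
            Delta     = $delta
            Bumped    = ($delta -ge 100000)
        }
    }
}

switch ($Phase) {
    'Before'  { New-Item -ItemType Directory -Force -Path $Dir | Out-Null
                Save-ReplMetadata -Dn $Dn -Dc $Dc -Path "$Dir\before.csv" }
    'Restore' { Invoke-AuthoritativeRestore -Dn $Dn -Scope object }
    'After'   { Sync-AllDCs -Dc $Dc
                Save-ReplMetadata -Dn $Dn -Dc $Dc -Path "$Dir\after.csv"
                Compare-ReplMetadata -BeforeCsv "$Dir\before.csv" -AfterCsv "$Dir\after.csv" |
                    Format-Table -AutoSize }
}
```

The Restore phase must run in DSRM because ntdsutil refuses to mark objects authoritative while AD DS is online, and the Before and After phases must run in the normal system because the metadata query and repadmin need a running directory service; that is why the script is split by phase rather than written as one pass.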

To move the Active Directory database files, you must first stop the AD DS service.

Run the following command: net stop ntds

1. After stopping the service, enter ntdsutil and then run the activate instance ntds command to activate the instance.

2. Enter the files command, and then run the command move db to C:\ntds (this is the target path; you do not need to create the folder yourself).

3. Run the move logs to C:\ntds command to move the transaction logs.

4. While you are there, you can also perform a database integrity check (similar to a Windows disk check). The command is: integrity
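As an added example that is not part of the original article, this PowerShell function runs the four steps above in one ntdsutil session, restarts the service afterwards, and confirms from the registry that the database and log paths now point at the new folder. It assumes Windows Server 2008 or later, where NTDS is a stoppable service; on Server 2003 the same ntdsutil commands must be run in DSRM. The target folder C:\ntds is the article's example path.

```powershell
<#
  Added example (not the article's own code): move ntds.dit and the transaction
  logs, run the integrity check, and bring AD DS back up.
#>
param([string]$Target = 'C:\ntds')   # assumed target folder from the article

function Move-NtdsFiles([string]$Target) {
    # Stopping NTDS with -Force also stops the services that depend on it
    # (for example KDC and DNS on a domain controller).
    Stop-Service -Name NTDS -Force
    try {
        # One ntdsutil session: activate the instance, enter the files context,
        # move the database and logs (ntdsutil creates the folder and updates the
        # registry paths itself), then run the integrity check on the moved DB.
        & ntdsutil 'activate instance ntds' files "move db to $Target" "move logs to $Target" integrity quit quit
        if ($LASTEXITCODE -ne 0) { throw "ntdsutil failed with exit code $LASTEXITCODE" }
    }
    finally {
        # Restart AD DS and the dependent services that were stopped with it.
        Start-Service -Name NTDS
        Get-Service -Name NTDS -DependentServices |
            Where-Object { $_.StartType -ne 'Disabled' -and $_.Status -ne 'Running' } |
            Start-Service
    }
    # Report where the directory service will now look for its files.
    Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters' |
        Select-Object 'DSA Database file', 'Database log files path'
}

Move-NtdsFiles -Target $Target
```

If the integrity check reports errors, leave NTDS stopped, restore the database from backup, and do not start the service on a corrupted file; the finally block above restarts the service only so that a successful move does not leave the DC offline.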

Note: For related operations, refer to the built-in help (type help or ? at the ntdsutil prompt).
