If you or a colleague happen to mistakenly delete an object in Active Directory the results can be disastrous. ADRecycleBin allows administrators to quickly find and restore deleted objects in Active Directory. If you are running Active Directory in Windows 2008 R2 native mode you can enable the Active Directory Recycle Bin. If you are running Active Directory in an earlier mode you can re-animate deleted objects.

Features

Supports Windows 2008 R2 Active Directory Recycle Bin technology
Supports Object reanimation in earlier versions of Active Directory
Review deleted objects
Restore multiple objects at the same time
An Example
Consider the following scenario. We have some users, computers and a group in an Organization Unit called Richmond Hill:

I decide to delete an object ignoring all of the prompts. First prompt:

As well as the second prompt:

To make things worse, the computer object was a very important shared PC with a ton of mission-critical applications, and without this object in Active Directory, no one can log on to this PC with their domain ID. So how do we get these deleted objects back?

Using ADRecycleBin.exe

Firstly, before you run ADRecycleBin.exe ensure that your account has the appropriate privileges to restore objects in Active Directory. You will want to run the tool in the same domain where you plan on restoring the objects. Launch ADRecycleBin.exe and click the Load Deleted Objects button:

Unless you intend on restoring other types of objects other than OUs, Users, Computer or groups, I recommend you leave the Load Filter checkboxes as the default. Then click the Load Deleted Objects button. This will load all of the deleted objects detected based on the Load Filter checkboxes:

To restore all of the objects from our Richmond Hill OU click on one of the child objects, for example, I have selected the group called: LDAP://CN=ROL-RichmondHill IT Managers\0ADEL:86249fc3-ca0e-4614-b258-65fb15ff9ab7,CN=Deleted Objects,DC=beta,DC=local. Then I right-click and select the Select All menu item:

This will check all of the siblings. Incidentally, selecting a child node will automatically check its parent. Once we have selected the objects we wish to bring back from the dead, we click the Restore Checked Objects button:

This will initiate the restore process. When this process is complete a new window will open showing us a summary of the Active Directory deleted objects that were restored:

From this window we can copy and paste the messages of importance or export the results to a csv file to let others know what was restored:

When we close the Restore Summary window the deleted objects will be enumerated again:

Our OU called Richmond Hill has now been successfully restored:

DOWNLOAD THE FREE TOOL

http://www.overall.ca/index.php?option=com_docman&task=doc_download&gid=78&Itemid=11

If you’d like to learn more about Active Directory, I’d recommend that you get hold of these Active Directory Training Videos. If you truly want to Learn Active Directory you won’t find better training than this.

Immediately after that, John tries to authenticate and – he succeeds. He’s prompted to change his password, does so and logs successfully in. “Thanks buddy”, he ends the conversation. You scratch your head wondering how that password got replicated so fast. You’re sitting in the headquarters doing the change and John is in some branch office which has a pretty tight replication schedule and intervall – rep takes place every three hours between headquater and John’s branch. You verify that “Active Directory Users and Computers” you used to reset John’s password with is “connected” to a local headquarter-DC. You scratch your head. How’s that possible? How’s password reset getting replicated so fast to the branch DC?

The answer lies in PDC chaining. The password isn’t immediately replicated to the branch DC – the mechanism is different. Once a domain controller receives an authentication request, it checks for the credentials provided. In our scenario, the password hasn’t replicated yet to John’s branch office and as John tries the password we manually resetted it to, it fails. Smart-pants branch-DC doesn’t give up though and the next step it tries is ask the PDC emulator-FSMO-holder-DC for help. It chains the authentication request to the PDC. The PDC checks the credentials and – since it got our resetted password already, it replies to the branch-DC that the password is valid. In addition to the “pass is valid” reply to the branch DC, it actually sends the current pass in a follwing message.

Branch-DC now lets John authenticated, but provides him with the “Change password” dialog to pick a new password. After that, John is allowed to log on to his machine.

What basically happened was that branch-DC, evaluating John’s password to “not valid”, forwarded John’s auth request to the PDC which evaluated to true and responded accordingly. After that, the PDC pushes the John’s current credentials to the branch-DC so that it’s up-to-date. This “push” isn’t anything like immediate rep or urgent-rep but a special LDAP operation (Single object replication).

So — why’s branch-DC asking PDC to re-check John’s credentials? Branch-DC knows what all DCs know and that is that PDC always has the valid password* for all users. Once a password gets changed, the DC that handles the password change request pushes the new update via a special RPC call to the PDC to update the password. The PDC is the first to know about password changes and password resets. Again, this isn’t done with pure replication but with a special RPC call to the PDC.

* Exceptions are environments that don’t allow direct DC communication (e.g. a meshed network). In cases where DCs cannot reach the PDC directly – either for chaining an auth request or RPC-pushing the password – the request fails. In those cases, the passwords go along their way through normal replication. Password changes aren’t pushed directly and auth requests are evaluated as “invalid” if the PDC isn’t reachable.

The process is here in a small picture:

1) An admin in site B resets a user’s password in site B.

(2) The DC pushes the new password via an RPC call to the PDC.

(3) At the same time, the user in site C tries to authenticate using the new password. DC-C checks the password with its local database and comes to find that the password isn’t correct (the password reset hasn’t replicated to DC-C).

(4) DC-C forwards the authentication request to the PDC which knows the new password because of the RPC call. It reponds to DC-C, that the password is valid.

(5) Immediately after that, it pushes the new user password via an LDAP operation to DC-C so that DC-C’s database is updated (regarding the user’s password only!). This is not done by normal replication means – it’s a special push.

(6) DC-C allows the user to authenticate.

If you’d like to learn more about Active Directory, I’d recommend that you get hold of these Active Directory Training Videos. If you truly want to Learn Active Directory you won’t find better training than this.

When firing the command at my box, I didn’t get any results either:

C:\Windows\system32>adfind -b “CN=Deleted

Objects,DC=intern,DC=frickelsoft,DC=net” -f”&(objectClass=user)(objectCategory=person)” objectSID

AdFind V01.37.00cpp Joe Richards (joe@joeware.net) June 2007

Using server: dc.intern.frickelsoft.net:389Directory: Windows Server 2003

0 Objects returned

Looking at the query, I remembered that deleted objects aren’t deleted right away but are moved to the “Deleted Objects” container, get a new name and are stripped from most of their attributes. Only a few of them are preserved. Knowing that objectClass is one of the attributes that is preserved, let’s see whether objectCategory is. For that, we need to get the “searchFlags” attribute of the schema object here. The searchFlags bitmask tells us, whether the attribute is preserved on deletion – bit #3 (decimal = as described in

http://msdn.microsoft.com/en-us/library/ms679765(VS.85).aspx and  http://www.frickelsoft.net/blog/?p=151

is the one we’re looking for:

C:\Windows\system32>adfind -sc s:objectCategory searchFlags

AdFind V01.37.00cpp Joe Richards (joe@joeware.net) June 2007

Using server: dc.intern.frickelsoft.net:389

Directory: Windows Server 2003

Base DN: CN=Schema,CN=Configuration,DC=intern,DC=frickelsoft,DC=net

dn:CN=Object-Category,CN=Schema,CN=Configuration,DC=intern,DC=frickelsoft,DC=net

>searchFlags: 1 [INDEX(1)]

We can see that searchFlags for “objectCategory” is 1 which resolves to “put attribute into index”.

Hmm..as we thought, not preserved — but let’s check objectClass, too:

C:\Windows\system32>adfind -sc s:objectClass searchFlags

AdFind V01.37.00cpp Joe Richards (joe@joeware.net) June 2007

Using server: dc.intern.frickelsoft.net:389

Directory: Windows Server 2003

Base DN: CN=Schema,CN=Configuration,DC=intern,DC=frickelsoft,DC=net

dn:CN=Object-Class,CN=Schema,CN=Configuration,DC=intern,DC=frickelsoft,DC=net

>searchFlags: 9 [INDEX(1);PRESERVE TOMBSTONE(8)]

1 Objects returned

Okay, that’s a nine which resolves to “put into index” (=1) and “preserve on deletion” (=8, so 1+8 = 9). I must admit you could have looked that one up too on MSDN:

http://msdn.microsoft.com/en-us/library/ms679011(VS.85).aspx

- objectCategory has searchFlags “1″ everywhere — but hey, we wanted to use ADfind, right? It makes sense now that we don’t get any results. We could query now for “objectClass=user” only, but that’s probably not what we want, as computers are part of the “user” objectClass, too.

So the query won’t work as we’re filtering for an attribute that isn’t there any more. So — what can we do there?

Change our search to only display objectClass=user objects and NOT objectClass=computers Unfortunately, we don’t get any results for that, as seen in the above output. Hum… what did go wrong?

Looking at the ADfind help at

http://www.joeware.net/freetools/tools/adfind/usage.htm (or /?),

we can see that we need the “-showdel” switch to make ADFind issue the “Show deleted objects” LDAP control to the server. Our query looks like this now:

C:\Windows\system32>adfind -b “CN=Deleted

Objects,DC=intern,DC=frickelsoft,DC=ne

t” -f “&(objectClass=user)(!objectClass=computer)” -showdel objectSID

AdFind V01.37.00cpp Joe Richards (joe@joeware.net) June 2007

Using server: dc.intern.frickelsoft.net:389

Directory: Windows Server 2003

dn:CN=User, Created_0111200813120�ADEL:5d0f95e6-516a-474c-9a35-c479a8d80ff8,CN

=Deleted Objects,DC=intern,DC=frickelsoft,DC=net

>objectSid: S-1-5-21-3722298651-1274886394-2888734146-1603

dn:CN=User, Created_0111200813140�ADEL:73ab9ee1-10c5-4d99-9abc-5d21ca274ef4,CN

=Deleted Objects,DC=intern,DC=frickelsoft,DC=net

>objectSid: S-1-5-21-3722298651-1274886394-2888734146-1604

dn:CN=User, Created_0111200813150�ADEL:c7393437-7868-481e-9633-7cd49c62fb36,CN

=Deleted Objects,DC=intern,DC=frickelsoft,DC=net

>objectSid: S-1-5-21-3722298651-1274886394-2888734146-1605

dn:CN=User, Created_0111200813160�ADEL:8f0fcce6-0f6e-4802-8faa-12e5ae2d48a3,CN

=Deleted Objects,DC=intern,DC=frickelsoft,DC=net

>objectSid: S-1-5-21-3722298651-1274886394-2888734146-1606

4 Objects returned

If you don’t know what ADfind is or what ADMod does, you really should check joe’s repository of cool tools at

http://www.joeware.net

If you’d like to learn more about Active Directory, I’d recommend that you get hold of these Active Directory Training Videos. If you truly want to Learn Active Directory you won’t find better training than this.

Replication of the active directory operates within the directory service component of the security sub system.This component is called Ntdsa.dll and accessed through the LDAP protocol.Ntdsa.dll runs as a part of the Local security authority , which runs as Lsass.exe.Updates are transported by the IP over the RPC protocol.

In the above figure , you can see a common network (2 sites connected via a wan link) with a domain controller in each location

The health and maximized performance depends upon the smooth replication process .If you have problems , with replication you will not only have login problems , but also poor performance .
Now consider a common problem , with a failed network link

ISP ‘s and telecom service providers ocassionally have problems and service can be interrupted . This of course stops the communication between the domain controller’s therefore also severing the repolication process .This can prevent the synchronization of information between the domain controller’s and possibly cause the corruption or other problems .

The best thing is to provide abckup link such as ISDN , is a digital wan technology used to faciliate connections between the sites .More commonly Used today for disaster recovery,ISDN still has a place in today’s market place.

Here are the several steps to trouble shoot active directory

Verifing the Network Connectivity

Inorder to have the replication process properly the Network connectivity must be ina proper way. Although , iodeally all domain controllers would be connected by high -pass and redunat LAN and WAN links this rarely the case for larger deployments and for most companies that utilize slow WAN links that aren’t recoverable from disaster .
In real world, deployments, analog /dial up and slow connections are common ,
if you have verified that replication toplogy is set up properly ,you should communicate that servers are able to communicate properly .

Verifing the router and firewall configurations .

When building a secure network most times controls are placed on the network devices to filter the traffic going form place to place .The most coomonly tool used for controlling the traffivc is firewall.A fire wall usually dedicated to only protecting the perimeter so it is designed to do that it only minimizes the risk.
Firewalls are used to restrict the types of traffic that can be transferred over the networks.Their main use is to prevent unauthorized users from transferring the information .

Network Ports used by the Active directory Replication:

RPC replication uses dynamic port mapping as per default setting .When you need to connect an RPC end point during active directory replication ,RPC uses TCP port 135. RPC on the client contacts the RPC endpoint mapper on the server a well known port and randomly allocates high end TCP ports from 1024 to 65536 .The ports which are used by the active directory replication are .

PROTOCOL PORT

LDAP UDP 389
TCP 389

LDAP(SSL) UDP 636
TCP 636

KERBEROS UDP 88
TCP 88

DNS UDP 53
TCP 53

SMB over IP UDP 445
TCP 445

GLOBAL CATALOG SERVER TCP 3268
TCP 3269

Examining the Event logs:

Errors if they occur they show up in the event viewer. When ever there is an error in the replication service the computer writes events to the directory service and file replication service event logs. we may receive events such as

1. Event ID 1311 in the directory service log
2.Event ID 13265 with error “DNS LOOKUP FAILURE” or ” RPC SERVER UNAVAILABLE”.

Verifing the site links:

Before domain controllers in different sites can communicate each other verify the site links are connected properly. If replication doesnt occur properly verify the site links by using the rool repadmin.exe.Use this site tool for correct site links and to display inbound and outbound connections

Verifing the Replication topology:

The active directory sites and services tool allows you to verify the that a replication topology is logically constient.You can perform this task by right clicking the NTDS settings , within a server object and choosing all tasks => choose replication topology and you can verify the topology by the active directory sites and services tool.

If you’d like to learn more about Active Directory, I’d recommend that you get hold of these Active Directory Training Videos. If you truly want to Learn Active Directory you won’t find better training than this.

If you’d like to learn more about Active Directory, I’d recommend that you get hold of these Active Directory Training Videos. If you truly want to Learn Active Directory you won’t find better training than this.

Among the many cool new features provided with that release, Microsoft
has now added a recycle bin feature to Active Directory.

The management interface provided by Microsoft for this feature is the command line, or more specifically, PowerShell.

That’s great if you’re like me and you love to manage your infrastructure
using PowerShell, but what if you prefer a GUI? Fortunately there is a solution for you too.

Requirements

PowerGUI 1.9.0.900 or later

PowerShell 2.0 or later

Microsoft Active Directory module 1.0 or later

A forest running in Windows Server 2008 R2 Native mode (the PowerPack will prompt you to change the mode if it is not the required mode)

The Active Directory recycle bin feature must be enabled (the PowerPack will prompt you to do this if it is not enabled)

Features

� View the contents of the recycle bin, including hierarchies

� Restore individual items in the recycle bin (recursively or not) to their original location

� Restore individual items in the recycle bin (recursively or not) to a specified location

� Permanently delete objects in the recycle bin (recursively or not)

� Empty the contents of the recycle bin

� Modify the number of days that the recycle bin is configured to retain objects and the number of days that objects are to be kept in a tombstone state before permanent deletion

Download AD Recycle Bin PowerPack from here

How to install

1. Download the ActiveDirectoryRecycleBin.powerpack file
that is attached to this article.

2. Open the PowerGUI admin console.

3. Select File | PowerPack Management to open the PowerPack Management dialog.

4. Click on the Import button to import the PowerPack.

5. Using the dialog that just opened, browse to the location where you downloaded the ActiveDirectoryRecycleBin.powerpack file and select that file. Click on the Open button to import the Active Directory Recycle Bin PowerPack into PowerGUI.

6. At this point the PowerPack is imported and you will have an Active Directory Recycle Bin node in the Admin Console. Continue reading the Getting Started section if you want to know how to get started using this PowerPack.

If you’d like to learn more about Active Directory, I’d recommend that you get hold of these Active Directory Training Videos. If you truly want to Learn Active Directory you won’t find better training than this.

check if the secure channel has been corrupted

From ServerA, go to Start -> Run and type: \\ServerB
From ServerB, go to Start -> Run and type: \\ServerA

If you get and error message indicating that the target name is incorrect, then the the secure channel has been corrupted.

You will also see error messages in replmon and repadmin debug indicating that the target is invalid as well.

Perform the following steps to fix the problem:

Stop the Kerberos Key Distribution Center (KDC) service, and then set it to Manual startup.

Run

netdom resetpwd /server: /userd: /passwordd:*

Restart the computer, start the KDC, and then set it back to Automatic startup.

If you’d like to learn more about Active Directory, I’d recommend that you get hold of these Active Directory Training Videos. If you truly want to Learn Active Directory you won’t find better training than this.

Windows Server 2003 provides security policies that ensure that all users select strong passwords. Creating a password policy involves setting the following options in the Default Domain Group Policy object. These policies, with the exception of those settings related to password lifetime, are enforced on all users in a domain.

The default password filter (Passfilt.dll) included with Windows Server 2003 requires that a password:

•Is not based on the user’s account name.
•Contains at least six characters.
•Contains characters from three of the following four categories:
•Uppercase alphabet characters (A–Z)
•Lowercase alphabet characters (a–z)
•Arabic numerals (0–9)
•Nonalphanumeric characters (for example, !$#,%)
As stated above, this policy is enabled by default.

In some occasions, such as testing, lab-building, classes and so on, you might want to disable this built-in requirement.

Security Warning: Bare in mind that this setting can only be enabled/disabled at the domain level, and NOT on an OU level. Disabling the password requirement for an entire domain will lower your security configuration, and should only be done when absolutely necessary.

In order to disable this requirement you need to edit the Default Domain Policy for your domain.

Go to Administrative tools folder.
Double-click on the Default Domain Security Policy icon.
Note: If for any reason you don’t see that icon you can still edit the Default Domain Group Policy from the AD Users and Computers snap-in, or from a GPMC window (if you have GPMC installed – Download GPMC).
Navigate to Security Settings > Account Policies > Password Policy.
Right-click on the Minimum Password Length option in the right pane and select Properties.

Keep the V on the Define Setting selected! Do not remove the V from that check-box. Removing the V will cause the GPO to revert to the default setting, which is what we are trying to remove in the first place.
Enter 0 (zero) for the number of minimum characters required in a password.

Now double-click on the Passwords Must Meet Complexity Requirements option in the right pane.

Again, do not remove the V from that check-box. Instead, select Disabled.

Click OK all the way out and close the GPO window.

In order to refresh the policy type the following command in a CMD window and click ENTER:

gpupdate /force

If you’d like to learn more about Active Directory, I’d recommend that you get hold of these Active Directory Training Videos. If you truly want to Learn Active Directory you won’t find better training than this.

•You run out of disk space and want to move it away from the system disk
•You want the DB to run on a faster/more reliable hard disk (other than the system disk)
•You experience performance issues and want to seperate the DB from the core OS hard disk
•You fat-fingered the correct location of the DB file when running dcpromo to bring the DC up
The discussion brought up a few funny suggestions on how to go about that (including simply “copy and paste” the files – at least they thought about booting in DS restore mode). So here’s the outline how to do it with 2000 server and Server 2003 (For Server 2008, see below):

1. Boot into Directory Services Restore Mode (DSRM) by pressing F8 on DC reboot. That’s right, moving the database involves downtime.

2. Start ntdsutil in a CMD.

3. Enter the “File maintenance” submenu by typing “files“.

4. Move the database to a new place by typing “move db to ” where location is a path, similar to E:\NTDS\. Note that you don’t have to specify the file name – just the folder ntdsutil shall copy the files to.

[5. Move the log files to a new place place by typing “move logs to ” where location is - again - a path like E:\NTDS. This is optional, but I’d keep the transaction log files with the database.]

6. Check whether the new file location is correct, typing “info” (still in the file maintenance submenu. Give it a go. If you’ve fat-fingered it once, changes are you did twice. The “info” command also prints out where all files are stored; database and log files and how much space they need.)

7. Check integrity of the database after it has moved. Do so by typing “integrity“. This step might take a few minutes depending on how large your database is — but since your down anyway, you should take the time to ensure everything is correct.

8. Type “quit” twice and close the cmd. Now boot into normal mode again.

9. It is recommended that you back up the system state to have a current backup of the database now (it is a good thought to have a backup anyway since you clean-booted the DC and have it check for integrity. Another aspect is that when restoring an older system state, the location previous location of the NTDS.dit will be used – you’d have to move the NTDS.dit once again using ntdsutil.

Please don’t forget to check security on the folder you move the database to. It’s a bad idea to move it into a shared folders or the wwwroot. You may laugh and I must admin those two examples are a bit of extreme. The point is that you should take a moment and review the NTFS permissions of the DB folder. Don’t share it, don’t allow anyone to access it. Permissions it needs are (pasted from http://support.micro…com/kb/258062):

Windows Server 2003

Account Permissions Inheritance
System Full Control This folder, subfolders and files
Administrators Full Control This folder, subfolders and files
Creator Owner Full Control Subfolders and Files only
Local Service Create Folders / Append Data This folder and subfolders

Windows 2000

Account Permissions Inheritance
Administrators Full Control This folder, subfolders and files
System Full Control This folder, subfolders and files

A Windows Server 2008’s NTDS.dit location can be changed this way (it differs as Windows Server 2008 has the capability of stopping Active Directory and its services temporarily. This wasn’t possible with before 2008):

1. Stop the “Active Directory Domain Services” service in services.msc. It will prompt you that it’ll need to shut down other services as well (Kerberos, File Replication, DNS, ..). You want these services to stop, too, so click “Yes”.

2. Open ntdsutil. You need to activate the correct instance of ntds to perform maintenance tasks. The standard instance of Active Directory is “ntds”, so we use “activate instance ntds” as the first command.

3. Enter the File maintenance submenu by typing “files” as the second command.

4. Move the database to a new place by typing “move db to ” where location is a path, similar to E:\NTDS\. Note that you don’t have to specify the file name – just the folder ntdsutil shall copy the files to.

[5. Move the log files to a new place place by typing “move logs to ” where location is - again - a path like E:\NTDS. This is optional, but I’d keep the transaction log files with the database.]

6. Check whether the new file location is correct, typing “info“. (”info” also prints out where all files are stored; database and log files and how much space they need.)

7. Check integrity of the database after it has moved. Do so by typing “integrity“. This step might take a few minutes depending on how large your database is — but since your down anyway, you should take the time to ensure everything is correct.

8. Type “quit” twice and close the cmd. Start the “Active Directory Domain Services” service again.

9. Backup the system state. See above for reasons.

Just like with Server 2003 and 2000, check the security on the folder you move the DB to (see above). Since I haven’t found documentation that tells otherwise, I guess the permissions in Server 2003 are good for 2008 too.

Suppose I have the following Example

TopLevelGroup — Global Security Group

TopLevel — User

TopLevel2 – User2

Nested1 – Global Security Group

Nested1 Members

Nested User

Nested User 2

InsideNested – Global Security Group

InsideNested Members

InsideNested1

There are several ways to do this, I’m not saying these are the only methods but these are three examples that work.

The first method is to use the PowerShell. For this example you will need the Quest AD Cmdlets. Thanks to MVP Dmitry Sotnikov for the Quest cmdlets.

Get-QADGroupMember “Group Name” -indirect

The second method is using ADFIND by MVP Joe Richards

adfind -default -bit -f “memberof:1.2.840.113556.1.4.1941:=DN of Group” samaccountname -nodn

More on that query here

Now on to method three. Some people (especially in classified networks) can’t install the Quest cmdlets or adfind (or any third party tool)

The Microsoft DStools can be used. For this example I’ll use dsquery and dsget

dsquery group -samid “group name” | dsget group -members -expand

If you’d like to learn more about Active Directory, I’d recommend that you get hold of these Active Directory Training Videos. If you truly want to Learn Active Directory you won’t find better training than this.