Continuing the Virtual Backups series and my latest article, How to backup Virtual Domain Controllers, this time we will back up and restore Active Directory objects (computers, user accounts with their passwords, Group Policy Objects (GPOs), etc.).
As we saw in the previous article, we can create a Backup Job to back up our Domain Controllers and restore them properly. This time we will use the same Backup Job created in the previous article and restore only some Active Directory objects.
First, on our DC-02 we will delete one user named “To Be Deleted”, one computer object “WIN7-TEST”, and the DNS entry for that computer.
After deleting the objects, wait until DC-01 replicates and the objects are also removed from the Active Directory NTDS database on DC-01. In less than a minute DC-01 had replicated, and the objects were gone from DC-01 as well.
For this test, I also tried to log in with a domain account to the VM whose computer account I had deleted from Active Directory Users and Computers.
When I log in, I get this: “The security database on the server does not have a computer account for this workstation trust relationship”
Note: Sorry, this test VM is in Portuguese, so the warning shown above is in Portuguese.
Next, let us start the restore process for the user and the computer account from our DC-01 (we can also do it from any other Domain Controller for which we have a backup).
Create a Restore Job, starting by selecting “Microsoft Active Directory objects.”
Next, choose the Domain Controller whose backup you will use to restore your Active Directory objects. In our case, we will use DC-01. Again, you can choose any Domain Controller for which you have a backup.
Note: Enable the option “Automatically locate application databases.” With this option enabled, Nakivo will find the Active Directory NTDS database by itself.
Next, Nakivo Backup will start searching for the Active Directory NTDS database.
After it finds the Active Directory NTDS database, we drill down and find our domain.
Now we can start selecting the objects that we want to restore.
First, I open the Computers OU and select the computer account we need to restore; in this case, the computer account “WIN7-TEST”.
Next, I open the Users OU and select the user that was deleted; in this case, the user “To Be Deleted”.
After making our selection, clicking the “show/hide” option at the bottom shows all the objects that will be restored.
Next, click “Recover” to start the recovery process.
We have two recovery options: download the file and import it into AD, or forward the same file by email.
- Download option
We can download the file directly, but since we have a user account to recover, we first need to click the recovery settings and select the recovery option for the user account.
We will leave the default, “User will be disabled”.
Open the zip file, or save it.
Inside is our LDIF file, which we can import into Active Directory.
What is an LDIF file? LDIF, the LDAP Data Interchange Format, is a text format for representing LDAP data and commands.
The LDIF file holds all the information we need to import the objects into the Schema. You can read more about LDIF HERE.
- Forward via email option
Just fill in the email field and press Send.
Note: To use this option, the email server settings need to be configured with your email server.
Regardless of the option selected, the result is always the same file that we need to import.
Now let us see how to import this file, and all the information in it, into our Schema and consequently into our Active Directory NTDS database.
Copy the file to your Domain Controller, log in to it, and open a command prompt as an administrator.
The file we are going to import is in “C:\App\RecoverFiles”.
Before you can use the ldifde command over port 636 as shown below, you need to enable a secure LDAP (LDAPS) connection on the Domain Controller. See how to HERE.
Otherwise, when you run the command you will get: “The connection cannot be established. The error code is 8224”.
Then run the following:
ldifde -i -t 636 -f C:\App\RecoverFiles\ad.ldif -k -j C:\App\RecoverFiles
Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.
C:\Users\Administrator>ldifde -i -t 636 -f C:\App\RecoverFiles\ad.ldif -k -j C:\App\RecoverFiles
Connecting to "Nested-DC-01.provirtualzone.local"
Logging in as current user using SSPI
Importing directory from file "C:\App\RecoverFiles\ad.ldif"
20 entries modified successfully.
The command has completed successfully
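Before running ldifde -i on a restore file, it is worth seeing exactly what the file will change. The script below is an added example, not Nakivo's tool or code from this post: it parses the LDIF (the format described above, including folded lines and base64 values as ldifde writes them), lists the DNs that will be added, the users left disabled by the default “User will be disabled” setting, and the computer objects that will still need their machine account reset after the import. The sample LDIF inside it is constructed; only the domain name is taken from the ldifde output shown above.

```python
# Added example (not the post's or Nakivo's code): review an AD LDIF restore file before ldifde imports it.
import base64
import re

SAMPLE_LDIF = """\
dn: CN=To Be Deleted,CN=Users,DC=provirtualzone,DC=local
changetype: add
objectClass: user
sAMAccountName: tobedeleted
userAccountControl: 514
description:: UmVzdG9yZWQgYWNjb3VudA==

dn: CN=WIN7-TEST,CN=Computers,DC=provirtualzone,DC=local
objectClass: user
objectClass: computer
sAMAccountName: WIN7-TEST$
dNSHostName: win7-test.provirtualzone.loc
 al
"""  # constructed sample; the domain name is the one shown in the post's ldifde output

def parse_ldif(text):
    """One {attribute: [values]} dict per entry, attribute names lower-cased."""
    text = re.sub(r"\r?\n ", "", text)  # unfold: a line starting with a space continues the one above
    entries, cur = [], {}
    for line in text.splitlines() + [""]:  # the trailing "" flushes the last entry
        name, sep, value = line.partition(":")
        if not line.strip():
            entries, cur = entries + [cur] if cur else entries, {}
        elif not sep:
            raise ValueError("malformed LDIF line: %r" % line)
        else:
            if value.startswith(":"):  # "attr:: base64", how ldifde writes non-ASCII values
                value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
            cur.setdefault(name.lower(), []).append(value.strip())
    return entries

def review(text):
    """What the import does: DNs added, users left disabled, computers whose account must be reset."""
    added, disabled, reset = [], [], []
    for e in parse_ldif(text):
        sam = e.get("samaccountname", e["dn"])[0]
        classes = {c.lower() for c in e.get("objectclass", [])}
        uac = int(e.get("useraccountcontrol", ["0"])[0])
        if e.get("changetype", ["add"])[0].lower() == "add":
            added.append(e["dn"][0])
        if "computer" in classes:  # a restored computer object has no valid machine password
            reset.append(e.get("dnshostname", [sam])[0])
        elif "user" in classes and uac & 0x2:  # 0x2 = ADS_UF_ACCOUNTDISABLE
            disabled.append(sam)
    return {"added": added, "disabled_users": disabled, "computers_to_reset": reset}
```

Run it against the ad.ldif you downloaded instead of SAMPLE_LDIF (open the file and pass its text to review) to get the list of hosts that will need a reset or a re-join.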
Now the user and the computer are imported into the Schema, and our Active Directory NTDS database once again holds the objects we deleted before.
Next, just log in to the restored computer with the restored user. Apart from having to reset the computer account, everything is OK and working.
Note: When a computer account has been deleted, most of the time the restore alone is not enough, since we still need to reset the computer account. So, in my opinion, if it is just a couple of computers, it is easier to remove them from the domain and join them again to fix the deleted computer accounts. If there are more, restore with Nakivo and then create a script to reset all the computer accounts (from inside the guest OS).
Although restoring Active Directory objects is not a very straightforward process, it is not very hard, even if we don’t have much experience with AD or LDAP.
Next article in this series: How to restore Exchange Server Objects.
Note: Share this article if you think it is worth sharing.