Cannot restore a deleted AD object on Windows 2012 Server using several different methods

    Question

  • I am trying to restore/reanimate a user object from AD using the LDP.exe method, aka tombstone reanimation. I am logged in as the domain Administrator (DOMAIN\Administrator).

    But when I follow the MS KB procedure (delete the isDeleted attribute and replace its DN with the original one, which was simply CN=First Last,CN=Users,DC=foo,DC=com etc.) I get the following error:

    “Error 0x2077 Illegal modify operation. Some aspect of the modification is not permitted.”

    I am connected via SSL (636) when this happens. I also noticed a few things:

    1) adrestore -r does not list any deleted objects despite the fact that the object in question is clearly listed under the "Deleted Objects" CN.

    2) Using PowerShell's Get-ADObject calls does not see it either (yes, even with the -IncludeDeletedObjects parameter).

    3) The 2012 AD Recycle bin does not show objects yet the object in question has isDeleted=True and isRecycled=True.

    I'm at my wits' end on what I could possibly be doing wrong. I did notice that our systemFlags attribute on the domain is 0x8C00000000, which is the default but has (DISALLOW_RENAME and MOVE, I think). But again, it's the default, so I haven't really looked into changing it.

    Has anyone seen this problem before? What am I doing wrong?



    • Edited by pisymbol Tuesday, April 18, 2017 8:13 PM
    Tuesday, April 18, 2017 8:11 PM

All replies

  • Hi,

    According to your description, I suppose you might have referred to the link below:

    https://social.technet.microsoft.com/wiki/contents/articles/5549.recover-active-directory-deleted-items-using-ldp-exe.aspx

    And your server is 2012 with the recycle bin enabled, so I also suggest you refer to the link below to check whether its parent OU hasn't been restored (lastKnownParent):

    https://technet.microsoft.com/en-us/library/dd379509%28v=ws.10%29.aspx?f=255&MSPPError=-2147217396

    Besides, the last things I want to confirm are:

    Ensure you are using LDAPS (636) and a DN that doesn't exist.

    Try adding the computer's name in front of CN=First Last,CN=Users,DC=foo,DC=com etc.

    For instance: CN=server,CN=First Last,CN=Users,DC=foo,DC=com etc.

    Best regards,

    Andy


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Wednesday, April 19, 2017 6:56 AM
    Moderator
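The following PowerShell script is an added example, not code from the thread. It queries CN=Deleted Objects the way LDP does, once with the show-deleted control (OID 1.2.840.113556.1.4.417, the control that pre-Recycle-Bin tools such as adrestore and Get-ADObject -IncludeDeletedObjects rely on) and once with the show-recycled control (OID 1.2.840.113556.1.4.2064, which is what LDP's "Return recycled objects" option adds). Entries that appear only under the second control are recycled objects (isRecycled=TRUE), which is consistent with the question's observation that LDP shows the object while adrestore and Get-ADObject do not. The script also checks whether each entry's lastKnownParent still exists, the condition raised in the reply above. The DC name dc01.foo.com, the domain DC=foo,DC=com, LDAPS on 636 and running as a domain administrator are assumptions.

```powershell
# Added example: classify entries in CN=Deleted Objects as deleted or recycled
# and check whether their last known parent still exists. Not code from the thread.
# Assumptions: DC dc01.foo.com reachable on LDAPS 636, domain DC=foo,DC=com,
# run under an account allowed to read deleted objects (e.g. DOMAIN\Administrator).
Add-Type -AssemblyName System.DirectoryServices.Protocols

$Server   = 'dc01.foo.com:636'   # assumption
$DomainDN = 'DC=foo,DC=com'      # assumption, patterned on the question

$ShowDeleted  = '1.2.840.113556.1.4.417'    # LDAP_SERVER_SHOW_DELETED_OID
$ShowRecycled = '1.2.840.113556.1.4.2064'   # LDAP_SERVER_SHOW_RECYCLED_OID

$conn = New-Object System.DirectoryServices.Protocols.LdapConnection($Server)
$conn.SessionOptions.SecureSocketLayer = $true
$conn.SessionOptions.ProtocolVersion   = 3
$conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Negotiate
$conn.Bind()   # binds as the current Windows user

# First value of an attribute as a string, or $null when the attribute is absent.
function Get-AttrValue($Entry, [string]$Name) {
    $a = $Entry.Attributes[$Name]
    if ($null -eq $a -or $a.Count -eq 0) { return $null }
    return [string]$a[0]
}

# One-level search under CN=Deleted Objects with the given server control attached.
function Search-DeletedObjects([string]$ControlOid) {
    $req = New-Object System.DirectoryServices.Protocols.SearchRequest(
        "CN=Deleted Objects,$DomainDN",
        '(objectClass=*)',
        [System.DirectoryServices.Protocols.SearchScope]::OneLevel,
        @('distinguishedName', 'isDeleted', 'isRecycled', 'lastKnownParent', 'msDS-LastKnownRDN'))
    $ctl = New-Object System.DirectoryServices.Protocols.DirectoryControl($ControlOid, $null, $true, $true)
    [void]$req.Controls.Add($ctl)
    ([System.DirectoryServices.Protocols.SearchResponse]$conn.SendRequest($req)).Entries
}

# Is the DN still a live object? Base search without any control; noSuchObject -> $false.
function Test-LiveObject([string]$DN) {
    try {
        $req = New-Object System.DirectoryServices.Protocols.SearchRequest($DN, '(objectClass=*)',
            [System.DirectoryServices.Protocols.SearchScope]::Base, @('distinguishedName'))
        return (([System.DirectoryServices.Protocols.SearchResponse]$conn.SendRequest($req)).Entries.Count -gt 0)
    } catch [System.DirectoryServices.Protocols.DirectoryOperationException] {
        return $false
    }
}

# Entries returned under show-deleted only: what adrestore / Get-ADObject can see.
$seenByShowDeleted = @{}
foreach ($e in (Search-DeletedObjects $ShowDeleted)) { $seenByShowDeleted[$e.DistinguishedName] = $true }

# show-recycled returns deleted AND recycled objects; anything missing from the
# first set is a recycled object, which the LDAP undelete cannot reanimate.
Search-DeletedObjects $ShowRecycled | ForEach-Object {
    $parent = Get-AttrValue $_ 'lastKnownParent'
    [pscustomobject]@{
        DeletedDN         = $_.DistinguishedName
        LastKnownRDN      = Get-AttrValue $_ 'msDS-LastKnownRDN'
        isDeleted         = Get-AttrValue $_ 'isDeleted'
        isRecycled        = Get-AttrValue $_ 'isRecycled'
        SeenByShowDeleted = $seenByShowDeleted.ContainsKey($_.DistinguishedName)
        ParentStillExists = $(if ($parent) { Test-LiveObject $parent } else { $null })
        Restorable        = ((Get-AttrValue $_ 'isRecycled') -ne 'TRUE')
    }
} | Format-Table -AutoSize
```

A row with isRecycled TRUE and SeenByShowDeleted False is the situation the question describes: the object is visible in LDP under CN=Deleted Objects but is not a candidate for reanimation, so adrestore, Get-ADObject and the Administrative Center are right not to offer it. A row with ParentStillExists False points at the lastKnownParent problem the reply mentions instead.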
  • This article http://www.itninja.com/blog/view/restore-deleted-objects-of-active-directory-through-ldp-exe can help you understand how to restore deleted objects of Active Directory using LDP.exe.
    • Edited by Patrickjohn Wednesday, April 19, 2017 7:37 AM
    Wednesday, April 19, 2017 7:36 AM
  • Guys, that is what I am doing. I've read all of those articles you referred to and yes, I'm connecting/binding to 636 and no, there isn't another DN that exists that matches its original DN.

    The "lastKnownParent" is indeed "CN=Users,DC=foo,DC=com", which I am appending to the name to get the fully qualified DN (similar to all the other users in the CN=Users container).

    I'd like to understand more fundamentally why doesn't adrestore -r even show deleted objects? That is very strange.

    Note that the object was deleted BEFORE recycling was enabled. I just found that out by one of our AD admins.

    Why do I need to put the server name in front of the DN? That would not be its original DN value. I'm not even sure what "server" would be? The PDC?

    Wednesday, April 19, 2017 11:27 AM
  • Hey,

    Can you try this option in LDP.exe and provide the results?

    Make sure that the Extended check box is selected, click Enter, and then click Run.

    Did you try to restore the object by using AD Administrative Center in Server 2012?


    Regards, Jim MSCS - MCP Disclaimer: This posting is provided AS IS with no warranties or guarantees , and confers no rights. When you see answers and helpful posts, please click Vote As Helpful, Propose As Answer, and/or Mark As Answer

    Wednesday, April 19, 2017 12:17 PM
  • The Extended option is absolutely checked and it fails with "Illegal modify operation."

    As I said above, the AD Administrative Center doesn't show ANY deleted objects at all, which has me really confused (and is probably why adrestore -r doesn't work either). Yet the CN=Deleted Objects container has a few objects in it, including the one I want to reanimate.

    Question: The MS doc says that the LDAP procedure is to remove the isDeleted attribute and replace the DN with the original one. How about the isRecycled attribute? That is still set to "True." Shouldn't that also be deleted as well as part of the procedure now?

    Wednesday, April 19, 2017 2:21 PM
  • The exact error message I'm seeing is:

    ***Call Modify...
    ldap_modify_ext_s(ld, 'CN=First Last\0ADEL:2fac39f1-7bdb-4a09-bcf2-11879c14c6cb,CN=Deleted Objects,DC=foo,DC=com',[2] attrs, SvrCtrls, ClntCtrls);
    Error: Modify: Unwilling To Perform. <53>
    Server error: 00002077: SvcErr: DSID-030F24DD, problem 5003 (WILL_NOT_PERFORM), data 0

    Error 0x2077 Illegal modify operation. Some aspect of the modification is not permitted.

    I tried a similar LDP.exe modification but added removing isRecycled as well. That fails but the SvcErr is DSID-030F2471 instead.

    What am I doing wrong?


    • Edited by pisymbol Wednesday, April 19, 2017 2:44 PM
    Wednesday, April 19, 2017 2:42 PM
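An added example, not code from the thread, of the undelete that the Microsoft procedure describes, sent as one LDAP modify over System.DirectoryServices.Protocols rather than typed into LDP. It first reads the tombstone with the show-recycled control and refuses to continue when isRecycled is TRUE, because the LDAP undelete is defined for deleted objects only and the DC rejects it for a recycled object with unwillingToPerform, the same class of response as the 00002077 shown above. Otherwise it removes isDeleted and replaces distinguishedName in a single modify with the show-deleted control attached, which is exactly what LDP does; it does not touch isRecycled, which is not part of the documented undelete. The DC dc01.foo.com, the two DNs (patterned on the post) and the caller's rights are assumptions.

```powershell
# Added example: reanimate a tombstoned AD object with a single LDAP modify,
# guarding against the recycled case first. Not code from the thread.
# Assumptions: DC dc01.foo.com on LDAPS 636; the DNs in the usage section are
# placeholders patterned on the post; the caller holds the rights the undelete needs.
Add-Type -AssemblyName System.DirectoryServices.Protocols

$ShowDeleted  = '1.2.840.113556.1.4.417'    # LDAP_SERVER_SHOW_DELETED_OID
$ShowRecycled = '1.2.840.113556.1.4.2064'   # LDAP_SERVER_SHOW_RECYCLED_OID

function Connect-Ldaps([string]$Server) {
    $c = New-Object System.DirectoryServices.Protocols.LdapConnection($Server)
    $c.SessionOptions.SecureSocketLayer = $true
    $c.SessionOptions.ProtocolVersion   = 3
    $c.AuthType = [System.DirectoryServices.Protocols.AuthType]::Negotiate
    $c.Bind()   # current Windows user
    return $c
}

function New-Control([string]$Oid) {
    New-Object System.DirectoryServices.Protocols.DirectoryControl($Oid, $null, $true, $true)
}

function Restore-TombstoneObject {
    param(
        [Parameter(Mandatory)][System.DirectoryServices.Protocols.LdapConnection]$Conn,
        [Parameter(Mandatory)][string]$DeletedDN,   # CN=...\0ADEL:<guid>,CN=Deleted Objects,...
        [Parameter(Mandatory)][string]$NewDN        # original location: RDN + lastKnownParent
    )
    # 1. Read the tombstone under show-recycled so that both deleted and recycled entries resolve.
    $look = New-Object System.DirectoryServices.Protocols.SearchRequest($DeletedDN, '(objectClass=*)',
        [System.DirectoryServices.Protocols.SearchScope]::Base, @('isDeleted', 'isRecycled', 'lastKnownParent'))
    [void]$look.Controls.Add((New-Control $ShowRecycled))
    $entry = ([System.DirectoryServices.Protocols.SearchResponse]$Conn.SendRequest($look)).Entries[0]

    $recycled = $entry.Attributes['isRecycled']
    if ($recycled -and [string]$recycled[0] -eq 'TRUE') {
        throw "$DeletedDN is a recycled object; the LDAP undelete cannot reanimate it. Only an authoritative restore from a backup taken before the deletion brings it back."
    }
    $parent = $entry.Attributes['lastKnownParent']
    if ($parent -and $NewDN -notlike "*,$([string]$parent[0])") {
        Write-Warning "NewDN does not end with lastKnownParent ($([string]$parent[0])); the target container must exist."
    }

    # 2. The undelete itself: delete isDeleted and replace distinguishedName in ONE modify,
    #    with the show-deleted control so the server resolves the tombstone DN.
    $delIsDeleted = New-Object System.DirectoryServices.Protocols.DirectoryAttributeModification
    $delIsDeleted.Name      = 'isDeleted'
    $delIsDeleted.Operation = [System.DirectoryServices.Protocols.DirectoryAttributeOperation]::Delete

    $setDN = New-Object System.DirectoryServices.Protocols.DirectoryAttributeModification
    $setDN.Name      = 'distinguishedName'
    $setDN.Operation = [System.DirectoryServices.Protocols.DirectoryAttributeOperation]::Replace
    [void]$setDN.Add($NewDN)

    $mod = New-Object System.DirectoryServices.Protocols.ModifyRequest
    $mod.DistinguishedName = $DeletedDN
    [void]$mod.Modifications.Add($delIsDeleted)
    [void]$mod.Modifications.Add($setDN)
    [void]$mod.Controls.Add((New-Control $ShowDeleted))

    try {
        return $Conn.SendRequest($mod).ResultCode   # Success: the object is live again at $NewDN
    } catch [System.DirectoryServices.Protocols.DirectoryOperationException] {
        # e.g. UnwillingToPerform with "00002077: SvcErr ..." in ErrorMessage, as in the post
        throw "Undelete failed: $($_.Exception.Response.ResultCode) - $($_.Exception.Response.ErrorMessage)"
    }
}

# Usage (every value here is an assumption patterned on the thread):
$conn = Connect-Ldaps 'dc01.foo.com:636'
Restore-TombstoneObject -Conn $conn `
    -DeletedDN 'CN=First Last\0ADEL:2fac39f1-7bdb-4a09-bcf2-11879c14c6cb,CN=Deleted Objects,DC=foo,DC=com' `
    -NewDN     'CN=First Last,CN=Users,DC=foo,DC=com'
```

Where the Recycle Bin is enabled, Restore-ADObject -Identity <objectGUID> performs this same undelete and is the supported route; it is subject to the same limit, in that a recycled object cannot be restored by either path, and the script's first step makes that distinction explicit before anything is modified.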
  • Could this be my issue:

    https://social.technet.microsoft.com/Forums/windowsserver/en-US/457da36f-8a7e-43a8-9d67-e5732ff27b67/restore-deleted-ad-user-account-in-windows-server-2012?forum=winserverDS

    Is there anyway to restore an object if the recycle bin feature was turned off before the deletion and then turned on afterward?

    Thursday, April 20, 2017 5:24 PM
  • I am also wondering if I can use instead the "authoritative restore" method using the ntdsutil command.

    Has anyone done this before? I'm surprised this issue isn't more prevalent.

    Thursday, April 20, 2017 5:30 PM
  • Hi pisymbol,

    >>I am also wondering if I can use instead the "authoritative restore" method using the ntdsutil command.

    I suppose we could try.

    You could refer to the link below for executing the authoritative restore:

    https://technet.microsoft.com/en-us/library/cc732211(v=ws.11).aspx

    Best regards,

    Andy


    Friday, April 21, 2017 3:14 AM
    Moderator
  • Hi pisymbol,

    Was this issue solved?

    If not, please share the current situation for further assistance.

    Best regards,

    Andy


    Wednesday, April 26, 2017 5:56 AM
    Moderator
  • The issue is not resolved. AD simply will not let me restore the object.
    Friday, May 12, 2017 4:49 PM
  • I am seeing the exact same issue as the OP. Has there been any clarification on this issue?
    Thursday, March 22, 2018 1:20 AM