Read it and follow the screenshots carefully before restoration.

Technet
- Performing an Authoritative Restore of Active Directory Objects

AskDS - Best practices around Active Directory Authoritative Restores in Windows Server 2003 and 2008 



Backup

Install WBADMIN from Features, then take the backup using WBADMIN.


Click Add Items

Select System state


Restoration



(Here the non-authoritative restore needs to be done in DSRM mode.)
DSRM : bcdedit /set safeboot dsrepair
Normal : bcdedit /deletevalue safeboot

a) Get the backup version using "wbadmin get versions" (if there are multiple backups in the same location).

b) Restore the backup using "wbadmin start systemstaterecovery".

Press Y to reboot, then do the authoritative restore for a user account in DSRM mode.

Press Enter!

Click Yes!

NTDSUTIL
Activate Instance "NTDS"
authoritative restore
restore object "<DN>"



AD DS Backup and Restoration

Known Issues for AD DS Backup and Recovery

AD DS Backup and Recovery Step-by-Step Guide

Windows Server 2012: Planning for Active Directory Forest Recovery

PowerShell




How to check whether the Active Directory Recycle Bin is enabled

Get-ADOptionalFeature -Filter 'name -like "Recycle Bin Feature"' | Select-Object EnabledScopes
If the output of the above command is empty, the Active Directory Recycle Bin is disabled.

How to restore Active Directory objects


See the Tombstone

Get-ADObject -Filter {LastKnownparent -eq "OU=ADFS,DC=Contoso,DC=COM"} -IncludeDeletedObjects

 
Restore the Object

Get-ADObject -Filter {LastKnownparent -eq "OU=ADFS,DC=Contoso,DC=COM"} -IncludeDeletedObjects | Restore-ADObject -NewName bshwjt


See the deleted objects from the Active Directory Recycle Bin


## Prerequisites: 1) Windows 2008 R2 DFL 2) Active Directory Recycle Bin
Get-ADObject -SearchBase "CN=Deleted Objects,DC=Contoso,DC=Com" -LDAPFilter "(objectClass=*)" -IncludeDeletedObjects | FL *

_______________________________________________________________________________________________________________

Attributes Backup

How to manage AD restoration in our environment without downtime on any DC.

Best Practice:


1.   Take a valid group membership backup on a daily basis (with a script).
2.   Take a backup of all attributes daily (with a script).
3.   Use ADRESTORE.NET (a free Sysinternals tool) for restoring the deleted object.

Download ADRESTORE.NET

http://technet.microsoft.com/en-us/sysinternals/bb963906

Restore the group membership from the backup and compare the attribute values.
Schedule the backup outside business hours.
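
One way to script practice 1 and the post-restore comparison, as an added example that is not from the original post. It assumes the ActiveDirectory PowerShell module is installed; the backup path and the function names are hypothetical.

```powershell
# Added example: daily group membership backup and post-restore comparison.
# Assumes the ActiveDirectory module (RSAT). Path and function names are hypothetical.
Import-Module ActiveDirectory

$BackupDir = 'C:\ADBackup\GroupMembership'   # hypothetical backup location

function Export-GroupMembershipBackup {
    # Writes one CSV row per (group, member) pair into a dated file.
    # Primary group membership is not stored in 'member' and is not captured.
    param([string]$Directory = $BackupDir)
    New-Item -ItemType Directory -Path $Directory -Force | Out-Null
    $file = Join-Path $Directory ('GroupMembers_{0:yyyyMMdd}.csv' -f (Get-Date))
    Get-ADGroup -Filter * -Properties member | ForEach-Object {
        $groupDN = $_.DistinguishedName
        foreach ($memberDN in $_.member) {
            [pscustomobject]@{ GroupDN = $groupDN; MemberDN = $memberDN }
        }
    } | Export-Csv -Path $file -NoTypeInformation -Encoding UTF8
    $file   # return the path so a scheduled task can log it
}

function Compare-GroupMembershipBackup {
    # Returns the groups the object belonged to in the backup but is missing
    # from now. OriginalDN is the DN before deletion; CurrentDN differs only
    # when the object was restored with -NewName or to another container.
    param(
        [Parameter(Mandatory)][string]$BackupFile,
        [Parameter(Mandatory)][string]$OriginalDN,
        [string]$CurrentDN = $OriginalDN
    )
    $backedUp = @(Import-Csv -Path $BackupFile |
        Where-Object { $_.MemberDN -eq $OriginalDN } |
        Select-Object -ExpandProperty GroupDN)
    # memberOf is empty or absent when the restore did not bring back links.
    $current = @((Get-ADObject -Identity $CurrentDN -Properties memberOf).memberOf)
    $backedUp | Where-Object { $current -notcontains $_ }
}

# Daily (scheduled outside business hours):
#   Export-GroupMembershipBackup
# After restoring an object, list what is still missing and review it
# before re-adding anything:
#   Compare-GroupMembershipBackup -BackupFile <csv> -OriginalDN <old DN> -CurrentDN <new DN>
```

Review the returned list before re-adding memberships, since the backup may include privileged groups that should not be granted back automatically.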
____________________________________

Dsquery backup of all users and all attributes - Domain

Dsquery * -limit 0 -filter "(&(objectClass=User)(objectCategory=Person))" -attr * >> Domain_all_users_attrs.txt

How to export the deleted objects using LDIFDE

Ldifde -x -d "CN=Deleted Objects,DC=Contoso,DC=com" -f Del_obj.ldf && notepad Del_obj.ldf

Also see some proactive steps using PowerShell

Active Directory Objects Restoration


________________________________________________________________________________________

Disclaimer: This posting is provided with no warranties or guarantees and confers no rights.