You need to identify the names of the users who were members of Group1 prior to its deletion

Your network contains an Active Directory domain named contoso.com. The domain
contains a domain controller named DC1 that runs Windows Server 2012 R2. DC1 is backed
up daily.
The domain has the Active Directory Recycle Bin enabled.
During routine maintenance, you delete 500 inactive user accounts and 100 inactive groups.
One of the deleted groups is named Group1. Some of the deleted user accounts are
members of some of the deleted groups.
For documentation purposes, you must provide a list of the members of Group1 before the
group was deleted.
You need to identify the names of the users who were members of Group1 prior to its
deletion.
You want to achieve this goal by using the minimum amount of administrative effort.
What should you do first?

A. Mount the most recent Active Directory backup.

B. Reactivate the tombstone of Group1.

C. Perform an authoritative restore of Group1.

D. Use the Recycle Bin to restore Group1.

Explanation:
The Active Directory Recycle Bin does not track simple changes to objects.
If the object itself is not deleted, nothing is moved to the Recycle Bin for possible
future recovery. In other words, there is no rollback capability for changes to object
properties, that is, to the values of those properties.
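One way to read Group1's membership from a mounted backup without restoring anything into the live domain, as an added example that is not part of the original page. It assumes the backup's `ntds.dit` is already reachable at a local path and is in a consistent state; the path, port and output file name are hypothetical, and the group's name attribute is assumed to be `Group1`.

```powershell
# Added example (not from the original page). Run elevated on DC1.
# Assumptions: $DbPath, $LdapPort and the CSV name are hypothetical values.
Import-Module ActiveDirectory

$DbPath   = 'E:\ADBackup\Windows\NTDS\ntds.dit'   # ntds.dit exposed by the mounted backup
$LdapPort = 51389                                 # any free port; dsamain also uses the next three
$Server   = "localhost:$LdapPort"

# dsamain serves the offline database over LDAP for as long as the process runs.
$dsamain = Start-Process -FilePath dsamain.exe -PassThru -WindowStyle Hidden `
    -ArgumentList "-dbpath `"$DbPath`" -ldapport $LdapPort"

try {
    # Poll until the mounted instance answers, or give up after 60 seconds.
    $deadline = (Get-Date).AddSeconds(60)
    $root = $null
    while (-not $root -and (Get-Date) -lt $deadline) {
        Start-Sleep -Seconds 2
        try { $root = Get-ADRootDSE -Server $Server } catch { $root = $null }
    }
    if (-not $root) { throw "No response from the dsamain instance on $Server" }

    # In the backup, Group1 and its members still exist as live objects,
    # so the member attribute holds the pre-deletion membership.
    $group = Get-ADGroup -Filter "Name -eq 'Group1'" -Server $Server -Properties member
    if (-not $group) { throw "Group1 not found in the mounted database" }

    $group.member |
        ForEach-Object { Get-ADObject -Identity $_ -Server $Server -Properties sAMAccountName } |
        Select-Object Name, sAMAccountName, ObjectClass, DistinguishedName |
        Export-Csv -Path .\Group1-members.csv -NoTypeInformation
}
finally {
    # Stop serving the offline database once the list has been exported.
    if (-not $dsamain.HasExited) { Stop-Process -Id $dsamain.Id }
}
```

The exported list reflects the state at the time of the backup, so membership changes made between the last daily backup and the deletion will not appear in it.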





sysadmin

Actually the answer is wrong.
In this case you deleted users and groups. So it would register in the AD Recycle Bin. It wouldn’t have if you changed group membership or any other object attribute.
Here is a thorough explanation.

http://davidmtechblog.blogspot.com/2014/03/windows-server-2012-active-directory.html

Pio

Yes but you have to restore all the deleted members too and not just Group1.

den

You do not have to restore anything, read the question!
The provided answer achieves the goal with the least effort…

jo

In Windows Server 2012, the Active Directory Recycle Bin feature has been enhanced with a new graphical user interface for users to manage and restore deleted objects. Users can now visually locate a list of deleted objects and restore them to their original or desired locations.
Navigate to the Deleted Objects container.
https://technet.microsoft.com/en-us/library/hh831702.aspx

The answer should be D.
Why else would they mention that the recycle bin is enabled?

Zak

It says nothing about restoring, just identifying, so the answer is correct.

Paul

The recycle bin is mentioned in the classic MS red herring fashion.

evoken

Yes, if the wording in the exam is the same, Zak must be correct.

Nicolas

Might be wrong, but even if you restore the group you won’t be able to see all the members from before the group was deleted, because some of the members might have been deleted too, so answer A seems to be the correct one. But answer D indeed creates confusion, and that is probably the intention when they mention that the recycle bin is enabled in the question header.

John

It’s A 🙂

Some of the members of Group1 WERE deleted. So when you restore Group1, the accounts that are still deleted are NOT members of Group1.

I just tested this with the Active Directory Recycle Bin on.

Raja

The answer is A. And here is the reason why.
Yes, the accounts have been deleted, but so are the memberships to the groups. Now yes, you can actually restore the accounts from the recycle bin. But the accounts will not be put back as members of any group. So you would have to assign them manually. But the question stated that the least amount of admin effort must be used. So yes, you will do a restore from the backup to get all the accounts, groups and their memberships.

den

You do not need to restore anything!

Micro

When you restore a group, if a user account is not deleted, group membership WILL be restored (the user will appear as a member of the group).

If a user is deleted, it WILL NOT appear as a member of that group (it can’t, it’s deleted).

If you restore a user that was a member of that group, its group membership will be restored also.

Tested on W2K12R2.

Ricky

I just finished creating a group, creating a user, inserting the user in the group, activating the recycle bin, deleting the group.

Then I went to ADAC to click on the recycle bin, found the deleted group, restored it, and now when I click the group to view its properties, I see the user that I created in the first place.

So how is the answer not D ?

Akoachi

Because you do not want to restore the group, you only want to create a list of its members. Both C and D restore it, so can’t be answers. The tombstone does not have the membership of the group, because that is deleted when a group is deleted. Only mounting a previous backup accomplishes what is requested with the least administrative effort.

Ricky

Please try that yourself and see what I’m talking about.

Anyone?

Pirulo

You did not delete the user, so it’s not a valid example.
If you create two users, x1 and x2, and a group G1:
Add x1, x2 to G1.
Delete: x1, G1
Restore: G1
You will see that G1 has only x2 as a member, because x1 is STILL DELETED.
So you would need to restore all the users and G1 to see the members of G1 before the deletion.
Restoring only a group is no problem, but if you also restore all of the users, then you will need to delete the previously deleted users (and G1).
This is clearly not the least administrative effort.
So I think that this tricky question’s answer is A.

B-Art

I agree, you do not know the sequence(!) of events. If the user accounts were deleted before Group1 was deleted, you will not find the answer in the AD Recycle Bin!

Just to be sure, you must mount a previous version of the AD database!

shepmarine

I’ve just checked that in my lab.

I’ve created 5 users (User1, User2, User3 etc.) and put them into Group1.

I’ve removed Group1 + User4 and User5.

Then, I restored Group1 with the Recycle Bin (User4 and User5 still in the recycle bin).

The Group membership was restored but only with existing users (User1, User2 and User3).

So in this question, it’s definitely not D.
Personally, I’d go for A.

Jeroen

Zak is correct. The keywords in this question are ‘provide a list of members’ and ‘minimum amount of administrative effort’.

There is no mention of the users or groups needing to be restored. Therefore answer A is correct.

Mel

It seems like a whole lot of administrative effort to mount the most recent backup. You can’t simply read the contents of the group from the tape itself. You need to do a restore from the tape in order to see what was in the group. All I can see on my backup tape are object names (files and folders), not the contents of those objects.

Mel

However, all the other answers are incorrect because they will not provide the names of the deleted members. So yes the first step would be to mount the tape.

Jay

The answer is A. This is the only option that can “recover Group1 and identify the names of the users who were members of Group1 prior to its deletion”. You are restoring the object to its previous state as of the prior backup, which has all that information.

AD Recycle Bin could work as it does save membership information, but it is only available at the 2008 R2 functional level. You have a 2008 DC – so max functional level can only be 2008 therefore no AD recycle bin.

Matt

The question is not about the groups – the question is – “What do you do first”. You need to mount the backup before you can restore the group. The answer is A.

When you restore from the Recycle Bin it does not restore group memberships for deleted user accounts. So those 100 deleted user accounts will not be restored into Group1. The answer is certainly not D.