Your network contains an Active Directory domain named contoso.com. The domain
contains domain controllers that run Windows Server 2008, Windows Server 2008 R2,
Windows Server 2012, and Windows Server 2012 R2.
A domain controller named DC1 runs Windows Server 2012 R2. DC1 is backed up daily.
During routine maintenance, you delete a group named Group1.
You need to recover Group1 and identify the names of the users who were members of
Group1 prior to its deletion. You want to achieve this goal by using the minimum amount of
administrative effort.
What should you do first?
A. Perform an authoritative restore of Group1.
B. Mount the most recent Active Directory backup.
C. Use the Recycle Bin to restore Group1.
D. Reactivate the tombstone of Group1.
Explanation:
The Active Directory Recycle Bin does not have the ability to track simple changes to
objects. If the object itself is not deleted, nothing is moved to the Recycle Bin for possible
recovery in the future. In other words, there is no rollback capability for changes to object
properties, that is, to the values of those properties.
There is another approach you should be aware of. Tombstone reanimation (which has
nothing to do with zombies) provides the only way to recover deleted objects without taking a
DC offline, and it’s the only way to recover a deleted object’s identity information, such as its
objectGUID and objectSid attributes. It neatly solves the problem of recreating a deleted
user or group and having to fix up all the old access control list (ACL) references, which
contain the objectSid of the deleted object.
An authoritative restore restores domain controllers to a specific point in time and marks objects in Active Directory
as authoritative with respect to their replication partners.
The answer seems to be good, but the explanation is quite random 🙁 There is no AD Recycle Bin in this environment because of the Windows 2008 DCs.
I do not like A – looks like too much trouble and RESTORE is not required
B – good option, recovers without restoring and lets you identify the names
C – Recycle Bin is not enabled by default – ruled out completely.
D – less trouble and does the job, but restore is not required
B seems to be a better choice. Any thoughts anyone?
You need to RECOVER Group1 AND identify the names…
B won’t let you restore anything. A will.
B seems like the right option… mount it and use dsamain to open it as LDAP, view the Group1 members and unmount. Simple, I guess.
I think the answer is still A because with B you would need to know and apply much more knowledge with dsamain than with A – performing an authoritative restore.
If the question was you need simply to view the members of group 1 then I would have chosen B too. The question asks for a restore of group 1 so that will require A.
This question was asked in the exam.
Interesting, but your point is?
I’m not sure if it’s A or B… I would say B.
This question has been bugging me a lot, so please bear with me on my ramblings:
A: Does not sound “right” because we do not do an authoritative restore of a group, we do an authoritative restore of a backup/snapshot, and we recover what is there.
B: Mount does not recover either, only “shows”, or “makes available” to then effectively restore.
C: Recycle Bin does not exist in 2008 (you have one Windows 2008 server), but in 2008 R2.
D: You can reanimate a tombstoned object (like a group)
So I would go with D
Any thoughts ?
Yup, I would go with D as well. Because, as you said, mounting the backup would just be to identify, and here it says to restore the group, so not B. Not C either, as you mentioned. I’m a bit confused about A, but would go for D.
But the question is, will the tombstone recovery also restore the memberships of the group? Because we are doing the recovery for the memberships.
I would go for B: put back the recent AD backup, restore the group + users in it + membership to that group, and identifying before the restore is also possible.
Recycle Bin is ruled out, not enabled by default.
Users have been deleted = so no author. restore, only when removed!
Yooo fellas, I brought you the answer
Click the following link and read the first section:
https://technet.microsoft.com/en-us/library/dd379542(v=ws.10).aspx
and I quote:
The default tombstone lifetime was 180 days in Windows Server 2003 with Service Pack 1 (SP1), Windows Server 2003 with Service Pack 2 (SP2), and Windows Server 2008. You could use tombstone reanimation to recover deleted objects without taking your domain controller or your AD LDS instance offline. However, the reanimated objects’ link-valued attributes (for example, group memberships of user accounts) that were physically removed and the non-link-valued attributes that were cleared were not recovered. Therefore, administrators could not rely on tombstone reanimation as the ultimate solution for accidental deletion of objects. For more information about tombstone reanimation, see Reanimating Active Directory Tombstone Objects (http://go.microsoft.com/fwlink/?LinkID=125452).
Therefore the correct answer is A.
Actually, your quote mentions “physical deletes” only. But your second link states it more clearly:
Active Directory will not save forward-linked or backward-linked attributes in the tombstone, even if you specify to do so in the searchFlags attribute of the schema object. In particular, Active Directory doesn’t save things such as the member attribute of a group or the memberOf attribute of a user.
So to restore a group with membership you can’t use tombstone reanimation. It’s A.
Really? The question states you just should *identify* the names and *recover* the group… Also, asking for the first step, answer D does not look that bad… when the next steps are maybe mounting the latest AD backup to *identify* the names. Just checking the wording and exact description of the scope of work :-/
I was just thinking further… they require “minimum administrative effort”… so when it comes to getting the job done you could kill 2 birds with one stone by applying answer A: the group would get restored and by viewing the membership you get the names!
Surely you might have other disadvantages… but the more I think about this question the more pain in the a** I get %-(
Crap question. On first view I would go with B. However, reading the question very carefully, it does say “You need to recover Group 1”! A snapshot will not recover objects; I would go with ‘A’, the given answer, it is the only answer that would work.
The context that I got on the test was that the group and some members of the group were deleted. They wanted to just view the members of the group from before the deletions for audit purposes.
Based on all of that wording I chose Mount the backup.
On the test they specifically said AD recycle bin was on and they were running 2012 R2 domain level.
Realized upon further studying that the question I saw on the exam was another question on here.
Disregard my previous reply.
Hey Anon, how relevant are these questions in regard to the actual exam?
I think the answer is D, recover the tombstone of Group1. It’s a sneaky question, but if you read carefully it states “What should you do first”. That makes me think the answer is not the whole process. So I would re-animate the tombstone to satisfy the recovery objective. The second action would be to mount the most recent backup and then check the group membership. This is kind of implied by the “identify the names of the users” part of the question, again indicating that the first action should be to re-animate the tombstone.
I kind of agree with you J, the only thing that gets me is the least administrative effort part. I think that reanimating the tombstone of the group and mounting the backup does require less administrative effort than an authoritative restore.
I will go with A
Yesterday I got this question. I chose B, but I got a lower mark in this category… I think the answer is A.
the question is “What should you do first?”
While “authoritative restore” restores the group with membership, it is not the first thing to be done. The first thing to do is a restore of the DC system state, restart the DC in “dsrepair mode” and then do the “authoritative restore”. In an ITIL-compliant organisation, bringing a server down takes a lot of administrative work/approval.
“Reactivate the tombstone of Group1” to restore group and mount snapshot to enumerate membership to reapply to restored group is less hassle than rebooting a DC. “Reactivate the tombstone of Group1” would be the first thing to do.
I suggest D.
A question with three possible answers, the only one to rule out completely is C.
“You want to achieve this goal by using the minimum amount of administrative effort. What should you do first?”
With that in mind, A is not the minimum administrative effort (rebooting a server into AD Recovery mode, you want to avoid that in production). So I think B and D are the candidates.
So we come to “What should you do first?”. If it was me, I would mount the backup first, check the group membership from the AD DS snapshot, then reanimate the object, and fix the group references. But either way works.
Impossible to answer conclusively, I fear.
Firstly I have to say that MS should refrain from asking these crap questions where there’s no absolute right answer. Test strictly technical knowledge, not interpretation of the English language.
Having said that – there is no absolute correct answer; we can absolutely rule out the Recycle Bin because there are 2008 DCs.
The others are possible answers – (A) would fix the problem at hand, restoring the group and memberships, but as an admin in a real-world situation it’s not what I would do first – getting the group membership info is what I would need first.
Why? I can always recreate a group called Group1 but I wouldn’t remember all the members of the group.
So getting that info in a real-world scenario is most important.
I would then Reactivate the tombstone of Group1 – this doesn’t restore the memberships but I already have that info.
This can all be done live without interruption to the users and my boss wouldn’t even know. Otherwise wait for after hours and do it the longer way, which is (A).
So mounting the backup and getting the info (B) is what I’m going for.
Geez – you could do step (D), Reactivate the tombstone of Group1, first, then mount the backup (B) and get the members of the group.
In a real-world scenario either could be done first; to satisfy this question do (D) first and recover just the group.
Final answer (D)
“You need to recover Group1 and identify the names of the users who were members of Group1 prior to its deletion.” So we didn’t remove them before deleting it.
I tried it in my lab:
– Created a Test group
– Added the administrator as a member of the group
– Deleted the group
– Reactivated the tombstone of group Test
– The administrator was still in the group.
Because ldp is a bit annoying (and I’ve no idea how to use it) I used AdRestore from Sysinternals instead. https://technet.microsoft.com/en-us/magazine/2007.09.tombstones.aspx
D is my answer; performing an authoritative restore of Group1 will also work, but it’s more intrusive.
I tested this with LDP – it is a nightmare to use, but I restored a deleted user (I couldn’t get it to work with a group) and his group membership was not restored. TechNet articles say attributes such as password and group memberships are not restored with tombstone reanimation.
Did the same with a user and a group with AdRestore and in both cases the memberships were retained. I think that AdRestore is doing something beyond the abilities of LDP. You are really only removing the ‘isDeleted’ flag with LDP, not actually restoring it.
So I go with A, although it’s debatable whether you would need to do B first to locate the deleted object.
It’s B. I find it strange no one points this out, but the question asks what to do first, so while you do need to recover, it would be important in this scenario to mount the snapshot first so you can identify the names of the objects prior to deletion.
An authoritative restore will restore the group and let you see members as well (after the restore). No need to identify the members first, since you will have to run the auth restore anyway and “minimum amount of administrative effort” is required.
Why bother, you need to restore the group anyway and the members will come back after the authoritative restore.
Recover! not Restore!
A is correct:
B – “The Active Directory database mounting tool does not recover deleted objects by itself” https://technet.microsoft.com/en-us/library/cc753246(v=ws.10).aspx
C – Recycle Bin cannot be used due to Windows Server 2008 DCs (Domain Level must be 2008 R2 or later)
D – “tombstone reanimation doesn’t provide a solution for recovering group memberships in Active Directory” – https://technet.microsoft.com/en-us/library/2007.09.tombstones.aspx
I’m going with A.
Further info ruling out D:
“User-group links are not preserved in tombstones. For example, when a user object is reanimated, the user account is not a member of any group. All of this information must be recreated manually by the Active Directory administrator.”
https://www.ibm.com/support/knowledgecenter/en/SSGSG7_6.4.0/com.ibm.itsm.client.doc/c_res_activedirwin_reanimatevsrestore.html
Info on how to do an authoritative restore:
http://www.dell.com/support/article/uk/en/ukbsdt1/sln156828/windows-server-how-to-perform-an-authoritative-restore-of-active-directory-objects?lang=en
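As an added example (not code from the thread, Microsoft or any poster), this PowerShell script sketches the procedure several posters describe: mount a copy of the daily backup's ntds.dit with dsamain (option B), read Group1's member attribute from it, and re-add any members that a tombstone-reanimated Group1 (option D) came back without, since the thread's quoted articles note that reanimation does not preserve the member link. It assumes it runs on DC1 as a domain admin, that the backup's ntds.dit and its log files have been copied to the placeholder path `$DitPath`, and that port 10389 is free.

```powershell
# Added example, not from the thread. Assumes: running on DC1 as a domain admin,
# a copy of ntds.dit (plus logs) from the daily backup at $DitPath (placeholder),
# and that port 10389 is free. The AD module reaches the dsamain instance via ADWS on DC1.
$DitPath   = 'C:\ADBackup\Windows\NTDS\ntds.dit'   # placeholder: copied from the backup
$LdapPort  = 10389
$GroupName = 'Group1'

Import-Module ActiveDirectory

# 1. Expose the backup database read-only as a separate LDAP instance (option B).
$dsamain = Start-Process -FilePath 'dsamain.exe' -PassThru `
    -ArgumentList "-dbpath `"$DitPath`" -ldapport $LdapPort"
Start-Sleep -Seconds 15   # give dsamain time to open the database

try {
    # 2. Read the group's members as they were before the deletion.
    $backupGroup   = Get-ADGroup -Identity $GroupName -Properties member -Server "localhost:$LdapPort"
    $backupMembers = @($backupGroup.member)
    Write-Host "Members of $GroupName in the backup:"
    $backupMembers | ForEach-Object { Write-Host "  $_" }

    # 3. Tombstone reanimation (option D) brings Group1 back with its original objectSid
    #    but without its member attribute, so re-add the members recorded in the backup.
    $live = Get-ADGroup -Filter "Name -eq '$GroupName'" -Properties member -ErrorAction SilentlyContinue
    if (-not $live) {
        Write-Warning "$GroupName is not present in the live directory; recover it first."
        return
    }
    $missing = $backupMembers | Where-Object { $_ -notin @($live.member) }
    foreach ($dn in $missing) {
        try {
            Add-ADGroupMember -Identity $live -Members $dn
            Write-Host "Re-added $dn"
        } catch {
            # A member DN that no longer exists (a user deleted alongside the group)
            # must itself be recovered before its membership can be restored.
            Write-Warning "Could not add $dn : $($_.Exception.Message)"
        }
    }
}
finally {
    # 4. Unmount the backup database by ending the dsamain instance.
    Stop-Process -Id $dsamain.Id -ErrorAction SilentlyContinue
}
```

Comparing the backup's member list against the live group is also a quick audit of which memberships a recovery actually brought back, whichever of the thread's options was used.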