Your network contains an Active Directory domain named contoso.com. The domain contains domain controllers that run Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, and Windows Server 2012 R2.
A domain controller named DC1 runs Windows Server 2012 R2. DC1 is backed up daily.
During routine maintenance, you delete a group named Group1.
You need to recover Group1 and identify the names of the users who were members of Group1 prior to its
deletion. You want to achieve this goal by using the minimum amount of administrative effort.
What should you do first?
A. Perform an authoritative restore of Group1.
B. Mount the most recent Active Directory backup.
C. Use the Recycle Bin to restore Group1.
D. Reactivate the tombstone of Group1.
Explanation:
The Active Directory Recycle Bin does not track simple changes to objects. If the object itself is not deleted, nothing is moved to the Recycle Bin for possible recovery later. In other words, there is no rollback capability for changes to object properties, that is, to the values of those properties.
There is another approach you should be aware of. Tombstone reanimation (which has nothing to do with
zombies) provides the only way to recover deleted objects without taking a DC offline, and it’s the only way to
recover a deleted object’s identity information, such as its objectGUID and objectSid attributes. It neatly solves
the problem of recreating a deleted user or group and having to fix up all the old access control list (ACL)
references, which contain the objectSid of the deleted object.
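The LDAP operation the paragraph above describes, as an added PowerShell example that is not part of the original page: find Group1's tombstone with the show-deleted control and reanimate it with a single modify that removes isDeleted and sets the new distinguishedName. The DC name DC1.contoso.com and the fallback container OU=Groups are assumptions (only the domain and the group name Group1 come from the question); the lastKnownParent attribute on the tombstone is used when present so the group lands where it was. It works against any DC running Windows Server 2003 SP1 or later and does not need the Recycle Bin.

```powershell
# Added example, not code from the original page. Assumes DC1.contoso.com is
# reachable over LDAP with the caller's (Domain Admin) credentials; the OU in
# $fallbackParent is assumed, Group1 and contoso.com come from the question.
Add-Type -AssemblyName System.DirectoryServices.Protocols
$fallbackParent = 'OU=Groups,DC=contoso,DC=com'

$ldap = New-Object System.DirectoryServices.Protocols.LdapConnection('DC1.contoso.com')
$ldap.SessionOptions.ProtocolVersion = 3
$ldap.Bind()   # Negotiate (Kerberos) with the current credentials

# LDAP_SERVER_SHOW_DELETED_OID (1.2.840.113556.1.4.417): without it the DC hides tombstones.
$showDeleted = New-Object System.DirectoryServices.Protocols.ShowDeletedControl

# 1. Locate the tombstone. On deletion the RDN becomes "Group1\0ADEL:<objectGUID>"
#    (\0A is a literal line feed, written in LDAP filter escape syntax here) and the
#    object is moved under CN=Deleted Objects.
$search = New-Object System.DirectoryServices.Protocols.SearchRequest
$search.DistinguishedName = 'CN=Deleted Objects,DC=contoso,DC=com'
$search.Filter = '(&(isDeleted=TRUE)(objectClass=group)(cn=Group1\0ADEL:*))'
$search.Scope = [System.DirectoryServices.Protocols.SearchScope]::OneLevel
[void]$search.Attributes.AddRange([string[]]@('objectGUID', 'objectSid', 'sAMAccountName', 'lastKnownParent'))
[void]$search.Controls.Add($showDeleted)

$result = $ldap.SendRequest($search)
if ($result.Entries.Count -ne 1) {
    throw "Expected exactly one Group1 tombstone, found $($result.Entries.Count)"
}
$tombstone = $result.Entries[0]

# The identity that survives deletion: this SID is what existing ACLs still reference.
$sidBytes = $tombstone.Attributes['objectSid'].GetValues([byte[]])[0]
$sid = New-Object System.Security.Principal.SecurityIdentifier($sidBytes, 0)
Write-Host "Tombstone $($tombstone.DistinguishedName) keeps objectSid $sid"

# Prefer the recorded parent; it is empty when the parent container was deleted too.
$parent = $fallbackParent
if ($tombstone.Attributes.Contains('lastKnownParent')) {
    $parent = $tombstone.Attributes['lastKnownParent'].GetValues([string])[0]
}
$newDn = "CN=Group1,$parent"

# 2. Reanimate: strip isDeleted and assign the new DN in ONE modify, with the control.
#    Splitting them into two operations is rejected by the DC.
$modify = New-Object System.DirectoryServices.Protocols.ModifyRequest
$modify.DistinguishedName = $tombstone.DistinguishedName

$dropIsDeleted = New-Object System.DirectoryServices.Protocols.DirectoryAttributeModification
$dropIsDeleted.Name = 'isDeleted'
$dropIsDeleted.Operation = [System.DirectoryServices.Protocols.DirectoryAttributeOperation]::Delete

$setDn = New-Object System.DirectoryServices.Protocols.DirectoryAttributeModification
$setDn.Name = 'distinguishedName'
$setDn.Operation = [System.DirectoryServices.Protocols.DirectoryAttributeOperation]::Replace
[void]$setDn.Add($newDn)

[void]$modify.Modifications.Add($dropIsDeleted)
[void]$modify.Modifications.Add($setDn)
[void]$modify.Controls.Add($showDeleted)
[void]$ldap.SendRequest($modify)
$ldap.Dispose()

# 3. Check the result. objectGUID/objectSid/sAMAccountName are back, but a tombstone
#    keeps only a handful of attributes, so 'member' comes back empty: reanimation
#    alone cannot tell you who was in Group1.
Import-Module ActiveDirectory
Get-ADGroup -Identity $newDn -Properties member, objectSid |
    Select-Object Name, objectSid, @{ n = 'MemberCount'; e = { $_.member.Count } }
```

Run it as a Domain Admin from a management host with RSAT; nothing here takes a DC offline, which is the property the paragraph credits to tombstone reanimation.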
Authoritative restore: restores a domain controller to a specific point in time and marks the chosen objects in Active Directory as authoritative with respect to their replication partners, so the restored copy wins over the deletion that was replicated.
Mount the most recent backup: mounting a backup is only for documentation purposes. It lets you read what Group1 looked like at backup time (for example, its member list), but by itself it does not put the group back.
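The two options above put together, as an added PowerShell example that is not part of the original page or the exam material: recover a copy of ntds.dit from the newest backup, mount it read-only with dsamain on an alternate LDAP port, read Group1's former membership through the normal AD cmdlets, and then (as comments, because it runs offline in Directory Services Restore Mode) the authoritative restore that actually brings the group back. Assumptions: DC1 is backed up with Windows Server Backup (wbadmin), C:\ADRestore is free to use, TCP port 10389 is unused on DC1, and Group1 lived at CN=Group1,OU=Groups,DC=contoso,DC=com; only DC1, contoso.com and Group1 come from the question.

```powershell
# Added example, not code from the original page. Assumptions: DC1 is backed up
# with Windows Server Backup, C:\ADRestore is free, TCP 10389 is unused on DC1,
# and Group1 lived at CN=Group1,OU=Groups,DC=contoso,DC=com (the OU is assumed;
# DC1, contoso.com and Group1 come from the question). Run on DC1 as Domain Admin.
$groupDn  = 'CN=Group1,OU=Groups,DC=contoso,DC=com'
$scratch  = 'C:\ADRestore'
$ldapPort = 10389
New-Item -ItemType Directory -Path $scratch -Force | Out-Null

# --- 1. Pull only ntds.dit out of the newest backup; the live database is untouched.
#        'wbadmin get versions' prints lines like "Version identifier: 05/14/2015-20:00".
$version = (wbadmin get versions |
            Select-String 'Version identifier:' |
            Select-Object -Last 1).ToString().Split(':', 2)[1].Trim()
wbadmin start recovery -version:$version -itemType:File `
    -items:C:\Windows\NTDS\ntds.dit -recoveryTarget:$scratch -notRestoreAcl -quiet
$dit = Get-ChildItem -Path $scratch -Recurse -Filter ntds.dit | Select-Object -First 1
if (-not $dit) { throw "ntds.dit was not recovered into $scratch" }

# --- 2. Mount the recovered database as a read-only LDAP instance on an alternate port.
#        dsamain ships with the AD DS role; add -allowUpgrade if the backup came from an
#        older OS build than DC1. It stays in the foreground, so start it detached.
$dsamain = Start-Process -FilePath dsamain.exe -PassThru `
    -ArgumentList @('-dbpath', $dit.FullName, '-ldapport', $ldapPort)
Start-Sleep -Seconds 15   # give the instance time to open the database

# --- 3. Read Group1 as it was at backup time. The AD cmdlets accept host:port in -Server,
#        so the same cmdlets work against the mounted copy; nothing here writes to AD.
Import-Module ActiveDirectory
$mounted = "DC1.contoso.com:$ldapPort"
$group   = Get-ADGroup -Identity $groupDn -Server $mounted -Properties member
$members = foreach ($memberDn in $group.member) {
    # objectClass separates nested groups from users; recurse on the groups if needed.
    Get-ADObject -Identity $memberDn -Server $mounted -Properties sAMAccountName, objectClass
}
$members | Select-Object Name, sAMAccountName, objectClass |
    Export-Csv -Path (Join-Path $scratch 'Group1-members.csv') -NoTypeInformation
Stop-Process -Id $dsamain.Id

# --- 4. Bring Group1 back. With 2008 (non-R2) DCs in the domain the Recycle Bin is not
#        available, so this is an authoritative restore on DC1 from Directory Services
#        Restore Mode. Shown as comments: each line reboots DC1 or runs offline.
#   bcdedit /set safeboot dsrepair ; Restart-Computer           # boot DC1 into DSRM
#   wbadmin start systemstaterecovery -version:$version -quiet  # non-authoritative first
#   ntdsutil "activate instance ntds" "authoritative restore" "restore object $groupDn" quit quit
#   bcdedit /deletevalue safeboot ; Restart-Computer            # back to normal mode
#   # If ntdsutil wrote ar_*_links_*.ldf files (back-links it could not restore itself),
#   # import them after the reboot:  ldifde -i -k -f <ar_..._links_contoso.com.ldf>
```

Step 3 is what option B buys you on its own: a membership list, with Group1 still deleted. Step 4 is the only part that changes the directory, and it is the part the question's mixed-version domain forces, since the Recycle Bin (option C) needs every DC at 2008 R2 or later.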
The question states that you need to recover the group as well. That would mean doing a restore.
Doesn’t recover mean restore? If so – A is correct.
Shouldn’t the answer be D if their explanation says to use tombstone reanimation?
It is actually B.
I tested it in a lab.
1) Deleted test group that contained some users.
2) Wait 15-30 seconds
3) Open AD Administrative Center and then deleted objects
4) Restore deleted group to original location
5) Check and see that group contains all the users it previously contained
6) I checked and it also works if:
a) Deleted group has another group as a member
b) Deleted group is a member of another group
c) both options combined (a and b)
Yeah, nice feature with 2012 R2, huh? But the question states there are old 2008 (even without R2!) Domain Controllers in use, so you won't get lucky!
Tombstone Reanimation is not useful as it doesn’t recover group memberships.
Mounting the backup and messing around further is way more effort than just performing an authoritative restore.
So for me A looks OK!
Special thanks to you Den, for all your comments, not only here…I used them a lot 🙂
It's either A or B, but B wouldn't restore the group, which is needed in this case. The Recycle Bin cannot be used because there are 2008 non-R2 DCs; therefore it cannot run in 2008 R2 mode.
The question asks what you need to do FIRST. You need to mount the AD backup, then perform an authoritative restore.
You need at least W2K8 R2 for Tombstone Reanimation. But what to do first? To do an Authoritative Restore, you first need to mount the backup.
I disagree. Performing an authoritative restore does not require mounting the recent AD backup. It can demand restoring AD from a system state backup, if the modification has already been replicated to all DCs.
https://support.microsoft.com/en-us/kb/840001
In the case of the question, we have to restore it while operating a 2008 domain with the least amount of administrative effort. So performing an authoritative restore with ntdsutil is the only solution accepted.
As a side note, you want to mount the most recent Active Directory backup, if you need to document the user’s memberships in Group1 without a RESTORE (by using dsamain and ldp).