You need to recover Group1 and identify the names of the users who were members of Group1 prior to its deletion

Your network contains an Active Directory domain named contoso.com. The domain contains
domain controllers that run Windows Server 2008, Windows Server 2008 R2, Windows Server 2012,
and Windows Server 2012 R2.
A domain controller named DC1 runs Windows Server 2012 R2. DC1 is backed up daily.
During routine maintenance, you delete a group named Group1.
You need to recover Group1 and identify the names of the users who were members of Group1
prior to its deletion. You want to achieve this goal by using the minimum amount of administrative
effort.
What should you do first?

A.
Perform an authoritative restore of Group1.

B.
Mount the most recent Active Directory backup.

C.
Use the Recycle Bin to restore Group1.

D.
Reactivate the tombstone of Group1.

Explanation:
The Active Directory Recycle Bin does not have the ability to track simple changes to objects. If the
object itself is not deleted, no element is moved to the Recycle Bin for possible recovery in the
future. In other words, there is no rollback capacity for changes to object properties, that is,
to the values of these properties.
There is another approach you should be aware of. Tombstone reanimation (which has nothing to
do with zombies) provides the only way to recover deleted objects without taking a DC offline, and
it’s the only way to recover a deleted object’s identity information, such as its objectGUID and
objectSid attributes. It neatly solves the problem of recreating a deleted user or group and having to
fix up all the old access control list (ACL) references, which contain the objectSid of the deleted
object.
An authoritative restore restores domain controllers to a specific point in time, and marks objects
in Active Directory as being authoritative with respect to their replication partners.



Fulis

I believe that the “minimum amount of administrative effort” is “Mount the most recent backup Active Directory”, and for which “Perform an authoritative restore of Group1” may not be correct.

Mel

The question doesn’t specify whether the deletion has propagated throughout the entire domain. If so, then mounting the backup is FIRST. Otherwise, just do the authoritative restore.

If the deletion has propagated throughout the domain, the procedure is as follows:
1. Locate a DC for which a system-state backup was made before the deletion occurred.
2. If the DC is running Windows Server 2003, reboot it into DSRM.
If the DC is running a later version of Windows Server, stop the Active Directory Domain Services (AD DS) service.
3. Restore the DC’s system state but do not reboot when the restore completes.
4. Mark the objects in question as authoritative using Ntdsutil.exe. See below for details.
5. Reboot the DC into normal mode or restart the AD DS service. The objects marked as authoritative will be replicated back to the other DCs in the domain.

If the deletion of the objects in question has not propagated to all DCs in the domain, the following steps can be performed to recover the deleted objects:
1. Locate a DC which has not received the deletion through AD replication (in other words, a DC on which the objects are still “live”). The DC may be disconnected from the network temporarily as a means of preventing replication.
2. If the DC is running Windows Server 2003, reboot it into Directory Services Restore/Repair Mode (DSRM).
If it is running a later version of Windows Server, stop the Active Directory Domain Services (AD DS) service.
3. Mark the objects in question as authoritative using Ntdsutil.exe. See below for details.
4. Reboot the DC into normal mode or restart the AD DS service. The objects marked as authoritative will be replicated back to the other DCs in the domain.
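
The second procedure above (deletion not yet replicated to this DC), as an added PowerShell example that is not part of the original comment. It assumes a DC running Windows Server 2008 or later with the ActiveDirectory module installed; the DC name and the group's container (`CN=Users`) are assumptions to replace with real values.

```powershell
# Added example: run locally on the DC that still holds a live copy of Group1.
# Assumptions: the group's distinguished name and the DC name below.
$groupDn = 'CN=Group1,CN=Users,DC=contoso,DC=com'
$dc      = 'DC1'

# Step 2: stop AD DS. -Force also stops dependent services, so record
# which ones were running in order to bring them back afterwards.
$dependents = (Get-Service -Name NTDS).DependentServices |
    Where-Object { $_.Status -eq 'Running' }
Stop-Service -Name NTDS -Force

# Step 3: mark the object authoritative. ntdsutil raises the object's
# attribute version numbers so this copy wins over the replicated deletion.
# ntdsutil asks for confirmation before it writes to the database.
& ntdsutil.exe 'activate instance ntds' 'authoritative restore' `
    "restore object $groupDn" quit quit

# Step 4: restart AD DS and the services that were stopped with it.
Start-Service -Name NTDS
$dependents | Start-Service

# Check: the version numbers on the group's attributes should now be far
# higher than on the other DCs until replication converges.
& repadmin.exe /showobjmeta $dc $groupDn

# The membership the question asks about, read from the restored object.
Get-ADGroupMember -Identity $groupDn -Server $dc |
    Select-Object Name, SamAccountName, objectClass
```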

Sako Paco

There is a similar question and the answer was B.
1) With an authoritative restore (of all) we recover the group and the users, but it only asks for the users’ information. It does not want to recover them.
2) The recycle bin does not provide information about the attributes of the object.

The right answer is: B. Mount the most recent Active Directory backup. Then make an authoritative restore of the group and extract information about the users of the group.

IMHO. Am I right?

Shelchek

I believe the answer is D.
We can’t use the Recycle Bin because we need the functional level to be at least Windows Server 2008 R2 or higher to activate that function.
Authoritative restore is OK, but that process will involve a shutdown of the DC, which can’t be counted as “minimum amount of administrative effort” for sure. Thus we are left with B and D. By reactivating the tombstone of Group1 we restore the group, but membership attributes will be lost. So we need to use the backup to gain information about the members of Group 1.
Of course we can look into the backup first and recover the group second, and vice versa. In that case I just make a guess that first we need to recover Group 1.

dj

Tombstoned objects are stripped of membership, so this isn’t an option.
The AD Recycle Bin can only be used when all DCs are 2008 R2 and above, so this won’t work.
Authoritative restores don’t require mounting anything; they’re done in DSRM mode and require a system state backup be restored. IMO this is different.
Mounting the backup doesn’t add anything here. You can’t restore objects from a mounted backup, only a restored one in DSRM.

dj

So I agree with the answer, A.

ricky

answer is B