Your network consists of a single Active Directory forest. The forest contains one Active Directory domain. The
domain contains eight domain controllers. The domain controllers run Windows Server 2003 SP2.
You upgrade one of the domain controllers to Windows Server 2008 R2.
You need to recommend an Active Directory recovery strategy that supports the recovery of deleted objects.
The solution must allow deleted objects to be recovered for up to one year after the date of deletion.
What should you recommend?
A.
Increase the tombstone lifetime for the forest.
B.
Increase the interval of the garbage collection process for the forest.
C.
Configure daily backups of the Windows Server 2008 R2 domain controller.
D.
Enable shadow copies of the drive that contains the Ntds.dit file on the Windows Server 2008 R2 domain
controller.
Explanation:
RESTORATION OF DELETED AD OBJECT
Authoritative Restore by using Ntdsutil from a backup taken with Windows Server Backup. It must be performed
in Directory Services Restore Mode (DSRM), i.e. the domain controller is offline for the duration. The backup must
be younger than the forest's tombstone lifetime; AD DS will not accept a backup older than that, so the useful
life of a backup equals the tombstone lifetime.
Tombstone Reanimation has been available since Windows Server 2003. Active Directory keeps deleted
objects in the database for a period of time (the tombstone lifetime, 180 days by default for forests created on
Windows Server 2003 SP1 or later, 60 days for older forests) before physically removing them. The deleted
object's distinguished name (DN) is mangled, most of the object's non-link-valued attributes are cleared, all of
the object's link-valued attributes (group memberships, for example) are physically removed, and the object is
moved to a special container in the object's naming context (NC) named Deleted Objects. The object, now called
a tombstone, is invisible to normal directory operations. A reanimated tombstone therefore comes back with
only the handful of preserved attributes (objectGUID, objectSid, sAMAccountName and a few others).
Active Directory Recycle Bin, introduced in Windows Server 2008 R2, helps minimize directory service
downtime by enhancing your ability to preserve and restore accidentally deleted Active Directory objects without
restoring Active Directory data from backups, restarting AD DS, or rebooting domain controllers. When you
enable Active Directory Recycle Bin, all link-valued and non-link-valued attributes of the deleted Active Directory
objects are preserved and the objects are restored in their entirety to the same consistent logical state that they
were in immediately before deletion. It requires the Windows Server 2008 R2 forest functional level, so every
domain controller in the forest must run Windows Server 2008 R2 or later first, and once enabled it cannot be
disabled.
The "restorable" period is determined by the Deleted Object Lifetime (the msDS-deletedObjectLifetime
attribute, null by default; when null it is treated as equal to the tombstone lifetime) and the Recycled Object
Lifetime (the tombstoneLifetime attribute, 180 by default for forests created on Windows Server 2003 SP1 or
later). Both attributes live on CN=Directory Service,CN=Windows NT,CN=Services in the Configuration partition
and apply forest-wide. These 2 values can be modified with ADSI Edit, LDP or the Active Directory Module for
Windows PowerShell. Microsoft recommends the "restorable" period should be 180 days or more.
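The procedure described above, as an added example that is not part of the original explanation: read and raise the forest-wide lifetimes, enable the Recycle Bin only when the forest functional level allows it, and restore a deleted user. It assumes the Active Directory module for Windows PowerShell, Enterprise Admin rights, and a hypothetical forest named contoso.com with a deleted user "alice"; the domain and user names are placeholders.

```powershell
# Added example, not from the original page. Assumes the AD PowerShell module
# (Windows Server 2008 R2 / RSAT), Enterprise Admin rights, and a hypothetical
# forest "contoso.com" in which the user "alice" has been deleted.
Import-Module ActiveDirectory

# tombstoneLifetime and msDS-deletedObjectLifetime live on the Directory Service
# object in the Configuration partition; both are forest-wide settings.
$dsSettings = "CN=Directory Service,CN=Windows NT,CN=Services," +
              (Get-ADRootDSE).configurationNamingContext

# 1. Read the current values. A null msDS-deletedObjectLifetime falls back to
#    tombstoneLifetime; a null tombstoneLifetime means the forest still uses the
#    pre-2003 SP1 default of 60 days.
Get-ADObject -Identity $dsSettings -Properties tombstoneLifetime, 'msDS-deletedObjectLifetime' |
    Select-Object tombstoneLifetime, 'msDS-deletedObjectLifetime'

# 2. Raise the tombstone lifetime to one year. This is also the maximum age a
#    system-state backup may have and still be usable for an authoritative
#    restore, so it matters for the backup-based strategy as well. The cost is
#    more tombstones retained in Ntds.dit on every DC.
Set-ADObject -Identity $dsSettings -Replace @{ tombstoneLifetime = 365 }

# 3. The Recycle Bin needs the Windows Server 2008 R2 forest functional level
#    (every DC upgraded first). Enabling it is irreversible, so the cmdlet's
#    confirmation prompt is deliberately left on.
$forest = Get-ADForest
$minMode = [int][Microsoft.ActiveDirectory.Management.ADForestMode]::Windows2008R2Forest
if ([int]$forest.ForestMode -ge $minMode) {
    Enable-ADOptionalFeature -Identity 'Recycle Bin Feature' `
        -Scope ForestOrConfigurationSet -Target $forest.Name
    # Deleted objects now stay fully restorable for this many days.
    Set-ADObject -Identity $dsSettings -Replace @{ 'msDS-deletedObjectLifetime' = 365 }
} else {
    Write-Warning ("Forest mode {0}: Recycle Bin unavailable; only tombstone " +
                   "reanimation or backup-based restores apply.") -f $forest.ForestMode
}

# 4. Locate the tombstone/deleted object and bring it back. sAMAccountName and
#    lastKnownParent survive on a tombstone, which is what makes this search and
#    the restore to the original container possible. With the Recycle Bin the
#    object returns intact; without it, this is a tombstone reanimation and the
#    cleared attributes (group memberships, password, description, ...) are gone.
$deleted = Get-ADObject -Filter 'isDeleted -eq $true -and sAMAccountName -eq "alice"' `
    -IncludeDeletedObjects -Properties lastKnownParent, whenChanged
$deleted | Format-List Name, lastKnownParent, whenChanged

# Restore-ADObject requires the original parent container to exist; restore a
# deleted parent OU first (or use -TargetPath) if it was removed too.
$deleted | Restore-ADObject
```

Run step 1 before changing anything and record the output: a forest that reports a null tombstoneLifetime is still on the 60-day default, and any backup older than that is already unusable for an authoritative restore regardless of what step 2 sets afterwards.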
Correct answer is C. AD Recycle Bin is only possible with a functional level of 2008 R2. This clearly states that only one of the 8 DCs may be upgraded to 2k8r2. Given these parameters, only daily backups can achieve the object recovery objective of a year. In an AD without Recycle Bin, restoring deleted objects from the Deleted Objects container is not considered viable since much of the object's metadata will be lost.
I do not agree with you Blah:
Revise this:
"The 'restorable' period is determined by Deleted Object Lifetime (determined by msDS-deletedObjectLifetime attribute, null by default) and Recycled Object Lifetime (determined by tombstoneLifetime attribute, 180 by default in Windows Server 2003 SP1 or later). These 2 values can be modified by ADSI Edit, LDP and Active Directory Module for Windows PowerShell."