You need to recover Group1 and identify the names of the users who were members of Group1 prior to its deletion

Your network contains an Active Directory domain named contoso.com. The domain contains
domain controllers that run Windows Server 2008, Windows Server 2008 R2, Windows Server 2012,
and Windows Server 2012 R2.
A domain controller named DC1 runs Windows Server 2012 R2. DC1 is backed up daily.
During routine maintenance, you delete a group named Group1.
You need to recover Group1 and identify the names of the users who were members of Group1
prior to its deletion. You want to achieve this goal by using the minimum amount of administrative
effort.
What should you do first?

A.
Perform an authoritative restore of Group1.

B.
Mount the most recent Active Directory backup.

C.
Use the Recycle Bin to restore Group1.

D.
Reactivate the tombstone of Group1.

Explanation:
The Active Directory Recycle Bin does not track simple changes to objects. If the object itself is
not deleted, nothing is moved to the Recycle Bin for possible recovery later. In other words, there
is no rollback capability for changes to object properties, that is, to the values of those properties.
There is another approach you should be aware of. Tombstone reanimation (which has nothing to
do with zombies) provides the only way to recover deleted objects without taking a DC offline, and
it’s the only way to recover a deleted object’s identity information, such as its objectGUID and
objectSid attributes. It neatly solves the problem of recreating a deleted user or group and having to
fix up all the old access control list (ACL) references, which contain the objectSid of the deleted
object.
An authoritative restore restores domain controllers to a specific point in time, and marks objects
in Active Directory as being authoritative with respect to their replication partners.
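The checks and recovery steps discussed above, as an added PowerShell example (not part of the original page). It assumes DC1 and contoso.com from the question; the LDAP port 10389, the snapshot path and the forest's actual state are placeholders and assumptions.

```powershell
# Added example, not from the original page. DC1 / contoso.com come from the
# question; port 10389 and the snapshot path are placeholders.
Import-Module ActiveDirectory

# 1. Can the Recycle Bin be used at all? It needs forest functional level
#    Windows Server 2008 R2 and must be explicitly enabled.
(Get-ADForest).ForestMode
Get-ADOptionalFeature -Filter 'name -like "Recycle Bin Feature"' |
    Select-Object Name, EnabledScopes

# 2. Locate the tombstoned Group1. Without the Recycle Bin the tombstone keeps
#    objectSid/objectGUID but strips linked attributes, so 'member' is empty.
$tomb = Get-ADObject -Filter 'isDeleted -eq $true -and name -like "Group1*"' `
    -IncludeDeletedObjects -Properties objectSid, lastKnownParent, member
$tomb | Select-Object Name, ObjectGUID, objectSid, lastKnownParent,
    @{ n = 'MemberCount'; e = { @($_.member).Count } }

# 3. Read the membership as it existed in the most recent backup by mounting
#    the backup/snapshot as a read-only LDAP instance (no DSRM reboot).
#    Run these on DC1 first (snapshot index and path are placeholders):
#      ntdsutil "activate instance ntds" snapshot "list all" "mount 1" quit quit
#      dsamain -dbpath "C:\$SNAP_<date>_VOLUMEC$\Windows\NTDS\ntds.dit" -ldapport 10389
$root = New-Object System.DirectoryServices.DirectoryEntry(
    'LDAP://DC1:10389/DC=contoso,DC=com')
$searcher = New-Object System.DirectoryServices.DirectorySearcher(
    $root, '(&(objectClass=group)(cn=Group1))')
[void]$searcher.PropertiesToLoad.Add('member')
$backupGroup = $searcher.FindOne()
# Member DNs as of the backup; changes made after the backup are not visible here.
$membersAtBackup = @($backupGroup.Properties['member'])
$membersAtBackup

# 4. Reanimating the tombstone keeps the original SID (existing ACLs still
#    resolve) but, with no Recycle Bin, membership must be re-added from step 3.
# Restore-ADObject -Identity $tomb.ObjectGUID
# Add-ADGroupMember -Identity 'Group1' -Members (
#     $membersAtBackup | ForEach-Object { Get-ADUser -Identity $_ })
```

Steps 3 and 4 are shown commented or read-only so the block can be reviewed before anything is written back to the directory.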




Bas

Correct answer=B

dj

Bas: your solution implies the group wasn’t changed after the last backup and before it was deleted. Consider the situation where the group was changed multiple times after it was last backed up and before it was accidentally deleted. Restoring from backups wouldn’t solve the problem. You would just be restoring a previous copy of the group, not the group exactly as it was before it was deleted.

I would say the answer would be to use the recycle bin, but a requirement of AD recycle bin is all DCs must be 2008 R2 or later, so the only answer left is to reanimate the tombstoned object, or D, even though it’s a crap ton of work!

Final Answer: D

Bas

@DJ: You want to achieve this goal by using the minimum amount of administrative effort.

pikapoka

OK, this one took way too much of my precious time but the way I see it is…..

An authoritative restore process returns a designated, deleted Active Directory object or container of objects to its pre-deletion state at the time when it was backed up.

In our scenario Group1 was deleted during the maintenance. We are asked to recover Group1 and identify the names of the users who were members of Group1 prior to its deletion.

IMHO, answer A would be the right approach. One of the reasons why I think mounting the most recent AD backup (answer B) is not necessary is the wording “MOST RECENT”.

B – Mount the most recent Active Directory backup:
Mounting the backup before doing an authoritative restore would be an option if we did not know exactly when the object was deleted (yesterday, last week, 10 days ago…). Using the mounting tool can improve recovery processes by providing a means to compare data as it exists in snapshots or backups that are taken at different times, so that you can better decide which data to restore after data loss. This eliminates the need to restore multiple backups to compare the Active Directory data that they contain. When inadvertent deletions or modifications occur, you can use a snapshot to compare the data in the current directory against data in the snapshot.
NOT applicable as there are DCs running WS 2008
D – Reactivate the tombstone of Group1 –> not really useful as it doesn’t recover group membership

My answer is: A

Gökhan MERT

Recover is not restore. Therefore => B.
A requires the most admin effort…. reboot, restore AD backup, auth restore….
With mounting the AD backup, you don’t need to restart in DSRM mode…

explanation

The answer has to be A. Since there are 2008 DC(s), the Recycle Bin is not even an option (the functional level must be at least 2008 R2). https://technet.microsoft.com/en-us/library/dd392261(v=ws.10).aspx

Reactivating the tombstone is an option for restoring the group itself, but it will not restore any membership links, only the object itself.

Snapshots aren’t like backups, which we can simply use to restore to a previous version; snapshots provide the information of AD at the point they were taken. While this could be used to get the group memberships, it would not be able to restore the deleted group (you could recreate the group and use its old memberships, but the SID would be different now and it’s not an actual restore).

Now you’re left with one option, an authoritative restore.

Fung

Neither tombstone nor AD recycle bin will recover membership. Has to be A