Restore AD from backup

To restore AD this way, Windows Server Backup needs to be running full backups of the drive that holds the NTDS.dit file on the DC.

To browse the backups/NTDS snapshots:

ntdsutil
activate instance ntds
snapshot
list all

Identify the backup and copy the GUID to be mounted:

snapshot: mount {GUID}

You can browse the mounted snapshot and copy things from it if needed. You can also mount the NTDS database within it as a separate, read-only LDAP instance.

Note the path of the NTDS.dit file within the snapshot for the next part:

dsamain -dbpath c:\$SNAP_465746_VOLUME_C$\windows\ntds\ntds.dit -ldapport 5000

From dsa.msc you can now "Change Domain Controller" and connect to do.contoso.local:5000 to browse the mounted AD database.

To unmount:

snapshot: unmount {GUID}
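Browsing the mounted database in dsa.msc is fine for one object; to find out what changed since the backup it is quicker to diff the snapshot against the live directory. The following is an added example, not part of the original notes; it assumes dsamain is serving the snapshot on dc01.contoso.local:5000 (placeholder host), that the ActiveDirectory module is installed, and that the domain is DC=contoso,DC=local.

```powershell
# Added example: compare the snapshot served by dsamain (port 5000) with the live
# directory to list user objects that existed at backup time but are gone now,
# plus objects that were moved or renamed since the backup.
# dc01.contoso.local and DC=contoso,DC=local are placeholders.
Import-Module ActiveDirectory

$SnapshotServer = "dc01.contoso.local:5000"   # dsamain instance from the snapshot
$LiveServer     = "dc01.contoso.local"        # live DC, default LDAP port
$SearchBase     = "DC=contoso,DC=local"

# Key both result sets by objectGUID, which survives renames and moves,
# so a renamed account is not mistaken for a deleted one.
$snap = @{}
Get-ADUser -Server $SnapshotServer -SearchBase $SearchBase -Filter * |
    ForEach-Object { $snap[$_.ObjectGUID.ToString()] = $_ }

$live = @{}
Get-ADUser -Server $LiveServer -SearchBase $SearchBase -Filter * |
    ForEach-Object { $live[$_.ObjectGUID.ToString()] = $_ }

# Present in the snapshot, missing live: candidates for an authoritative restore.
$missing = @($snap.Keys | Where-Object { -not $live.ContainsKey($_) } |
             ForEach-Object { $snap[$_] })

# Present in both, but the DN differs: moved or renamed since the backup.
$moved = @($snap.Keys |
    Where-Object { $live.ContainsKey($_) -and
                   $live[$_].DistinguishedName -ne $snap[$_].DistinguishedName } |
    ForEach-Object {
        [pscustomobject]@{
            SamAccountName = $snap[$_].SamAccountName
            SnapshotDN     = $snap[$_].DistinguishedName
            LiveDN         = $live[$_].DistinguishedName
        }
    })

"Users in snapshot but not live: $($missing.Count)"
$missing | Select-Object SamAccountName, DistinguishedName | Format-Table -AutoSize
"Users moved or renamed since the backup: $($moved.Count)"
$moved | Format-Table -AutoSize

# Keep the DN list: it is the input for the 'restore subtree' / 'restore object'
# step in ntdsutil if an authoritative restore turns out to be needed.
$missing | ForEach-Object { $_.DistinguishedName } |
    Set-Content -Path "C:\Temp\missing-users.txt"
```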

 

Restore AD from directory service recovery mode

If an OU, user, group or any other object is deleted from AD, you will need to perform an authoritative restore by rebooting into DSRM:

bcdedit /set safeboot dsrepair

shutdown /r /t 0

The server reboots into DSRM. To identify the backup again, run:

wbadmin get versions

Copy the version identifier (mm/dd/yyyy-hh:mm, as in the example below).

Run a non-authoritative restore:

wbadmin start systemstaterecovery -version:03/24/2015-18:22

Run an authoritative restore (still in DSRM, before rebooting normally):

ntdsutil
activate instance ntds
authoritative restore
restore subtree "ou=test,dc=contoso,dc=local"

Reset the boot method:

bcdedit /deletevalue safeboot

shutdown /r /t 0

Restore AD Objects

  • To enable Active Directory Recycle Bin using the Enable-ADOptionalFeature cmdlet
    Click Start, click Administrative Tools, right-click Active Directory Module for Windows PowerShell, and then click Run as administrator.
    Below is a sample for enabling it for domain.com:
    Enable-ADOptionalFeature -Identity "CN=Recycle Bin Feature,CN=Optional Features,CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=domain,DC=com" -Scope ForestOrConfigurationSet -Target domain.com

    Once you have the Recycle Bin for Active Directory enabled you will have to use LDP.exe to restore. By default the container with the deleted objects is not displayed. The following steps will allow you to see the container with the deleted objects.

    To display the Deleted Objects container
    1. To open Ldp.exe, click Start, click Run, and then type ldp.exe.
    2. On the Options menu, click Controls.
    3. In the Controls dialog box, expand the Load Predefined pull-down menu, click Return deleted objects, and then click OK.
    4. To verify that the Deleted Objects container is displayed:
      1. To connect and bind to the server that hosts the forest root domain of your AD DS environment, under Connections, click Connect, and then Bind.
      2. Click View, click Tree, and in BaseDN, type DC=<mydomain>,DC=<com>, where <mydomain> and <com> represent the appropriate forest root domain name of your AD DS environment.
      3. In the console tree, double-click the root distinguished name (also known as DN) and locate the CN=Deleted Objects,DC=<mydomain>,DC=<com> container, where <mydomain> and <com> represent the appropriate forest root domain name of your AD DS environment.

    Once you have enabled the container to be displayed, you can restore deleted objects from Active Directory. Below are the steps to recover a single item from the Recycle Bin using LDP.exe.

    To restore a deleted Active Directory object using Ldp.exe
    1. Open Ldp.exe from an elevated command prompt. Open a command prompt (Cmd.exe) as an administrator. To open a command prompt as an administrator, click Start. In Start Search, type Command Prompt. At the top of the Start menu, right-click Command Prompt, and then click Run as administrator. If the User Account Control dialog box appears, enter the appropriate credentials (if requested), confirm that the action it displays is what you want, and then click Continue.
    2. To connect and bind to the server that hosts the forest root domain of your AD DS environment, under Connections, click Connect, and then click Bind.
    3. On the Options menu, click Controls.
    4. In the Controls dialog box, expand the Load Predefined drop-down list, click Return Deleted Objects, and then click OK.
    5. In the console tree, navigate to the CN=Deleted Objects container.
    6. Locate and right-click the deleted Active Directory object that you want to restore, and then click Modify.
    7. In the Modify dialog box:
      1. In Edit Entry Attribute, type isDeleted.
      2. Leave the Values box empty.
      3. Under Operation, click Delete, and then click Enter.
      4. In Edit Entry Attribute, type distinguishedName.
      5. In Values, type the original distinguished name (also known as DN) of this Active Directory object.
      6. Under Operation, click Replace.
      7. Make sure that the Extended check box is selected, click Enter, and then click Run.
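The LDP.exe steps above restore one object at a time, and they fail for a child whose parent is still deleted. With the Recycle Bin enabled, the same restore can be scripted with Restore-ADObject; the following is an added example, not from the notes above, that restores a deleted OU and then everything that used to live beneath it, parent first. It assumes the Recycle Bin is enabled, the OU was named "Test" directly under DC=contoso,DC=local, and that the ActiveDirectory module is installed (all placeholders).

```powershell
# Added example: restore a deleted OU and its former contents in parent-first order.
# "Test" and DC=contoso,DC=local are placeholders for the OU name and the domain.
Import-Module ActiveDirectory

$Domain         = "DC=contoso,DC=local"
$DeletedObjects = "CN=Deleted Objects,$Domain"
$DeletedOuRdn   = "Test"

function Get-DeletedChildren {
    # Deleted objects keep lastKnownParent = the DN of their parent at deletion
    # time, so the former children of a DN can be found without knowing their names.
    param([string] $ParentDn)
    Get-ADObject -SearchBase $DeletedObjects -IncludeDeletedObjects `
        -Filter "isDeleted -eq `$true -and lastKnownParent -eq '$ParentDn'" `
        -Properties lastKnownParent, msDS-LastKnownRDN
}

function Restore-DeletedTree {
    # Restore-ADObject refuses to restore an object whose parent is still deleted,
    # so the parent is restored first and the recursion follows the old hierarchy.
    param($Object)
    Restore-ADObject -Identity $Object.ObjectGUID
    $restoredDn = (Get-ADObject -Identity $Object.ObjectGUID).DistinguishedName
    "restored $restoredDn"
    foreach ($child in Get-DeletedChildren -ParentDn $restoredDn) {
        Restore-DeletedTree -Object $child
    }
}

# Locate the deleted OU by its original RDN (msDS-LastKnownRDN) and original parent,
# not by the mangled "Test\0ADEL:<guid>" name it carries in Deleted Objects.
$ou = @(Get-ADObject -SearchBase $DeletedObjects -IncludeDeletedObjects `
        -Filter "isDeleted -eq `$true -and objectClass -eq 'organizationalUnit' -and Name -like '$DeletedOuRdn*'" `
        -Properties lastKnownParent, msDS-LastKnownRDN |
      Where-Object { $_.'msDS-LastKnownRDN' -eq $DeletedOuRdn -and $_.lastKnownParent -eq $Domain })

if ($ou.Count -eq 0) { throw "No deleted OU '$DeletedOuRdn' under $Domain was found." }
if ($ou.Count -gt 1) { throw "More than one deleted OU matches; pick one by ObjectGUID." }

Restore-DeletedTree -Object $ou[0]
```

Objects deleted longer ago than the deleted-object lifetime are no longer in the Recycle Bin, and for those the authoritative restore from backup described above is the only option.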

Active Directory Compaction Script

Compaction Script


@ECHO OFF
REM Offline defragmentation of the AD database. Run from an elevated prompt on the DC.
REM AD DS is stopped for the duration, so this DC serves no clients until the end.
ECHO To compact the NTDS.dit file for this domain
ECHO controller ensure you have the following
ECHO folders set up on the c:\
ECHO.
ECHO C:\Temp
ECHO C:\OriginalNTDS
ECHO.
pause
REM Clear leftovers from a previous run
del C:\temp\*.dit
del C:\originalntds\*.dit
REM Stop AD DS (and its dependent services) so the database can be worked on offline
net stop ntds /y
REM Write a compacted copy of the database to C:\temp; the live file is not touched yet
ntdsutil "activate instance NTDS" files "compact to C:\temp" quit quit
REM Do not replace the live database if the compaction did not produce a file
if not exist C:\temp\ntds.dit (
    ECHO Compaction failed, the live database was not changed.
    net start ntds
    pause
    goto :eof
)
cd \windows\ntds
REM Remove the transaction logs; they belong to the old, uncompacted database
del *.log
REM Keep the original database so it can be put back if the integrity check fails
copy ntds.dit \originalntds
del ntds.dit
copy c:\temp\ntds.dit
REM Check the compacted database before bringing AD DS back up
ntdsutil "activate instance NTDS" files integrity quit "semantic database analysis" "go fixup" quit quit
ECHO To restart the AD DS press enter.
pause
net start ntds
ECHO Compacting Finished.
pause

Bulk Active Directory Import

CSVDE -i -f c:\users.csv

To loop a dsmod command over a list of users (run from a cmd prompt; inside a batch file write %%i instead of %i):

for /f "Tokens=*" %i in (c:\5000users.csv) do dsmod user %i -pwd Pa$$w0rD -disabled no

Creating users in Bulk with PowerShell

Finding Commands

Get-Command *AD*

New-ADUser
Remove-ADUser

New-ADUser -Path "ou=User Accounts,dc=contoso,dc=com" -Name "Mary North" `
    -SAMAccountName "mary.north" -UserPrincipalName "[email protected]" `
    -EmailAddress "[email protected]" -GivenName "Mary" -Surname "North" `
    -Description "Sales Representative in Australia" `
    -Company "Contoso, Ltd." -Department "Sales" `
    -Office "Sydney"

Password Set

Add these parameters to the New-ADUser command above to set an initial password and enable the account (single quotes matter: in a double-quoted string PowerShell expands $$ as a variable):

    -AccountPassword (ConvertTo-SecureString -AsPlainText 'Pa$$w0rd' -Force) `
    -ChangePasswordAtLogon $true -Enabled $true

Piped command

Get-ADUser "mary.north" | Set-ADUser -DisplayName "North, Mary"

Variable Command

$user = Get-ADUser "mary.north"
Set-ADUser $user -EmployeeNumber 12345


IMPORT FROM CSV

$UserList = Import-Csv c:\users\administrator\documents\newusers.csv

# Step through Each Item in the List
FOREACH ($Person in $UserList) {

    # Build Username
    $Username = $Person.Username

    # Build Password from Firstname and Lastname
    $Password = $Person.Firstname + $Person.Lastname

    # Build the Displayname
    $Name = $Person.Firstname + " " + $Person.Lastname

    # Build and define Domain name
    $Domain = "@teamrou.com"

    # Build User Principal Name
    $UPN = $Username + $Domain

    # Build and define Home Directory path
    # (PowerShell does not expand %username%, so the variable is used instead)
    $HDrive = "\\Shares\$Username\"

    # Build and define which Organizational Unit to create User inside
    $OU = "OU=test,DC=yourdomainhere,DC=com"

    # Create Account in Active Directory (AND HERE...WE...GO!)
    New-ADUser -Name $Name -GivenName $Person.Firstname -Surname $Person.Lastname -DisplayName $Name -SamAccountName $Username -HomeDrive "H:" -HomeDirectory $HDrive -UserPrincipalName $UPN -Path $OU

    # Set Password
    Set-ADAccountPassword -Identity $Username -NewPassword (ConvertTo-SecureString -AsPlainText $Password -Force)

    # Add User to Security Groups
    Add-ADPrincipalGroupMembership -Identity $Username -MemberOf "Sales","Test"

    # Enable Account
    Enable-ADAccount -Identity $Username
}
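The script above derives each initial password from the first and last name, which anyone with the CSV (or the GAL) can guess, and it creates every account enabled without forcing a password change. The following is an added variant, not the script from the notes, that gives each account a random initial password, forces a change at first logon, skips usernames that already exist and records the outcome per row. The CSV columns Username, Firstname and Lastname, the domain, the OU and the groups are placeholders.

```powershell
# Added example: bulk user creation with random initial passwords and per-row results.
# CSV columns, @contoso.com, the OU and the group names are placeholders.
Import-Module ActiveDirectory

$CsvPath = "C:\Users\Administrator\Documents\newusers.csv"
$Domain  = "@contoso.com"
$OU      = "OU=test,DC=contoso,DC=com"
$Groups  = "Sales", "Test"

function New-RandomPassword {
    # 16 characters from a 64-symbol alphabet (look-alikes l, I, o, O, 0, 1 removed);
    # bytes come from the OS RNG, and 256 % 64 == 0 so the modulo is unbiased.
    param([int] $Length = 16)
    $alphabet = [char[]]'abcdefghijkmnpqrstuvwxyzABCDEFGHJKLMNPQRSTUVWXYZ23456789!#%&*+=?'
    $bytes = New-Object byte[] $Length
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    -join ($bytes | ForEach-Object { $alphabet[$_ % $alphabet.Length] })
}

$results = foreach ($Person in Import-Csv -Path $CsvPath) {
    $Username = $Person.Username
    if (Get-ADUser -Filter "SamAccountName -eq '$Username'") {
        [pscustomobject]@{ Username = $Username; Status = "exists, skipped"; InitialPassword = $null }
        continue
    }
    $Password = New-RandomPassword
    try {
        # Password, forced change and enablement are set in the same call, so the
        # account is never enabled with no password or with a predictable one.
        New-ADUser -Name "$($Person.Firstname) $($Person.Lastname)" -GivenName $Person.Firstname `
            -Surname $Person.Lastname -SamAccountName $Username -UserPrincipalName "$Username$Domain" `
            -HomeDrive "H:" -HomeDirectory "\\Shares\$Username" -Path $OU `
            -AccountPassword (ConvertTo-SecureString -AsPlainText $Password -Force) `
            -ChangePasswordAtLogon $true -Enabled $true -ErrorAction Stop
        Add-ADPrincipalGroupMembership -Identity $Username -MemberOf $Groups -ErrorAction Stop
        [pscustomobject]@{ Username = $Username; Status = "created"; InitialPassword = $Password }
    } catch {
        [pscustomobject]@{ Username = $Username; Status = "failed: $($_.Exception.Message)"; InitialPassword = $null }
    }
}

# The result file holds the initial passwords: keep it on the admin workstation,
# restrict its ACL, and delete it once the passwords have been handed out.
$results | Export-Csv -Path "C:\Temp\newusers-result.csv" -NoTypeInformation
$results | Select-Object Username, Status | Format-Table -AutoSize
```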