I've seen third party "recovery" consoles that mimic tombstone reanimation. They do this by maintaining a recent copy of all the attributes of all user/group objects. As far as specific products, why not try something simple like making an LDIFDE or CSVDE dump of your user and group objects part of a nightly system state backup? The biggest issue with recovering SIDs is making sure your tombstone lifetime is sufficiently long to cover a deletion that occurred "a long time ago".

----- Original Message -----
From: "Shawn Hayes" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, December 03, 2004 2:01 PM
Subject: [ActiveDir] Restore AD
Why is it that MS hasn't added a deleted Security Principal retention for AD much like Exchange Server's deleted mailbox retention? Wouldn't that greatly simplify recovering from small mishaps? I am not talking about the tombstone feature with Windows 2003 AD where you still have to manually recover Group Membership when recovering an account, but something actually intelligent and useful that would restore Group Membership when restoring accounts. Shit, recover a Group from Deleted Security Principal retention and have it add the back links to the memberof attribute of the users that were members of the Group before the Group was deleted. Recover an OU and it restores Security Principals and Members and Memberof attributes of all Security Principals within the OU. Anybody heard of something like this coming down the pike?
Shawn Hayes
MCSE (2003, 2000, NT) Messaging
Systems Engineer
City of Virginia Beach
(757) 219-2057
List info   : http://www.activedir.org/mail_list.htm
List FAQ    : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
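As an added illustration of the nightly LDIFDE dump suggested in the reply (this is not code from the thread or from any product), the Python below reads such an export and answers the two questions Shawn raises: who a group contained before it was deleted (the group's own `member` forward links, which survive in the dump even after the users' `memberOf` back links are gone) and which groups a restored user belonged to. The LDIF text, DNs and objectSid are constructed sample data.

```python
import base64
from collections import defaultdict

# Constructed stand-in for a nightly `ldifde` export of users and groups
# (made-up DNs and SID, not a real dump). It includes a folded `member`
# value (continuation line begins with one space) and a base64 `::` objectSid.
SAMPLE_LDIF = """\
dn: CN=Domain Admins,CN=Users,DC=corp,DC=example
sAMAccountName: Domain Admins
member: CN=Alice Adams,OU=Staff,DC=corp,DC=example
member: CN=Bob Brown,OU=Staff,
 DC=corp,DC=example

dn: CN=Alice Adams,OU=Staff,DC=corp,DC=example
sAMAccountName: aadams
objectSid:: AQUAAAAAAAUVAAAAAQIDBAUGBwgJCgsM9AEAAA==
"""


def parse_ldif(text):
    """Return {dn: {attr: [values]}} for each record in an LDIF dump."""
    records, current = {}, defaultdict(list)
    # Unfold continuation lines, then walk records separated by blank lines.
    for line in text.replace("\n ", "").splitlines() + [""]:
        if not line:
            if "dn" in current:
                records[current["dn"][0]] = dict(current)
            current = defaultdict(list)
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):  # "attr:: <base64>" -> raw bytes
            current[name].append(base64.b64decode(value[1:].strip()))
        else:
            current[name].append(value.strip())
    return records


def sid_to_string(sid):
    """Render a binary objectSid as S-<revision>-<authority>-<subauthorities>."""
    authority = int.from_bytes(sid[2:8], "big")
    subs = [int.from_bytes(sid[8 + 4 * i:12 + 4 * i], "little") for i in range(sid[1])]
    return "S-%d-%d-%s" % (sid[0], authority, "-".join(map(str, subs)))


def members_of(records, group_dn):
    """Forward link as exported: the group's members before it was deleted."""
    return records.get(group_dn, {}).get("member", [])


def groups_of(records, user_dn):
    """Rebuild a user's memberOf (a back link) from every group's member list."""
    return sorted(dn for dn, a in records.items() if user_dn in a.get("member", []))
```

Keeping the decoded objectSid alongside the DN lets you confirm that a reanimated object is the same principal the dump describes before re-adding memberships.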