Restore deleted computer active directory

​Restoring a deleted Active Directory (AD) object is a critical operation in any Windows Server environment. Active Directory is the backbone of many organizations, managing user accounts, computers, and other networked resources. A deletion in Active Directory can have serious consequences, from lost access to resources to wider disruptions across your network. When AD objects, such as users, groups, or organizational units (OUs), are deleted, it’s important to restore them as quickly as possible to minimize downtime and prevent further complications. 

1. Active Directory Deletions

Before we dive into the recovery methods, it’s important to understand the mechanisms of Active Directory deletions.

Active Directory is a hierarchical database used to store objects like user accounts, groups, computers, and shared resources. These objects reside in containers known as Organizational Units (OUs) and are typically managed through the AD Administrative Center or via PowerShell commands.

When you delete an object in Active Directory, it is not immediately erased from the directory. Instead, it is placed into a “deleted objects” container. However, depending on the configuration of your Active Directory environment, the deleted object may eventually be purged after a specific retention period or tombstone lifetime.

2. Types of Deletions in Active Directory

There are two main types of deletions you might encounter in Active Directory:

a) Soft Deletion:

Soft deletion occurs when an object is deleted but not yet permanently removed from the Active Directory database. This typically happens when the object is moved to the Deleted Objects container and is flagged for removal. In most cases, soft deletions can be restored without significant issues.

b) Hard Deletion:

Hard deletion occurs when the object is completely removed from the database and is no longer recoverable through typical methods. This can happen when the object has been purged from the Deleted Objects container or the tombstone lifetime expires. Restoring hard-deleted objects often requires advanced techniques like using backups or leveraging the authoritative restore process.

3. Methods to Restore Deleted Active Directory Objects

There are several methods available for restoring deleted Active Directory objects, depending on your environment and the tools at your disposal.

a) Using Active Directory Recycle Bin (Recommended Method)

Since Windows Server 2008 R2. Microsoft has introduced the Active Directory Recycle Bin, a feature designed to simplify the restoration of deleted AD objects. If the Recycle Bin is enabled in your domain, deleted objects are preserved in a “tombstone” state for 180 days by default, allowing for easier recovery.

Steps to Restore Objects from Active Directory Recycle Bin:

Enable the Active Directory Recycle Bin (If Not Already Enabled):

Open the Active Directory Administrative Center (ADAC).

In the left pane, right-click the domain name and choose Enable Recycle Bin.

This action requires the forest functional level to be at least Windows Server 2008 R2.

Find the Deleted Object:

In ADAC, select Deleted Objects from the navigation tree.

Use the search feature to find the deleted object you wish to restore.

Restore the Deleted Object:

Right-click the object and select Restore to restore it to its original location.

If needed, you can move the object to a different location in the AD structure.

Verify Restoration:

Confirm that the object has been restored by browsing to its original location in the AD structure.

b) Using PowerShell to Restore Deleted Objects

PowerShell provides a powerful interface for managing Active Directory, including restoring deleted objects.

Steps to Restore Deleted Objects Using PowerShell:

Check if Recycle Bin is Enabled:

powershell

Get-ADOptionalFeature -Filter ‘Name -like “Recycle Bin Feature”‘ | ft Name, Enabled

Search for Deleted Objects:

powershell

Get-ADObject -Filter ‘isDeleted -eq $true’ -IncludeDeletedObjects -Properties * | ft Name, ObjectClass, DistinguishedName

Restore a Specific Object:

powershell

Restore-ADObject -Identity “CN=John Doe,CN=Deleted Objects,DC=example,DC=com”

Verify the Restoration:

powershell

Get-ADUser -Identity “John Doe”

This method can be used to restore individual objects (users, groups, OUs) that have been deleted and are still within the Recycle Bin retention period.

c) Using Authoritative Restore (For Domain Controllers)

If the Active Directory Recycle Bin is not enabled, or if the tombstone lifetime has expired, you might need to perform an authoritative restore of your AD objects using backups. This method requires access to a backup of your domain controller’s system state.

Steps to Perform an Authoritative Restore:

Boot into Directory Services Restore Mode (DSRM):

Restart the domain controller and press F8 during boot to enter Directory Services Restore Mode.

Restore the System State Backup:

Use Windows Server Backup or a third-party tool to restore the system state from a backup.

Mark the Object as Authoritative:

After restoring the backup, open a Command Prompt with Administrator privileges.

Run the following command to mark the object as authoritative:

cmd

ntdsutil.exe ntdsutil: authoritative restore authoritative restore: restore object CN=John Doe,CN=Users,DC=example,DC=com

Reboot the Domain Controller:

After performing the authoritative restore, restart the domain controller.

Verify Restoration:

Confirm that the object has been restored by checking the AD structure and attempting to access the object.

d) Using Backup (Non-Authoritative Restore)

If an authoritative restore is not needed, you can also restore AD objects by performing a non-authoritative restore from a backup. This is suitable when you need to restore the entire domain or several objects that were deleted in the past.

Restore the Domain Controller from Backup:

Use Windows Server Backup or another backup solution to restore the domain controller’s system state.

Check the AD for Missing Objects:

After restoration, check the Active Directory structure for the missing objects.

Run the repadmin Command:

To force replication and update all domain controllers with the restored objects, run:

powershell

repadmin /syncall /AdeP

Verify the Restoration:

Check if the deleted objects have been restored and replicated to all domain controllers.

4. Best Practices for Preventing Active Directory Deletions

While it’s essential to know how to restore deleted objects, it’s even better to put measures in place to prevent accidental or malicious deletions in the first place.

Enable Active Directory Recycle Bin: Always ensure that the Active Directory Recycle Bin is enabled in your domain to take advantage of the easy restoration process.

Set Up Proper Permissions: Limit who has the ability to delete objects within Active Directory. Use role-based access control (RBAC) to restrict administrative access to only those who need it.

Regular Backups: Implement a robust backup strategy for Active Directory. This should include regular system state backups of your domain controllers.

Audit AD Activity: Enable auditing to track who deletes objects and when. This can help identify accidental or unauthorized deletions.

Test Restoration Procedures: Regularly test your AD recovery procedures to ensure they will work in case of an emergency.