1. Modify your AD Schema so that the password and SID History attributes are kept in the object’s tombstone. This means that the Password and SID History attributes will already be present on the tombstone should you need to restore the object later. Things to note:
a. Only objects deleted after the schema modification will keep these attributes on the tombstone.
b. To make this change simple, we provide the “Password and SIDHistory Recoverability Tool”, which modifies your Schema for you without the risk of a mistake. The same tool can also reverse the change, should you change your mind in the future.
2. Restore objects using Recovery Manager’s Restore Agent (the “Agent Method”). The RMAD Restore Agent writes these attributes from your backup file directly to the AD database. This allows you to restore these critical attributes when needed without modifying your schema; however, this direct write to the AD database is what Microsoft’s KB article references.
a. We feel it is important to note that this feature has been widely used in RMAD since Windows 2000, and no AD corruption issue has ever been reported from using the Restore Agent.
3. If your forest is at the Windows Server 2008 R2 forest functional level, enable the AD Recycle Bin. RMAD then re-animates objects from the recycle bin, which automatically retains all object attributes, including Password and SIDHistory. Things to note:
a. Only objects deleted after you enable the recycle bin will contain all attributes. For more information: https://support.quest.com/SolutionDetail.aspx?id=SOL89040
b. Also, enabling the recycle bin can significantly increase the size of your AD database over time, depending on how many objects you delete/recycle.
Agent Method:
• Installs agent on DC prior to action
• Directly writes to AD Database
• Uninstalls agent after completion
Agentless method (tombstone reanimation):
• Tombstone Reanimation interface to undelete object
• LDAP API and ADSI to restore attributes not stored in the tombstone (depending on the schema version)
To preserve and restore SID History in tombstones, modify the searchFlags attribute value for the SID-History (sIDHistory) schema object.
To preserve and restore passwords in tombstones, modify the searchFlags attribute value for the following password-related schema objects:
• Unicode-Pwd (unicodePwd)
• DBCS-Pwd (dBCSPwd)
• Supplemental-Credentials (supplementalCredentials)
• Lm-Pwd-History (lmPwdHistory)
• Nt-Pwd-History (nTPwdHistory)
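As an added example (this is not the Quest tool described above, nor the project's own code), the following PowerShell shows what the schema change amounts to: it audits the searchFlags value of the six schema attributes and, only when run with -Apply, sets the preserve-on-delete bit. It assumes the RSAT ActiveDirectory module and a Schema Admins session against the schema master.

```powershell
# Added example, not Quest's tool: audit (and optionally set) the
# "preserve on delete" bit of searchFlags on the schema attributes listed above.
# Assumes the ActiveDirectory (RSAT) module and Schema Admins rights on the
# schema master; without -Apply the script only reports the current state.
param([switch]$Apply)
Import-Module ActiveDirectory

# searchFlags bit 0x8 (fPRESERVEONDELETE) keeps the attribute on the tombstone.
$PreserveOnDelete = 0x8
$Attributes = 'sIDHistory', 'unicodePwd', 'dBCSPwd', 'supplementalCredentials',
              'lmPwdHistory', 'nTPwdHistory'

$schemaMaster = (Get-ADForest).SchemaMaster
$schemaNC     = (Get-ADRootDSE -Server $schemaMaster).schemaNamingContext

foreach ($ldapName in $Attributes) {
    # Look up the attributeSchema object by its LDAP display name.
    $attr = Get-ADObject -Server $schemaMaster -SearchBase $schemaNC `
        -LDAPFilter "(&(objectClass=attributeSchema)(lDAPDisplayName=$ldapName))" `
        -Properties searchFlags
    if (-not $attr) { Write-Warning "$ldapName not found in schema"; continue }

    $current   = [int]$attr.searchFlags
    $preserved = ($current -band $PreserveOnDelete) -ne 0
    '{0,-25} searchFlags={1,-5} preservedInTombstone={2}' -f $ldapName, $current, $preserved

    if ($Apply -and -not $preserved) {
        # -bor adds only this bit; other searchFlags bits (indexing, confidentiality) are kept.
        Set-ADObject -Server $schemaMaster -Identity $attr.DistinguishedName `
            -Replace @{ searchFlags = ($current -bor $PreserveOnDelete) }
        Write-Host "Set preserve-on-delete on $ldapName (affects objects deleted from now on only)"
    }
}
```

To reverse the change, clear the same bit (`$current -band (-bnot $PreserveOnDelete)`) with the same Set-ADObject call.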
The account must:
• Have Write permission for the following folder on the Recovery Manager computer: %AllUsersProfile%\Application Data\Quest Software\RMAD
• Be a member of the Domain Admins group.
To restore object attributes, you only need write access to the attributes being restored.