When undeleting an object by using the agentless method, the Online Restore Wizard employs LDAP functions along with the Restore Deleted Objects feature provided by the Windows operating system. This feature restores only the attributes preserved in the object's tombstone. The other attributes are restored from a backup. However, some attributes, such as Password and SID History, cannot be written through LDAP, and thus cannot be restored from a backup via the agentless method.
In many situations, the inability to restore the Password attribute from a backup is not a serious problem, because an object's password can be reset after the object is restored. The SID History attribute is different: its restoration can be business-critical. An example is a situation where the domain from which the object was migrated is unavailable or decommissioned, so SID History cannot be re-added by migrating the object again.
To enable the restoration of these two attributes using the agentless method, the Active Directory schema may be modified so that these attributes are preserved in object tombstones. As a result, an undeleted object has the same Password and SID History as the object had when it was deleted. Note that the change takes effect only for objects deleted after the schema modification; tombstones created before it do not contain these attributes. Also note that, once preserved, password hashes of deleted accounts remain in the directory database (and in any backup of it) for the tombstone lifetime, so treat tombstones and backups with the same care as live account data.
As this solution requires schema modifications, it should be carefully considered. Microsoft recommends modifying or extending the schema only when there is no alternative. Proceed with extreme caution, because a mistake may render the directory service unstable and require a forest reinstallation.
Often, organizations are reluctant to make changes to the schema because schema modifications may result in heavy replication traffic. That is not the case for the schema modifications described in this article, as they change only the searchFlags value of a few attributes and do not affect the partial attribute set (PAS), so no rebuild of the global catalog is triggered.
Recovery Manager for Active Directory also provides an agent-based method for restoring or undeleting objects. With the agent-based method any attributes can be restored. The agent-based method does not require any schema modifications.
To preserve passwords and SID history in object tombstones, complete the following steps. Before you begin, make sure that:
You are logged on as a member of the Schema Admins group.
Write operations to the schema are allowed, and the domain controller that holds the Schema Master FSMO role is available (schema changes are accepted only by that domain controller).
To preserve SID History in tombstones, you need to modify the searchFlags attribute value for the SID-History (sIDHistory) schema object.
To preserve passwords in tombstones, you need to modify the searchFlags attribute value for the following password-related schema objects:
The Lm-Pwd-History and Nt-Pwd-History attributes are used to store password history. For security reasons, it is recommended to restore them along with the password; otherwise the restored account has an empty password history, and the password-reuse restrictions of the domain policy no longer apply to its previous passwords.
The searchFlags attribute is a bit mask. The bit with decimal value 8 (fPRESERVEONDELETE) instructs Active Directory to keep the attribute in the tombstone. To determine the new searchFlags attribute value to be set, use the following formula:
8 + current searchFlags attribute value = new searchFlags attribute value
Apply the formula only if the current value does not already include the 8 bit; if it does (for example, the value is 8, 9 or 24), the attribute is already preserved in tombstones and must be left unchanged, because adding 8 again would set a different flag instead.
Use the ADSI Edit tool (Adsiedit.msc) to connect to the Schema naming context on the domain controller that holds the Schema Master FSMO role:
a. Start the ADSI Edit tool (Adsiedit.msc).
b. In the left pane of the console, right-click the ADSI Edit console tree root, and then on the shortcut menu click Connect to.
c. In the dialog box that opens, do the following:
Click Select a well known Naming Context option, and then select Schema from the list below.
Click Select or type a domain controller or server option, and then type the name of the domain controller that holds the Schema Master FSMO role.
d. Click OK to connect.
In the left pane of the console, expand the Schema naming context and select the Schema container that holds the schema objects you want to modify.
In the right pane, right-click the attribute schema object you want to modify (for example, SID-History), and then click Properties.
Enter the new searchFlags attribute value you determined earlier:
a. On the Attribute Editor tab, select searchFlags from the Attributes list, and then click the Edit button.
b. In the Attribute Editor box, enter the new value and click OK.
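The same change can be scripted instead of clicking through ADSI Edit. The following PowerShell script is an added example and is not part of the original article or of Recovery Manager for Active Directory; it assumes the ActiveDirectory module (RSAT) is installed and that you run it as a member of Schema Admins. It targets the Schema Master explicitly, sets the fPRESERVEONDELETE bit with a bitwise OR (so an attribute that already has the bit set is left alone), refreshes the schema cache, and reports the resulting searchFlags values. The attribute list in the usage call contains only the attributes the article names (sIDHistory, lmPwdHistory, ntPwdHistory); add the other password-related attributes you intend to change.

```powershell
# Added example, not code from the original article. Sets the fPRESERVEONDELETE
# bit in searchFlags on the Schema Master, the way the ADSI Edit steps do by hand.
# Assumes the ActiveDirectory module (RSAT) and membership in Schema Admins.
Import-Module ActiveDirectory

# Bit 3 of searchFlags (decimal 8): keep this attribute in the tombstone.
$PRESERVE_ON_DELETE = 8

function Set-PreserveOnDelete {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # lDAPDisplayName values of the attributeSchema objects to change.
        [Parameter(Mandatory)] [string[]] $LdapDisplayName
    )

    # Schema writes are accepted only by the Schema Master, so target it explicitly.
    $schemaMaster = (Get-ADForest).SchemaMaster
    $schemaNC     = (Get-ADRootDSE -Server $schemaMaster).schemaNamingContext

    foreach ($name in $LdapDisplayName) {
        $attr = Get-ADObject -Server $schemaMaster -SearchBase $schemaNC `
            -LDAPFilter "(&(objectClass=attributeSchema)(lDAPDisplayName=$name))" `
            -Properties searchFlags

        if (-not $attr) { Write-Warning "attributeSchema '$name' not found"; continue }

        $current = [int]$attr.searchFlags
        # Bitwise OR rather than "+ 8": adding 8 to a value that already has the
        # bit set would flip a different flag instead of leaving it alone.
        $new = $current -bor $PRESERVE_ON_DELETE
        if ($new -eq $current) {
            Write-Host "$name is already preserved on delete (searchFlags=$current)"
            continue
        }
        if ($PSCmdlet.ShouldProcess("$name on $schemaMaster", "searchFlags $current -> $new")) {
            Set-ADObject -Server $schemaMaster -Identity $attr.DistinguishedName `
                -Replace @{ searchFlags = $new }
        }
    }

    # Make the Schema Master reload its schema cache now instead of waiting
    # for the periodic refresh. Skipped under -WhatIf, where nothing changed.
    if (-not $WhatIfPreference) {
        $rootDse = [ADSI]"LDAP://$schemaMaster/RootDSE"
        $rootDse.Put('schemaUpdateNow', 1)
        $rootDse.SetInfo()
    }

    # Verification: re-read each attribute and show whether the bit is set.
    foreach ($name in $LdapDisplayName) {
        $attr = Get-ADObject -Server $schemaMaster -SearchBase $schemaNC `
            -LDAPFilter "(&(objectClass=attributeSchema)(lDAPDisplayName=$name))" `
            -Properties searchFlags
        if (-not $attr) { continue }
        [pscustomobject]@{
            Attribute        = $name
            searchFlags      = [int]$attr.searchFlags
            PreserveOnDelete = (([int]$attr.searchFlags -band $PRESERVE_ON_DELETE) -ne 0)
        }
    }
}

# sIDHistory, lmPwdHistory and ntPwdHistory are the attributes the article names;
# add the remaining password-related attributes you are changing to this list.
# Run with -WhatIf first; drop it to apply the change.
Set-PreserveOnDelete -LdapDisplayName 'sIDHistory', 'lmPwdHistory', 'ntPwdHistory' -WhatIf
```

Run the script once with -WhatIf and confirm that the reported "searchFlags current -> new" values are what you expect before running it for real; after the change replicates, an object deleted from this point on carries the preserved attributes in its tombstone, and the agentless undelete can restore them.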