Preserving passwords and SID history in object tombstones
To preserve passwords and SID history in object tombstones, complete the following steps:
Step 1: Make sure prerequisites are met
- You are logged on as a member of the Schema Admins group.
- Write operations to the schema are allowed.
Step 2: Modify the searchFlags attribute value
To preserve SID History in tombstones, you need to modify the searchFlags attribute value for the SID-History (sIDHistory) schema object.
To preserve passwords in tombstones, you need to modify the searchFlags attribute value for the following password-related schema objects:
- Unicode-Pwd (unicodePwd)
- DBCS-Pwd (dBCSPwd)
- Supplemental-Credentials (supplementalCredentials)
- Lm-Pwd-History (lmPwdHistory)
- Nt-Pwd-History (nTPwdHistory)
Important: The Lm-Pwd-History and Nt-Pwd-History attributes are used to store password history. For security reasons, it is recommended to restore them along with the password.
To determine the new searchFlags attribute value to be set, use the following formula:
8 + current searchFlags attribute value = new searchFlags attribute value
To modify the searchFlags attribute value:
- Use the ADSI Edit tool (Adsiedit.msc) to connect to the Schema naming context using the domain controller that holds the Schema Master FSMO role:
  - Start the ADSI Edit tool (Adsiedit.msc).
  - In the left pane of the console, right-click the ADSI Edit console tree root, and then on the shortcut menu click Connect to.
  - In the dialog box that opens, do the following:
    - Click Select a well known Naming Context option, and then select Schema from the list below.
    - Click Select or type a domain controller or server option, and then type the name of the domain controller that holds the Schema Master FSMO role.
  - Click OK to connect.
- In the left pane of the console, expand the Schema container to select the container that includes the schema objects you want to modify.
- Right-click the object you want to modify in the right pane, and then click Properties.
- Enter the new searchFlags attribute value you determined earlier in Step 2: Modify the searchFlags attribute value:
  - On the Attribute Editor tab, select searchFlags from the Attributes list, and then click the Edit button.
  - In the Attribute Editor box, enter the new value and click OK.
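The following PowerShell script is an added example, not part of the original procedure or of Recovery Manager for Active Directory. It reports the current and new searchFlags value for each attribute listed in Step 2. It goes slightly beyond the formula by setting the 0x8 (preserve-on-delete) bit with a bitwise OR, which equals 8 + current value when the bit is clear and leaves the value unchanged when it is already set. It assumes the ActiveDirectory module is installed; the `-Apply` switch is a hypothetical parameter of this script.

```powershell
# Added example: audits (and with -Apply, sets) the preserve-on-delete bit in searchFlags.
# Assumes the ActiveDirectory module (RSAT); -Apply requires Schema Admins membership
# and schema write operations to be allowed (Step 1).
param(
    [switch]$Apply   # hypothetical switch: without it the script only reports
)

Import-Module ActiveDirectory

$PreserveOnDelete = 0x8   # the "8" in the formula from Step 2
$attributes = 'sIDHistory', 'unicodePwd', 'dBCSPwd',
              'supplementalCredentials', 'lmPwdHistory', 'nTPwdHistory'

# Schema changes are made on the domain controller holding the Schema Master FSMO role.
$schemaMaster = (Get-ADForest).SchemaMaster
$schemaNC     = (Get-ADRootDSE -Server $schemaMaster).schemaNamingContext

foreach ($name in $attributes) {
    $obj = Get-ADObject -Server $schemaMaster -SearchBase $schemaNC `
        -LDAPFilter "(&(objectClass=attributeSchema)(lDAPDisplayName=$name))" `
        -Properties searchFlags
    if (-not $obj) {
        Write-Warning "Schema object for $name not found"
        continue
    }

    # searchFlags may be unset on an attribute; treat that as 0.
    $current = if ($null -ne $obj.searchFlags) { [int]$obj.searchFlags } else { 0 }
    $new     = $current -bor $PreserveOnDelete
    $changed = $new -ne $current

    if ($changed -and $Apply) {
        Set-ADObject -Identity $obj -Server $schemaMaster -Replace @{ searchFlags = $new }
    }

    # One report row per attribute, so the change can be reviewed and recorded.
    [pscustomobject]@{
        Attribute = $name
        Current   = $current
        New       = $new
        Action    = if (-not $changed) { 'already set' }
                    elseif ($Apply)    { 'updated' }
                    else               { 'needs change' }
    }
}
```

Run it without `-Apply` first and keep the output as a record of the original searchFlags values.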
Best Practices for creating backups
This section provides some best practices for backing up Active Directory data using Recovery Manager for Active Directory.