Step 1: Make sure prerequisites are met
- You are logged on as a member of the Schema Admins group.
- Write operations to the schema are allowed.
Step 2: Modify the searchFlags attribute value
To preserve SID History in tombstones, you need to modify the searchFlags attribute value for the SID-History (sIDHistory) schema object.
To preserve passwords in tombstones, you need to modify the searchFlags attribute value for the following password-related schema objects:
- Unicode-Pwd (unicodePwd)
- DBCS-Pwd (dBCSPwd)
- Supplemental-Credentials (supplementalCredentials)
- Lm-Pwd-History (lmPwdHistory)
- Nt-Pwd-History (nTPwdHistory)
Important: The Lm-Pwd-History and Nt-Pwd-History attributes are used to store password history. For security reasons, it is recommended to restore them along with the password.
To determine the new searchFlags attribute value to be set, use the following formula:
8 + current searchFlags attribute value = new searchFlags attribute value
To modify the searchFlags attribute value
- Use the ADSI Edit tool (Adsiedit.msc) to connect to the Schema naming context using the domain controller that holds the Schema Master FSMO role:
  - Start the ADSI Edit tool (Adsiedit.msc).
  - In the left pane of the console, right-click the ADSI Edit console tree root, and then on the shortcut menu click Connect to.
  - In the dialog box that opens, do the following:
    - Click Select a well known Naming Context option, and then select Schema from the list below.
    - Click Select or type a domain controller or server option, and then type the name of the domain controller that holds the Schema Master FSMO role.
    - Click OK to connect.
- In the left pane of the console, expand the Schema container to select the container that includes the schema objects you want to modify.
- Right-click the object you want to modify in the right pane, and then click Properties.
- Enter the new searchFlags attribute value you determined earlier in Step 2: Modify the searchFlags attribute value:
  - On the Attribute Editor tab, select searchFlags from the Attributes list, and then click the Edit button.
  - In the Attribute Editor box, enter the new value and click OK.
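The same check and change as a script, added here as an example and not part of the original documentation: it reads the current searchFlags of each attribute listed above from the Schema Master and computes the new value with a bitwise OR of 8, which equals the formula's result when that bit is not yet set and leaves the value unchanged when it already is. It assumes the ActiveDirectory PowerShell module is available; the -Apply switch is a hypothetical name, and without it the script only reports.

```powershell
#Requires -Modules ActiveDirectory
# Added example: report (and optionally set) the tombstone-preservation bit
# in searchFlags for the schema attributes listed on this page.
param(
    [switch]$Apply   # hypothetical switch: without it nothing is written
)

$PreserveBit = 8     # the value the page's formula adds to searchFlags

# lDAPDisplayName values taken from the page
$attributes = 'sIDHistory', 'unicodePwd', 'dBCSPwd',
              'supplementalCredentials', 'lmPwdHistory', 'nTPwdHistory'

# Work against the Schema Master, as the manual ADSI Edit procedure does
$schemaMaster = (Get-ADForest).SchemaMaster
$schemaNC     = (Get-ADRootDSE -Server $schemaMaster).schemaNamingContext

foreach ($name in $attributes) {
    $obj = Get-ADObject -Server $schemaMaster -SearchBase $schemaNC `
               -LDAPFilter "(lDAPDisplayName=$name)" -Properties searchFlags
    if (-not $obj) {
        Write-Warning "Schema object for '$name' not found"
        continue
    }

    # An unset searchFlags comes back as $null; [int] turns that into 0
    $current    = [int]$obj.searchFlags
    $alreadySet = ($current -band $PreserveBit) -ne 0
    $new        = $current -bor $PreserveBit

    # One report row per attribute, written to the pipeline
    [pscustomobject]@{
        Attribute   = $name
        Current     = $current
        AlreadySet  = $alreadySet
        NewValue    = $new
    }

    # Write only when asked to, and only when the value would change
    if ($Apply -and -not $alreadySet) {
        Set-ADObject -Identity $obj.DistinguishedName -Server $schemaMaster `
            -Replace @{ searchFlags = $new }
    }
}
```

Running it without -Apply first gives a record of the original values, which is what you need to revert the change later.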
Best Practices for creating backups
This section provides some best practices for backing up Active Directory data using Recovery Manager for Active Directory.
Develop a backup and restore plan
It is recommended to follow these rules to prevent Active Directory failure:
- Use only reliable and tested hardware, such as hard disks and uninterruptible power supply.
- Test any new configuration in a test lab before deploying it in your production environment.
- Ensure that each domain in your Active Directory forest has at least two domain controllers.
- Keep detailed daily logs of the health state of Active Directory, so that in case of a forestwide failure you can identify the approximate failure time.