The Issue

Performing an authoritative restore on a Windows Server 2003 domain controller of a group results in the reanimation of tombstoned group membership links.

The Impact

If an Organizational Unit containing Users and Groups was deleted, the authoritative restore of the OU will result in users being re-added to groups they were removed from. This can lead to unexpected behavior. For example, these users may be able to access resources they should not have permissions to, or vice versa.

How To Resolve The Issue

Install hotfix KB951320 on all domain controllers running Windows Server 2003 and take fresh backups.

Steps to Reproduce The Issue

Use the following:

  • Domain controller(s) running Windows Server 2003, Ent. Ed. SP2 (5.2.3790)
  • NTDSUtil.exe: version 5.2.3790.3959 (srv03_sp2_rtm.070216-1710)
  1. Create an organizational unit named AuthRestore and within it 3 users, ARUser01, ARUser02 and ARUser03. Create a domain global group, ARGroup01, and add the 3 users as members.
  2. Run the following command to verify the status of ARGroup01’s member attribute:
    C:\>RepAdmin /ShowObjMeta 2k3RootDC01 "CN=ARGroup01,OU=AuthRestore,OU=POC,DC=2k3Dom,DC=local"
    11 entries.
    Loc.USN Originating DC Org.USN Org.Time/Date Ver Attribute
    ======= =============== ========= ============= === =========
    122932 North\2K3ROOTDC01 122932 2011-11-30 14:36:06 1 objectClass
    122932 North\2K3ROOTDC01 122932 2011-11-30 14:36:06 1 cn
    122932 North\2K3ROOTDC01 122932 2011-11-30 14:36:06 1 instanceType
    122932 North\2K3ROOTDC01 122932 2011-11-30 14:36:06 1 whenCreated
    122932 North\2K3ROOTDC01 122932 2011-11-30 14:36:06 1 nTSecurityDescriptor
    122932 North\2K3ROOTDC01 122932 2011-11-30 14:36:06 1 name
    122932 North\2K3ROOTDC01 122932 2011-11-30 14:36:06 1 objectSid
    122932 North\2K3ROOTDC01 122932 2011-11-30 14:36:06 1 sAMAccountName
    122932 North\2K3ROOTDC01 122932 2011-11-30 14:36:06 1 sAMAccountType
    122932 North\2K3ROOTDC01 122932 2011-11-30 14:36:06 1 groupType
    122932 North\2K3ROOTDC01 122932 2011-11-30 14:36:06 1 objectCategory

    3 entries.
    Type Attribute Last Mod Time Originating DC Loc.USN Org.USN Ver Distinguished Name
    ======= ============ ============= ================= ======= ======= === =============================
    PRESENT member 2011-11-30 14:36:19 North\2K3ROOTDC01 122935 122935 1 CN=ARUser01,OU=AuthRestore,OU=POC,DC=2k3Dom,DC=local
    PRESENT member 2011-11-30 14:36:19 North\2K3ROOTDC01 122936 122936 1 CN=ARUser02,OU=AuthRestore,OU=POC,DC=2k3Dom,DC=local
    PRESENT member 2011-11-30 14:36:19 North\2K3ROOTDC01 122937 122937 1 CN=ARUser03,OU=AuthRestore,OU=POC,DC=2k3Dom,DC=local
    A value of type Legacy indicates a value that does not carry individual replication metadata.
    A value of type Present indicates one with additional replication metadata attached, and therefore replicated using Linked Value Replication (LVR).
    A value of type Absent denotes a deleted value with additional metadata attached. The entry is similar to a tombstoned object: it preserves the knowledge that a value was removed from an LVR-enabled attribute, and it is garbage collected after the tombstone lifetime (TSL).
  3. Remove ARUser02 from ARGroup01:
  4. Verify the status using the RepAdmin /ShowObjMeta command:
    C:\>RepAdmin /ShowObjMeta 2k3RootDC01 "CN=ARGroup01,OU=AuthRestore,OU=POC,DC=2k3Dom,DC=local"
    11 entries.
    Loc.USN Originating DC Org.USN Org.Time/Date Ver Attribute
    ======= =============== ========= ============= === =========
    122932 North\2K3ROOTDC01 122932 2011-11-30 14:36:06 1 objectClass
    122932 North\2K3ROOTDC01 122932 2011-11-30 14:36:06 1 cn
    122932 North\2K3ROOTDC01 122932 2011-11-30 14:36:06 1 instanceType
    122932 North\2K3ROOTDC01 122932 2011-11-30 14:36:06 1 whenCreated
    122932 North\2K3ROOTDC01 122932 2011-11-30 14:36:06 1 nTSecurityDescriptor
    122932 North\2K3ROOTDC01 122932 2011-11-30 14:36:06 1 name
    122932 North\2K3ROOTDC01 122932 2011-11-30 14:36:06 1 objectSid
    122932 North\2K3ROOTDC01 122932 2011-11-30 14:36:06 1 sAMAccountName
    122932 North\2K3ROOTDC01 122932 2011-11-30 14:36:06 1 sAMAccountType
    122932 North\2K3ROOTDC01 122932 2011-11-30 14:36:06 1 groupType
    122932 North\2K3ROOTDC01 122932 2011-11-30 14:36:06 1 objectCategory

    3 entries.
    Type Attribute Last Mod Time Originating DC Loc.USN Org.USN Ver Distinguished Name
    ======= ============ ============= ================= ======= ======= === =============================
    PRESENT member 2011-11-30 14:36:19 North\2K3ROOTDC01 122935 122935 1 CN=ARUser01,OU=AuthRestore,OU=POC,DC=2k3Dom,DC=local
    ABSENT member 2011-11-30 16:01:38 North\2K3ROOTDC01 122941 122941 2 CN=ARUser02,OU=AuthRestore,OU=POC,DC=2k3Dom,DC=local
    PRESENT member 2011-11-30 14:36:19 North\2K3ROOTDC01 122937 122937 1 CN=ARUser03,OU=AuthRestore,OU=POC,DC=2k3Dom,DC=local  
  5. Take a System State backup using NTBackup.
  6. Delete the AuthRestore organizational unit
  7. Reboot into Directory Services Restore Mode. To make the process easier, use the System Configuration Utility to set the DSRepair Boot.ini switch.
  8. Perform a restore of the System State using NTBackup, but leave the option "When restoring replicated data sets, mark the restored data as the primary data for all replicas" unchecked under Advanced Restore Options unless this is the only domain controller in the domain.
  9. Do not reboot at the end of the restore.
  10. Using the NTDSUtil command, mark the AuthRestore organizational unit authoritative:
    C:\>ntdsutil
    ntdsutil: authoritative restore
    authoritative restore: restore subtree OU=AuthRestore,OU=POC,DC=2k3Dom,DC=local
    Opening DIT database… Done. The current time is 11-30-11 16:45.57.
    Most recent database update occured at 11-30-11 16:01.38.
    Increasing attribute version numbers by 100000.
    Counting records that need updating…
    Records found: 0000000011
    Done.

    Found 11 records to update. Updating records…
    Records remaining: 0000000000
    Done.

    Successfully updated 11 records.

    The following text file with a list of authoritatively restored objects has been created in the current working directory:
    ar_20111130-164557_objects.txt

    One or more specified objects have back-links in this domain. The following LDIF files with link restore operations have been created in the current working directory:
    ar_20111130-164557_links_2k3Dom.local.ldf

    Authoritative Restore completed successfully.

    authoritative restore: quit
    ntdsutil: quit

    Notice that the ldf file created contains a back-link from the user ARUser02 to the ARGroup01 group, although ARUser02 had been removed from the group before the backup was taken:

    dn: CN=ARGroup01,OU=AuthRestore,OU=POC,DC=2k3Dom,DC=local
    changetype: modify
    delete: member
    member: CN=ARUser01,OU=AuthRestore,OU=POC,DC=2k3Dom,DC=local
    -

    dn: CN=ARGroup01,OU=AuthRestore,OU=POC,DC=2k3Dom,DC=local
    changetype: modify
    add: member
    member: CN=ARUser01,OU=AuthRestore,OU=POC,DC=2k3Dom,DC=local
    -

    dn: CN=ARGroup01,OU=AuthRestore,OU=POC,DC=2k3Dom,DC=local
    changetype: modify
    delete: member
    member: CN=ARUser02,OU=AuthRestore,OU=POC,DC=2k3Dom,DC=local
    -

    dn: CN=ARGroup01,OU=AuthRestore,OU=POC,DC=2k3Dom,DC=local
    changetype: modify
    add: member
    member: CN=ARUser02,OU=AuthRestore,OU=POC,DC=2k3Dom,DC=local
    -

    dn: CN=ARGroup01,OU=AuthRestore,OU=POC,DC=2k3Dom,DC=local
    changetype: modify
    delete: member
    member: CN=ARUser03,OU=AuthRestore,OU=POC,DC=2k3Dom,DC=local
    -

    dn: CN=ARGroup01,OU=AuthRestore,OU=POC,DC=2k3Dom,DC=local
    changetype: modify
    add: member
    member: CN=ARUser03,OU=AuthRestore,OU=POC,DC=2k3Dom,DC=local
    -


  11. Reboot the domain controller into Normal mode; do not forget to clear the DSRepair Boot.ini switch.
  12. Import the contents of the ldf file using the LDIFDE command:
    C:\>ldifde -i -k -f ar_20111130-164557_links_2k3Dom.local.ldf -s 2k3RootDC01
    Connecting to "2k3RootDC01"
    Logging in as current user using SSPI
    Importing directory from file "ar_20111130-164557_links_2k3Dom.local.ldf"
    Loading entries…….
    5 entries modified successfully.
    The command has completed successfully
  13. You will notice that the user ARUser02 has been added back to the ARGroup01 group. This can be verified using the RepAdmin /ShowObjMeta command as well:
    C:\>RepAdmin /ShowObjMeta 2k3RootDC01 "CN=ARGroup01,OU=AuthRestore,OU=POC,DC=2k3Dom,DC=local"
    12 entries.
    Loc.USN Originating DC Org.USN Org.Time/Date Ver Attribute
    ======= =============== ========= ============= === =========
    126991 North\2K3ROOTDC01 126991 2011-11-30 16:45:57 100001 objectClass
    126991 North\2K3ROOTDC01 126991 2011-11-30 16:45:57 100001 cn
    126991 North\2K3ROOTDC01 126991 2011-11-30 16:45:57 100001 instanceType
    122932 5677eb8e-3f5d-4657-a7c6-0ec3285afaa3 122932 2011-11-30 14:36:06 1 whenCreated
    126991 North\2K3ROOTDC01 126991 2011-11-30 16:45:57 100000 isDeleted
    126991 North\2K3ROOTDC01 126991 2011-11-30 16:45:57 100001 nTSecurityDescriptor
    126991 North\2K3ROOTDC01 126991 2011-11-30 16:45:57 100001 name
    126991 North\2K3ROOTDC01 126991 2011-11-30 16:45:57 100001 objectSid
    126991 North\2K3ROOTDC01 126991 2011-11-30 16:45:57 100001 sAMAccountName
    126991 North\2K3ROOTDC01 126991 2011-11-30 16:45:57 100001 sAMAccountType
    126991 North\2K3ROOTDC01 126991 2011-11-30 16:45:57 100001 groupType
    126991 North\2K3ROOTDC01 126991 2011-11-30 16:45:57 100001 objectCategory

    3 entries.
    Type Attribute Last Mod Time Originating DC Loc.USN Org.USN Ver Distinguished Name
    ======= ============ ============= ================= ======= ======= === =============================
    PRESENT member 2011-11-30 17:01:34 North\2K3ROOTDC01 127029 127029 200003 CN=ARUser01,OU=AuthRestore,OU=POC,DC=2k3Dom,DC=local
    PRESENT member 2011-11-30 17:01:34 North\2K3ROOTDC01 127032 127032 200003 CN=ARUser02,OU=AuthRestore,OU=POC,DC=2k3Dom,DC=local
    PRESENT member 2011-11-30 17:01:34 North\2K3ROOTDC01 127038 127038 200003 CN=ARUser03,OU=AuthRestore,OU=POC,DC=2k3Dom,DC=local
  14. Install KB951320. The file version of NTDSUtil.exe should now show 5.2.3790.4299 (srv03_sp2_qfe.080522-1212).
  15. Repeat Step 3 through Step 9.
    This time around the ldf file does not have any entries for ARUser02:
    dn: CN=ARGroup01,OU=AuthRestore,OU=POC,DC=2k3Dom,DC=local
    changetype: modify
    delete: member
    member: CN=ARUser01,OU=AuthRestore,OU=POC,DC=2k3Dom,DC=local
    -
    dn: CN=ARGroup01,OU=AuthRestore,OU=POC,DC=2k3Dom,DC=local
    changetype: modify
    add: member
    member: CN=ARUser01,OU=AuthRestore,OU=POC,DC=2k3Dom,DC=local
    -
    dn: CN=ARGroup01,OU=AuthRestore,OU=POC,DC=2k3Dom,DC=local
    changetype: modify
    delete: member
    member: CN=ARUser03,OU=AuthRestore,OU=POC,DC=2k3Dom,DC=local
    -
    dn: CN=ARGroup01,OU=AuthRestore,OU=POC,DC=2k3Dom,DC=local
    changetype: modify
    add: member
    member: CN=ARUser03,OU=AuthRestore,OU=POC,DC=2k3Dom,DC=local
    -
  16. Upon rebooting and importing the ldf file, we see that the member value for ARUser02 is listed as Absent, as it should be:
    C:\>RepAdmin /ShowObjMeta 2k3RootDC01 "CN=ARGroup01,OU=AuthRestore,OU=POC,DC=2k3Dom,DC=local"
    12 entries.
    Loc.USN Originating DC Org.USN Org.Time/Date Ver Attribute
    ======= =============== ========= ============= === =========
    131098 North\2K3ROOTDC01 131098 2011-11-30 23:45:10 200001 objectClass
    131098 North\2K3ROOTDC01 131098 2011-11-30 23:45:10 200001 cn
    131098 North\2K3ROOTDC01 131098 2011-11-30 23:45:10 200001 instanceType
    122932 5677eb8e-3f5d-4657-a7c6-0ec3285afaa3 122932 2011-11-30 14:36:06 1 whenCreated
    131098 North\2K3ROOTDC01 131098 2011-11-30 23:45:10 200000 isDeleted
    131098 North\2K3ROOTDC01 131098 2011-11-30 23:45:10 200001 nTSecurityDescriptor
    131098 North\2K3ROOTDC01 131098 2011-11-30 23:45:10 200001 name
    131098 North\2K3ROOTDC01 131098 2011-11-30 23:45:10 200001 objectSid
    131098 North\2K3ROOTDC01 131098 2011-11-30 23:45:10 200001 sAMAccountName
    131098 North\2K3ROOTDC01 131098 2011-11-30 23:45:10 200001 sAMAccountType
    131098 North\2K3ROOTDC01 131098 2011-11-30 23:45:10 200001 groupType
    131098 North\2K3ROOTDC01 131098 2011-11-30 23:45:10 200001 objectCategory

    3 entries.
    Type Attribute Last Mod Time Originating DC Loc.USN Org.USN Ver Distinguished Name
    ======= ============ ============= ================= ======= ======= === =============================
    PRESENT member 2011-11-30 23:49:24 North\2K3ROOTDC01 131131 131131 400005 CN=ARUser01,OU=AuthRestore,OU=POC,DC=2k3Dom,DC=local
    ABSENT member 2011-11-30 23:45:10 North\2K3ROOTDC01 131105 131105 400004 CN=ARUser02,OU=AuthRestore,OU=POC,DC=2k3Dom,DC=local
    PRESENT member 2011-11-30 23:49:24 North\2K3ROOTDC01 131137 131137 400005 CN=ARUser03,OU=AuthRestore,OU=POC,DC=2k3Dom,DC=local
    And the user is not listed in the Members tab of the group.
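As an added example (not part of the original post), the following Python script cross-checks the link-restore ldf that ntdsutil writes against the pre-restore RepAdmin /ShowObjMeta link metadata of the group, and lists every member value the ldf would re-add although the metadata records it as Absent; run it before importing the ldf. The sample output and ldf excerpt are constructed from the values in this walkthrough, with the ldf changes collapsed into one modify record for brevity.

```python
"""Cross-check the link-restore LDIF written by ntdsutil against the pre-restore
'repadmin /showobjmeta' link metadata, flagging ABSENT links it would re-add."""
import re

# Constructed sample: LVR section of the step-4 output (ARUser02 already removed).
SHOWOBJMETA_BEFORE = """\
Type Attribute Last Mod Time Originating DC Loc.USN Org.USN Ver Distinguished Name
PRESENT member 2011-11-30 14:36:19 North\\2K3ROOTDC01 122935 122935 1 CN=ARUser01,OU=AuthRestore,OU=POC,DC=2k3Dom,DC=local
ABSENT member 2011-11-30 16:01:38 North\\2K3ROOTDC01 122941 122941 2 CN=ARUser02,OU=AuthRestore,OU=POC,DC=2k3Dom,DC=local
PRESENT member 2011-11-30 14:36:19 North\\2K3ROOTDC01 122937 122937 1 CN=ARUser03,OU=AuthRestore,OU=POC,DC=2k3Dom,DC=local
"""

# Constructed sample of the ar_*_links_*.ldf content (pre-hotfix form); the
# changes are collapsed into one modify record, ntdsutil writes one per change.
LINK_LDIF = """\
dn: CN=ARGroup01,OU=AuthRestore,OU=POC,DC=2k3Dom,DC=local
changetype: modify
delete: member
member: CN=ARUser02,OU=AuthRestore,OU=POC,DC=2k3Dom,DC=local
-
add: member
member: CN=ARUser02,OU=AuthRestore,OU=POC,DC=2k3Dom,DC=local
-
add: member
member: CN=ARUser03,OU=AuthRestore,OU=POC,DC=2k3Dom,DC=local
-
"""

# Type Attribute "YYYY-MM-DD HH:MM:SS" OriginatingDC Loc.USN Org.USN Ver DN
LINK_LINE = re.compile(
    r"^(PRESENT|ABSENT|LEGACY)\s+(\S+)\s+(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\s+"
    r"(\S+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(.+?)\s*$", re.IGNORECASE)

def parse_link_metadata(text):
    """Map (attribute, target DN) -> (PRESENT|ABSENT|LEGACY, version)."""
    links = {}
    for line in text.splitlines():
        m = LINK_LINE.match(line.strip())
        if m:
            vtype, attr, _t, _dc, _lusn, _ousn, ver, dn = m.groups()
            links[(attr.lower(), dn.lower())] = (vtype.upper(), int(ver))
    return links

def parse_ldif_adds(text):
    """List (entry DN, attribute, value) for every value under an 'add:' change."""
    adds, dn, op, attr = [], None, None, None
    for line in text.splitlines():
        line = line.rstrip()
        if line.startswith("dn: "):
            dn, op, attr = line[4:], None, None
        elif line.startswith(("add: ", "delete: ", "replace: ")):
            op, attr = line.split(": ", 1)
        elif line in ("-", ""):          # end of one change, or of the record
            op, attr = None, None
        elif op == "add" and attr and line.startswith(attr + ": "):
            adds.append((dn, attr, line[len(attr) + 2:]))
    return adds

def reanimated_links(showobjmeta_text, ldif_text):
    """Member DNs the LDIF would re-add although metadata records them ABSENT."""
    meta = parse_link_metadata(showobjmeta_text)
    return sorted(value for _dn, attr, value in parse_ldif_adds(ldif_text)
                  if meta.get((attr.lower(), value.lower()), ("", 0))[0] == "ABSENT")
```

Any DN the script returns is a membership that was deliberately removed before the backup; strip its add operation from the ldf (or install the hotfix and regenerate it) before running ldifde.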