Saturday, April 21, 2018

Active Directory recovery - 3rd party tools - Recovery Manager Plus - 4

This is my last post on ManageEngine's "Recovery Manager Plus", a third party tool for Active Directory recovery operations (among other things). In my previous posts, I attempted to restore users, groups and attributes of these objects. For the most part, these efforts were successful. In this post, I'll attempt to restore a DNS node/zone and a Group Policy Object (GPO).



This is my second attempt to backup and restore a DNS node or DNS zone. My first attempt (not presented in any blog post) was not successful. What follows is a fresh start with a new DNS zone and nodes.

I create a DNS zone and add two DNS nodes. For the time being, I will not create a corresponding PTR zone:

I then perform a backup:

Under the Active Directory tab (in Recovery Manager Plus - RMP), I look at the Backup Summary (DNS section) and see no changes:

As I learned from previous experiences, it may be necessary to make a change (delete a node or zone) and then perform another backup for the summary to reflect the change.

So I delete a node (and confirm the operation as needed):

Note: granted, it would probably be easier to re-register the entry or recreate it manually than resorting to the backup but that is another story.

I then initiate another backup (if our incremental backups are frequent enough, this step might not be necessary).

I still notice no change reflected in the DNS section of the Backup Summary under the Active Directory tab (you can look at the screenshot above - nothing has changed).

I cannot find anything pertaining to DNS in the Restore, Rollback or Recycle sections - regardless of the date of the backup.

For now, I'll leave it at that (same result for the entire DNS zone).

Yes, the DNS zones are Active Directory integrated.
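As an added example (not part of the original post and not RMP functionality), the following PowerShell uses the built-in DnsServer module on a domain controller that hosts DNS to list the AD-integrated zones, inventory the records of one zone, export an independent text copy of the zone, and recreate a single lost A record by hand. The zone name, host name and IP address are placeholders.

```powershell
# Added example, not code from the original post. Placeholders: zone, host, address.
Import-Module DnsServer

$zoneName = 'lab.example'   # placeholder: the test zone created above
$hostName = 'node1'         # placeholder: one of the two DNS nodes
$address  = '192.0.2.10'    # placeholder (TEST-NET-1 documentation range)

# 1. Which zones are AD-integrated, i.e. stored in the directory rather than in zone files?
#    These are the zones a directory backup tool would have to cover.
Get-DnsServerZone |
    Where-Object { $_.IsDsIntegrated } |
    Select-Object ZoneName, ZoneType, ReplicationScope, IsReverseLookupZone |
    Format-Table -AutoSize

# 2. Record inventory of the zone: the state any restore must be able to return to.
Get-DnsServerResourceRecord -ZoneName $zoneName |
    Select-Object HostName, RecordType, Timestamp, TimeToLive |
    Format-Table -AutoSize

# 3. Independent fallback: export the zone to a text file under
#    %SystemRoot%\System32\dns on the DNS server. When a backup product does not
#    cover DNS, this file is what lets you rebuild deleted nodes by hand.
Export-DnsServerZone -Name $zoneName -FileName "$zoneName.$(Get-Date -Format yyyyMMdd).dns"

# 4. Recreating one deleted A record manually (the "re-register or recreate"
#    option mentioned above) without touching the rest of the zone.
Add-DnsServerResourceRecordA -ZoneName $zoneName -Name $hostName -IPv4Address $address
```

The export in step 3 is deliberately a plain text file: it can be diffed against a later export to see exactly which nodes disappeared, which is the question the Backup Summary above did not answer.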

Let's try a GPO.



The RMP dashboard shows "Group Policy - 9" and that appears to represent the nine Group Policy objects that I have:

I will delete a GPO...

And then run an incremental backup to view the changes.

From the start, I see that, compared to the previous status quo, we have one less GPO:

On the Active Directory dashboard, I see the deletion of the GPO is indicated:

I attempt a restore but encounter the same challenge as in an earlier blog post. The most recent backup (of course) holds the deleted object which I cannot restore. The preceding backup does not seem to contain the object (before deletion). I only see (not shown here) some user and group objects used in previous restore experiments.

So this was not successful...

On the other hand, I was able to recycle the GPO:

Note: we restore and recycle the selected object(s) by clicking on the green "Restore" or "Recycle" button toward the bottom of the screen inside RMP (not shown in the screenshots above).

We have 9 GPOs once again:

And I can confirm that directly in the Group Policy Management Console:
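The same count and confirmation can be scripted with the native GroupPolicy module. The PowerShell below is an added example, not part of the original post or of RMP: it records a baseline GPO count, takes a native backup of every GPO, reports which GPO is missing after a deletion, and restores it from that backup. The backup folder and GPO name are placeholders.

```powershell
# Added example, not code from the original post. Placeholders: backup folder, GPO name, OU DN.
Import-Module GroupPolicy

$backupPath = 'C:\GPOBackups'    # placeholder: a folder the account can write to
$gpoName    = 'Placeholder GPO'  # placeholder: the GPO that was deleted

New-Item -ItemType Directory -Path $backupPath -Force | Out-Null

# Baseline: the native equivalent of the "Group Policy - 9" figure on the dashboard
$baseline = Get-GPO -All
"{0} GPOs in the domain at baseline" -f $baseline.Count

# Native backup of every GPO (settings and permissions; links to OUs are NOT included)
Backup-GPO -All -Path $backupPath -Comment ("Baseline " + (Get-Date -Format s)) | Out-Null

# After a deletion: recount and name what disappeared since the baseline
$current = Get-GPO -All
"{0} GPOs in the domain now" -f $current.Count
Compare-Object -ReferenceObject $baseline.DisplayName -DifferenceObject $current.DisplayName |
    Where-Object { $_.SideIndicator -eq '<=' } |
    ForEach-Object { "Missing since baseline: $($_.InputObject)" }

# Restore the deleted GPO from the most recent backup of that name in the folder
Restore-GPO -Name $gpoName -Path $backupPath | Out-Null

# Because links are not part of a GPO backup, re-link the GPO where it was applied
# New-GPLink -Name $gpoName -Target 'OU=Placeholder,DC=lab,DC=example'   # placeholder DN
```

The link caveat is the part most often overlooked: a restored GPO exists again but applies to nothing until it is linked, so the baseline should also record `Get-GPInheritance` output for the OUs that matter.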


This concludes my final blog post on Recovery Manager Plus. With the exception of DNS, I was able to restore (or recycle) deleted objects more efficiently than resorting to a native Active Directory backup/restore operation. As for the problems encountered, this is the first time I've used the product (trial version) so I may be missing something. If a reader of this post has the solution, please comment below.

Note: if I understand correctly, the trial version is fully functional so that should not be the source of any limitation. 

Saturday, April 14, 2018

Active Directory recovery - 3rd party tools - Recovery Manager Plus - 3

In my previous blog post, I attempted to recover certain objects and was successful in 2 of 3 cases (please refer to that blog post for details). However, I was not able to recover the members of a group, probably because I was not selecting the correct backup version. In the following lines, I'll attempt the recovery operation again.


In this second attempt, I will use the "HR" group once again but with different members:

And once again, I delete the group:

The group has obviously been deleted:

In Recovery Manager Plus (RMP), I perform a backup (which takes into account recent changes), go to the Active Directory tab, and then look at the column "Groups", where I can see that 1 group has been deleted and 4 users modified (probably a reference to the change in group membership):

I'll now do what I did last time and indicate what I think was the error. Still under the Active Directory tab, I select the "Restore" option (to the left of the screen but not shown in the screenshot below) and observe, here as well, the deleted group and the modified users. I select a backup (red dot in screenshot)...

And then click on Restore:

The restore apparently completes but the result is the same as before (and the group is not restored in Active Directory):

Now, I could recycle the group as in my previous blog post but that did not restore the group membership.

So what is the problem?

We have to make sure we select the correct backup (by date and time), and in particular NOT the backup we initiated manually so that the most recent changes would be displayed. That backup was taken AFTER the group was deleted and cannot be used to restore it.

We need to select the previous backup in which the group was still "undeleted":

Note: the icon representing the group is black here and not red.

If we perform the restore now and look at the restore details, we see an attribute name ("Members") with the restored value:

That is more promising. Better yet, if I go back into Active Directory (Users and Computers), I see that the group is restored with its 4 members:
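Checking the restored membership by eye in Active Directory Users and Computers works for four members; for a larger group a snapshot-and-compare is more reliable. The PowerShell below is an added example (not part of the original post, not RMP code) using the ActiveDirectory module: it records the group's `member` attribute before maintenance and compares it with the live value after the restore. The group name "HR" is the one used above; the snapshot path is a placeholder.

```powershell
# Added example, not code from the original post. Placeholder: snapshot file location.
Import-Module ActiveDirectory

$groupName = 'HR'
$snapshot  = Join-Path $env:TEMP "$groupName-members.xml"   # placeholder location

# Before maintenance (or from a scheduled task): record who is in the group.
# 'member' is stored on the group object; a user's 'memberOf' is only a back-link,
# so the group's own attribute is the authoritative thing to snapshot and compare.
Get-ADGroup -Identity $groupName -Properties member |
    Select-Object -ExpandProperty member |
    Export-Clixml -Path $snapshot

# After the restore: does the group exist, and does its membership match the snapshot?
$group = Get-ADGroup -Filter "Name -eq '$groupName'" -Properties member
if (-not $group) {
    throw "$groupName does not exist: the group object itself was not restored"
}

$before = @(Import-Clixml -Path $snapshot)
$after  = @($group.member)

$diff = Compare-Object -ReferenceObject $before -DifferenceObject $after
if (-not $diff) {
    "{0}: {1} members, identical to the snapshot" -f $groupName, $after.Count
} else {
    # '<=' entries were in the snapshot but are gone; '=>' entries were not there before
    $diff | ForEach-Object {
        $state = if ($_.SideIndicator -eq '<=') { 'MISSING' } else { 'UNEXPECTED' }
        "{0}: {1} {2}" -f $groupName, $state, $_.InputObject
    }
}
```

A "restored" group with an empty `member` list, which is what the recycle attempt in the previous post produced, shows up here as one MISSING line per former member rather than as a silent success.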


In this blog post, I've made some more progress learning about the third party Active Directory recovery tool "Recovery Manager Plus". We've now restored users and groups as well as attributes of these objects. In my next blog post, I'll attempt to restore a DNS zone and a Group Policy Object (GPO). While the product does allow other recovery operations (bare metal and virtual machine), I will not explore those options in this series of blog posts.

Friday, March 30, 2018

Active Directory recovery - 3rd party tools - Recovery Manager Plus - 2

After installing and configuring Recovery Manager Plus (RMP), and restoring a simple user object in my previous blog post, I wanted to evaluate some other recovery scenarios: group membership of a deleted user, members of a deleted group and content of an organizational unit (OU). That's what I'll do in the following paragraphs, with no further ado.


Restore group membership of a deleted user?

If I delete a user object and then recover it, will its group memberships come back as well (that is, will it reappear in the "Members" property of the groups it belonged to)?

John Thompson is a member of the Domain Users and Accounting groups:

I delete John Thompson:

I go to RMP and recycle him:

Note: I have to check "John Thompson" and then click on "Recycle" (not shown in the screenshot).

I confirm the operation:

And John Thompson is no longer in the recycle bin:

On the other hand, he does reappear in Active Directory - with his former group membership:


I discovered two things when attempting to recover the account.

First, the deleted object does not appear in the RMP recycle bin immediately, I have to perform a manual backup for RMP to compare what has changed:

If we schedule backups often enough, we may not need to perform a manual backup to see which object was deleted. Otherwise, if we are shocked to discover that an object was accidentally deleted AND does not appear in the RMP recycle bin, we should perform a manual backup before concluding the object is lost forever.
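Before concluding anything from a third-party recycle bin, it is worth checking the directory's own record of the deletion, which does not depend on a backup having run. The PowerShell below is an added example (not part of the original post, not RMP code) using the ActiveDirectory module: it checks whether the AD Recycle Bin optional feature is enabled, lists deleted objects newest first, and restores one user natively. "John Thompson" is the account from the post.

```powershell
# Added example, not code from the original post. The user name comes from the post.
Import-Module ActiveDirectory

# 1. Is the Recycle Bin optional feature enabled in this forest? Without it, deleted
#    objects are tombstones stripped of most attributes (group links included), and
#    bringing them back intact requires an authoritative restore from a backup.
$feature = Get-ADOptionalFeature -Filter 'name -like "Recycle Bin Feature"'
if ($feature.EnabledScopes.Count -eq 0) {
    Write-Warning 'AD Recycle Bin is not enabled; Restore-ADObject cannot return complete objects'
}

# 2. Independent view of what was deleted, newest first. The object's last known
#    RDN and parent are kept so a restore can put it back where it was.
Get-ADObject -Filter 'isDeleted -eq $true -and name -ne "Deleted Objects"' `
    -IncludeDeletedObjects -Properties whenChanged, lastKnownParent, 'msDS-LastKnownRDN' |
    Sort-Object whenChanged -Descending |
    Select-Object 'msDS-LastKnownRDN', ObjectClass, lastKnownParent, whenChanged |
    Format-Table -AutoSize

# 3. Restore one user. A deleted object's name becomes "<name>\0ADEL:<guid>", hence -like.
#    If the parent OU was deleted too, restore the parent first or Restore-ADObject fails.
$deleted = @(Get-ADObject -Filter 'isDeleted -eq $true -and name -like "John Thompson*"' `
    -IncludeDeletedObjects)
if ($deleted.Count -ne 1) {
    throw "Expected exactly one deleted object, found $($deleted.Count); select by ObjectGUID instead"
}
$deleted[0] | Restore-ADObject
```

Step 2 is the check to run when an object is missing but absent from a product's recycle bin: if it is listed here with `isDeleted` set, the deletion is real and recent, and the question becomes which tool restores it with all of its attributes.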

Second, we use the recycle option rather than the restore option. If I attempt to restore John Thompson, I proceed as follows and encounter a strange message:

Note: although the screenshot does not show each and every step, I check "John Thompson" and then click on the restore button - a green button just under the list of users and that I seem to have managed to omit in my screenshots.

This looks good...

But then I see this (and John Thompson is not restored in Active Directory either):

This puzzles me because I was able to use the restore option in my first blog post for Anne Schubert. On the other hand, in a demonstration on YouTube, Derek Melber does use the recycle option (and does have to perform a manual backup for the object to appear in the recycle bin):

ManageEngine ADSolution - Recovering Deleted Active Directory Objects and All Properties

Note: the video was available at the time I composed this blog post - which may or may not be the case when you read it.

Restore members of a deleted group?

Now I'll delete a group and see whether I can restore (or recycle...) not only the group itself but also its members. I will use the group "HR", which includes the members shown below:

I delete the group...

And then recycle the group:

The group is restored but the members are not:

This is strange. Is another action required to complete the restore? In any case, for the time being, I want to test my last scenario: deletion of an organizational unit (OU) with all its content.

Restore OU and child objects

I have a regional OU called "Nice" with several objects inside (two users and a group):

I attempt to delete the OU...

But the attempt fails:

If we want to delete (or move) an OU, we have to uncheck "Protect object from accidental deletion" first (on the Object tab, visible when Advanced Features is enabled in the View menu) and then try again, confirming our intentions:

Note: I could have left this part out but thought it could serve as a reminder to protect key objects in Active Directory against accidental deletion. Some, like organizational units, are protected by default.
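That reminder is easy to turn into a periodic check. The PowerShell below is an added example (not part of the original post, not RMP code) using the ActiveDirectory module: it lists OUs whose accidental-deletion protection has been left off, re-enables it, and applies the same flag to the groups used in these tests. The group names come from the post.

```powershell
# Added example, not code from the original post. Group names come from the post.
Import-Module ActiveDirectory

function Get-UnprotectedOU {
    # OUs that can currently be deleted or moved without unchecking anything first
    Get-ADOrganizationalUnit -Filter * -Properties ProtectedFromAccidentalDeletion |
        Where-Object { -not $_.ProtectedFromAccidentalDeletion }
}

# 1. Audit
$unprotected = @(Get-UnprotectedOU)
"{0} unprotected OU(s) found" -f $unprotected.Count
$unprotected | Select-Object Name, DistinguishedName | Format-Table -AutoSize

# 2. Re-enable protection. Under the hood this writes Deny ACEs for Everyone on the
#    object's Delete and Delete Subtree rights, so a delete fails until an administrator
#    deliberately clears the flag, which is exactly the prompt seen above.
$unprotected | Set-ADOrganizationalUnit -ProtectedFromAccidentalDeletion $true

# 3. The flag exists on any object class; Set-ADObject applies it to groups and users.
foreach ($name in 'HR', 'Accounting') {
    Get-ADGroup -Filter "Name -eq '$name'" |
        Set-ADObject -ProtectedFromAccidentalDeletion $true
}

# 4. Verify: the audit should now return nothing
if (@(Get-UnprotectedOU).Count -eq 0) { 'All OUs are protected from accidental deletion' }
```

Run as a scheduled report, step 1 alone catches OUs created by scripts or migrations that skipped the checkbox, which are the ones that end up in a recycle bin in the first place.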

So I delete the OU and there is no longer anything between "My V Security Groups" and "Program Data":

As before, I go to the recycle bin, select the OU "Nice" and click on Recycle (not shown in the screenshot but very evident in the actual interface):

The OU is restored with the objects shown above and even a third user that I had deleted before:


So far, the tool has proved to be much more efficient than a native Active Directory authoritative restore which would require rebooting a domain controller (into recovery mode), restoring the entire Active Directory database, and then marking the object (or objects) to be restored as "authoritative".

There does seem to be a distinction between "restore" and "recycle" (the latter was possible, the former was not), and probably "rollback" for that matter.

We may have to perform a manual backup for changes - and deleted objects in particular - to appear in the RMP recycle bin.

The only "miss" was the failure to restore/recycle the members of our HR group. At this point, I do not master the product well enough to determine if that is a shortcoming or if such a restore requires additional steps.