How-To set up the AD iDA to Restore Password Info.

By default, when an object is deleted in Active Directory on Windows Server 2003, the password is stripped and not preserved for the account. This is due to the default schema settings of Active Directory.

When a deleted object is undeleted (restored) on Windows Server 2003, the user account comes back flagged as enabled, but Windows security marks it as disabled because the password is now missing from the account. You will be prompted to reset the password at the next logon.

If you make the following changes to the Active Directory Schema before backing up Active Directory using the Active Directory iDA on a Windows 2003 Domain Controller, the user and computer account passwords will be restored and there will be no need to reset them after these objects are restored.

Details

With Windows 2003, both the Sid-History and password (Unicode-PWD) attributes are stripped from an object when it is moved into the Deleted Objects container. When the object is undeleted, it is missing the password attributes because they have been stripped, and so Windows security marks these objects as disabled.

Windows 2003 SP1 now keeps the Sid-History attribute; however, the password attribute is still stripped. Note that this behavior is a function of Active Directory and not something caused by Galaxy software. CommVault Galaxy simply automates the undelete of the object(s) and then restores the modifiable attributes that were backed up.

The schema changes recommended below are necessary to be able to undelete an object and retain the SID and password attributes.

Since these changes are made to the Active Directory schema, consult Microsoft if you require a detailed explanation of these settings or of how else they may affect your environment.

Procedure

The adldaptool.exe utility is included with Galaxy 5.9 and above and automates the procedure listed below. You must run this utility on the client before your first backup to enable restores of passwords for User and Computer Accounts. If you do not run this utility before your first backup, you will not be able to restore the passwords and will have to manually reset the accounts after the restore.

To run the adldaptool.exe utility:

  1. From the command line, navigate to the Galaxy\base directory on the system that has the Active Directory iDA installed.
  2. Enter the following command:

adldaptool <username> <password> -computer <machine name> -setschema 1

  3. Once this utility has been run, you may begin performing backup operations.

If you wish to reverse the schema changes, run the same command with the following option instead:
-setschema 0

Configure the schema manually

If you would like to perform these steps manually instead of using the adldaptool, here is the procedure:

Use ADSI Edit to load the schema and change the following:

For the searchFlags attribute, change the value for CN=Unicode-Pwd from 0 to 8:

CN=Unicode-Pwd,CN=Schema,CN=Configuration,<rest of domain>

For the searchFlags attribute, change the value for CN=SID-History from 1 to 8:

CN=SID-History,CN=Schema,CN=Configuration,<rest of domain>

Below are snapshots pertaining to the above procedures.
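The following PowerShell script is an added example, not part of this article or of the Galaxy software: it binds to the schema with ADSI (the same interface ADSI Edit uses), reads the searchFlags value of the two attributes above, and reports whether bit 8 (the preserve-on-delete flag) is set, so you can confirm the change before the first backup. With the -Apply switch it sets the bit using a bitwise OR, which keeps the existing index bit on SID-History instead of replacing the whole value with 8 as the manual steps do; applying requires Schema Admins membership and a bind to the schema master.

```powershell
# Added example (not from the original article): verify, and optionally set,
# the preserve-on-delete bit on the schema attributes this article modifies.
# Assumes the account can read the schema; -Apply additionally assumes Schema
# Admins membership and that the default bind lands on the schema master DC.
param(
    [switch]$Apply   # without -Apply the script only reports
)

# searchFlags bit 0x8 keeps the attribute's value on the tombstone.
$PRESERVE_ON_DELETE = 0x8

$rootDse  = [ADSI]"LDAP://RootDSE"
$schemaNC = $rootDse.Properties['schemaNamingContext'].Value

foreach ($attr in 'Unicode-Pwd', 'SID-History') {
    # Bind to the attributeSchema object, e.g. CN=Unicode-Pwd,CN=Schema,CN=Configuration,...
    $entry = [ADSI]"LDAP://CN=$attr,$schemaNC"
    $flags = [int]$entry.Properties['searchFlags'].Value
    $preserved = ($flags -band $PRESERVE_ON_DELETE) -ne 0

    "{0,-12} searchFlags={1,-3} preserveOnDelete={2}" -f $attr, $flags, $preserved

    if ($Apply -and -not $preserved) {
        # OR the bit in rather than overwriting, so existing bits
        # (e.g. the index flag, value 1, default on SID-History) are retained.
        $newFlags = $flags -bor $PRESERVE_ON_DELETE
        $entry.Put('searchFlags', $newFlags)
        $entry.SetInfo()
        "  -> searchFlags on $attr changed from $flags to $newFlags"
    }
}
```

Run it without -Apply after adldaptool or the manual ADSI Edit steps; both attributes should report preserveOnDelete=True.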

Additional information:

See “Reanimating Tombstones — Restoring Individual Objects Online”

Cut from the article:

Reanimating Tombstones — Restoring Individual Objects Online

The Windows Server 2003 directory database supports an LDAP API that reanimates the tombstone of a single object (undeletes the object) to avoid the necessity for an offline restore process in the event that an object is deleted unintentionally. This API is available for creating applications to restore the attributes that are preserved on tombstones, which include the object SID, GUID, and security descriptor, as well as any indexed attributes.

Note:
When the deletion is performed on a domain controller that is running Windows Server 2003 with SP1, the sIDHistory attribute is also retained.

Only attributes that are retained on the tombstone are restored; all other data must be recreated. Therefore, to restore an entire deleted container or a set of multiple objects, authoritative restore is still the best option.

Also see: