Even the best-run network still needs to ensure survival
Remember when Windows 95 introduced us to the Recycle Bin? We’ve had this feature for so long that we forget how painful it was in the olden days, until we accidentally delete something in Active Directory (AD). Windows Server 2003 introduced tombstone reanimation, the ability to bring a deleted object back from its tombstone, which was the closest thing AD had to a recycle bin at the time. Unfortunately, nobody in Redmond wrote a GUI for the new feature. This led to a couple of free tools that tapped into the deleted objects, letting you save the day (and, perhaps, your job). One notable entry was Mark Russinovich’s AdRestore, a small, 42K tool that recovers deleted AD objects (see the sidebar at the end of this article titled “3 Free Active Directory Restore Solutions”). Unfortunately, only the object itself is recovered: a tombstone keeps just a handful of attributes (objectGUID, objectSid, SID history and the security descriptor among them), so the rest of the attributes and the object’s group memberships are gone.
Windows Server 2008 R2 introduced a true AD Recycle Bin, an optional forest-level feature (it requires the Windows Server 2008 R2 forest functional level and can’t be turned off once enabled) that preserves a deleted object’s attributes and linked group memberships for its deleted-object lifetime, but it still doesn’t come close to the feature set of the two products in this review. Before I dive into their features, I’d like to point out that under most circumstances, accidental object deletion shouldn’t happen at all. A properly designed organizational unit (OU) structure with delegated permissions prevents desktop technicians and junior administrators from deleting AD objects in the first place: they should have permission to disable an account, but not to delete it. In ACL terms, that means granting write access to the account’s userAccountControl attribute while withholding Delete, Delete Child and Delete Subtree on the OU and the objects beneath it.
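The following PowerShell is an added example, not code from the article, NetWrix or Quest. It implements the “disable but not delete” delegation just described on a single OU and then audits which principals can still delete objects beneath it. It assumes the ActiveDirectory module (RSAT) on a domain-joined machine; the OU distinguished name and the help-desk group are hypothetical.

```powershell
# Added example (not from the article, NetWrix or Quest): delegate "disable but not
# delete" on an OU and then audit who can still delete beneath it.
# Assumes the ActiveDirectory module (RSAT) on a domain-joined box. The OU and
# group names below are hypothetical; change them for your forest.
Import-Module ActiveDirectory

$ouDn  = 'OU=Staff,DC=corp,DC=example'   # hypothetical OU
$group = 'CORP\HelpDesk'                 # hypothetical delegated group

# Resolve schema GUIDs at run time instead of hard-coding them.
$schemaNc = (Get-ADRootDSE).schemaNamingContext
function Get-SchemaGuid([string]$ldapDisplayName) {
    $obj = Get-ADObject -SearchBase $schemaNc -LDAPFilter "(lDAPDisplayName=$ldapDisplayName)" -Properties schemaIDGUID
    return [guid]$obj.schemaIDGUID
}
$uacGuid  = Get-SchemaGuid 'userAccountControl'   # the one attribute the help desk may write
$userGuid = Get-SchemaGuid 'user'                 # ... and only on user objects

# Grant WriteProperty on userAccountControl for all descendant user objects.
# Nothing here grants Delete, DeleteChild or DeleteTree, so the delegate can
# disable an account (or re-enable it) but cannot remove it.
$sid  = (New-Object System.Security.Principal.NTAccount($group)).Translate([System.Security.Principal.SecurityIdentifier])
$rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
            $sid,
            [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
            [System.Security.AccessControl.AccessControlType]::Allow,
            $uacGuid,
            [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
            $userGuid)
$acl = Get-Acl -Path "AD:\$ouDn"
$acl.AddAccessRule($rule)
Set-Acl -Path "AD:\$ouDn" -AclObject $acl

# Audit: list every Allow ACE on the OU that carries a delete right (or GenericAll,
# which implies it). Anything here besides SYSTEM, Domain Admins and Enterprise
# Admins deserves a second look.
function Get-DeleteCapableAces([string]$dn) {
    $deleteMask = [System.DirectoryServices.ActiveDirectoryRights]'Delete,DeleteChild,DeleteTree,GenericAll'
    (Get-Acl -Path "AD:\$dn").Access |
        Where-Object { $_.AccessControlType -eq 'Allow' -and (($_.ActiveDirectoryRights -band $deleteMask) -ne 0) } |
        Select-Object IdentityReference, ActiveDirectoryRights, IsInherited, InheritanceType
}
Get-DeleteCapableAces $ouDn | Format-Table -AutoSize
```

Run the audit half on its own first; inherited ACEs from the domain head (for example, a broad “Full Control” grant to an old admin group) are the usual reason a technician can delete objects even though nobody delegated that on the OU itself.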
However, even the best-run network still needs to ensure survival in the case of an “oops” or in case of a disaster. Let’s check out how these two products can help you in this endeavor. One is an inexpensive, very useful “Chevy” and the other is a much more expensive “Cadillac.”
NetWrix Active Directory Change Reporter lets you quickly restore deleted or modified objects in any version of AD (Windows 2000 Server or later). It also includes a robust reporting feature that keeps track of all AD changes that occurred in the last 24 hours.
Setup uses a single 8MB installer once the prerequisites (IIS and .NET 2.0) are in place. After you accept the license agreement and select the file location, the installation takes only a few seconds. When the installation is complete, a dialog box asks you to either configure the application later, launch a basic configuration, or launch a full-featured configuration. I decided to use the basic configuration that the Quick Start Guide recommends.
After I entered the license information, I used the Quick Start Guide to configure the remaining settings, such as long-term archiving of deleted AD objects, SMTP server, and the email accounts where the AD reports should be sent. This wizard also walks you through setting up advanced reporting (SQL Server Reporting Services), and a report delivery schedule. Licensing is set via a serial key code.
A dialog box informed me that the forest’s tombstone lifetime was set to 180 days and advised changing it to 744 so that deleted objects remain recoverable for longer; choosing Yes in the dialog box makes the change. Keep in mind that tombstoneLifetime is a forest-wide setting, expressed in days, on the Directory Service object in the configuration partition: raising it lengthens the window in which a tombstone can be reanimated (and in which a system state backup is still restorable), at the cost of carrying more tombstones in the directory.
When the simple installation was complete, I naturally tried to delete something to see if I could recover it. I created a new user called “Eric,” then promptly deleted it. Next, I chose the NetWrix AD Object Restore Wizard, which quickly walked me through restoring my object (see Figure 1). However, just like in some freeware AD restore tools, such as the AdRestore utility (which you can read about in the sidebar “3 Free Active Directory Restore Solutions”), only the object itself is restored—the properties (last name, description, office) and any group memberships aren’t recovered.
To restore the whole object (including the individual properties within the object), you need to take a snapshot of the directory ahead of time. This is done on a schedule for you every 24 hours or you can run it manually via Windows Scheduled Tasks. With this snapshot, you can restore not only the object, but all of the attributes within the object.
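As an added example, not code from the article, NetWrix or Quest, the PowerShell below walks through the attribute gap just described in a lab: it captures the attributes and group memberships a tombstone will not keep (a home-grown stand-in for the product’s scheduled snapshot), shows what is actually left on the tombstone after the deletion, reanimates it with Restore-ADObject (the same tombstone reanimation AdRestore performs), and then writes the captured attributes and memberships back. It assumes the ActiveDirectory module, a lab forest without the 2008 R2 Recycle Bin turned on, and a hypothetical test user and snapshot path.

```powershell
# Added example (not from the article, NetWrix or Quest): see what a tombstone keeps,
# reanimate it, and put back what it lost from a snapshot taken beforehand.
# Assumes the ActiveDirectory module and a lab forest with the Recycle Bin OFF.
# The user name and snapshot path are hypothetical.
Import-Module ActiveDirectory

$sam      = 'eric'                      # hypothetical test user
$snapshot = 'C:\ADSnapshots\eric.clixml' # hypothetical snapshot location

# Attributes a tombstone drops that we want back after reanimation.
$attrNames = 'givenName','sn','displayName','description','physicalDeliveryOfficeName',
             'mail','userPrincipalName','title','department'

# Step 1 (before the "oops"): capture attributes and group memberships to disk.
# The objectGUID survives deletion and is the key we use to find the tombstone later.
function Save-UserSnapshot([string]$samAccountName, [string]$path) {
    $u = Get-ADUser -Identity $samAccountName -Properties ($attrNames + 'memberOf')
    New-Item -ItemType Directory -Force -Path (Split-Path $path) | Out-Null
    $u | Export-Clixml -Path $path
    return $u
}

# Step 2 (after the deletion): show what survived. Deleted objects live under
# CN=Deleted Objects and are only returned with -IncludeDeletedObjects; with
# -Properties * the list of populated attributes IS the list the tombstone retained.
function Get-TombstoneView([guid]$objectGuid) {
    Get-ADObject -Identity $objectGuid -IncludeDeletedObjects -Properties * |
        Select-Object Name, ObjectGUID, lastKnownParent,
                      @{ n = 'RetainedAttributes'; e = { ($_.PropertyNames | Sort-Object) -join ',' } }
}

# Step 3: reanimate. The object returns to lastKnownParent carrying only the
# retained attributes; a reanimated user comes back disabled and without a password.
function Restore-Tombstone([guid]$objectGuid) {
    Restore-ADObject -Identity $objectGuid -PassThru
}

# Step 4: re-apply the snapshot. Only non-empty attributes are written back.
# memberOf is a back-link and not writable, so each group is re-joined from the
# group side with Add-ADGroupMember.
function Restore-FromSnapshot([string]$path) {
    $saved = Import-Clixml -Path $path
    $attrs = @{}
    foreach ($a in $attrNames) { if ($saved.$a) { $attrs[$a] = $saved.$a } }
    if ($attrs.Count -gt 0) { Set-ADUser -Identity $saved.ObjectGUID -Replace $attrs }
    foreach ($groupDn in $saved.memberOf) { Add-ADGroupMember -Identity $groupDn -Members $saved.ObjectGUID }
    # The password is gone for good: Set-ADAccountPassword and Enable-ADAccount are a separate, deliberate step.
    return Get-ADUser -Identity $saved.ObjectGUID -Properties ($attrNames + 'memberOf')
}

# Lab run, in order:
#   $u = Save-UserSnapshot $sam $snapshot
#   (delete the user in Active Directory Users and Computers)
#   Get-TombstoneView $u.ObjectGUID
#   Restore-Tombstone  $u.ObjectGUID
#   Restore-FromSnapshot $snapshot
```

The RetainedAttributes column from step 2 is the concrete version of the limitation the article keeps returning to: the security identity (objectGUID, objectSid, sIDHistory, the security descriptor) is intact, which is why a reanimated account keeps its old access, while the descriptive attributes and every group link have to come from somewhere else.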
NetWrix also has a very sophisticated reporting feature that tracks what happens to objects in AD. Some examples of reports you can choose include All AD Changes by Date, All AD Changes by Object Type, and All AD Changes by User. There are 38 canned reports that offer a view into AD that many desperately need. In addition, another 33 reports track changes to Microsoft Exchange Server and Group Policy. If these reports don’t provide the information that you require, you can use SQL Server Reporting Services to dive deeper into the data. Note: Windows 2000 doesn’t record the “Who Changed” field, so if your AD domain is still at the Windows 2000 functional level, that column will be empty for you.
NetWrix Active Directory Change Reporter has an impressive feature set for a small price point. If you need something better than the built-in functionality that Microsoft delivers, yet don’t want to pay the price of the big boys, then it’s the obvious choice.
NetWrix Active Directory Change Reporter
Quest Recovery Manager for Active Directory is an enterprise-level directory services recovery tool. In addition to providing tombstone and rollback functionality, Recovery Manager can also restore entire domain controllers (DCs)—even to dissimilar hardware.
The setup for Recovery Manager takes significantly longer and is more involved than the NetWrix product and requires quite a few prerequisites: Microsoft SQL Server 2008 Native Client, Microsoft .NET Framework 3.5 SP1, SQL Server Compact 3.5 SP1, SQL Server System CLR Types, SQL Server 2008 Management Objects, and Windows PowerShell 1.0. Each prerequisite is included and is installed for you. The setup requires one reboot halfway through the installation, but it immediately continues where it left off. A license file provides product licenses.
The longer setup time for Recovery Manager merely reflects the fact that it’s a much larger product with many more features. This becomes very clear when Recovery Manager first starts—five icons appear, labeled by task: Back Up Active Directory, Restore AD Objects, Restore AD LDS (ADAM) Objects, Restore Group Policy, Restore Active Directory.
I jumped right in and backed up AD. You can back up each DC separately, back up a specific container in AD, back up an ADAM directory, or back up a list of specific machines supplied in a text file. The backup can be run immediately or scheduled. Finally, you can specify a computer collection where the DCs will reside. This is useful if you want to back up the DCs in a specific AD site and store the backups on a central store within that site.
After you set up the backup and get it scheduled, you can wait for it to run or run it manually via Scheduled Tasks. To test the functionality, I created a couple of users, manually ran the backup (it takes only a few seconds on a small domain), then deleted a user. In Active Directory Users and Computers, I noticed a new Deleted Objects container at the top of the tree. Selecting this container shows all of the objects that have been deleted. I right-clicked the deleted user and chose Recover Deleted Objects.
From this wizard, you could use the built-in recycle bin and simply "undelete" the object; however, as you know, this only recovers the object, not the attributes of the object. So instead I chose Restore Objects from the Selected backup, which Figure 2 shows.
Next I needed to choose between an agentless and agent-based method. Recovery Manager’s deployment guide details the advantages and disadvantages of each. In short, the agentless method uses LDAP (which is less intrusive than installing a client), but requires you to extend the AD schema if you want to restore SID history or user passwords. (To learn why SID history can be important, see my article about migrating AD after a company merger at windowsitpro.com, InstantDoc ID 102596.) An agent-based restore doesn’t require any changes to the schema and is faster than using LDAP. If you choose to use the agent-based method, the agent is installed onto the domain controller (DC) during the restoration and is automatically removed when complete.
In just a few seconds, the deleted account was restored, along with all of its individual attributes. Note: If you do decide to extend the schema to allow password and SID history recovery without the agent, a simple GUI called Password and SIDHistory Schema Configuration is provided. Another separate application included with Recovery Manager is the Clone Wizard. If you have ever tried to restore AD onto dissimilar hardware after a disaster (or clone your environment for a lab), you will love this tool.
Recovery Manager is an extremely robust solution that ensures the recovery of everything in your directory structure—from the entire domain down to an individual object. More expensive than the NetWrix product, it also has many more features, such as AD site awareness, DC cloning, Group Policy backup, and direct integration with Active Directory Users and Computers.
Quest Recovery Manager for Active Directory
When we do a product review with multiple products, a clear winner is normally chosen and awarded the “Editor’s Choice” designation. However, this works only when you compare apples to apples. These two products are in two different leagues.
NetWrix Active Directory Change Reporter provides great rollback functionality for deleted AD objects that is head and shoulders better than the built-in functionality in AD. Its reporting capability and very low cost per active user make it a logical choice for a less complex network in a company on a budget. If your AD is not that complex, consider this Chevy.
Quest Recovery Manager for Active Directory, on the other hand, is a Cadillac designed for larger environments. Its higher sticker price might be a turn-off to some, but before you dismiss it outright, consider the cost and “interruption factor” of a major AD disaster. You might find the additional cost of Recovery Manager to be well worth it.
Support for both products is provided via a Knowledge Base website where you can also open new incidents. Phone support is also available. The choice is yours: Simple and inexpensive, or very robust with a higher price—you can’t go wrong either way.
Still want to tap into the tombstone “recycle bin” found in Windows Server 2003 but don’t need additional features? Try a freeware solution. It’s probable that there are more than the three free solutions I list below—please drop me a line and let me know. I’ll keep the online version of this article updated with any additional products that I hear about. If you didn’t know about the Active Directory Recycle Bin or these tools, fire up your VM lab and give these a try. For free utilities, they’re pretty cool.
ADRestore v1.1. This is a Sysinternals tool (now hosted by Microsoft), written by Mark Russinovich. As you might recall, Mark has written many, many useful freeware utilities such as psexec, regmon, filemon, and of course, the famous BSOD screensaver. The lightweight ADRestore command-line utility is simple: Execute “adrestore.exe” to list the tombstoned objects that are available to recover (an optional search filter narrows the list), then run “adrestore.exe -r” to be prompted, object by object, for which ones to reanimate. Simple and effective.
Quest Software Object Restore for Active Directory. This product is very similar in functionality to Mark’s ADRestore but has a GUI interface that might be more comfortable for some administrators. Find it at Quest's website. In my tests of both products, their functionality appeared to be identical.
Quest Software Active Directory Recycle Bin PowerPack. This tool extends Quest’s PowerGUI admin console. Find it at the PowerGUI website. The first step is to download both the PowerPack and PowerGUI. Install PowerGUI, then import the PowerPack. What I really like about this tool is that it checks to see whether the Windows Server 2008 R2 Recycle Bin feature is turned on, then offers to turn it on for you. Note that this action is irreversible and involves more than a simple click: every domain controller in the forest must run Windows Server 2008 R2, the forest functional level must be raised to Windows Server 2008 R2 first, and once enabled the feature can never be turned off. Be sure to do your due diligence before turning it on. More details can be found on Microsoft’s TechNet site.
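The check the PowerPack performs, and the tombstone-lifetime question the NetWrix setup dialog raised earlier, can both be answered from PowerShell. The block below is an added example, not code from the article, Quest, NetWrix or Microsoft’s PowerPack: it reports the forest functional level, whether the Recycle Bin is enabled, the tombstone and deleted-object lifetimes that govern how long a deletion stays recoverable, and it only enables the feature after confirming the functional-level prerequisite. It assumes the ActiveDirectory module and Enterprise Admins rights for the enable step; the function names are the example’s own.

```powershell
# Added example (not from the article, Quest, NetWrix or Microsoft's PowerPack):
# report the recovery window and Recycle Bin state, and enable the Recycle Bin
# only when the forest is ready for it. Assumes the ActiveDirectory module and
# Enterprise Admins rights for Enable-AdRecycleBinChecked.
Import-Module ActiveDirectory

function Get-AdRecoveryWindow {
    $rootDse  = Get-ADRootDSE
    $dsConfig = Get-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$($rootDse.configurationNamingContext)" `
                             -Properties tombstoneLifetime, 'msDS-DeletedObjectLifetime'
    $feature  = Get-ADOptionalFeature -Filter 'name -eq "Recycle Bin Feature"'
    $enabled  = ($feature.EnabledScopes.Count -gt 0)

    # An absent tombstoneLifetime means the pre-2003-SP1 default of 60 days.
    $tsl = if ($dsConfig.tombstoneLifetime) { [int]$dsConfig.tombstoneLifetime } else { 60 }
    # With the Recycle Bin on, msDS-DeletedObjectLifetime governs how long an object
    # stays fully recoverable; when that attribute is unset it follows tombstoneLifetime.
    $dol = if ($dsConfig.'msDS-DeletedObjectLifetime') { [int]$dsConfig.'msDS-DeletedObjectLifetime' } else { $tsl }
    $windowDays = if ($enabled) { $dol } else { $tsl }

    [pscustomobject]@{
        ForestMode                 = (Get-ADForest).ForestMode
        RecycleBinEnabled          = $enabled
        TombstoneLifetimeDays      = $tsl
        DeletedObjectLifetimeDays  = $(if ($enabled) { $dol } else { $null })
        RecoverableUntilIfDeletedToday = (Get-Date).AddDays($windowDays).ToShortDateString()
    }
}

function Enable-AdRecycleBinChecked {
    $forest = Get-ADForest
    $state  = Get-AdRecoveryWindow
    if ($state.RecycleBinEnabled) { Write-Host 'Recycle Bin is already enabled.'; return }
    # Prerequisite: forest functional level of Windows Server 2008 R2 or later
    # (which in turn means every DC runs 2008 R2 or later). ForestMode is an enum,
    # so compare numerically.
    if ([int]$forest.ForestMode -lt [int][Microsoft.ActiveDirectory.Management.ADForestMode]::Windows2008R2Forest) {
        throw "Forest functional level is $($forest.ForestMode); raise it to Windows2008R2Forest first."
    }
    # Irreversible: once enabled, the feature cannot be disabled, so keep the confirmation prompt.
    Enable-ADOptionalFeature -Identity 'Recycle Bin Feature' -Scope ForestOrConfigurationSet `
                             -Target $forest.Name -Confirm:$true
}

Get-AdRecoveryWindow | Format-List
```

Run Get-AdRecoveryWindow alone first; the RecoverableUntilIfDeletedToday date is the honest answer to “how long do I have” for whichever mechanism (tombstone or Recycle Bin) your forest is actually using, and it is the number the 744-day recommendation in the NetWrix setup is really about.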