How-To set up the AD iDA to Restore Password Info.

By default, when an object is deleted in Active Directory on Windows Server 2003, the password is stripped
and not preserved for the account. This is due to the default schema settings of Active Directory.
When a deleted object is undeleted on Windows Server 2003, the system brings back the user account
as enabled, but the operating system security marks it as disabled because the password is now missing
from the account. You will be prompted to reset the password upon the next log on.
If you make the following changes to the Active Directory Schema before backing up Active Directory
using the Active Directory iDA on a Windows 2003 Domain Controller, the user and computer account
passwords will be restored and there will be no need to reset them after these objects are restored.
Details
With Windows 2003, both the Sid-History and password attributes (Unicode-PWD) are stripped from an
object when it is moved into the Deleted Objects container. When the object is undeleted, it is missing
the password attributes since they have been stripped, and so Windows Security marks these objects as
disabled.
Windows 2003 SP1 now keeps the Sid-History attribute; however, the password attribute is still stripped.
Note that this behavior is a function of Active Directory and not something caused by Galaxy software.
CommVault Galaxy will just automate the undelete of the object(s) and then restore the modifiable
attributes that were backed up.
The schema changes recommended below are necessary to be able to undelete an object and retain the
SID and password attributes.
Since these are changes that need to be made to the Active Directory schema, it’s advised that you
consult with Microsoft if you require detailed explanation on these settings or how else they may impact
your environment.
Procedure
The adldaptool.exe utility, included with Galaxy 5.9 and above, automates the procedure listed below.
You must run this utility on the client before your first backup to enable restores of passwords for User
and Computer Accounts. If you do not run this utility before your first backup you will not be able to
restore the passwords, and will have to manually reset the accounts after the restore.
To run the adldaptool.exe utility:
1. From the command line, navigate to the Galaxy\base directory on the system that has the Active
   Directory iDA installed.
2. Enter the following command:
   adldaptool <username> <password> -computer <machine name> -setschema 1
3. Once this utility has been run, you may begin performing backup operations.
If you wish to reverse the schema changes, run the same command with the following switch in place of -setschema 1:
-setschema 0
Configure the schema manually
If you would like to perform these steps manually instead of using the adldaptool, here is the procedure:
Use ADSI Edit to load the schema and change the following:
For search flags, change the value for CN=Unicode-Pwd from 0 to 8:
CN=Unicode-Pwd,CN=Schema,CN=Configuration,<rest of domain>
For search flags, change the value for CN=SID-History from 1 to 8:
CN=SID-History,CN=Schema,CN=Configuration,<rest of domain>
Below are snapshots pertaining to the above procedures.
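As an added example (not part of the Galaxy documentation and not the adldaptool itself), the following PowerShell script checks the two schema attributes through ADSI, the same interface ADSI Edit uses, and reports whether bit 8 (preserve on tombstone) is set before the first backup. With -Fix it ORs bit 8 into the existing value rather than overwriting it, so an index flag already present on SID-History is kept; it assumes a domain-joined host, Schema Admins membership and write access to the schema master.

```powershell
# Added example: verify (and optionally set) the "preserve on tombstone" search flag
# on the two schema attributes the procedure above changes. Assumes a domain-joined
# host and Schema Admins rights; uses ADSI, like the manual ADSI Edit procedure.
param(
    [switch]$Fix   # without -Fix the script only reports, it changes nothing
)

# searchFlags bit 0x08 = keep this attribute on the tombstone when the object is deleted
$PreserveOnDelete = 8
# Schema attribute common names the procedure above changes
$AttributeNames = @('Unicode-Pwd', 'SID-History')

$rootDse  = [ADSI]"LDAP://RootDSE"
$schemaNC = $rootDse.Get("schemaNamingContext")

$changed = $false
$allOk   = $true
foreach ($cn in $AttributeNames) {
    $attr      = [ADSI]"LDAP://CN=$cn,$schemaNC"
    $flags     = [int]$attr.Get("searchFlags")
    $preserved = ($flags -band $PreserveOnDelete) -ne 0
    "{0,-12} searchFlags={1,-3} preserve-on-tombstone={2}" -f $cn, $flags, $preserved

    if (-not $preserved) {
        $allOk = $false
        if ($Fix) {
            # OR the bit in instead of writing a fixed value, so an existing index bit (1) survives
            $newFlags = $flags -bor $PreserveOnDelete
            $attr.Put("searchFlags", $newFlags)
            $attr.SetInfo()
            $changed = $true
            "  -> searchFlags set to $newFlags"
        }
    }
}

if ($changed) {
    # Ask the DC to reload its schema cache now instead of waiting for the periodic refresh
    $rootDse.Put("schemaUpdateNow", 1)
    $rootDse.SetInfo()
}

if ($allOk) {
    "Both attributes are already preserved on tombstones; passwords will survive an undelete."
} elseif (-not $Fix) {
    "Run again with -Fix (or adldaptool -setschema 1) before the first AD iDA backup."
}
```

Run it from an elevated PowerShell session once without -Fix to see the current values, and keep the reported values with your backup records so a restore can be checked against the schema state at backup time.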
Additional information:
See “Reanimating Tombstones — Restoring Individual Objects Online”
http://technet2.microsoft.com/WindowsServer/en/Library/54094485-71f6-4be8-8ebffaa45bc5db4c1033.mspx
Cut from the article:
Reanimating Tombstones — Restoring Individual Objects Online
The Windows Server 2003 directory database supports an LDAP API that reanimates the tombstone
of a single object (undeletes the object) to avoid the necessity for an offline restore process in the
event that an object is deleted unintentionally. This API is available for creating applications to
restore the attributes that are preserved on tombstones, which include the object SID, GUID, and
security descriptor, as well as any indexed attributes.
Note:
When the deletion is performed on a domain controller that is running Windows Server 2003 with SP1, the sIDHistory
attribute is also retained.
Only attributes that are retained on the tombstone are restored; all other data must be recreated.
Therefore, to restore an entire deleted container or a set of multiple objects, authoritative restore is
still the best option.
Also see: http://support.microsoft.com/default.aspx?scid=kb;en-us;840001