Windows Server 2003: Restore and Reanimation of Tombstoned Group Membership Links




Written by Liju Varghese, Premier Field Engineer.

The Issue

Performing an authoritative restore on a Windows Server 2003 domain controller of a group results in the reanimation of tombstoned group membership links.

The Impact

If an Organizational Unit containing Users and Groups was deleted, the authoritative restore of the OU will result in users being re-added to groups they were removed from. This can lead to unexpected behavior. For example, these users may be able to access resources they should not have permissions to, or vice versa.

How To Resolve The Issue

Install hotfix KB951320 on all domain controllers running Windows Server 2003 and take fresh backups

Steps to Reproduce The Issue

Use the following:

clip_image001 Domain controller(s) running Windows Server 2003, Ent. Ed. SP2 (5.2.3790)

clip_image001[1] NTDSUtil.exe: version 5.2.3790.3959 (srv03_sp2_rtm.070216-1710)

  1. Create an organizational unit named AuthRestore and within it 3 users, ARUser01, ARUser02 and ARUser03. Create a domain global group, ARGroup01 and add the 3 users as membersclip_image002
  2. Run the following command to verify the status of ARGroup01’s member attribute:
    C:\>RepAdmin /ShowObjMeta 2k3RootDC01 "CN=ARGroup01,OU=AuthRestore,OU=POC,DC=2k3
    dom,DC=local11 entries.
    Loc.USN Originating DC Org.USN Org.Time/Date Ver Attribute
    ======= =============== ========= ============= === =========
    122932 North\2K3ROOTDC01 122932 2011-11-30 14:36:06 1 objectClass
    122932 North\2K3ROOTDC01 122932 2011-11-30 14:36:06 1 cn
    122932 North\2K3ROOTDC01 122932 2011-11-30 14:36:06 1 instanceType
    122932 North\2K3ROOTDC01 122932 2011-11-30 14:36:06 1 whenCreated
    122932 North\2K3ROOTDC01 122932 2011-11-30 14:36:06 1 nTSecurityDescriptor
    122932 North\2K3ROOTDC01 122932 2011-11-30 14:36:06 1 name
    122932 North\2K3ROOTDC01 122932 2011-11-30 14:36:06 1 objectSid
    122932 North\2K3ROOTDC01 122932 2011-11-30 14:36:06 1 sAMAccountName
    122932 North\2K3ROOTDC01 122932 2011-11-30 14:36:06 1 sAMAccountType
    122932 North\2K3ROOTDC01 122932 2011-11-30 14:36:06 1 groupType
    122932 North\2K3ROOTDC01 122932 2011-11-30 14:36:06 1 objectCategory
    3 entries.
    Type Attribute Last Mod Time Originating DC Loc.USN Org.USN Ver Distinguished Name
    ======= ============ ============= ================= ======= ======= === =============================
    PRESENT member 2011-11-30 14:36:19 North\2K3ROOTDC01 122935 122935 1 CN=ARUser01,OU=AuthRestore,OU=POC,DC=2k3Dom,DC=local
    PRESENT member 2011-11-30 14:36:19 North\2K3ROOTDC01 122936 122936 1 CN=ARUser02,OU=AuthRestore,OU=POC,DC=2k3Dom,DC=local
    PRESENT member 2011-11-30 14:36:19 North\2K3ROOTDC01 122937 122937 1 CN=ARUser03,OU=AuthRestore,OU=POC,DC=2k3Dom,DC=local
      

A value of type Legacy indicates that it does not contain individual replication metadata
A value of type Present indicates one with additional replication metadata attached, and therefore replicated using Linked Value Replication (LVR)
A value of type Absent denotes a deleted value with additional metadata attached. The entry is similar to a tombstoned object where it references the knowledge of a removed value in a LVR enabled attribute and will be garbage collected after TSL.

 

3.  Remove ARUser01 from ARGroup01:clip_image003

4.  Verify the status using the RepAdmin /ShowObjMetacommand:

C:\>RepAdmin /ShowObjMeta 2k3RootDC01 "CN=ARGroup01,OU=AuthRestore,OU=POC,DC=2k3
dom,DC=local 11 entries.
Loc.USN Originating DC Org.USN Org.Time/Date Ver Attribute
======= =============== ========= ============= === =========
122932 North\2K3ROOTDC01 122932 2011-11-30 14:36:06 1 objectClass
122932 North\2K3ROOTDC01 122932 2011-11-30 14:36:06 1 cn
122932 North\2K3ROOTDC01 122932 2011-11-30 14:36:06 1 instanceType
122932 North\2K3ROOTDC01 122932 2011-11-30 14:36:06 1 whenCreated
122932 North\2K3ROOTDC01 122932 2011-11-30 14:36:06 1 nTSecurityDescriptor
122932 North\2K3ROOTDC01 122932 2011-11-30 14:36:06 1 name
122932 North\2K3ROOTDC01 122932 2011-11-30 14:36:06 1 objectSid
122932 North\2K3ROOTDC01 122932 2011-11-30 14:36:06 1 sAMAccountName
122932 North\2K3ROOTDC01 122932 2011-11-30 14:36:06 1 sAMAccountType
122932 North\2K3ROOTDC01 122932 2011-11-30 14:36:06 1 groupType
122932 North\2K3ROOTDC01 122932 2011-11-30 14:36:06 1 objectCategory 3 entries.
Type Attribute Last Mod Time Originating DC Loc.USN Org.USN Ver Distinguished Name
======= ============ ============= ================= ======= ======= === =============================
PRESENT member 2011-11-30 14:36:19 North\2K3ROOTDC01 122935 122935 1 CN=ARUser01,OU=AuthRestore,OU=POC,DC=2k3Dom,DC=local
ABSENT member 2011-11-30 16:01:38 North\2K3ROOTDC01 122941 122941 2 CN=ARUser02,OU=AuthRestore,OU=POC,DC=2k3Dom,DC=local
PRESENT member 2011-11-30 14:36:19 North\2K3ROOTDC01 122937 122937 1
CN=ARUser03,OU=AuthRestore,OU=POC,DC=2k3Dom,DC=local

5. Take a System State backup using NTBackup:

clip_image004

6. Delete the AuthRestore organizational unit

7. Reboot into Directory Services Restore Mode. To make the process easier, use the System Configuration Utility to set the DSRepair Boot.ini switch:

clip_image005clip_image006

8. Perform a restore of the System State using NTBackup, but leave the option When restoring replicated data sets, mark the restored data as the primary data for all replicas unchecked under Advanced Restore Options unless this is the only domain controller in the domain:

clip_image007clip_image008

9.  Do not reboot at the end of the restore

clip_image009

10. Using the NTDSUtil command mark the AuthRestore organizational unit authoritative:

clip_image010

C:\>ntdsutil

ntdsutil: authoritative restore

authoritative restore: restore subtree OU=AuthRestore,OU=POC,DC=2k3Dom,DC=local Opening DIT database… Done. The current time is 11-30-11 16:45.57.

Most recent database update occured at 11-30-11 16:01.38.

Increasing attribute version numbers by 100000. Counting records that need updating…

Records found: 0000000011

Done.

Found 11 records to update. Updating records…

Records remaining: 0000000000

Done.

Successfully updated 11 records.

The following text file with a list of authoritatively restored objects has been created in the current working directory:
ar_20111130-164557_objects.txt

One or more specified objects have back-links in this domain. The following LDIF files with link restore operations have been created in the current working directory:
ar_20111130-164557_links_2k3Dom.local.ldf

Authoritative Restore completed successfully.

authoritative restore: quit
ntdsutil: quit

Notice that an ldf file created contains a back-link from the user ARUser02 back to the ARGroup01 group:

dn: CN=ARGroup01,OU=AuthRestore,OU=POC,DC=2k3Dom,DC=local
changetype: modify
delete: member
member: CN=ARUser01,OU=AuthRestore,OU=POC,DC=2k3Dom,DC=local

dn: CN=ARGroup01,OU=AuthRestore,OU=POC,DC=2k3Dom,DC=local
changetype: modify
add: member
member: CN=ARUser01,OU=AuthRestore,OU=POC,DC=2k3Dom,DC=local

dn: CN=ARGroup01,OU=AuthRestore,OU=POC,DC=2k3Dom,DC=local
changetype: modify
delete: member
member: CN=ARUser02,OU=AuthRestore,OU=POC,DC=2k3Dom,DC=local

dn: CN=ARGroup01,OU=AuthRestore,OU=POC,DC=2k3Dom,DC=local
changetype: modify
add: member
member: CN=ARUser02,OU=AuthRestore,OU=POC,DC=2k3Dom,DC=local

dn: CN=ARGroup01,OU=AuthRestore,OU=POC,DC=2k3Dom,DC=local
changetype: modify
delete: member
member: CN=ARUser03,OU=AuthRestore,OU=POC,DC=2k3Dom,DC=local

dn: CN=ARGroup01,OU=AuthRestore,OU=POC,DC=2k3Dom,DC=local
changetype: modify
add: member
member: CN=ARUser03,OU=AuthRestore,OU=POC,DC=2k3Dom,DC=local

11. Reboot the domain controller into Normal mode; do not forget to clear the DSRepair Boot.ini switch:

clip_image011

12.  Import the contents of the ldf file using the LDIFDEcommand :

C:\>ldifde -i -k -f ar_20111130-164557_links_2k3Dom.local.ldf -s 2k3RootDC01
Connecting to "2k3RootDC01"
Logging in as current user using SSPI
Importing directory from file "ar_20111130-164557_links_2k3Dom.local.ldf"
Loading entries…….
5 entries modified successfully. The command has completed successfully

13.  You will notice that the user ARUser02 has been added back to the ARGroup01 group. This can be verified using the RepAdmin /ShowObjMeta command as well:

clip_image012C:\>RepAdmin /ShowObjMeta 2k3RootDC01 "CN=ARGroup01,OU=AuthRestore,OU=POC,DC=2k3
dom,DC=local 12 entries.
Loc.USN Originating DC Org.USN Org.Time/Date Ver Attribute
======= =============== ========= ============= === =========
126991 North\2K3ROOTDC01 126991 2011-11-30 16:45:5710 0001 objectClass
126991 North\2K3ROOTDC01 126991 2011-11-30 16:45:5710 0001 cn
126991 North\2K3ROOTDC01 126991 2011-11-30 16:45:5710 0001 instanceType
122932 5677eb8e-3f5d-4657-a7c6-0ec3285afaa3 122932 2011-11-30 14:36:06 1 whenCreated
126991 North\2K3ROOTDC01 126991 2011-11-30 16:45:5710 0000 isDeleted
126991 North\2K3ROOTDC01 126991 2011-11-30 16:45:5710 0001 nTSecurityDescriptor
126991 North\2K3ROOTDC01 126991 2011-11-30 16:45:5710 0001 name
126991 North\2K3ROOTDC01 126991 2011-11-30 16:45:5710 0001 objectSid
126991 North\2K3ROOTDC01 126991 2011-11-30 16:45:5710 0001 sAMAccountName
126991 North\2K3ROOTDC01 126991 2011-11-30 16:45:5710 0001 sAMAccountType
126991 North\2K3ROOTDC01 126991 2011-11-30 16:45:5710 0001 groupType
126991 North\2K3ROOTDC01 126991 2011-11-30 16:45:5710 0001 objectCategory
3 entries. Type Attribute Last Mod Time Originating DC Loc.USN Org.USN Ver Distinguished Name
======= ============ ============= ================= ======= ======= === =============================
PRESENT member 2011-11-30 17:01:34 North\2K3ROOTDC01 127029 127029 200003 CN=ARUser01,OU=AuthRestore,OU=POC,DC=2k3Dom,DC=local
PRESENT member 2011-11-30 17:01:34 North\2K3ROOTDC01 127032 127032 200003 CN=ARUser02,OU=AuthRestore,OU=POC,DC=2k3Dom,DC=local
PRESENT member 2011-11-30 17:01:34 North\2K3ROOTDC01 127038 127038 200003 CN=ARUser03,OU=AuthRestore,OU=POC,DC=2k3Dom,DC=local

14. Install KB951320 The file version of NTDSUtil.exe should now show 5.2.3790.4299 (srv03_sp2_qfe.080522-1212)

15, Repeat Step 3 through Step 9 . This time around the ldf files does not have any entries for ARUser02dn:

CN=ARGroup01,OU=AuthRestore,OU=POC,DC=2k3Dom,DC=local
changetype: modify
delete: member
member: CN=ARUser01,OU=AuthRestore,OU=POC,DC=2k3Dom,DC=local
– dn: CN=ARGroup01,OU=AuthRestore,OU=POC,DC=2k3Dom,DC=local
changetype: modify
add: member
member: CN=ARUser01,OU=AuthRestore,OU=POC,DC=2k3Dom,DC=local
-dn: CN=ARGroup01,OU=AuthRestore,OU=POC,DC=2k3Dom,DC=local
changetype: modify
delete: member
member: CN=ARUser03,OU=AuthRestore,OU=POC,DC=2k3Dom,DC=local
-dn: CN=ARGroup01,OU=AuthRestore,OU=POC,DC=2k3Dom,DC=local
changetype: modify
add: member
member: CN=ARUser03,OU=AuthRestore,OU=POC,DC=2k3Dom,DC=local

16.  Upon rebooting and importing the ldf file we see that the member attribute for ARUser02 is listed as Absent as it should be:

C:\>RepAdmin /ShowObjMeta 2k3RootDC01 "CN=ARGroup01,OU=AuthRestore,OU=POC,DC=2k3
Dom,DC=local12 entries.
Loc.USN Originating DC Org.USN Org.Time/DateVer Attribute
======= =============== ========= ================ =========
131098 North\2K3ROOTDC01 131098 2011-11-30 23:45:10200001 objectClass
131098 North\2K3ROOTDC01 131098 2011-11-30 23:45:10200001 cn
131098 North\2K3ROOTDC01 131098 2011-11-30 23:45:10200001 instanceType
122932 5677eb8e-3f5d-4657-a7c6-0ec3285afaa3 122932 2011-11-30 14:36:06 1 whenCreated
131098 North\2K3ROOTDC01 131098 2011-11-30 23:45:10200000 isDeleted
131098 North\2K3ROOTDC01 131098 2011-11-30 23:45:10200001 nTSecurityDescriptor
131098 North\2K3ROOTDC01 131098 2011-11-30 23:45:10200001 name
131098 North\2K3ROOTDC01 131098 2011-11-30 23:45:10200001 objectSid
131098 North\2K3ROOTDC01 131098 2011-11-30 23:45:10200001 sAMAccountName
131098 North\2K3ROOTDC01 131098 2011-11-30 23:45:10200001 sAMAccountType
131098 North\2K3ROOTDC01 131098 2011-11-30 23:45:10200001 groupType
131098 North\2K3ROOTDC01 131098 2011-11-30 23:45:10200001 objectCategory 3 entries.
Type Attribute Last Mod Time Originating DCLoc.USN Org.USN Ver Distinguished Name
======= ============ ============= ======================== ======= === =============================
PRESENT member 2011-11-30 23:49:24 North\2K3ROOTDC01 131131 131131 400005 CN=ARUser01,OU=AuthRestore,OU=POC,DC=2k3Dom,DC=local
ABSENT member 2011-11-30 23:45:10 North\2K3ROOTDC01 131105 131105 400004 CN=ARUser02,OU=AuthRestore,OU=POC,DC=2k3Dom,DC=local
PRESENT member 2011-11-30 23:49:24 North\2K3ROOTDC01 131137 131137 400005 CN=ARUser03,OU=AuthRestore,OU=POC,DC=2k3Dom,DC=local

And the user is not listed in the Members tab of the group: clip_image013

Notes:

Comments (0)

Skip to main content