Windows Server 2003: Restore and Reanimation of Tombstoned Group Membership Links

Written by Liju Varghese, Premier Field Engineer.

The Issue

Performing an authoritative restore of a group on a Windows Server 2003 domain controller results in the reanimation of tombstoned group membership links.

The Impact

If an Organizational Unit containing Users and Groups was deleted, the authoritative restore of the OU will result in users being re-added to groups they were removed from. This can lead to unexpected behavior. For example, these users may be able to access resources they should not have permissions to, or vice versa.

How To Resolve The Issue

Install hotfix KB951320 on all domain controllers running Windows Server 2003 and take fresh backups.

Steps to Reproduce The Issue

Use the following:

- Domain controller(s) running Windows Server 2003, Ent. Ed. SP2 (5.2.3790)

- NTDSUtil.exe: version 5.2.3790.3959 (srv03_sp2_rtm.070216-1710)

  1. Create an organizational unit named AuthRestore and within it 3 users, ARUser01, ARUser02 and ARUser03. Create a domain global group, ARGroup01, and add the 3 users as members.
  2. Run the following command to verify the status of ARGroup01's member attribute:
    C:\>RepAdmin /ShowObjMeta 2k3RootDC01 "CN=ARGroup01,OU=AuthRestore,OU=POC,DC=2k3dom,DC=local"
    11 entries.
    Loc.USN Originating DC Org.USN Org.Time/Date Ver Attribute
    ======= =============== ========= ============= === =========
    122932 North\2K3ROOTDC01 122932 2011-11-30 14:36:06 1 objectClass
    122932 North\2K3ROOTDC01 122932 2011-11-30 14:36:06 1 cn
    122932 North\2K3ROOTDC01 122932 2011-11-30 14:36:06 1 instanceType
    122932 North\2K3ROOTDC01 122932 2011-11-30 14:36:06 1 whenCreated
    122932 North\2K3ROOTDC01 122932 2011-11-30 14:36:06 1 nTSecurityDescriptor
    122932 North\2K3ROOTDC01 122932 2011-11-30 14:36:06 1 name
    122932 North\2K3ROOTDC01 122932 2011-11-30 14:36:06 1 objectSid
    122932 North\2K3ROOTDC01 122932 2011-11-30 14:36:06 1 sAMAccountName
    122932 North\2K3ROOTDC01 122932 2011-11-30 14:36:06 1 sAMAccountType
    122932 North\2K3ROOTDC01 122932 2011-11-30 14:36:06 1 groupType
    122932 North\2K3ROOTDC01 122932 2011-11-30 14:36:06 1 objectCategory
    3 entries.
    Type Attribute Last Mod Time Originating DC Loc.USN Org.USN Ver Distinguished Name
    ======= ============ ============= ================= ======= ======= === =============================
    PRESENT member 2011-11-30 14:36:19 North\2K3ROOTDC01 122935 122935 1 CN=ARUser01,OU=AuthRestore,OU=POC,DC=2k3Dom,DC=local
    PRESENT member 2011-11-30 14:36:19 North\2K3ROOTDC01 122936 122936 1 CN=ARUser02,OU=AuthRestore,OU=POC,DC=2k3Dom,DC=local
    PRESENT member 2011-11-30 14:36:19 North\2K3ROOTDC01 122937 122937 1 CN=ARUser03,OU=AuthRestore,OU=POC,DC=2k3Dom,DC=local  

A value of type Legacy indicates a value that carries no individual replication metadata.
A value of type Present indicates a value with additional replication metadata attached, and therefore one that is replicated using Linked Value Replication (LVR).
A value of type Absent denotes a deleted value with additional metadata attached. The entry is similar to a tombstoned object: it preserves the knowledge that a value was removed from an LVR-enabled attribute, and it is garbage collected once the tombstone lifetime (TSL) expires.


3. Remove ARUser02 from ARGroup01:

4. Verify the status using the RepAdmin /ShowObjMeta command:

C:\>RepAdmin /ShowObjMeta 2k3RootDC01 "CN=ARGroup01,OU=AuthRestore,OU=POC,DC=2k3dom,DC=local"
11 entries.
Loc.USN Originating DC Org.USN Org.Time/Date Ver Attribute
======= =============== ========= ============= === =========
122932 North\2K3ROOTDC01 122932 2011-11-30 14:36:06 1 objectClass
122932 North\2K3ROOTDC01 122932 2011-11-30 14:36:06 1 cn
122932 North\2K3ROOTDC01 122932 2011-11-30 14:36:06 1 instanceType
122932 North\2K3ROOTDC01 122932 2011-11-30 14:36:06 1 whenCreated
122932 North\2K3ROOTDC01 122932 2011-11-30 14:36:06 1 nTSecurityDescriptor
122932 North\2K3ROOTDC01 122932 2011-11-30 14:36:06 1 name
122932 North\2K3ROOTDC01 122932 2011-11-30 14:36:06 1 objectSid
122932 North\2K3ROOTDC01 122932 2011-11-30 14:36:06 1 sAMAccountName
122932 North\2K3ROOTDC01 122932 2011-11-30 14:36:06 1 sAMAccountType
122932 North\2K3ROOTDC01 122932 2011-11-30 14:36:06 1 groupType
122932 North\2K3ROOTDC01 122932 2011-11-30 14:36:06 1 objectCategory
3 entries.
Type Attribute Last Mod Time Originating DC Loc.USN Org.USN Ver Distinguished Name
======= ============ ============= ================= ======= ======= === =============================
PRESENT member 2011-11-30 14:36:19 North\2K3ROOTDC01 122935 122935 1 CN=ARUser01,OU=AuthRestore,OU=POC,DC=2k3Dom,DC=local
ABSENT member 2011-11-30 16:01:38 North\2K3ROOTDC01 122941 122941 2 CN=ARUser02,OU=AuthRestore,OU=POC,DC=2k3Dom,DC=local
PRESENT member 2011-11-30 14:36:19 North\2K3ROOTDC01 122937 122937 1 CN=ARUser03,OU=AuthRestore,OU=POC,DC=2k3Dom,DC=local

5. Take a System State backup using NTBackup:


6. Delete the AuthRestore organizational unit

7. Reboot into Directory Services Restore Mode. To make the process easier, use the System Configuration Utility to set the DSRepair Boot.ini switch:


8. Perform a restore of the System State using NTBackup, but leave the option "When restoring replicated data sets, mark the restored data as the primary data for all replicas" unchecked under Advanced Restore Options unless this is the only domain controller in the domain:


9. Do not reboot at the end of the restore.

10. Using NTDSUtil, mark the AuthRestore organizational unit as authoritative:

C:\>ntdsutil
ntdsutil: authoritative restore
authoritative restore: restore subtree OU=AuthRestore,OU=POC,DC=2k3Dom,DC=local
Opening DIT database... Done.
The current time is 11-30-11 16:45.57.
Most recent database update occured at 11-30-11 16:01.38.
Increasing attribute version numbers by 100000.
Counting records that need updating...
Records found: 0000000011
Done.
Found 11 records to update.
Updating records...
Records remaining: 0000000000
Done.
Successfully updated 11 records.
The following text file with a list of authoritatively restored objects has been created in the current working directory:
ar_20111130-164557_objects.txt
One or more specified objects have back-links in this domain. The following LDIF files with link restore operations have been created in the current working directory:
ar_20111130-164557_links_2k3Dom.local.ldf
Authoritative Restore completed successfully.
authoritative restore: quit
ntdsutil: quit

Notice that the generated ldf file contains a back-link operation that re-adds the user ARUser02 to the ARGroup01 group, even though that membership had been removed (and its link value was already Absent) before the backup was taken:

dn: CN=ARGroup01,OU=AuthRestore,OU=POC,DC=2k3Dom,DC=local
changetype: modify
delete: member
member: CN=ARUser01,OU=AuthRestore,OU=POC,DC=2k3Dom,DC=local
-

dn: CN=ARGroup01,OU=AuthRestore,OU=POC,DC=2k3Dom,DC=local
changetype: modify
add: member
member: CN=ARUser01,OU=AuthRestore,OU=POC,DC=2k3Dom,DC=local
-

dn: CN=ARGroup01,OU=AuthRestore,OU=POC,DC=2k3Dom,DC=local
changetype: modify
delete: member
member: CN=ARUser02,OU=AuthRestore,OU=POC,DC=2k3Dom,DC=local
-

dn: CN=ARGroup01,OU=AuthRestore,OU=POC,DC=2k3Dom,DC=local
changetype: modify
add: member
member: CN=ARUser02,OU=AuthRestore,OU=POC,DC=2k3Dom,DC=local
-

dn: CN=ARGroup01,OU=AuthRestore,OU=POC,DC=2k3Dom,DC=local
changetype: modify
delete: member
member: CN=ARUser03,OU=AuthRestore,OU=POC,DC=2k3Dom,DC=local
-

dn: CN=ARGroup01,OU=AuthRestore,OU=POC,DC=2k3Dom,DC=local
changetype: modify
add: member
member: CN=ARUser03,OU=AuthRestore,OU=POC,DC=2k3Dom,DC=local
-

11. Reboot the domain controller into Normal mode; do not forget to clear the DSRepair Boot.ini switch:


12. Import the contents of the ldf file using the LDIFDE command:

C:\>ldifde -i -k -f ar_20111130-164557_links_2k3Dom.local.ldf -s 2k3RootDC01
Connecting to "2k3RootDC01"
Logging in as current user using SSPI
Importing directory from file "ar_20111130-164557_links_2k3Dom.local.ldf"
Loading entries.......
5 entries modified successfully. The command has completed successfully

13.  You will notice that the user ARUser02 has been added back to the ARGroup01 group. This can be verified using the RepAdmin /ShowObjMeta command as well:

C:\>RepAdmin /ShowObjMeta 2k3RootDC01 "CN=ARGroup01,OU=AuthRestore,OU=POC,DC=2k3dom,DC=local"
12 entries.
Loc.USN Originating DC Org.USN Org.Time/Date Ver Attribute
======= =============== ========= ============= === =========
126991 North\2K3ROOTDC01 126991 2011-11-30 16:45:57 100001 objectClass
126991 North\2K3ROOTDC01 126991 2011-11-30 16:45:57 100001 cn
126991 North\2K3ROOTDC01 126991 2011-11-30 16:45:57 100001 instanceType
122932 5677eb8e-3f5d-4657-a7c6-0ec3285afaa3 122932 2011-11-30 14:36:06 1 whenCreated
126991 North\2K3ROOTDC01 126991 2011-11-30 16:45:57 100000 isDeleted
126991 North\2K3ROOTDC01 126991 2011-11-30 16:45:57 100001 nTSecurityDescriptor
126991 North\2K3ROOTDC01 126991 2011-11-30 16:45:57 100001 name
126991 North\2K3ROOTDC01 126991 2011-11-30 16:45:57 100001 objectSid
126991 North\2K3ROOTDC01 126991 2011-11-30 16:45:57 100001 sAMAccountName
126991 North\2K3ROOTDC01 126991 2011-11-30 16:45:57 100001 sAMAccountType
126991 North\2K3ROOTDC01 126991 2011-11-30 16:45:57 100001 groupType
126991 North\2K3ROOTDC01 126991 2011-11-30 16:45:57 100001 objectCategory
3 entries.
Type Attribute Last Mod Time Originating DC Loc.USN Org.USN Ver Distinguished Name
======= ============ ============= ================= ======= ======= === =============================
PRESENT member 2011-11-30 17:01:34 North\2K3ROOTDC01 127029 127029 200003 CN=ARUser01,OU=AuthRestore,OU=POC,DC=2k3Dom,DC=local
PRESENT member 2011-11-30 17:01:34 North\2K3ROOTDC01 127032 127032 200003 CN=ARUser02,OU=AuthRestore,OU=POC,DC=2k3Dom,DC=local
PRESENT member 2011-11-30 17:01:34 North\2K3ROOTDC01 127038 127038 200003 CN=ARUser03,OU=AuthRestore,OU=POC,DC=2k3Dom,DC=local

14. Install KB951320. The file version of NTDSUtil.exe should now show 5.2.3790.4299 (srv03_sp2_qfe.080522-1212).

15. Repeat Step 3 through Step 9. This time around the ldf file does not have any entries for ARUser02:

dn: CN=ARGroup01,OU=AuthRestore,OU=POC,DC=2k3Dom,DC=local
changetype: modify
delete: member
member: CN=ARUser01,OU=AuthRestore,OU=POC,DC=2k3Dom,DC=local
-

dn: CN=ARGroup01,OU=AuthRestore,OU=POC,DC=2k3Dom,DC=local
changetype: modify
add: member
member: CN=ARUser01,OU=AuthRestore,OU=POC,DC=2k3Dom,DC=local
-

dn: CN=ARGroup01,OU=AuthRestore,OU=POC,DC=2k3Dom,DC=local
changetype: modify
delete: member
member: CN=ARUser03,OU=AuthRestore,OU=POC,DC=2k3Dom,DC=local
-

dn: CN=ARGroup01,OU=AuthRestore,OU=POC,DC=2k3Dom,DC=local
changetype: modify
add: member
member: CN=ARUser03,OU=AuthRestore,OU=POC,DC=2k3Dom,DC=local
-

16. Upon rebooting and importing the ldf file we see that the member attribute value for ARUser02 is listed as Absent, as it should be:

C:\>RepAdmin /ShowObjMeta 2k3RootDC01 "CN=ARGroup01,OU=AuthRestore,OU=POC,DC=2k3Dom,DC=local"
12 entries.
Loc.USN Originating DC Org.USN Org.Time/Date Ver Attribute
======= =============== ========= ============= === =========
131098 North\2K3ROOTDC01 131098 2011-11-30 23:45:10 200001 objectClass
131098 North\2K3ROOTDC01 131098 2011-11-30 23:45:10 200001 cn
131098 North\2K3ROOTDC01 131098 2011-11-30 23:45:10 200001 instanceType
122932 5677eb8e-3f5d-4657-a7c6-0ec3285afaa3 122932 2011-11-30 14:36:06 1 whenCreated
131098 North\2K3ROOTDC01 131098 2011-11-30 23:45:10 200000 isDeleted
131098 North\2K3ROOTDC01 131098 2011-11-30 23:45:10 200001 nTSecurityDescriptor
131098 North\2K3ROOTDC01 131098 2011-11-30 23:45:10 200001 name
131098 North\2K3ROOTDC01 131098 2011-11-30 23:45:10 200001 objectSid
131098 North\2K3ROOTDC01 131098 2011-11-30 23:45:10 200001 sAMAccountName
131098 North\2K3ROOTDC01 131098 2011-11-30 23:45:10 200001 sAMAccountType
131098 North\2K3ROOTDC01 131098 2011-11-30 23:45:10 200001 groupType
131098 North\2K3ROOTDC01 131098 2011-11-30 23:45:10 200001 objectCategory
3 entries.
Type Attribute Last Mod Time Originating DC Loc.USN Org.USN Ver Distinguished Name
======= ============ ============= ================= ======= ======= === =============================
PRESENT member 2011-11-30 23:49:24 North\2K3ROOTDC01 131131 131131 400005 CN=ARUser01,OU=AuthRestore,OU=POC,DC=2k3Dom,DC=local
ABSENT member 2011-11-30 23:45:10 North\2K3ROOTDC01 131105 131105 400004 CN=ARUser02,OU=AuthRestore,OU=POC,DC=2k3Dom,DC=local
PRESENT member 2011-11-30 23:49:24 North\2K3ROOTDC01 131137 131137 400005 CN=ARUser03,OU=AuthRestore,OU=POC,DC=2k3Dom,DC=local

And the user is not listed in the Members tab of the group.
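The walkthrough above shows how to spot the problem by eye; as an added example (not code from the original post), the following Python script turns that into a pre-import check: it parses the link-value metadata lines of a RepAdmin /ShowObjMeta capture taken before the restore (step 4) and the ar_*_links_*.ldf written by NTDSUtil (step 10), and flags every "add: member" whose value that metadata shows as ABSENT. The sample inputs are constructed from steps 4 and 10, and the function names are my own.

```python
import re
# Constructed sample: 'repadmin /showobjmeta' link metadata from step 4 (BEFORE the restore; raw string as the DC name has a backslash)
SHOWOBJMETA_LINKS = r"""
PRESENT member 2011-11-30 14:36:19 North\2K3ROOTDC01 122935 122935 1 CN=ARUser01,OU=AuthRestore,OU=POC,DC=2k3Dom,DC=local
ABSENT member 2011-11-30 16:01:38 North\2K3ROOTDC01 122941 122941 2 CN=ARUser02,OU=AuthRestore,OU=POC,DC=2k3Dom,DC=local
PRESENT member 2011-11-30 14:36:19 North\2K3ROOTDC01 122937 122937 1 CN=ARUser03,OU=AuthRestore,OU=POC,DC=2k3Dom,DC=local
"""
# Constructed sample: the ARUser02 operations from the step 10 link LDIF.
LINK_LDIF = """
dn: CN=ARGroup01,OU=AuthRestore,OU=POC,DC=2k3Dom,DC=local
changetype: modify
delete: member
member: CN=ARUser02,OU=AuthRestore,OU=POC,DC=2k3Dom,DC=local
-

dn: CN=ARGroup01,OU=AuthRestore,OU=POC,DC=2k3Dom,DC=local
changetype: modify
add: member
member: CN=ARUser02,OU=AuthRestore,OU=POC,DC=2k3Dom,DC=local
-
"""
# Columns: Type Attribute Date Time OriginatingDC Loc.USN Org.USN Ver ValueDN
LINK_RE = re.compile(r"^(PRESENT|ABSENT)\s+(\S+)\s+\S+\s+\S+\s+\S+\s+\d+\s+\d+\s+(\d+)\s+(.+?)\s*$")
def parse_link_metadata(text):
    """Map (attribute, value DN) -> (type, version); keys lower-cased since DNs compare case-insensitively."""
    meta = {}
    for line in text.splitlines():
        if m := LINK_RE.match(line.strip()):  # LEGACY values have no per-value metadata and are skipped
            vtype, attr, ver, dn = m.groups()
            meta[(attr.lower(), dn.lower())] = (vtype, int(ver))
    return meta
def parse_ldif_modifies(text):
    """Return (dn, op, attribute, value) for every value of every LDIF modify operation."""
    ops, dn, op, attr = [], None, None, None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("dn:"):
            dn, op, attr = line[3:].strip(), None, None
        elif line.startswith(("add:", "delete:", "replace:")):
            op, attr = (s.strip() for s in line.split(":", 1))
        elif line in ("-", ""):  # '-' ends one operation, a blank line ends the record
            op = attr = None
        elif op and line.lower().startswith(attr.lower() + ":"):
            ops.append((dn, op, attr, line.split(":", 1)[1].strip()))
    return ops
def find_reanimations(meta_text, ldif_text):
    """Adds in the LDIF whose value the pre-restore metadata shows as ABSENT, i.e. a tombstoned link."""
    meta = parse_link_metadata(meta_text)
    return [(dn, attr, value, meta[(attr.lower(), value.lower())][1])
            for dn, op, attr, value in parse_ldif_modifies(ldif_text)
            if op == "add" and meta.get((attr.lower(), value.lower()), ("",))[0] == "ABSENT"]
```

Run find_reanimations over a capture and the ldf before step 12; an empty result is what the post shows after the hotfix (step 15), while any hit names a membership the import would silently restore.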

Notes: