Saturday, May 1, 2010

Accidentally Delete Entire OU of Computer Objects

We are so used to doing multiple things at once, multitasking as they say, and every now and then it bites you. So today, while doing some cleanup in AD, one of my coworkers may have gotten a little overzealous, aka not paying full attention. He meant to delete a single computer object, but accidentally deleted an entire OU containing a significant number of Windows server computer objects. Serious DOH!!!!!! So for the sake of this article, let’s call him “JOE”.

So it’s not the mistake, but how you react to it, because we have all made them before.

The good news is that we have multiple AD servers, and one is placed in a separate data center for DR purposes, and that is how we backed out of this Dooh! We leveraged the AD server in the remote data center, as it had not received the change yet. Why? It’s on a WAN segment, and we configured it so that changes are batched and updated every three hours.

So Joe is a really good IT dude and just goofed. He is also smart and got on it right away. Joe did the following. The steps are at a high level, but you will get the idea.
  • Went to the remote AD server and turned off inbound replication, so it would not get the change.
  • Changed the update sequence number for the OU on the remote AD server. This is done with an authoritative restore in Directory Services Restore Mode.
  • Then he was able to replicate everything back.
  • And everything appeared to be good. And it was!

One key! You have to have access to Directory Services Restore Mode. This requires a password, which is set when you promote the server to an AD server, so you have to have the password. If you do not have it, it’s easy to set; you just need to be able to log in. So if you do not have it, or are not sure, I suggest you set it and have it handy. It can bail you out of all sorts of goofs.
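
The steps above and the password tip, written out as the commands you would actually type. This is an added example, not Joe's actual commands: the DC name and OU DN are made-up placeholders, and it assumes PowerShell is available on the DC (the repadmin, dsquery and ntdsutil lines work the same at a plain command prompt).

```powershell
# Added example; the DC name and OU DN below are constructed placeholders.
param(
    [Parameter(Mandatory)]
    [ValidateSet('SetDsrmPassword', 'Isolate', 'Restore', 'Release')]
    [string]$Phase,
    [string]$RemoteDC = 'DR-DC01',                     # hypothetical lagging DC in the DR site
    [string]$OuDn     = 'OU=Servers,DC=example,DC=com' # hypothetical DN of the deleted OU
)

switch ($Phase) {
    'SetDsrmPassword' {
        # Do this before you need it. Run locally on the DC: "null" means
        # this server, and ntdsutil prompts for the new password.
        ntdsutil "set dsrm password" "reset password on server null" quit quit
    }
    'Isolate' {
        # Step 1: stop the DR DC from pulling the deletion from its partners.
        repadmin /options $RemoteDC '+DISABLE_INBOUND_REPL'
        # Confirm the computer objects still exist on this DC before going on.
        dsquery computer $OuDn -s $RemoteDC -limit 0
        # Next: reboot this DC into Directory Services Restore Mode (F8 at boot).
    }
    'Restore' {
        # Step 2: run locally while booted into Directory Services Restore Mode.
        # Marks the subtree authoritative by raising its version numbers so it
        # wins when replication resumes.
        # "activate instance ntds" is needed on Server 2008 and later; omit on 2003.
        ntdsutil "activate instance ntds" "authoritative restore" "restore subtree $OuDn" quit quit
        # Next: reboot normally.
    }
    'Release' {
        # Step 3: look at the raised version numbers, then let replication flow.
        repadmin /showobjmeta $RemoteDC $OuDn
        repadmin /options $RemoteDC '-DISABLE_INBOUND_REPL'
        # Push the restored subtree out: all partitions, across sites.
        repadmin /syncall $RemoteDC /A /e /P
    }
}
```

Run one phase at a time; the reboots between Isolate, Restore and Release are done by hand.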

Recommended reading

Performing an Authoritative Restore of Active Directory Objects @ http://technet.microsoft.com/en-us/library/cc779573(WS.10).aspx

How To Reset the Directory Services Restore Mode Administrator Account Password in Windows Server 2003 @ http://support.microsoft.com/kb/322672
