[Samba] Right way to restore deleted objects (in samba 4.1 or newer with or without "ad recycle bin")

Mike Lykov combr at samges.ru
Tue Nov 1 16:07:28 UTC 2016

Hello all!

I operate a two-DC domain, based on samba 2:4.1.9+dfsg-1~bpo70+1
Forest function level: (Windows) 2003
Domain function level: (Windows) 2003
Lowest function level of a DC: (Windows) 2008 R2

AD Recycle Bin is not enabled (it can be enabled only at domain level 2008R2)

Last week one of our administrators deleted computer accounts from AD 
by accident, and we are not able to restore them.
I tried to restore them as shown here: 
because the recipe from the wiki is only for an active "AD recycle bin"

The method from the bug (without recycle bin) is: rename the object from "Deleted 
Objects" to its last known place with ldbrename, and then delete the isDeleted 
attribute and add the objectCategory attribute with ldbedit; 
after that the object can be viewed in ADUC again.
What about attributes such as "lastKnownParent" and "isRecycled" when restoring 
objects, must I delete them also (I deleted them)?

Why is the attribute "isRecycled" set? On the wiki it is present only if the recycle bin 
is enabled. Is it because replication to the second DC has been done and "Multi-DC 
Environment: Deleted Objects are Recycled Too Fast" (from wiki)?
I restored objects with the attribute "isRecycled" set and cleared it, but now 
samba-tool dbcheck shows me errors like
"Not moving object 
Objects,DC=DomainDnsZones,DC=dc,DC=mydom,DC=ru into LostAndFound
ERROR: parent object not found for 
If I run samba-tool dbcheck --fix, is it safe to fix it?

The second question is about lost attributes after restoring by these methods.
Many attributes are lost, and after restoring a deleted machine account that 
computer cannot log in to the domain, saying "there is no trust with that 
domain" (from my memory).
In the samba log, for example, I see errors like
"auth_check_password_recv: sam_ignoredomain authentication for user 
I googled and found that deleting attributes when moving them to "deleted 
objects" is controlled by the "searchflags" attribute, as listed here:
If I set for some attribute in the schema the value "8 (0x00000008)" (summed 
with the others), that attribute must be saved. But to edit the schema I must 
set special permissions,
is it worth it?
Or do I need to enable the recycle bin and not mess with schema editing and 
searchflags (additionally I don't know which attributes I need to preserve)?

Third question:
What is the right sequence to raise the functional level for the domain with 
samba-tool domain level raise --domain-level=2008_R2 ?
Run it on the DC with no FSMO roles and then on the DC with them, and that's done? 
How can I see that it succeeded other than "domain level show", and does it 
affect replication?

After raising the level and running the enablerecyclebin script (found in the sources), 
how can I restore objects with ldbmodify as shown on the wiki, and all 
(for communicating with the computer account, for example) attributes are 
A. Bartlett wrote in 
https://bugzilla.samba.org/show_bug.cgi?id=10371#c27 about "Recycle bin 
not tested and therefore unsupported".
Is there a version where it is working, is it working in samba 4.1, 4.2 
or 4.4 (debian stable or testing)?

What about the changelog for samba 4.5: "Samba now supports tombstone 
reanimation, a feature in the AD DC allowing tombstones, that is objects 
which have been deleted, to be restored with the original SID and GUID 
still in place."
But does this "tombstone reanimation" conflict with an enabled "recycle 
bin"? (#10371 comment 25)
The wiki states that "Windows Tools for Restoring Deleted Objects Does Not 
Work", but the #1071 comment says "adrestore -r" works?

I found Marc Muehlfeld's letter about similar themes :) 

Mike Lykov, system administrator, Russia
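The manual restore the post describes (rename the tombstone out of CN=Deleted Objects to its lastKnownParent, delete isDeleted, lastKnownParent and isRecycled, add objectCategory) is easy to get wrong by hand, and the dbcheck error quoted above ("parent object not found") is what happens when the target container is gone. The script below is an added example, not code from the poster or from Samba: it takes a tombstone entry and a set of live containers (both constructed here as stand-ins for what `ldbsearch --show-deleted` would return), checks the parent still exists before anything is renamed, and emits the rename pair plus the LDIF modify. The sample DNs, GUID and SID are placeholders; the objectCategory value assumes the domain is the forest root (schema NC under the domain DN). It does not touch the directory, and whether a given Samba version's ldb accepts the modify is the question the post asks, not something the script settles.

```python
"""Plan a manual tombstone restore without touching the directory.

Added example (not Samba code). SAMPLE_TOMBSTONE and LIVE_CONTAINERS are
constructed stand-ins for ldbsearch output; apply the result with
ldbrename / ldbmodify only after reviewing it."""
import re
from typing import Dict, List, Set

# Constructed sample of a deleted computer account. A tombstone's RDN is
# "<old RDN>\0ADEL:<objectGUID>" (\0A is the escaped newline), parked under
# CN=Deleted Objects; lastKnownParent records where it lived.
SAMPLE_TOMBSTONE: Dict[str, str] = {
    "dn": "CN=PC-0042\\0ADEL:c1e5c2a0-4f6e-4b8c-9d1a-2b3c4d5e6f70,"
          "CN=Deleted Objects,DC=dc,DC=mydom,DC=ru",
    "objectClass": "computer",
    "objectGUID": "c1e5c2a0-4f6e-4b8c-9d1a-2b3c4d5e6f70",   # placeholder
    "objectSid": "S-1-5-21-111-222-333-1234",               # placeholder
    "sAMAccountName": "PC-0042$",
    "isDeleted": "TRUE",
    "isRecycled": "TRUE",
    "lastKnownParent": "OU=Workstations,DC=dc,DC=mydom,DC=ru",
}

# Constructed stand-in for "which containers still exist" (an ldbsearch in reality).
LIVE_CONTAINERS: Set[str] = {
    "DC=dc,DC=mydom,DC=ru",
    "OU=Workstations,DC=dc,DC=mydom,DC=ru",
    "CN=Computers,DC=dc,DC=mydom,DC=ru",
}

# Standard AD objectCategory class names for the three common object types.
# The schema NC location below assumes the domain is the forest root.
CATEGORY_CN = {"computer": "Computer", "user": "Person", "group": "Group"}

TOMBSTONE_RDN = re.compile(r"^(?P<attr>[A-Za-z]+)=(?P<value>.+?)\\0ADEL:[0-9a-fA-F-]+$")


def split_dn(dn: str) -> List[str]:
    """Split a DN on commas that are not backslash-escaped."""
    parts, cur, i = [], [], 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):      # keep escape pairs intact
            cur.append(dn[i:i + 2])
            i += 2
            continue
        if dn[i] == ",":
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(dn[i])
        i += 1
    parts.append("".join(cur))
    return parts


def restored_dn(tombstone: Dict[str, str]) -> str:
    """Original RDN (ADEL suffix stripped) placed back under lastKnownParent."""
    rdn = split_dn(tombstone["dn"])[0]
    m = TOMBSTONE_RDN.match(rdn)
    if not m:
        raise ValueError(f"not a tombstone RDN: {rdn}")
    parent = tombstone.get("lastKnownParent")
    if not parent:
        raise ValueError("tombstone carries no lastKnownParent, target DN unknown")
    return f"{m['attr']}={m['value']},{parent}"


def parent_exists(tombstone: Dict[str, str], live: Set[str]) -> bool:
    """The check dbcheck performs after the fact ('parent object not found');
    do it before renaming so the restore cannot create an orphan."""
    return tombstone.get("lastKnownParent", "") in live


def plan_restore(tombstone: Dict[str, str], live: Set[str]) -> Dict[str, str]:
    """Return the ldbrename pair and the LDIF modify for the steps in the post."""
    if not parent_exists(tombstone, live):
        raise LookupError(f"parent {tombstone.get('lastKnownParent')} no longer exists")
    new_dn = restored_dn(tombstone)
    domain_dn = ",".join(p for p in split_dn(tombstone["lastKnownParent"]) if p.startswith("DC="))
    category = CATEGORY_CN[tombstone["objectClass"]]
    lines = [f"dn: {new_dn}", "changetype: modify", "delete: isDeleted", "-"]
    for attr in ("lastKnownParent", "isRecycled"):   # tombstone bookkeeping the post removes
        if attr in tombstone:
            lines += [f"delete: {attr}", "-"]
    lines += ["add: objectCategory",
              f"objectCategory: CN={category},CN=Schema,CN=Configuration,{domain_dn}", "-"]
    return {"old_dn": tombstone["dn"], "new_dn": new_dn, "ldif": "\n".join(lines) + "\n"}


if __name__ == "__main__":
    plan = plan_restore(SAMPLE_TOMBSTONE, LIVE_CONTAINERS)
    print(f"ldbrename: {plan['old_dn']}  ->  {plan['new_dn']}")
    print(plan["ldif"])
```

The rename goes first (ldbrename with the old and new DN), the LDIF is then applied with ldbmodify against the new DN; the parent check is the part worth keeping even if the rest is done by hand, because once the object is renamed under a missing parent only `dbcheck --fix` and LostAndFound are left.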

