[Samba] Right way to restore deleted objects (in samba 4.1 or newer with or without "ad recycle bin")

Andrew Bartlett abartlet at samba.org
Tue Nov 1 17:33:59 UTC 2016


On Tue, 2016-11-01 at 20:07 +0400, Mike Lykov via samba wrote:
> Hello all!
> 
> I operate a two-DC domain, based on samba 2:4.1.9+dfsg-1~bpo70+1

First, please upgrade to Samba 4.5.  This is particularly important if
you wish to try and restore a deleted object.

> Forest function level: (Windows) 2003
> Domain function level: (Windows) 2003
> Lowest function level of a DC: (Windows) 2008 R2
> 
> AD Recycle Bin is not enabled (it can only be enabled at domain level
> 2008 R2)

It is also simply not functional in any Samba version.  It is so broken
that if enabled, it actually just makes it much harder to restore
objects.

> Last week one of our administrators deleted computer accounts from AD
> by accident, and we are not able to restore them.

Given that the password would have been deleted with the account, and
that cannot be recovered automatically, the solution is to just re-join
the affected machine.

> I googled and found that which attributes are deleted when an object is
> moved to "Deleted Objects" is controlled by the "searchflags" attribute,
> as listed here:
> https://msdn.microsoft.com/en-us/library/ms679765(v=vs.85).aspx#windows_server_2003_r2
> If I set the "8 (0x00000008)" value (summed with the others) on some
> attribute in the schema, that attribute must be preserved.  But to edit
> the schema I must set special permissions; is it worth it?

Please don't do that.

> Or do I need to enable the recycle bin and not mess with schema editing
> and searchflags (additionally I don't know which attributes I need to
> preserve)?

Please also don't do that.  Thanks for reminding us to get that script
removed from the existing Samba versions; it only causes dangerous
confusion.

> Third question:
> What is the right sequence for raising the functional level of a domain
> with samba-tool domain level raise --domain-level=2008_R2 ?
> Run it on the DC with no FSMO roles and then on the DC with them, and
> that's done?

You should only need to do it once; it will replicate.

> What about the changelog for Samba 4.5: "Samba now supports tombstone
> reanimation, a feature in the AD DC allowing tombstones, that is
> objects which have been deleted, to be restored with the original SID
> and GUID still in place."
> But does this "tombstone reanimation" conflict with an enabled "recycle
> bin"? (#10371 comment 25)
> The wiki states that "Windows Tools for Restoring Deleted Objects Does
> Not Work", but #1071 comment says that "adrestore -r" works?

The Windows tools should work now.  But as I said at the start,
re-joining the client machine is the correct option here.

I hope this helps,

Andrew Bartlett
-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
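Added example, not part of this thread and not Samba's own code: what a "tombstone reanimation" (the MS-ADTS undelete operation that the Windows tools and adrestore perform) actually consists of, worked on a constructed tombstone. A deleted object is renamed to `CN=<name>\0ADEL:<objectGUID>` under `CN=Deleted Objects`, gets `isDeleted: TRUE`, and keeps `lastKnownParent`; most other attributes, including the password, are stripped. Restoring it is an LDAP modify that deletes `isDeleted` and replaces `distinguishedName` with the original location. The LDIF below is constructed (the GUID, SID and domain are made up), the function names are this example's own, and the script only builds the modify; sending it to a DC requires the LDAP "show deleted" control (OID 1.2.840.113556.1.4.417, the same control `ldbsearch --show-deleted` enables), and how a given client passes that control is outside this example.

```python
"""Build the MS-ADTS "undelete" modify for an AD tombstone (illustrative code)."""
import base64
import re

# Constructed sample tombstone for a deleted computer account.  Note what is
# missing: no unicodePwd / supplementalCredentials, so even a successful
# reanimation leaves the host unable to authenticate until it is re-joined.
SAMPLE_TOMBSTONE_LDIF = """\
dn: CN=PC01\\0ADEL:3f2504e0-4f89-11d3-9a0c-0305e82c3301,CN=Deleted Objects,DC=example,DC=com
objectClass: top
objectClass: computer
isDeleted: TRUE
lastKnownParent: CN=Computers,DC=example,DC=com
objectGUID: 3f2504e0-4f89-11d3-9a0c-0305e82c3301
objectSid: S-1-5-21-1111111111-2222222222-3333333333-1105
sAMAccountName: PC01$
"""

# Mangled tombstone RDN: "<rdn>\0ADEL:<guid>,CN=Deleted Objects,..."
# (\0A is the LDAP-escaped newline that AD inserts into the RDN).
MANGLED_RDN = re.compile(
    r"^(?P<rdn>[^,]+?)\\0ADEL:[0-9a-fA-F-]+,CN=Deleted Objects,", re.IGNORECASE
)


def parse_ldif_entry(text):
    """Minimal single-entry LDIF parser: folds continuation lines, handles
    base64 (`attr::`) values, returns {"dn": str, "attrs": {name: [values]}}."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:      # continuation of previous line
            lines[-1] += raw[1:]
        elif raw and not raw.startswith("#"):
            lines.append(raw)
    entry = {"dn": None, "attrs": {}}
    for line in lines:
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed LDIF line: {line!r}")
        if value.startswith(":"):              # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        if name.lower() == "dn":
            entry["dn"] = value
        else:
            entry["attrs"].setdefault(name, []).append(value)
    if entry["dn"] is None:
        raise ValueError("LDIF entry has no dn")
    return entry


def _attr(entry, name):
    """Case-insensitive attribute lookup (LDAP attribute names are)."""
    for key, values in entry["attrs"].items():
        if key.lower() == name.lower():
            return values
    return []


def original_rdn(tombstone_dn):
    """Recover the pre-deletion RDN from the mangled tombstone DN."""
    m = MANGLED_RDN.match(tombstone_dn)
    if not m:
        raise ValueError("not a tombstone DN under CN=Deleted Objects")
    return m.group("rdn")


def restored_dn(entry):
    """Original DN = original RDN + lastKnownParent.  lastKnownParent is the
    parent at deletion time; if that container is itself gone, the caller
    has to choose another target (not handled here)."""
    if [v.upper() for v in _attr(entry, "isDeleted")] != ["TRUE"]:
        raise ValueError("object is not a tombstone (isDeleted != TRUE)")
    parents = _attr(entry, "lastKnownParent")
    if not parents:
        raise ValueError("tombstone has no lastKnownParent; cannot derive original DN")
    return f"{original_rdn(entry['dn'])},{parents[0]}"


def build_undelete_ldif(entry):
    """The two-part modify that reanimates a tombstone: drop isDeleted and
    move the object back by rewriting distinguishedName."""
    target = restored_dn(entry)
    return (
        f"dn: {entry['dn']}\n"
        "changetype: modify\n"
        "delete: isDeleted\n"
        "-\n"
        "replace: distinguishedName\n"
        f"distinguishedName: {target}\n"
        "-\n"
    )


def needs_rejoin(entry):
    """True for a computer tombstone that carries no password attributes:
    the restored account keeps its SID/GUID but has no usable secret."""
    is_computer = any(v.lower() == "computer" for v in _attr(entry, "objectClass"))
    has_secret = bool(_attr(entry, "unicodePwd") or _attr(entry, "supplementalCredentials"))
    return is_computer and not has_secret


if __name__ == "__main__":
    tombstone = parse_ldif_entry(SAMPLE_TOMBSTONE_LDIF)
    print(build_undelete_ldif(tombstone))
    if needs_rejoin(tombstone):
        print("# no password in tombstone: re-join the machine after restoring")
```

Running it prints the modify for the sample and the re-join reminder; the `needs_rejoin` check is the mechanical form of the point made above: the SID and GUID come back, the machine password does not.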
