[Samba] Right way to restore deleted objects (in samba 4.1 or newer with or without "ad recycle bin")

Andrew Bartlett abartlet at samba.org
Wed Nov 2 17:43:51 UTC 2016

On Tue, 2016-11-01 at 22:53 +0400, Mike Lykov via samba wrote:
> 01.11.2016 21:33, Andrew Bartlett writes:
> > 
> > > 
> > > I operate two-dc domain, based on samba 2:4.1.9+dfsg-1~bpo70+1
> > 
> > First, please upgrade to Samba 4.5.  This is particularly important
> > if
> > you wish to try and restore a deleted object.
> By the way, which way to upgrade is better:
>   - stop samba, install the new deb package, do the actions recommended
> in the changelogs and start samba again (on one dc and then on the other), OR
>   - do not stop samba, start a new dc with the new version, join it as a dc
> to the domain, repeat with one more new dc with the new version, transfer the fsmo
> roles to the new version, then stop the dc with the old version?

Unless you need continuous availability or a new underlying OS, I
prefer the first, just upgrade the package in-place.  Moving FSMO roles
around is best avoided right now, until we fix the bugs with the RID
Manager role.


(I'll get those fixed in master this week, but it will still take time
to get into a release). 

> > 
> > Given that the password would have been deleted with the account,
> > and
> > that can not be recovered automatically, the solution is to just
> > re-
> > join the affected machine.
> After trying to restore the objects, I got them in the ADUC console without
> passwords and group membership (non-deleted objects are in the "domain
> computers" group and have a "primary group"), and then I rejoined the
> machines successfully.
> But the computer objects still do not have a group membership; does this
> affect anything?

Yes.  If you want the object restored to 'how it was before' then you
need to figure out what else it is missing.  Otherwise, re-create the
objects by the same procedure you used to construct them in the first
place.  It is very likely that the group memberships do matter,
otherwise why were they there in the first place?

> > 
> > The windows tools should work now.  But as I said at the start, re-
> > joining the client machine is the correct option here.
> So, now the right way is this:
>   - upgrade to ver 4.5.1
>   - raise the domain level to 2008r2 (or 2012? or is it not needed?)

2008R2 is the highest supported version. 

>   - use windows tools to restore tombstoned objects
>   - do not enable the "ad recycle bin" in any way?


> What about "losing attributes when deleting without the recycle bin" in
> 4.5.1?

The stripping of most attributes is a standard, required and expected
part of deleting objects.  The only reason they don't go away totally
is to ensure replication integrity. 

> I would like to know how to act in "need to restore objects"
> situation 
> in future.

It is best to assume, at this point, that delete means delete in AD,
and not delete things you want back.  

Things may be better when we implement a recycle bin, but we don't have
that right now, and it would be a development task to add it.


Andrew Bartlett

Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
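As an added example (not from this thread or from the Samba project), the script below diffs a pre-deletion LDIF export of a computer object against the LDIF of the same object after a tombstone restore, to list exactly what the delete stripped and therefore what has to be re-created; the LDIF, names and values are constructed.

```python
import base64
from typing import Dict, List, Set

# Constructed LDIF of a computer object, exported before it was deleted.
BEFORE_LDIF = """dn: CN=WS01,CN=Computers,DC=example,DC=com
objectClass: computer
cn: WS01
sAMAccountName: WS01$
objectGUID: 0f1c5f6e-1111-2222-3333-444455556666
objectSid: S-1-5-21-1-2-3-1105
primaryGroupID: 515
dNSHostName: ws01.example.com
servicePrincipalName: HOST/ws01.example.com
userAccountControl: 4096
memberOf: CN=Printer Admins,CN=Users,DC=example,DC=com
"""

# Constructed LDIF of the same object after undeleting the tombstone:
# only the identity attributes survived, everything else was stripped.
AFTER_LDIF = """dn: CN=WS01,CN=Computers,DC=example,DC=com
objectClass: computer
cn: WS01
sAMAccountName: WS01$
objectGUID: 0f1c5f6e-1111-2222-3333-444455556666
objectSid: S-1-5-21-1-2-3-1105
"""

def parse_ldif(text: str) -> Dict[str, List[str]]:
    """Parse one LDIF entry into attribute name (lower-cased) -> values.
    Joins folded lines (leading space) and decodes 'attr:: <base64>' values."""
    lines: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # continuation of the previous line
        elif raw and not raw.startswith("#"):
            lines.append(raw)
    attrs: Dict[str, List[str]] = {}
    for line in lines:
        name, _, value = line.partition(":")
        if value.startswith(":"):          # base64-encoded value
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        attrs.setdefault(name.strip().lower(), []).append(value.strip())
    return attrs

def stripped_attributes(before: Dict[str, List[str]], after: Dict[str, List[str]]) -> Set[str]:
    """Attributes present in the pre-deletion export but absent after the restore."""
    return set(before) - set(after)

if __name__ == "__main__":
    before = parse_ldif(BEFORE_LDIF)
    for name in sorted(stripped_attributes(before, parse_ldif(AFTER_LDIF))):
        print(f"re-add {name}: {before[name]}")
```

Note that memberOf is a back link, so group membership is re-added on each group's member attribute rather than on the computer object, and the machine password is not in any export, which is why the machine must be re-joined.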
