Things have changed since the early days of Windows 2003: restoring AD objects, DNS zones included, has become simpler with each release of Windows Server. So let's see how you restore users, computers, organizational units and DNS zones nowadays.
Restoring AD objects for standard classes
Since Windows 2008 R2, Get-ADObject has a handy -IncludeDeletedObjects switch that returns deleted objects alongside live ones. Keep in mind that Restore-ADObject relies on the Active Directory Recycle Bin optional feature being enabled in the forest (it needs the Windows Server 2008 R2 forest functional level and cannot be switched off again); without it, a deleted object is only a tombstone stripped of most of its attributes and there is nothing useful to bring back.
```powershell
Import-Module ActiveDirectory   # needed on Windows 2008 R2; auto-loaded on 2012 and later

# Find the deleted object: by samaccountname for users and computers, or by name for other classes.
# Filtering on isdeleted as well keeps a live object with the same name out of the result.
$obj = Get-ADObject -Filter 'isdeleted -eq $true -and samaccountname -eq "myuser"' -IncludeDeletedObjects
# $obj = Get-ADObject -Filter 'isdeleted -eq $true -and name -like "*myuser*"' -IncludeDeletedObjects

# Display the matching object(s) for checking purposes; if several come back, pick one by ObjectGUID
$obj

# Restore it
$obj | Restore-ADObject
```
In Windows Server 2012 (R2), the Active Directory Administrative Center also offers a graphical way to do this through the Deleted Objects container.
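As an added example that is not part of the original post, here is a small function that wraps the steps above for users and computers: it checks that the Recycle Bin is actually enabled, refuses to guess when the same account was deleted more than once, and restores a deleted parent OU chain first (Restore-ADObject fails when the last known parent no longer exists). The account name 'jdoe' in the usage lines is an assumption, and the DN splitting does not handle escaped commas in OU names.

```powershell
# Added example, not code from the original post.
Import-Module ActiveDirectory

function Test-ADRecycleBin {
    # Restore-ADObject relies on the Recycle Bin optional feature; EnabledScopes is empty when it is off
    $feature = Get-ADOptionalFeature -Filter 'name -like "Recycle Bin Feature"'
    return [bool]($feature -and $feature.EnabledScopes.Count -gt 0)
}

function Split-DnFirstComponent {
    # 'OU=Sales,OU=EMEA,DC=contoso,DC=com' -> @('Sales', 'OU=EMEA,DC=contoso,DC=com')
    # Assumption: no escaped commas ('\,') inside the RDN value
    param([string]$Dn)
    $idx = $Dn.IndexOf(',')
    if ($idx -lt 0) { throw "Cannot split DN '$Dn'" }
    $rdn = $Dn.Substring(0, $idx)
    return @($rdn.Substring($rdn.IndexOf('=') + 1), $Dn.Substring($idx + 1))
}

function Restore-ADParentChain {
    # Make sure the container at $Dn exists; if it was deleted too, restore it (and its own parents) first
    param([string]$Dn)
    try {
        Get-ADObject -Identity $Dn -ErrorAction Stop | Out-Null
        return   # container is live, nothing to do
    } catch [Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException] {
        # fall through: the container is gone, look for it among the deleted objects
    }
    $rdnValue, $parentDn = Split-DnFirstComponent -Dn $Dn
    Restore-ADParentChain -Dn $parentDn
    # A deleted container keeps its last RDN in msDS-LastKnownRDN and its former parent in lastKnownParent
    $deleted = Get-ADObject -Filter { isDeleted -eq $true -and msDS-LastKnownRDN -eq $rdnValue -and lastKnownParent -eq $parentDn } -IncludeDeletedObjects
    if (-not $deleted) { throw "Container '$Dn' is neither live nor in the Recycle Bin" }
    $deleted | Restore-ADObject
}

function Restore-DeletedAccount {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$SamAccountName)   # for computers include the trailing '$'

    if (-not (Test-ADRecycleBin)) { throw 'The AD Recycle Bin is not enabled; Restore-ADObject cannot recover this object' }

    $candidates = @(Get-ADObject -Filter { isDeleted -eq $true -and sAMAccountName -eq $SamAccountName } -IncludeDeletedObjects -Properties lastKnownParent, whenChanged)
    if ($candidates.Count -eq 0) { throw "No deleted object with sAMAccountName '$SamAccountName'" }
    if ($candidates.Count -gt 1) {
        # Same name deleted more than once: list them (whenChanged approximates the deletion time) and stop
        $candidates | Format-Table Name, ObjectClass, whenChanged, ObjectGUID -AutoSize | Out-String | Write-Warning
        throw 'Several deleted objects match; restore the right one with Restore-ADObject -Identity <ObjectGUID>'
    }
    $obj = $candidates[0]
    if ($PSCmdlet.ShouldProcess($obj.DistinguishedName, "Restore to $($obj.lastKnownParent)")) {
        Restore-ADParentChain -Dn $obj.lastKnownParent
        Restore-ADObject -Identity $obj.ObjectGUID
        return Get-ADObject -Identity $obj.ObjectGUID -Properties sAMAccountName
    }
}

# Usage (assumed account name): dry run first, then for real
# Restore-DeletedAccount -SamAccountName 'jdoe' -WhatIf
# Restore-DeletedAccount -SamAccountName 'jdoe'
```

Because the function supports -WhatIf, the parent-chain and object restores are skipped on a dry run, which is the cheap way to confirm you matched the right object before touching the directory.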
Restoring AD objects for DNS zones and records
To restore DNS zones and their records, there is one difference you should know: before the zone object is moved to the Deleted Objects container of its partition, it is first renamed with a '..Deleted-' prefix, so the deleted records underneath it point back to that renamed zone, not to the original name. And there is no GUI for this as of today.
Therefore to restore such a zone, you must:
- Find the ‘..Deleted’ zone object
- Restore that object
- Restore every deleted record object in that zone
- Rename the zone to its previous name
Example commands:
```powershell
Import-Module ActiveDirectory   # needed on Windows 2008 R2; auto-loaded on 2012 and later

# Pick the partition the zone lived in: ForestDnsZones (forest-wide) or DomainDnsZones (domain-wide)
$partition = "DC=ForestDnsZones,DC=mydomain,DC=local"
# $partition = "DC=DomainDnsZones,DC=mydomain,DC=local"

# Find the deleted zone object(s); a deleted zone keeps its '..Deleted-' name
$zone = Get-ADObject -Filter 'isdeleted -eq $true -and name -like "..Deleted-*"' -IncludeDeletedObjects -SearchBase $partition -Properties *

# Display the matching object(s). If more than one zone comes back, narrow the name filter
# (e.g. name -like "..Deleted-myzone*") before restoring, otherwise you restore all of them.
$zone

# Restore the zone object
$zone | Restore-ADObject

# Restore the records. At this stage the zone is still named '..Deleted-myzone', and that is the DN
# the deleted record objects point back to in lastKnownParent. lastKnownParent is a DN-syntax
# attribute and AD does not support substring (-like) matches on those, so match the exact DN.
$zoneDn = "DC=..Deleted-myzone,CN=MicrosoftDNS,$partition"
Get-ADObject -Filter { isdeleted -eq $true -and lastKnownParent -eq $zoneDn } -IncludeDeletedObjects -SearchBase $partition | Restore-ADObject

# Rename the zone back to 'myzone'
Rename-ADObject -Identity $zoneDn -NewName "myzone"
```
It is interesting to note that as long as the DNS zone is called '..Deleted-XXX' it does not appear in any DNS management tool; it only shows up again after the rename, once the DNS Server service has re-read the zone from the directory (it polls the directory periodically; restarting the service forces it).
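The procedure above, as an added example that is not part of the original post, packaged so that you first see what a restore would bring back and then restore one zone by name: the partitions are resolved from the RootDSE instead of being typed by hand, both partitions are searched, a zone name that matches more than one deleted zone is refused, records are matched on the exact '..Deleted-' DN, and after the rename the script waits for the DNS server to pick the zone up again. The zone name 'myzone' and the server name 'dc1' in the usage lines are assumptions, and Get-DnsServerZone / Get-DnsServerResourceRecord require the DnsServer module (Windows Server 2012 and later).

```powershell
# Added example, not code from the original post.
Import-Module ActiveDirectory

function Get-DnsPartition {
    # The two application partitions that can hold AD-integrated zones.
    # Root is the search base (deleted objects live in CN=Deleted Objects under it),
    # Container is where live zones sit and what a record's lastKnownParent is built from.
    $rootDse = Get-ADRootDSE
    foreach ($root in @("DC=DomainDnsZones,$($rootDse.defaultNamingContext)",
                        "DC=ForestDnsZones,$($rootDse.rootDomainNamingContext)")) {
        [pscustomobject]@{ Root = $root; Container = "CN=MicrosoftDNS,$root" }
    }
}

function Get-DeletedDnsZone {
    # Lists every deleted zone in both partitions with its number of deleted record objects,
    # so you can see what a restore will bring back before touching anything.
    foreach ($p in Get-DnsPartition) {
        $zones = Get-ADObject -Filter { isDeleted -eq $true -and objectClass -eq 'dnsZone' } -IncludeDeletedObjects -SearchBase $p.Root -Properties msDS-LastKnownRDN, whenChanged
        foreach ($z in $zones) {
            # Records point at the DN the zone had when it was deleted, i.e. the '..Deleted-' one
            $zoneDn = "DC=$($z.'msDS-LastKnownRDN'),$($p.Container)"
            $records = @(Get-ADObject -Filter { isDeleted -eq $true -and lastKnownParent -eq $zoneDn } -IncludeDeletedObjects -SearchBase $p.Root)
            [pscustomobject]@{
                ZoneName    = $z.'msDS-LastKnownRDN' -replace '^\.\.Deleted-', ''
                Partition   = $p
                DeletedDn   = $zoneDn
                DeletedOn   = $z.whenChanged      # updated by the delete, so it approximates the deletion time
                RecordCount = $records.Count      # dnsNode objects, each may hold several resource records
                ObjectGUID  = $z.ObjectGUID
            }
        }
    }
}

function Restore-DeletedDnsZone {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$ZoneName,
          [string]$DnsServer = $env:COMPUTERNAME,   # a DNS server hosting the partition, for the final check
          [int]$WaitSeconds = 300)                  # how long to wait for the server to re-read the directory

    $found = @(Get-DeletedDnsZone | Where-Object ZoneName -eq $ZoneName)
    if ($found.Count -ne 1) { throw "Expected exactly one deleted zone named '$ZoneName', found $($found.Count)" }
    $zone = $found[0]

    if ($PSCmdlet.ShouldProcess("$ZoneName ($($zone.RecordCount) record objects)", "Restore from $($zone.Partition.Root)")) {
        # 1. the zone object itself
        Restore-ADObject -Identity $zone.ObjectGUID
        # 2. its records, matched on the exact '..Deleted-' DN (no substring match on DN attributes)
        $deletedDn = $zone.DeletedDn
        Get-ADObject -Filter { isDeleted -eq $true -and lastKnownParent -eq $deletedDn } -IncludeDeletedObjects -SearchBase $zone.Partition.Root | Restore-ADObject
        # 3. drop the '..Deleted-' prefix so the DNS server considers the zone again
        Rename-ADObject -Identity $deletedDn -NewName $ZoneName
        # 4. the zone is invisible to DNS tools until the server re-reads the directory; poll until it shows
        $deadline = (Get-Date).AddSeconds($WaitSeconds)
        do {
            $restored = Get-DnsServerZone -Name $ZoneName -ComputerName $DnsServer -ErrorAction SilentlyContinue
            if (-not $restored) { Start-Sleep -Seconds 15 }
        } while (-not $restored -and (Get-Date) -lt $deadline)
        if (-not $restored) { throw "Zone '$ZoneName' renamed but not yet visible on $DnsServer; restart the DNS Server service there or wait" }
        $liveCount = @(Get-DnsServerResourceRecord -ZoneName $ZoneName -ComputerName $DnsServer).Count
        Write-Verbose "Zone '$ZoneName' is back on $DnsServer with $liveCount resource records"
        return $restored
    }
}

# Usage (assumed names): inventory, dry run, then the real restore
# Get-DeletedDnsZone | Format-Table ZoneName, DeletedOn, RecordCount, @{n='Partition';e={$_.Partition.Root}}
# Restore-DeletedDnsZone -ZoneName 'myzone' -DnsServer 'dc1' -WhatIf
# Restore-DeletedDnsZone -ZoneName 'myzone' -DnsServer 'dc1' -Verbose
```

The inventory step is the part worth keeping even if you restore by hand: a forest that has seen several zone deletions will have several '..Deleted-' objects, and the record count tells you which one is the zone you actually lost.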
This is impressive, thank you Dimitri