Active directory

  1. #1
    Senior Member
    Join Date
    Mar 2004
    Posts
    113

    Active directory

    Hi,

    I am new to Active Directory, in fact to the Win 2000 server environment.
    Can someone tell me, if I were to delete a distribution list from Active Directory, is it possible to recover it?

    Thanks in advance,

    MRG.

  2. #2
    Senior Member RoadClosed's Avatar
    Join Date
    Jun 2003
    Posts
    3,834
    Distribution list for email?

    The distribution list is most likely part of Exchange. Go into Exchange manager and they will be listed there in the management console.

    Oh, hold on. You can do it from Active Directory Users and Computers or maybe right in Outlook by getting the properties of the group.
    West of House
    You are standing in an open field west of a white house, with a boarded front door.
    There is a small mailbox here.

  3. #3
    Junior Member
    Join Date
    Jun 2004
    Posts
    1
    The short answer is no.

    You could restore AD from a backup made when you had that distribution still in AD, though this is a hairy operation and is not something I would want to try if I were new to AD. Heck, I don't even want to try it and I have been working with AD almost since it came out. Too many things can go horribly wrong to mess with it IMHO.

  4. #4
    Senior Member RoadClosed's Avatar
    Join Date
    Jun 2003
    Posts
    3,834
    Hmm, you could move them to another exchange server. Do what you need and move them back.

  5. #5
    Senior Member
    Join Date
    Oct 2001
    Posts
    748
    RoadClosed - I believe you are getting the way Exchange 5.5 works confused with the way Exchange 2k works. There is no directory service in Exchange 2k, so all address book entries (read: distribution lists) live in AD.

    The idea of a distribution list really went away with AD; they are now called groups. You have either global security groups or universal security groups. The security groups can be used to do a wide variety of things. You can assign NTFS permissions through groups, or you can use them as a distribution list in combination with E2k. You can also have groups that are not security groups, but I have found that making all groups security groups is much easier in the long run, as you can use them universally for DLs or applying permissions.

    Therefore, you cannot "move" a distribution list from one Exchange server to another. The "physical" location of the group is inside of the AD directory and it will be replicated amongst all GC/DCs. Hell, even in Exchange 5.5 you could not move a distribution list, as the list was homed to a site and not any particular server.

    The easiest way I have found to work with groups, i.e. recovering groups and things of that nature, is to use MMS - Microsoft metaserver. MMS is designed to allow you to import external directories into AD, or to import AD information out to other directory services. For instance, at my company we have a corporate HR database that contains all employee information. We then populate AD with the information in that database using the HR database. This way, if an employee's phone number changes, all you have to do is make the change in the HR database and then all of the downstream directories are updated within 24 hours.

    The side benefit of doing this is that we have a snapshot of just about everything inside of AD, in terms of users and groups, taken every day. We store that data for several days. Then if somebody accidentally deletes an extremely large group, we can use an LDAP call to push all of that information back into AD. The one problem with this is that the SID of the group will change, so you will have to reassign permissions if you were using the group as a security group. If you were only using that group as a distribution list, it will appear back in the GAL exactly as it did before.


    The short answer is that no, there is no type of recovery for AD groups automatically. If you were to delete the user account associated with an Exchange mailbox, you can recreate the AD user account and reassociate the mailbox to the account within 30 days (I believe that is the default setting). However, once again the SID has changed, so you would have to reassociate any permissions to the account.


    The other option, what I believe UXO is referring to, is called an authoritative restore. What you do here is restore the AD database on a GC and specify an authoritative restore. Once that restore is done, the GC will tell the other DC/GCs in your environment that they all need to match what is in that newly restored GC. The other GC/DCs roll back all changes that have occurred past the last USN (update sequence number) on the newly restored AD database. This results in all changes that have occurred to AD being lost past the point of the backup being taken. If you are operating in an extremely small environment that has very little changing in your AD, this may be a legitimate option.
    how to do an auth. restore-
    http://support.microsoft.com/default...b;en-us;241594
    potential impacts of an auth. restore-
    http://support.microsoft.com/default...b;en-us;216243
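
The snapshot-based recovery described in post #5, sketched as an added example (not the poster's tooling and not part of the original thread): it compares two daily snapshots, emits LDIF `add` records for groups that disappeared, and lists the old SIDs of security groups whose permissions must be reassigned because the recreated group gets a new SID. The snapshot layout, DNs, SID and function names are constructed for illustration, and attribute values are assumed to be plain ASCII.

```python
# Constructed daily snapshots: group DN -> attributes captured by an export job.
BASE = "OU=Groups,DC=example,DC=com"
SNAP_YESTERDAY = {
    f"CN=AtlantaSalesDept,{BASE}": {
        "sAMAccountName": "AtlantaSalesDept", "scope": "global", "security": True,
        "objectSid": "S-1-5-21-1111111111-2222222222-3333333333-1105",  # constructed
        "members": [f"CN=Ann Lee,{BASE}", f"CN=Raj Patel,{BASE}"]},
    f"CN=AllStaff,{BASE}": {
        "sAMAccountName": "AllStaff", "scope": "universal", "security": False,
        "objectSid": "S-1-5-21-1111111111-2222222222-3333333333-1106",  # constructed
        "members": [f"CN=Ann Lee,{BASE}"]},
    f"CN=Helpdesk,{BASE}": {
        "sAMAccountName": "Helpdesk", "scope": "global", "security": True,
        "objectSid": "S-1-5-21-1111111111-2222222222-3333333333-1107",  # constructed
        "members": []},
}
SNAP_TODAY = {dn: a for dn, a in SNAP_YESTERDAY.items() if "Helpdesk" in dn}

SCOPE_BITS = {"global": 0x2, "domain_local": 0x4, "universal": 0x8}
SECURITY_ENABLED = 0x80000000

def group_type_value(scope, security):
    """groupType as AD stores it: scope bit, plus the security bit, signed 32-bit."""
    value = SCOPE_BITS[scope]
    if security:
        value = (value | SECURITY_ENABLED) - (1 << 32)
    return value

def deleted_groups(before, after):
    """DNs present in the older snapshot but missing from the newer one."""
    return sorted(dn for dn in before if dn not in after)

def to_ldif(dn, attrs):
    """One LDIF add record. objectSid is omitted: the directory assigns a new one."""
    lines = [f"dn: {dn}", "changetype: add", "objectClass: group",
             f"sAMAccountName: {attrs['sAMAccountName']}",
             f"groupType: {group_type_value(attrs['scope'], attrs['security'])}"]
    lines += [f"member: {m}" for m in attrs["members"]]
    return "\n".join(lines) + "\n"

def recovery_plan(before, after):
    """Return (ldif_text, [(dn, old_sid)] for security groups needing ACL rework)."""
    records, acl_review = [], []
    for dn in deleted_groups(before, after):
        records.append(to_ldif(dn, before[dn]))
        if before[dn]["security"]:
            acl_review.append((dn, before[dn]["objectSid"]))
    return "\n".join(records), acl_review

if __name__ == "__main__":
    ldif, review = recovery_plan(SNAP_YESTERDAY, SNAP_TODAY)
    print(ldif)
    print("Reassign permissions that referenced:", review)
```

The old SIDs in the review list are what to search for in ACLs, since entries that pointed at the deleted group will not resolve to the recreated one.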

  6. #6
    Senior Member
    Join Date
    Apr 2004
    Posts
    1,130
    If you are not sure, just rename the group (or object) to keep it with its default attributes (except name, of course).
    For example, you have a group named AtlantaSalesDept.
    If you want to maintain it and would like to have a fallback option:
    Rename AtlantaSalesDept to another name --> bkp_AtlantaSalesDept
    Create the new one or copy bkp to AtlantaSalesDept
    If you want to roll back, just delete the new one and rename the old one back.
    It's kinda stupid but it will work.

    It's really better than an AD restore, even with a tool that can restore objects one by one.
    (trauma with AD restore here)
    Meu sítio

    FORMAT C: Yes ...Yes??? ...Nooooo!!! ^C ^C ^C ^C ^C
    If I die before I sleep, I pray the Lord my soul to encrypt.
    If I die before I wake, I pray the Lord my soul to brake.

  7. #7
    Senior Member RoadClosed's Avatar
    Join Date
    Jun 2003
    Posts
    3,834
    Thanks for some clarity mohaugan. I don't use them and assumed they are tied in as part of the information store? You can move that, rebuild the box and move it back. So there was my line of thinking.
