Accepted Solutions
problem was solved as follow
Restoring Active Directory objects
The following procedure describes how to restore objects from an Active Directory backup in a non-disaster recovery situation:
To restore individual objects from an Active Directory backup
- Open the NetBackup Backup, Archive, and Restore client interface.
- Select File > Select Files and Folders to Restore.
- 3 Expand and browse the Active Directory node.
- Select the objects to be restored. Do not select both granular and non-granular objects. When a user explores and expands selections, a delay can occur during communication with the NetBackup server. The delay is a result of dynamically determining the contents from the image on the media server.
The approach prevents the NetBackup catalog from unanticipated growth due to numerous granular entries.
- Select Action > Restore.
- If an Active Directory object is selected, the RestoreMarkedFiles dialog box contains two tabs:
- General tab
When an Active Directory object is selected, the Restore Destination Choices are disabled in the General tab. Configure the other restore options as needed.
- Active Directory tab\
The Active Directory tab contains an option to recreate the objects that have been deleted: Recreatedeletedobjects thatcannotberestoredfrom the Active Directory Deleted Objects container.
Active Directory granular backups and recovery The Active Directory tab contains an option that lets administrators recreate the objects whose tombstone lifetimes have passed. The objects have also been purged from the Active Directory Deleted Objects container. To allow this capability, enable the option labeled Recreatedeletedobjects that cannot be restored from the Active Directory Deleted Objects container.
- Click Start Restore in the Restore Marked Files dialog box. Some restore situations require additional steps, depending on what is restored.
Restore issues
The following sections describe additional information about granular restores. Some situations require additional steps to fully restore the objects. In some situations, a granular restore of some part of the Active Directory is not possible. Restores that are disabled at times, when user and computer accounts are restored from a granular Active
Directory restore, they are disabled. The following topics describe possible reasons why the accounts can be disabled.
Deleted objects
When objects in Active Directory are deleted, they are removed from their current Active Directory or ADAM/ADLDS container. They are converted into tombstones and placed in the Active Directory Deleted Objects container where their tombstone lifetime is monitored. By default, NetBackup restores deleted objects from this container if the tombstone lifetime has not passed. After the tombstone lifetime passes, the tombstones are purged from the Active Directory Deleted Objects container. Purging the tombstones has the effect of permanently deleting the objects from the Active Directory and ADAM/AD LDS databases.
User objects
When restoring user objects, you must reset the object's user password and enable the object's user account:
- For Active Directory user objects, use the Microsoft Active Directory Users and Computers application.
- For ADAM/AD LDS user objects, use ADSI Edit.
In Active Directory, computer objects are derived from user objects. Some attributes that are associated with a computer object cannot be restored when you restore a deleted computer object. They can only be restored if the attributes were saved through schema changes when the computer object was originally deleted.
Computer objects
Computer object credentials change every 30 days and the credentials from the backup may not match the credentials that are stored on the actual computer. When a computer object is restored it is disabled if the userAccountControl property was not preserved in the deleted object.
Use the Microsoft Active Directory Users and Computers application to reset a computer object.
To reset a computer object's account
- Remove the computer from the domain.
- Re-join the computer to the domain. The security identifiers (SID) for the computer remains the same since it is preserved when a computer object is deleted. However, if the tombstone expired and a new computer object was recreated, the SID is different.
Group and member objects
To restore Active Directory group membership links may require that the restore job be run twice.
For example, consider the case where a group and its member objects are deleted. If a restore job contains both group objects and member objects, the job restores the objects in alphabetical order. However, the group that is restored has a link dependency on a member that does not exist yet. When the group is restored, the link cannot be restored.
Run the restore again to restore all forward and backward links.
Group policy objects
NetBackup does not support granularrestores of Group Policy Objects.
regards
problem was solved as follow
Restoring Active Directory objects
The following procedure describes how to restore objects from an Active Directory backup in a non-disaster recovery situation:
To restore individual objects from an Active Directory backup
- Open the NetBackup Backup, Archive, and Restore client interface.
- Select File > Select Files and Folders to Restore.
- 3 Expand and browse the Active Directory node.
- Select the objects to be restored. Do not select both granular and non-granular objects. When a user explores and expands selections, a delay can occur during communication with the NetBackup server. The delay is a result of dynamically determining the contents from the image on the media server.
The approach prevents the NetBackup catalog from unanticipated growth due to numerous granular entries.
- Select Action > Restore.
- If an Active Directory object is selected, the RestoreMarkedFiles dialog box contains two tabs:
- General tab
When an Active Directory object is selected, the Restore Destination Choices are disabled in the General tab. Configure the other restore options as needed.
- Active Directory tab\
The Active Directory tab contains an option to recreate the objects that have been deleted: Recreatedeletedobjects thatcannotberestoredfrom the Active Directory Deleted Objects container.
Active Directory granular backups and recovery The Active Directory tab contains an option that lets administrators recreate the objects whose tombstone lifetimes have passed. The objects have also been purged from the Active Directory Deleted Objects container. To allow this capability, enable the option labeled Recreatedeletedobjects that cannot be restored from the Active Directory Deleted Objects container.
- Click Start Restore in the Restore Marked Files dialog box. Some restore situations require additional steps, depending on what is restored.
Restore issues
The following sections describe additional information about granular restores. Some situations require additional steps to fully restore the objects. In some situations, a granular restore of some part of the Active Directory is not possible. Restores that are disabled at times, when user and computer accounts are restored from a granular Active
Directory restore, they are disabled. The following topics describe possible reasons why the accounts can be disabled.
Deleted objects
When objects in Active Directory are deleted, they are removed from their current Active Directory or ADAM/ADLDS container. They are converted into tombstones and placed in the Active Directory Deleted Objects container where their tombstone lifetime is monitored. By default, NetBackup restores deleted objects from this container if the tombstone lifetime has not passed. After the tombstone lifetime passes, the tombstones are purged from the Active Directory Deleted Objects container. Purging the tombstones has the effect of permanently deleting the objects from the Active Directory and ADAM/AD LDS databases.
User objects
When restoring user objects, you must reset the object's user password and enable the object's user account:
- For Active Directory user objects, use the Microsoft Active Directory Users and Computers application.
- For ADAM/AD LDS user objects, use ADSI Edit.
In Active Directory, computer objects are derived from user objects. Some attributes that are associated with a computer object cannot be restored when you restore a deleted computer object. They can only be restored if the attributes were saved through schema changes when the computer object was originally deleted.
Computer objects
Computer object credentials change every 30 days and the credentials from the backup may not match the credentials that are stored on the actual computer. When a computer object is restored it is disabled if the userAccountControl property was not preserved in the deleted object.
Use the Microsoft Active Directory Users and Computers application to reset a computer object.
To reset a computer object's account
- Remove the computer from the domain.
- Re-join the computer to the domain. The security identifiers (SID) for the computer remains the same since it is preserved when a computer object is deleted. However, if the tombstone expired and a new computer object was recreated, the SID is different.
Group and member objects
To restore Active Directory group membership links may require that the restore job be run twice.
For example, consider the case where a group and its member objects are deleted. If a restore job contains both group objects and member objects, the job restores the objects in alphabetical order. However, the group that is restored has a link dependency on a member that does not exist yet. When the group is restored, the link cannot be restored.
Run the restore again to restore all forward and backward links.
Group policy objects
NetBackup does not support granularrestores of Group Policy Objects.
regards
