Daniel Ramawidjaja Blog

June 22, 2009

Restore Deleted Objects from Active Directory Database Using Tombstone Reanimation (AdRestore.exe and ADRestore.NET)

By using AdRestore.exe or ADRestore.NET, you can apply the tombstone reanimation method to restore deleted objects from the Active Directory database easily. It does essentially the same thing as using LDP in my previous post, Restore Deleted Objects in Active Directory Database Using Tombstone Reanimation (LDP.EXE).

I wrote the previous post to give a deeper understanding of the tombstone reanimation concept.

Mark Russinovich, formerly of Sysinternals and now at Microsoft, has created a command-line freeware application called ADRestore. The tool enumerates all of the currently tombstoned objects in a domain, allows you to restore them selectively, and provides a convenient command-line interface to the Active Directory reanimation functionality.

You can download this tool from here:



Restoring objects with ADRestore.NET
Guy Teverovsky has written a GUI version that lets you easily restore deleted AD objects.
I found this tool helps a lot when you need to restore more than one deleted object, for example an OU that contains several objects.

You can download the ADRestore.NET here:

Here are the demo steps:
I deleted an OU named Accounting that contained some objects, including users and groups.
Delete an OU

Enumerating Tombstones

First restore the OU.

Then restore the other objects one by one.

Until the last object

Then view the result
ADRestore.NET - The Result

You can see from the steps above that restoring more than one object is a lot easier with ADRestore.NET.


Restore Deleted Objects in Active Directory Database Using Tombstone Reanimation (LDP.EXE)

This tip has been tested and works on Windows Server 2003, Windows Server 2008, or later.
For Windows Server 2008 R2, it is recommended to use the Active Directory Recycle Bin feature. It is a more efficient method and can do a complete restore of previously deleted objects.

What Is a Tombstone?
When Active Directory deletes an object from the directory, it does not physically remove the object from the database. Instead, Active Directory marks the object as deleted by setting the object’s isDeleted attribute to TRUE, stripping most of the attributes from the object, renaming the object, and then moving the object to a special container in the object’s naming context (NC) named CN=Deleted Objects. The object, now called a tombstone, is invisible to normal directory operations.

Obviously, objects don’t remain in the CN=Deleted Objects container forever. The default tombstone lifetime is 60 days for forests initially built using Windows® 2000 and Windows Server 2003, and 180 days for forests that were initially built with Windows Server 2003 SP1. You can change the tombstone lifetime by setting the tombstoneLifetime attribute of the CN=Directory Service,CN=Windows NT, CN=Services,CN=Configuration, DC= object.

Every 12 hours, each domain controller starts a garbage collection process. (This can be changed by setting a new value for the garbageCollPeriod attribute of the CN=Directory Service,CN=Windows NT, CN=Services,CN=Configuration,DC= object.) This garbage collection scans all of the tombstones on the DC and physically deletes any that are older than the tombstone lifetime.

The Deleted Objects container is hidden and cannot be viewed using Active Directory Users and Computers or ADSIEDIT.MSC, but you can use LDP.EXE.

For example, in this documentation, I delete an account with the distinguishedName CN=Jenny Gates,OU=Marketing,DC=Microship,DC=com.
That account will be stored in the Deleted Objects container in the form:
CN=Jenny Gates\0ADEL:c7f41f06-7f02-42c9-8701-d5ad5ee3a7d0,CN=Deleted Objects,DC=Microship,DC=com
with the attribute isDeleted set to TRUE.

To restore the user account, you use LDP.EXE to modify the attributes of the deleted object.
Here are the snapshots:


The previous condition
Jenny Gates (username: JennyG) has the following attributes:

Tombstone Reanimation - Before Deletion

Tombstone Reanimation - Before Deletion

Jenny has permissions set on the C:\Data\Marketing folder.

Tombstone Reanimation - Before Deletion

Delete the user account Jenny

Tombstone Reanimation - Deletion

As the Result of Deletion
Jenny's previous account is shown in the folder's permissions as her old SID. If you create a new user, it actually creates a new object with a new SID. That's why you have to use the tombstone reanimation method to restore the old object.

Tombstone Reanimation - Impact of Deletion


To prepare for restoring the deleted object, you have to install the Windows Server 2003 Support Tools. On the Windows Server 2003 installation CD, the installer is located at \SUPPORT\TOOLS\SUPTOOLS.MSI.
You do not need this step if you are using Windows Server 2008.

Tombstone Reanimation - Support Tools


Process to Restore the Deleted Object
Run LDP.exe.
In the LDP window, click the Connection menu, click Connect, and type the appropriate server name and port.
Click the Connection menu, click Bind, and type the Administrator account and password.

Click the Options menu, then click Controls.
Under Load Predefined, select Return deleted objects.
This control makes the Deleted Objects container, which is hidden by default, visible.

Tombstone Reanimation

Click the View menu, click Tree, and then enter the distinguished name of the domain.
On the left, select DC=Microship,DC=com.
Then expand the Deleted Objects container and find Jenny Gates.

Right-click the Jenny account, then click Modify.

Tombstone Reanimation

In the Attribute box, type isDeleted. Under Operation, click Delete, and then click Enter.
In the Attribute box, type distinguishedName; in the Values box, type CN=Jenny Gates,OU=Marketing,DC=Microship,DC=com. Under Operation, click Replace, and then click Enter.
Select the Extended check box, and then click Run.
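The same procedure driven from PowerShell, as an added example that is not code from the original post, Sysinternals or Microsoft. It uses the System.DirectoryServices.Protocols classes to send exactly the operations the LDP.EXE steps perform (search with the Return deleted objects control, delete isDeleted, replace distinguishedName, modify sent with the control), and it also reads the tombstoneLifetime and garbageCollPeriod attributes described in the "What Is a Tombstone?" section so you know how long a tombstone will still be there. The server name, domain DN and account name at the bottom are placeholders; the function names are my own.

```powershell
# Added example: tombstone reanimation over LDAP from PowerShell (not the post's own code).
# Assumes .NET 2.0 SP1 or later (System.DirectoryServices.Protocols) and a domain account
# allowed to reanimate tombstones. Server, DN and account values below are placeholders.
Add-Type -AssemblyName System.DirectoryServices.Protocols
$P = 'System.DirectoryServices.Protocols'

function ConvertTo-LdapFilterValue([string]$Value) {
    # RFC 4515 escaping, so an account name cannot change the shape of the search filter
    $sb = New-Object System.Text.StringBuilder
    foreach ($ch in $Value.ToCharArray()) {
        if ('\*()'.IndexOf($ch) -ge 0 -or [int]$ch -eq 0) { [void]$sb.AppendFormat('\{0:x2}', [int]$ch) }
        else { [void]$sb.Append($ch) }
    }
    $sb.ToString()
}

function New-SearchRequest([string]$Base, [string]$Filter, $Scope, [string[]]$Attributes, [switch]$ShowDeleted) {
    $req = New-Object "$P.SearchRequest"
    $req.DistinguishedName = $Base
    $req.Filter = $Filter
    $req.Scope = [System.DirectoryServices.Protocols.SearchScope]$Scope
    $req.Attributes.AddRange($Attributes)
    # LDP's Options > Controls > "Return deleted objects" is this control (1.2.840.113556.1.4.417)
    if ($ShowDeleted) { [void]$req.Controls.Add((New-Object "$P.ShowDeletedControl")) }
    $req
}

function Connect-Ldap([string]$Server, [int]$Port = 389) {
    # LDP: Connection > Connect, then Connection > Bind (here: the current user's credentials)
    $id   = New-Object -TypeName "$P.LdapDirectoryIdentifier" -ArgumentList $Server, $Port
    $conn = New-Object -TypeName "$P.LdapConnection" -ArgumentList $id
    $conn.SessionOptions.ProtocolVersion = 3
    $conn.SessionOptions.Signing = $true      # satisfies a DC that requires LDAP signing
    $conn.Bind()
    $conn
}

function Get-TombstoneLifetime($Conn) {
    # tombstoneLifetime / garbageCollPeriod live on CN=Directory Service,CN=Windows NT,CN=Services,<config NC>;
    # an absent tombstoneLifetime means the forest default (60 or 180 days) applies
    $root  = $Conn.SendRequest((New-SearchRequest '' '(objectClass=*)' Base configurationNamingContext))
    $cfgNc = $root.Entries[0].Attributes['configurationNamingContext'].GetValues([string])[0]
    $ds    = $Conn.SendRequest((New-SearchRequest "CN=Directory Service,CN=Windows NT,CN=Services,$cfgNc" '(objectClass=*)' Base tombstoneLifetime,garbageCollPeriod))
    $a = $ds.Entries[0].Attributes
    $life = if ($a.Contains('tombstoneLifetime')) { [int]$a['tombstoneLifetime'].GetValues([string])[0] } else { $null }
    $gc   = if ($a.Contains('garbageCollPeriod')) { [int]$a['garbageCollPeriod'].GetValues([string])[0] } else { 12 }
    New-Object PSObject -Property @{ TombstoneLifetimeDays = $life; GarbageCollectionHours = $gc }
}

function Find-Tombstone($Conn, [string]$DomainDn, [string]$SamAccountName) {
    # sAMAccountName, objectSid and lastKnownParent survive on a tombstone, so the account
    # can be located by logon name and later put back under its former parent
    $filter = "(&(isDeleted=TRUE)(sAMAccountName=$(ConvertTo-LdapFilterValue $SamAccountName)))"
    $resp = $Conn.SendRequest((New-SearchRequest "CN=Deleted Objects,$DomainDn" $filter OneLevel name,lastKnownParent,objectGUID -ShowDeleted))
    if ($resp.Entries.Count -ne 1) { throw "expected one tombstone for $SamAccountName, found $($resp.Entries.Count)" }
    $resp.Entries[0]
}

function Restore-Tombstone($Conn, $Tombstone, [string]$NewDn) {
    $delIsDeleted = New-Object "$P.DirectoryAttributeModification"       # Attribute isDeleted, Operation Delete
    $delIsDeleted.Name = 'isDeleted'
    $delIsDeleted.Operation = [System.DirectoryServices.Protocols.DirectoryAttributeOperation]::Delete
    $setDn = New-Object "$P.DirectoryAttributeModification"              # Attribute distinguishedName, Operation Replace
    $setDn.Name = 'distinguishedName'
    $setDn.Operation = [System.DirectoryServices.Protocols.DirectoryAttributeOperation]::Replace
    [void]$setDn.Add($NewDn)
    $req = New-Object "$P.ModifyRequest"
    $req.DistinguishedName = $Tombstone.DistinguishedName
    [void]$req.Modifications.Add($delIsDeleted)
    [void]$req.Modifications.Add($setDn)
    # LDP's "Extended" check box sends the modify together with the loaded controls;
    # the Show Deleted control must accompany the reanimation modify
    [void]$req.Controls.Add((New-Object "$P.ShowDeletedControl"))
    $Conn.SendRequest($req).ResultCode
}

function Restore-DeletedUser {
    [CmdletBinding()] param([string]$Server, [string]$DomainDn, [string]$SamAccountName)
    $conn = Connect-Ldap $Server
    try {
        $life = Get-TombstoneLifetime $conn
        Write-Verbose "tombstone lifetime: $($life.TombstoneLifetimeDays) days (empty = forest default), GC every $($life.GarbageCollectionHours) h"
        $ts = Find-Tombstone $conn $DomainDn $SamAccountName
        # the tombstone RDN is "<old CN>\0ADEL:<objectGUID>": the old CN is the part before the line feed
        $oldCn  = ($ts.Attributes['name'].GetValues([string])[0] -split "`n")[0]
        $parent = $ts.Attributes['lastKnownParent'].GetValues([string])[0]   # if this OU was deleted too, restore it first
        $newDn  = 'CN=' + ($oldCn -replace '([,+"\\<>;])', '\$1') + ",$parent"
        $rc = Restore-Tombstone $conn $ts $newDn
        # as the post notes, the account comes back disabled with its attributes stripped:
        # reset the password, enable it and re-add group memberships afterwards
        New-Object PSObject -Property @{ NewDn = $newDn; ResultCode = $rc }
    } finally { $conn.Dispose() }
}

# Usage with placeholder values:
# Restore-DeletedUser -Server dc1.microship.com -DomainDn 'DC=Microship,DC=com' -SamAccountName JennyG -Verbose
```

Find-Tombstone deliberately insists on exactly one match: two tombstones with the same sAMAccountName (an account deleted, recreated and deleted again) would mean reanimating the wrong SID, which is the very problem the post's "old SID in the folder ACL" screenshot illustrates.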

Tombstone Reanimation

The result of restoring a deleted object with the tombstone reanimation procedure is not perfect. You get back a disabled account with its attributes stripped. You have to set the password and enable the account.

Tombstone Reanimation - The Result

But as you can see from the following picture, the permissions for Jenny have been restored.
Now Jenny can access the shared folder.

Tombstone Reanimation - The Result

The next pictures show that, although you can restore the object, many attributes are gone, including the user's group memberships.

Tombstone Reanimation - The Result

Tombstone Reanimation - The Result

If you want a successful restore including all attributes of the user, you should consider an authoritative restore, which requires restoring from backup, and you cannot restore the Active Directory database from backup without restarting into Active Directory Restore Mode.

June 17, 2009

Error in Windows Server 2008 SP2 Installation

Filed under: Windows Server 2008 — Daniel Ramawidjaja @ 4:56 pm

If you experience errors when installing Windows Server 2008 SP2, such as

Error in Installing Windows Server 2008 SP2

You need to download and install the System Update Readiness Tool.
Here is the download link:


The result after installing the System Update Readiness Tool

Windows Server 2008 SP2 installed successfully

Windows Server 2008 SP2 has been installed successfully

Windows Server 2008 SP2

Filed under: Windows Server 2008 — Daniel Ramawidjaja @ 4:28 pm

Just a copy-and-paste from

Windows Server 2008 SP2

Windows Server 2008 Service Pack (SP) 2 is the latest service pack for Windows Server 2008. SP2 supports new types of hardware and emerging standards that will grow in importance in the coming months and years. Building on the solid foundation and proven security benefits of SP1, SP2 includes the latest set of system updates, ensuring your system is as secure and reliable as possible. SP2 simplifies administration by enabling IT administrators to deploy and support a single service pack for clients and servers.


What’s New in SP2?

  • SP2 adds support for 64-bit central processing unit (CPU) from VIA Technologies
  • SP2 introduces an improved power management policy that is up to 10% more efficient than the original in some configurations (both on the server and the desktop), and includes the ability to manage these settings via Group Policy
  • SP2 adds support for UTC timestamps to the exFAT file system, enabling correct file synchronization across time zones
  • SP2 adds the ability to natively record data on to Blu-Ray media
  • SP2 increases the authentication options for WebDAV redirector, enabling Microsoft Office users greater flexibility when authenticating custom applications using the WebDAV redirector
  • SP2 provides the Hyper-V virtualization environment as a fully integrated feature of Windows Server 2008, enabling customers to run one instance of the OS in the virtual operating environment (VOSE) with Windows Server 2008 Standard license, four instances of the OS in the VOSE with Windows Server 2008 Enterprise license and an unlimited number of OS instances in the VOSE with Windows Server 2008 Datacenter license.
  • SP2 improves backwards compatibility for Terminal server license keys
  • Additional Power Improvements over Windows Server 2008 RTM


You can download the Windows Server 2008 SP2 here:

June 7, 2009

Remote Server Administration Tools on Windows Vista

If you want to do remote management from Windows client computers, you should install RSAT. Unfortunately, this tool is only available for Windows Vista.

You can download and find more detailed information from here:

Install the RSAT

RSAT Setup

While the update process was still running, I examined the Administrative Tools on Windows Vista to show you the previous condition.

Administrative Tools before RSAT Installed

Go to Control Panel, Programs, Programs and Features, and then click Turn Windows features on or off. You will see the differences.

Turn Windows Features On or Off after RSAT

Here is the Administrative Tools program group after I turned on some of the RSAT features.

Administrative Tools After RSAT Installed

June 6, 2009

Change the Local Administrator Password Using Group Policy

Filed under: Group Policy,Windows Server 2008 — Daniel Ramawidjaja @ 11:41 pm

This tip can be implemented if you have already installed the Group Policy Client Side Extensions (CSEs) on the targeted computers. If not, download them from here: http://support.microsoft.com/?kbid=943729
The minimum supported client is Windows XP SP2.

By following the steps in the pictures below, you can configure Group Policy to change the local administrator's password on multiple machines.

Group Policy Preference to Change Admin Local Password - 1

Group Policy Preference to Change Admin Local Password - 2

Group Policy Preference to Change Admin Local Password - 3

June 3, 2009

Configure IPv6 Using Group Policy

Filed under: Group Policy,Windows Server 2008 — Daniel Ramawidjaja @ 7:56 am

Actually, this is a test of the solution offered on this site:
How to Configure IPv6 Using Group Policy

You can download the Active Directory template here:

Read the original web site for more information. Here I just test the solution using Group Policy.

The result on Group Policy Management Editor



Testing on Windows Vista
Before the policy is applied:


After running gpupdate /force and restarting the computer:


ADMX Migrator

ADMX Migrator, which is created and supported by FullArmor, enables you to convert ADM files to the ADMX format and take advantage of the additional capabilities that it provides. The new XML-based format includes multilanguage support, an optional centralized datastore, and version control capabilities.

ADM files are Administrative Template files included by default in Windows operating system and service pack releases, beginning with Windows 2000, for managing Group Policy.

If you’ve started using Windows Vista and Windows Server 2008 in your environment, you may have noticed the new Group Policy ADMX format. This new format for Group Policy templates takes advantage of new features and capabilities.
In the new ADMX format, registry-based policy settings are defined using XML, instead of the proprietary format that ADM files used. The new templates come with a lot more settings, almost 2,400 in Windows Vista, which is several hundred more than Windows XP.

ADMX Migrator
I need this tool when I want to convert customized ADM files to the ADMX format used in Windows Server 2008.

You can download ADMX Migrator here:

An Example of ADM File

This is the content of my ADM file:

; CLASS is required by the ADM syntax; USER is assumed here because the Tour key is per-user (HKCU)
CLASS USER

CATEGORY !!DisableWindowsTour

	KEYNAME "Software\Microsoft\Windows\CurrentVersion\Applets\Tour"

	POLICY !!DisableWindowsTour

		VALUENAME "RunCount"

	END POLICY

END CATEGORY

[strings]
DisableWindowsTour="Disable Windows Tour"

Migrate the ADM File Using ADMX Migrator


No problem with this warning. You can add the supported-on information later.


When prompted to load it to ADMX Editor, click Yes.

By default, the template is saved to the current user profile; you can use Save As to put it in your preferred folder.


Verify the template



Enter the supported definition




Copy the ADMX file to %SystemRoot%\PolicyDefinitions and the en-US ADML file to %SystemRoot%\PolicyDefinitions\en-US.


Here is the result when opening Group Policy Management Editor.
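What the migration produces, and a check to run before copying the files into PolicyDefinitions, as an added example that is neither the post's own output nor FullArmor's tool. The ADMX/ADML pair below is constructed by hand to match the DisableWindowsTour ADM file above (the namespace Example.Policies.DisableWindowsTour, the prefix "tour", the supported-on reference to windows:SUPPORTED_WindowsXP and class="User" are my assumptions; the migrator will pick its own). The functions are my own: Test-AdmxTemplate verifies that every $(string.*) reference resolves in the ADML, that every policy has a supportedOn (the migrator's warning) that resolves, and that key/valueName are present; Install-AdmxTemplate only copies the files when that check is clean.

```powershell
# Added example (not from the original post or from ADMX Migrator): a constructed ADMX/ADML
# pair equivalent to the DisableWindowsTour ADM, validated before it goes into PolicyDefinitions.
$Admx = @'
<?xml version="1.0" encoding="utf-8"?>
<policyDefinitions xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions"
                   revision="1.0" schemaVersion="1.0">
  <policyNamespaces>
    <target prefix="tour" namespace="Example.Policies.DisableWindowsTour" />   <!-- assumed namespace -->
    <using prefix="windows" namespace="Microsoft.Policies.Windows" />
  </policyNamespaces>
  <resources minRequiredRevision="1.0" />
  <categories>
    <!-- CATEGORY !!DisableWindowsTour -->
    <category name="DisableWindowsTour" displayName="$(string.DisableWindowsTour)" />
  </categories>
  <policies>
    <!-- POLICY !!DisableWindowsTour with its KEYNAME and VALUENAME; class="User" assumed (HKCU key).
         No enabledValue/disabledValue, like the ADM without VALUEON/VALUEOFF: Enabled writes DWORD 1 -->
    <policy name="DisableWindowsTour" class="User" displayName="$(string.DisableWindowsTour)"
            key="Software\Microsoft\Windows\CurrentVersion\Applets\Tour" valueName="RunCount">
      <parentCategory ref="DisableWindowsTour" />
      <supportedOn ref="windows:SUPPORTED_WindowsXP" />   <!-- the "supported definition" entered later -->
    </policy>
  </policies>
</policyDefinitions>
'@

$Adml = @'
<?xml version="1.0" encoding="utf-8"?>
<policyDefinitionResources xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions"
                           revision="1.0" schemaVersion="1.0">
  <displayName>Disable Windows Tour</displayName>
  <description>Converted from the DisableWindowsTour ADM file</description>
  <resources>
    <stringTable>
      <!-- [strings] DisableWindowsTour="Disable Windows Tour" -->
      <string id="DisableWindowsTour">Disable Windows Tour</string>
    </stringTable>
  </resources>
</policyDefinitionResources>
'@

function Test-AdmxTemplate([string]$AdmxXml, [string]$AdmlXml) {
    # Returns a list of problems; an empty list means the pair is consistent
    [xml]$admx = $AdmxXml
    [xml]$adml = $AdmlXml
    $problems = @()
    $strings = @($adml.policyDefinitionResources.resources.stringTable.string | Where-Object { $_ } | ForEach-Object { $_.id })
    # every $(string.X) used by the ADMX must be defined in the ADML string table
    foreach ($m in [regex]::Matches($AdmxXml, '\$\(string\.([^)]+)\)')) {
        $id = $m.Groups[1].Value
        if ($strings -notcontains $id) { $problems += "missing ADML string: $id" }
    }
    # supportedOn references are either local definitions or "prefix:name" into a <using> namespace
    $local  = @($admx.policyDefinitions.supportedOn.definitions.definition | Where-Object { $_ } | ForEach-Object { $_.name })
    $usings = @($admx.policyDefinitions.policyNamespaces.using | Where-Object { $_ } | ForEach-Object { $_.prefix })
    foreach ($p in @($admx.policyDefinitions.policies.policy | Where-Object { $_ })) {
        $ref = $p.supportedOn.ref
        if (-not $ref) { $problems += "policy $($p.name) has no supportedOn (the migrator's warning)" }
        elseif ($ref -match '^([^:]+):') { if ($usings -notcontains $Matches[1]) { $problems += "unknown namespace prefix in $ref" } }
        elseif ($local -notcontains $ref) { $problems += "undefined supportedOn: $ref" }
        if (-not $p.key -or -not $p.valueName) { $problems += "policy $($p.name) lacks key/valueName" }
    }
    $problems
}

function Install-AdmxTemplate([string]$Name, [string]$AdmxXml, [string]$AdmlXml,
                              [string]$Store = (Join-Path $env:SystemRoot 'PolicyDefinitions')) {
    # $Store: the local store as in the post, or the domain central store
    # \\<domain>\SYSVOL\<domain>\Policies\PolicyDefinitions (placeholder path)
    $problems = Test-AdmxTemplate -AdmxXml $AdmxXml -AdmlXml $AdmlXml
    if ($problems) { throw ("template rejected: " + ($problems -join '; ')) }
    Set-Content -Path (Join-Path $Store "$Name.admx") -Value $AdmxXml -Encoding UTF8
    Set-Content -Path (Join-Path $Store "en-US\$Name.adml") -Value $AdmlXml -Encoding UTF8
}

# Usage: Test-AdmxTemplate -AdmxXml $Admx -AdmlXml $Adml
#        Install-AdmxTemplate -Name DisableWindowsTour -AdmxXml $Admx -AdmlXml $Adml
```

Removing the supportedOn element from the policy, or misspelling the string id, reproduces the two kinds of warning the migrator and the Group Policy Management Editor raise, which is why the check runs before anything is copied into the store that every GPO editor on the machine reads.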



June 2, 2009

Upgrade Windows Server 2008 from Evaluation Version to Technet Version

Filed under: Windows Server,Windows Server 2008 — Daniel Ramawidjaja @ 6:39 pm

Because of the TechNet Subscription I got recently for a successful MCT 2009 renewal, I can use Windows Server 2008 legally. So I decided to convert the existing Windows Server 2008 evaluation virtual machine guest to the TechNet version, which will not expire.

As a result of the upgrade, there are two folders: $INPLACE.~TR and $WINDOWS.~Q. I deleted those folders and did not see any problems after the deletion.

