Please take a moment to read http://bit.ly/demandglobalchange, to help share the message and support the initiative to tell our leaders to focus on addressing the global world problems, instead of complaining about the effects of their lack of leadership. Be a leader yourself, and share this with as many people as possible. #demandglobalchange // https://www.facebook.com/demandglobalchange



Please consider donating: https://www.corelan.be/index.php/donate/


6,219 views | This page as PDF

Restoring 2003 AD Objects using Windows 2008 Server

Anyone managing an Active Directory knows about the administrative troubles and work that can be caused when an object (such as a user) gets deleted.† The admin needs to either restore the object, and then manually fill out the attributes (such as password, group membership and so on), or restore a backup of the ntds.dit file, take down a DC, and perform an authoritative restore of the object… Pfffew – I wish they could make that easier J

Windows 2008 will help admins to recover object in a more convenient way.† Well, at least you don’t need to shut down a DC to do an authoritative restore (which will still work if you want to do it this way), and you don’t need to have records of what was in the attributes of the object prior to deletion. All you need is† a backup of the .dit file that contains the object and its attributes.

First of all, recover the object using the de-tombstone functionality (adrestore.exe from SysInternals, now Microsoft, will do this for you – (http://www.microsoft.com/technet/sysinternals/utilities/AdRestore.mspx)). Next, a new feature in 2008 will allow you mount the restored dit file, so you can connect to it using ldap, and list the attributes of the recovered object. Additionally, you can write a script that will pull op the the attributes of the original object and write them to the recovered object.

This is how it works :

  • restore the .dit file from backup
  • mount the .dit file using the Active Directory Services (ldap) engine, but to different ldap/gc ports
  • connect to these ldap ports using ldap
  • bind to the AD database
  • locate the object (which will show you the contents of the fields, so you can type them over)

There’s a little catch : by default, you cannot restore a bkf file from within 2008. You need to restore the dit file on a 2003 server and then transfer the file to the 2008 server. Microsoft has built a version of ntbackup for Vista and 2008 (basically allowing you to restore bkf files) however recovering the System State (even to an alternate location) does not work within 2008, and restoring just the .dit file ends up with a corrupted dit file.

As stated before, you can write a powershell script to connect to the ldap server, locate the user object, go through each field, take the value and put it in the corresponding field in the live AD.†† Such a script can be made generic, so it would be easy to recover a deleted object without any real loss (except for the password, which is the most important field that cannot be copied back). I’ll elaborate more on that powershell script later on.

So in theory, the only "hard" task that is left, is getting the .dit file restored, which can take some time.† (In case you are already using a 2008 based AD, you can take advantage of some interesting backup features, including full system backup, Bare Metal restore, and the feature to ‘snapshot’ .†† Using this snapshot technology, you could snapshot AD every hour if you wanted to, and by simply mounting a snapshot, you can retrieve a more up-to-date .dit file in a swift manner.

Anyways : what if we are running a 2003 AD ?

In this example, my lab consists of a Windows 2003 SP1 Domain Controller (Socrates), domain name† corelan.be, and a Windows 2008 domain member server with AD Services Role installed (not a DC, and I don’t think it really needs to be a member server either. It can be a standalone server as well)

In my 2003 AD, I have created a test user called† test.user, in a OU called TestOU OU

071507_1222_Restoring201

I filled out the Company name field (which is what we will try to get back)

Next, I used NTBackup to create a backup of the System State on the DC (which includes ntds.dit)

After creating the backup, I have deleted the user account.

Getting the user account back is not really hard. Just run adrestore and the object will be back, however you will notice two things :

  1. The object is disabled (because the password was not recovered. Since an AD object cannot have a blank password, the object is disabled). No big deal.
  2. The object does not contain the old data (Company name in our example). Big deal.This is what the adrestore looks like :
C:\>adrestore

AdRestore v1.1
by Mark Russinovich
Sysinternals - www.sysinternals.com

Enumerating domain deleted objects:
cn: Test User
DEL:9589f166-927e-464a-8143-84fc9ce705b6
distinguishedName: CN=Test User\0ADEL:9589f166-927e-464a-8143-84fc9ce705b6,CN=Deleted Objects,DC=corelan,DC=be
lastKnownParent: OU=TestOU,DC=corelan,DC=be

Found 1 items matching search criteria.

C:\>adrestore -r "Test User"

AdRestore v1.1
by Mark Russinovich
Sysinternals - www.sysinternals.com

Enumerating domain deleted objects:

cn: Test User
DEL:9589f166-927e-464a-8143-84fc9ce705b6
distinguishedName: CN=Test User\0ADEL:9589f166-927e-464a-8143-84fc9ce705b6,CN=Deleted Objects,DC=corelan,DC=be
lastKnownParent: OU=TestOU,DC=corelan,DC=be

Do you want to restore this object (y/n)? y

Restore succeeded.

Found 1 item matching search criteria.

The object is back, but it is disabled, and the fields are empty

071507_1222_Restoring202

Next, I have restored the .dit file from the backup. Note : when you do this, don’t restore to original location !† Select "Alternate location" and specify a folder to save the restored files into.

After locating the .dit file in the folders in my "restored" folder, I have copied over the .dit file to my Longhorn server (Plato)

In 2008, I have mounted the ntds.dit file using dsamain :

C:\restored>dsamain -dbpath:c:\restored\ntds.dit -ldapport:60000 -sslport:60001 -gcport:60010 -gcsslport:60011 -allowUpgrade

EVENTLOG (Informational): NTDS General / Service Control:

Microsoft Active Directory Domain Services startup complete, version 6.0.6001.16 510

(the last switch (-allowupgrade) was needed because I’m trying to access a .dit file from a 2003 domain in 2008)

Note : if you see the following error when trying to mount the .dit file, then you’ll have to repair the file first :

Error value: -544 JET_errSoftRecoveryOnBackupDatabase, Soft recovery is intended on a backup database. Restore should be used instead

Repair procedure : run "esentutl /p" on the database; and click "OK" on the warning

D:\restored>esentutl /p "d:\restored\ntds.dit"

Extensible Storage Engine Utilities for Microsoft(R) Windows(R)
Version 6.0
Copyright (C) Microsoft Corporation. All Rights Reserved.

Initiating REPAIR mode...
        Database: d:\restored\ntds.dit
  Temp. Database: TEMPREPAIR1084.EDB

Checking database integrity.

The database is not up-to-date. This operation may find that
this database is corrupt because data from the log files has
yet to be placed in the database.

To ensure the database is up-to-date please use the 'Recovery' operation.

                     Scanning Status (% complete) 

          0    10   20   30   40   50   60   70   80   90  100
          |----|----|----|----|----|----|----|----|----|----|
          ................................................... 

Initiating DEFRAGMENTATION mode...
            Database: d:\restored\ntds.dit
      Temp. Database: TEMPREPAIR1084.EDB 

                  Defragmentation Status (% complete) 

          0    10   20   30   40   50   60   70   80   90  100
          |----|----|----|----|----|----|----|----|----|----|
          ................................................... 

Moving 'TEMPREPAIR1084.EDB' to 'd:\restored\ntds.dit'... DONE! 

Note:
  It is recommended that you immediately perform a full backup
  of this database. If you restore a backup made before the
  defragmentation, the database will be rolled back to the state
  it was in at the time of that backup. 

Operation completed successfully in 55.786 seconds.

After repairing the file, remove the logfiles from that folder (not the dit file itself of course). Next, run the dsamain again and disregard all warnings.

Next, I’ve used ldp (on 2008) to connect to that ldap instance ("Connection" – "Connect")

071507_1222_Restoring203

071507_1222_Restoring204

All that is left, is to "bind"† to the ldap connection ("Connection" – "Bind")

071507_1222_Restoring205

Now, I can pull up the tree by going to ‘View’ – ‘Tree’

071507_1222_Restoring206

This way, I can get to the details of the user object, and type over the contents of the missing fields ("Company" in our example)

071507_1222_Restoring207

As stated before, this can be scripted as well, so all you would need to do is create a ldap listener on the restored .dit file (dsamain), run the script (which would connect to the ldap server), get to the object, run through the attributes and use another ldap connection to put the object’s values into the production AD.

© 2007 – 2015, Corelan Team (corelanc0d3r). All rights reserved.

Related Posts:

One Response to Restoring 2003 AD Objects using Windows 2008 Server

Corelan Live training

Since 2011, Corelan GCV has been teaching live win32 exploit dev classes at various security cons and private companies & organizations.

You can read more about the training and schedules here

Demand Global Change

The world needs your help !

Please take a few moments to read the "Demand Global Change Call For Action" document at
http://bit.ly/demandglobalchange
Read the full document at
http://bit.ly/demandglobalchange_full and share the message with as many people as possible.

Like the Facebook page, and SHARE it with everyone you know.



Donate

Want to support the Corelan Team community ? Click here to go to our donations page.

Want to donate BTC to Corelan Team?



Your donation will help funding server hosting.

Protected by Copyscape Web Plagiarism Tool

Corelan Team Merchandise

You can support Corelan Team by donating or purchasing items from the official Corelan Team merchandising store.

Corelan on IRC

You can chat with us and our friends on #corelan (freenode IRC)

Categories