Nakivo Backup & Replication Active Directory objects recovery


Nakivo Backup & Replication supports the recovery of individual Active Directory objects after accidental deletion of users, OUs or groups.

A complete restore of the Domain Controller could fix the issue and limit the time spent troubleshooting but, for a single object or a few objects, a faster and easier solution is preferable.

Mistakes happen, and handling them is a critical part of the administrator's job. In any Active Directory environment, users, OUs or groups can be accidentally deleted at any time.


When an AD object has been deleted, the first effect you may face is a disruption of services for the user related to that object.


A good backup strategy can save your day. Backup is your best friend when a situation like this occurs.


To restore AD objects, Active Directory can be recovered in two ways:

  • Non-Authoritative Recovery - restores the domain to the state at the time the backup was taken and lets replication update the objects with changes made afterwards. This is the default method to recover Active Directory.
  • Authoritative Recovery - a two-step process: a first non-authoritative recovery from the backup, followed by an authoritative recovery. This recovery type makes authoritative changes to objects and their attributes across the entire directory.


Recover Active Directory objects

If you back up the Domain Controller on a regular basis, Nakivo can restore Active Directory objects through the built-in Microsoft Active Directory objects function. Of course, if the last backup was taken ages ago, the deleted object may not be available for recovery.


From the available backups, select the Domain Controller that contains the deleted object and the restore point to use. Leave the Automatically locate application databases option enabled to automatically detect the Active Directory database. Click Next.


When the database has been detected, expand the AD domain to locate the objects to recover.


Select the object to restore, then click the Recover button. If you select the Download option, a zipped .LDF file is downloaded to the computer.


Click the Recovery settings link to configure the attributes of the selected objects.


In the Recovery of User object drop-down menu, choose one of the available options, then click Download.

The file is downloaded to your computer.


Copy the zipped file to the Domain Controller and extract the files.


Two files are extracted from the zip file: ad.ldif and password.txt, which contains the actual password of the recovered object.


Objects are imported into Active Directory through LDAP over SSL, which requires the Certificate Authority role to be enabled in the AD environment. Before proceeding with the object restore, make sure the Domain Controller has a CA role installed.


On the Domain Controller, run Windows PowerShell as Administrator and go to the directory that holds the unzipped items to recover.


From PowerShell, run the following command:

PS C:\> ldifde -i -t 636 -f ad.ldif -k -j C:\restore\log

Where ad.ldif is the ldif file downloaded from Nakivo Backup & Replication and C:\restore\log is the path to the folder where logs will be stored.


When the command has completed, you can see the recovered object in the Active Directory Users and Computers snap-in.
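
The manual steps above (extract the archive, confirm LDAP over SSL is reachable, review the file, run ldifde) can be wrapped in one script. This is an added example, not part of the original article or of Nakivo's tooling; the archive name, the folder paths and the -RemovePasswordFile switch are assumptions.

```powershell
# Added example: wraps the article's manual import steps. All paths are assumptions.
param(
    [string]$ZipPath = 'C:\restore\recovered-objects.zip',  # hypothetical name of the downloaded archive
    [string]$WorkDir = 'C:\restore\items',                  # where ad.ldif and password.txt are extracted
    [string]$LogDir  = 'C:\restore\log',                    # folder passed to ldifde -j
    [switch]$RemovePasswordFile                             # delete password.txt after a successful import
)
$ErrorActionPreference = 'Stop'

# Create the working and log folders, then extract the archive.
New-Item -ItemType Directory -Path $WorkDir, $LogDir -Force | Out-Null
Expand-Archive -Path $ZipPath -DestinationPath $WorkDir -Force

$ldif = Join-Path $WorkDir 'ad.ldif'
if (-not (Test-Path $ldif)) { throw "ad.ldif not found in $WorkDir" }

# ldifde -t 636 uses LDAP over SSL; stop early if nothing answers on that port.
if (-not (Test-NetConnection -ComputerName localhost -Port 636 -InformationLevel Quiet)) {
    throw 'TCP 636 is not reachable on this Domain Controller; check the certificate / CA role first.'
}

# List the distinguished names in the file so the operator confirms what will be written to AD.
Select-String -Path $ldif -Pattern '^dn::? ' | ForEach-Object { $_.Line }
if ((Read-Host 'Import these objects? (y/n)') -ne 'y') { return }

# Same command as in the article, run from the extraction folder.
Push-Location $WorkDir
try {
    ldifde -i -t 636 -f ad.ldif -k -j $LogDir
    if ($LASTEXITCODE -ne 0) {
        throw "ldifde exited with code $LASTEXITCODE; see the logs in $LogDir"
    }
}
finally {
    Pop-Location
}

# password.txt holds the recovered object's password in clear text.
# Remove it once the password has been handed over, if the operator asked for that.
if ($RemovePasswordFile) {
    Remove-Item -Path (Join-Path $WorkDir 'password.txt') -Force
}
```

Run it from an elevated PowerShell session on the Domain Controller; without -RemovePasswordFile the password file stays in the working folder.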


With a working Domain Controller backup available, Nakivo's Microsoft Active Directory objects feature lets you quickly recover AD objects without disrupting services, limiting the downtime.