Performing Active Directory Tombstone Reanimation
October 10, 2018
With the exception of dynamic objects, when an object is deleted in Active Directory it is not immediately removed from the database. Instead a “tombstone” of the object, containing a subset of its attributes (including the SID), is placed in a hidden container called “Deleted Objects”. This allows for the possibility of restoring the user account, although this method should only be used if an authoritative restore and the recycle bin cannot be used.
The length of time tombstones are kept depends on the operating system that originally created the forest: for Windows Server 2000 and 2003 it is 60 days, whereas for Windows Server 2003 SP1 and above it is 180 days. By default, every 12 hours the garbage collector runs on each DC to permanently remove tombstones that have exceeded this duration. These values can be altered in ADSI Edit.
Tombstones can be “reanimated” using LDP, which is able to access the Deleted Objects container. Be aware that this only restores a disabled account with missing attributes, and it can produce unexpected results. Once restored, a new password needs to be set and the account enabled. Reanimation requires the following attribute amendments:
|Attribute|Operation|Value|
|---|---|---|
|isDeleted|Delete|(attribute removed, no value)|
|distinguishedName|Replace|DN to the destination OU of the user, e.g. CN=John Smith,OU=Accounts,DC=example,DC=com|
Follow these steps to recover a deleted user account using LDP.exe:
- Run “ldp.exe” on a DC, click “Connection”, “Connect…”, for the server specify the server name to connect to and click “OK”.
- Click “Connection” and choose “Bind…”, use the default option to connect as the current user and click “OK”.
- Click “Options”, “Controls” and then under “Load Predefined” choose “Return deleted objects” and click “OK”.
- Click “View”, “Tree” and set the “BaseDN” to “CN=Deleted Objects,DC=Your Domain” and click “OK”.
- Expand the tree view for deleted objects and look for the object to reanimate.
- Right click on the object and choose “Modify”.
- In the “Attribute” textbox type “isDeleted”, select the “Delete” radio button and then click “Enter”.
- Clear the “Attribute” textbox and enter “distinguishedName”; in the “Values” textbox enter the new DN for the user, e.g. CN=John Smith,OU=Accounts,DC=example,DC=com if the user was John Smith from Accounts, click “Enter” and then “Run”.
- In AD Users and Computers you will find the account in a disabled state, ready to have its password reset and be enabled again.
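The LDP steps above as a scripted equivalent, sending both attribute changes in a single LDAP Modify with the same “Return deleted objects” control that LDP loads. This is an added example, not code from the original post; it uses the System.DirectoryServices.Protocols classes and assumes placeholder values for the DC name, domain, user name and destination OU, and that the caller holds the “Reanimate Tombstones” right on the partition.

```powershell
# Added example (not from the original post): reanimate a tombstone with the same
# two attribute changes LDP makes, via System.DirectoryServices.Protocols.
# Placeholders: $Server, $Domain, $Name, $TargetDn. Needs the "Reanimate Tombstones" right.
Add-Type -AssemblyName System.DirectoryServices.Protocols

$Server   = 'dc01.example.com'                 # placeholder DC to connect to
$Domain   = 'DC=example,DC=com'                # placeholder domain naming context
$Name     = 'John Smith'                       # deleted user's original CN
$TargetDn = "CN=$Name,OU=Accounts,$Domain"     # DN in the destination OU

$ldap = [System.DirectoryServices.Protocols.LdapConnection]::new($Server)
$ldap.SessionOptions.Signing = $true; $ldap.SessionOptions.Sealing = $true
$ldap.Bind()                                   # current user, like LDP's default Bind

# Equivalent of LDP's "Return deleted objects" control (OID 1.2.840.113556.1.4.417);
# it must accompany both the search and the modify, or the tombstone is invisible.
$showDeleted = [System.DirectoryServices.Protocols.ShowDeletedControl]::new()

# Tombstone RDNs look like "CN=John Smith\0ADEL:<objectGUID>", so match on a prefix.
$search = [System.DirectoryServices.Protocols.SearchRequest]::new(
    "CN=Deleted Objects,$Domain",
    "(&(isDeleted=TRUE)(objectClass=user)(cn=$Name*))",
    [System.DirectoryServices.Protocols.SearchScope]::OneLevel,
    [string[]]@('distinguishedName', 'objectSid', 'lastKnownParent'))
$search.Controls.Add($showDeleted) | Out-Null
[System.DirectoryServices.Protocols.SearchResponse]$found = $ldap.SendRequest($search)
if ($found.Entries.Count -ne 1) {
    throw "Expected exactly one tombstone for '$Name', found $($found.Entries.Count)"
}
$tombstoneDn = $found.Entries[0].DistinguishedName

# Amendment 1: remove isDeleted (a Delete with no values strips the attribute).
$delIsDeleted = [System.DirectoryServices.Protocols.DirectoryAttributeModification]::new()
$delIsDeleted.Name      = 'isDeleted'
$delIsDeleted.Operation = [System.DirectoryServices.Protocols.DirectoryAttributeOperation]::Delete

# Amendment 2: replace distinguishedName with the DN under the destination OU.
$setDn = [System.DirectoryServices.Protocols.DirectoryAttributeModification]::new()
$setDn.Name      = 'distinguishedName'
$setDn.Operation = [System.DirectoryServices.Protocols.DirectoryAttributeOperation]::Replace
$setDn.Add($TargetDn) | Out-Null

$modify = [System.DirectoryServices.Protocols.ModifyRequest]::new($tombstoneDn,
    [System.DirectoryServices.Protocols.DirectoryAttributeModification[]]@($delIsDeleted, $setDn))
$modify.Controls.Add($showDeleted) | Out-Null
$ldap.SendRequest($modify) | Out-Null          # throws DirectoryOperationException on failure

# The object comes back disabled: confirm, then reset the password and enable it.
Get-ADUser -Identity $TargetDn -Properties Enabled | Select-Object DistinguishedName, Enabled
```

If the search returns zero entries the tombstone lifetime has most likely already expired and the garbage collector has removed the object, in which case only an authoritative restore from backup remains.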
Windows Deployment Services Error 7024 + 268 (3238134273)
September 5, 2018
I received error 7024 (3238134273) when trying to start the WDS service on a server without DHCP running on it.
System Event Log:
The description for Event ID 7024 from source Service Control Manager cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer.
If the event originated on another computer, the display information had to be saved with the event.
The following information was included with the event:
Windows Deployment Services Server
The locale specific resource for the desired message is not present
Application Event Log:
An error occurred while refreshing Image Cache. The Windows Deployment Services server will not process incoming client requests.
Error Information: 0xC1020201
After taking a look online, all I could find were posts about the error being caused by a port conflict, with both WDS and DHCP trying to use UDP port 67. As this server did not host DHCP, this was clearly not the cause in this case.
I tried removing the latest install image I had added, and the service started normally again.