Hi everybody.
I am trying to clarify for myself the topic of the “Resultant Backup Lifetime” of Windows Server backups. Given that:
- these thoughts are related to Active Directory objects, not to normal data
- it seems to me to be more “philosophy about Active Directory” than real-life scenarios, since for Active Directory objects the importance of backups seems to be (IMHO) inversely proportional to the age of the backups (it is much more likely to need to restore recent errors than old errors, such as deletions), so I feel it is not so likely to need to restore objects whose age is near the end of the tombstone (or the deletion) lifetime.
However, I’d like to understand in depth the issues about the RBL since my organization is preparing for a thorough AD recovery plan. I have read:
- Scenario Overview for Restoring Deleted Active Directory Objects: https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd379542(v=ws.10)
- Useful shelf life of a system-state backup of Active Directory: https://support.microsoft.com/en-us/help/216993/useful-shelf-life-of-a-system-state-backup-of-active-directory
- msds-deletedobjectlifetime and tombstoneLifetime: https://social.technet.microsoft.com/Forums/windowsserver/en-US/ba602a0c-4d13-4d1e-b33a-669cbf0c504f/msdsdeletedobjectlifetime-and-tombstonelifetime?forum=winserverDS
OK, I understood the msDS-deletedObjectLifetime and tombstoneLifetime attributes and their meaning.
In “Useful shelf life of a system-state…” it is stated that in a multi-domain forest a non-authoritative restore is not feasible if the backup is older than the tombstone lifetime. Why? I suppose that during synchronization the recovered server would need some information about the other domains that is no longer retained by the AD infrastructure beyond the tombstone period. I suppose that this also holds in the case of the restoration of selected objects using an authoritative restore, right?
So, supposing that in the case of a multi-domain forest the restoration would fail, let’s talk about a single-domain forest: what is the RBL in this case? Does the principle of the smaller value still hold?
I mean, if I take a backup, it is more or less like taking a photo of the current Active Directory state, right? So I have all the AD objects, the deleted ones and the recycled ones, as of the time the backup was taken.
So, all the AD objects, except for the recycled ones, are fully readable and recoverable. But isn’t that so as long as the backup is saved, readable and accessible? What really prevents the use of an authoritative restore (maybe limited to just some selected objects) from a backup older than the tombstone period in order to restore:
- AD objects that were not deleted at backup creation time? Or is the restoration feasible in this case?
- AD objects that were in the deleted state, not recycled, at backup creation time? In this case, wouldn’t it be simple to just restore the deleted object as the Recycle Bin would do, and then mark the object as authoritative?
Thanks,
Diegus
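An added example (not part of the original post) that reads the two forest-wide attributes discussed above from the Directory Service object in the Configuration partition, derives the resultant backup lifetime as the smaller of the two, and checks a backup's age against it. It assumes the ActiveDirectory PowerShell module and a reachable domain controller; the backup date passed at the end is a placeholder.

```powershell
# Added example, not from the original post. Requires the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

function Get-ResultantBackupLifetime {
    # tombstoneLifetime and msDS-DeletedObjectLifetime live on one object in the
    # Configuration partition and apply to the whole forest.
    $cfgNc = (Get-ADRootDSE).configurationNamingContext
    $dsObj = Get-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$cfgNc" `
                          -Properties tombstoneLifetime, 'msDS-DeletedObjectLifetime'

    # An unset tombstoneLifetime means the legacy default of 60 days.
    $tsl = if ($null -ne $dsObj.tombstoneLifetime) { [int]$dsObj.tombstoneLifetime } else { 60 }
    # An unset msDS-DeletedObjectLifetime inherits the value of tombstoneLifetime.
    $dol = if ($null -ne $dsObj.'msDS-DeletedObjectLifetime') {
        [int]$dsObj.'msDS-DeletedObjectLifetime'
    } else { $tsl }

    [pscustomobject]@{
        TombstoneLifetimeDays       = $tsl
        DeletedObjectLifetimeDays   = $dol
        # The resultant backup lifetime is the lesser of the two values.
        ResultantBackupLifetimeDays = [Math]::Min($tsl, $dol)
    }
}

function Test-BackupWithinLifetime {
    param([Parameter(Mandatory)][datetime]$BackupDate)
    $rbl     = Get-ResultantBackupLifetime
    $ageDays = [int]((Get-Date) - $BackupDate).TotalDays
    [pscustomobject]@{
        BackupDate                  = $BackupDate
        AgeDays                     = $ageDays
        ResultantBackupLifetimeDays = $rbl.ResultantBackupLifetimeDays
        # A backup older than the RBL is past its useful shelf life for AD restores.
        WithinLifetime              = $ageDays -lt $rbl.ResultantBackupLifetimeDays
    }
}

Get-ResultantBackupLifetime | Format-List
# Placeholder: replace with the timestamp of the system-state backup you actually hold.
Test-BackupWithinLifetime -BackupDate (Get-Date).AddDays(-45) | Format-List
```

Run it on any domain-joined machine with RSAT before relying on an older system-state backup, and repeat the check whenever either attribute is changed.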