http://social.microsoft.com/Forums/en-US/partnermsgexchange/thread/b0bd546b-a31f-49a6-b101-2baa2a54e6c7

(From the partner forums)

Overview
The purpose of this document is to explain the new procedures to use to restore deleted Exchange directory objects for Exchange Server 2007. It also applies to the legacy products Exchange 2000 Server and Exchange Server 2003.

 

We will explain how Exchange objects can be deleted, what the new procedures are to restore the objects, and provide specific steps to restore deleted Exchange directory objects.

 

Typical Causes

Ordinarily, an Exchange server object may be deleted using Exchange System Manager (ESM) or when an Organizational Unit (OU) containing user accounts associated with mailboxes is deleted using Active Directory Users and Computers (ADUC). When it is discovered that there is a need to bring the deleted Exchange server or OU back, there can be confusion about the proper method to restore the objects required.

 

Generally, this is done through an Authoritative Restore using the Active Directory tool NTDSUtil.exe.

 

What’s New in Restoring Deleted Exchange Directory Objects
Beginning with Windows Server 2003 SP1, functionality was added to the Ntdsutil.exe command-line tool to help Administrators more easily restore the backlinks of deleted objects.

 

Two or more files are generated for each authoritative restore operation. One file contains a list of authoritatively restored objects. The other file or files are .ldf files that are used with the Ldifde.exe utility. These files are used to restore the backlinks for the objects that are authoritatively restored. In Windows Server 2003 SP1 and Windows Server 2008, an authoritative restoration of a user object also generates LDIF files with the group membership backlinks. This method avoids a double restoration. Before Windows Server 2003 SP1, you had to restore Exchange servers and user accounts first and then restore group memberships in a second restore operation.

 

When you perform authoritative restore on a domain controller that is running Windows Server 2003 with SP1 or Windows Server 2008, Ntdsutil creates the following new files that you can use to recover group membership for Active Directory user accounts associated with Exchange mailboxes:

ar_YYYYMMDD-HHMMSS_links_Domain.ldf, which is an LDIF file that is generated for the domain in which you perform the authoritative restore procedure. This file contains back-link information for the restored objects. If you perform the procedure on a global catalog server, a separate .ldf file is created for each domain in the forest. You can use this file with the Ldifde command-line tool to import the back-links to recover universal and global group memberships in environments that include pre-LVR groups.

For environments that do not include pre-LVR groups, the Ntdsutil tool recovers group memberships automatically in the recovery domain and in the forest (for universal groups) if the recovery domain controller is a global catalog server. If the restore includes security principals that can have memberships in domain local groups in other domains, a text file that is also generated during authoritative restore is required to restore the memberships in the additional domains.

 

ar_YYYYMMDD-HHMMSS_objects.txt, which is a text file that contains a list of the authoritatively restored objects. This file is generated for each individual object or container that you mark as authoritative. You can use this file to generate an .ldf file that you can use to recover memberships in domain local groups and universal groups (if you are not restoring a global catalog server) in other domains.

This file is created on any domain controller that you authoritatively restore. Global catalog servers do not store the member attribute of domain local groups. Therefore, even if you perform the restore on a global catalog server, you must always use this file to generate an .ldf file in any domain where there are domain local groups of which restored security principals might be members. You must create a separate .ldf file for each object or container that you mark as authoritative.


Best regards,

Ryan Ye
Partner Online Technical Community
This posting is provided “AS IS” with no warranties, and confers no rights.
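
The file handling described in the post, as an added PowerShell example that is not part of the original post or of any Microsoft tooling. It assumes the Ntdsutil output files sit in the folder given by the hypothetical `-Path` parameter, that `-Domain` names the domain the local domain controller serves, and that Ldifde.exe is on the path.

```powershell
[CmdletBinding(SupportsShouldProcess)]
param(
    [string]$Path   = '.',                  # assumed: folder holding Ntdsutil's ar_* output
    [string]$Domain = $env:USERDNSDOMAIN    # assumed: DNS name of the domain this DC serves
)

# File name layouts as given in the post: ar_YYYYMMDD-HHMMSS_links_Domain.ldf
# and ar_YYYYMMDD-HHMMSS_objects.txt
$linkRx   = '^ar_(?<stamp>\d{8}-\d{6})_links_(?<domain>.+)\.ldf$'
$objectRx = '^ar_\d{8}-\d{6}_objects\.txt$'

# Collect the back-link files with the restore time and domain taken from each name.
$links = foreach ($f in Get-ChildItem -Path $Path -File -Filter 'ar_*_links_*.ldf') {
    if ($f.Name -match $linkRx) {
        [pscustomobject]@{
            File     = $f.FullName
            Domain   = $Matches['domain']
            Restored = [datetime]::ParseExact($Matches['stamp'], 'yyyyMMdd-HHmmss',
                           [cultureinfo]::InvariantCulture)
        }
    }
}

foreach ($l in $links | Sort-Object Restored) {
    if ($l.Domain -ne $Domain) {
        # A restore on a global catalog server writes one links file per domain.
        Write-Warning "$($l.File) belongs to $($l.Domain); import it on a DC in that domain."
        continue
    }
    if ($PSCmdlet.ShouldProcess($l.File, 'Ldifde import of back-links')) {
        # -i = import, -k = continue past errors such as existing memberships, -f = input file
        & ldifde.exe -i -k -f $l.File
        if ($LASTEXITCODE -ne 0) { throw "ldifde failed ($LASTEXITCODE) on $($l.File)" }
    }
}

# The objects.txt lists are not importable as they are: an .ldf file still has to be
# generated from each one in every other domain that has domain local groups.
Get-ChildItem -Path $Path -File -Filter 'ar_*_objects.txt' |
    Where-Object Name -match $objectRx |
    ForEach-Object { Write-Output "Pending for other domains: $($_.FullName)" }
```

Running the script with `-WhatIf` lists the imports it would perform without calling Ldifde.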

 
