Restoring Active Directory Objects

This all started with a discussion with a person in Dinosaur Provincial Park, a great place to explore and, in fact, to meet fellow IT people.  When you protect your Active Directory domain controllers with Veeam, it provides some very interesting opportunities.  As you might guess, you can recover your DCs without issue, but that is something you likely should not do, as it is safer to restore only what you need.  Restoring a DC works much better in vSphere 6 and Windows 2012, but it is still something to be wary of.  The issue in the past, BTW, was that if you restored a DC that had older information than the rest of the AD domain, there could be conflicts.  In theory this is managed properly now, but it is still something I like to avoid.

So in this article I am going to step through restoring a deleted user.  It could be a user, group, group policy object or any other AD object.  It is quick and easy, and so why would you restore a whole virtual machine if you don’t need to?

Something to be aware of

If you use the Veeam console, like I do on my Windows 7 desktop, you will hit a snag during the configuration of the AD object restore.


This primarily occurs with the AD Explorer, so you should restore AD objects on a platform that runs the same OS version as your domain controllers or a later one.  In my case I did the work on the actual Veeam server and it worked fine – both my DC and Veeam servers were Win2K12 R2.

To make this all possible …

We need to make sure that application-aware backup of our domain controllers is occurring. If you edit your job that covers off the AD servers you need to ensure that Enable application-aware processing is in fact enabled – as seen below.


If you are enabling this for the first time, make darn sure to use the Test Now button found in the lower right corner and make sure it works!

I will delete a user by the name of John Doe.  Remember this might be a GPO object, or OU or whatever.


Now that we have successful backups, and in fact a deleted user, we can start our recovery of that deleted object.

Restoring our lost object

We work in the console: expand the Backups view, expand the Active Directory backup, and right-click on the DC we wish to work with.


As you can see above, we have right-clicked on logan and selected Restore application items, and then we select our Microsoft Active Directory objects choice.  We will be offered a selection of Restore Points to work with.


I use the most current I can.

After Next you can select Finish.

Now the Explorer starts up. We just navigate to the Home Lab – users folder where all my users are.  We select the one we see that we know is missing.


We see an option of Restore to, which is what we need.  It doesn’t take long and we see the results.


We check back in AD to see if the user is there.


The user is there, and I can log in as him.  So all good!
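
The same check can be made from PowerShell, which also shows whether the account came back enabled and with its group memberships, and whether a deleted copy with the same logon name is still present.  This is an added example, not part of the original walkthrough; it assumes the ActiveDirectory module (RSAT) is installed, and the function name and the logon name jdoe for John Doe are hypothetical.

```powershell
# Added example: verify a restored user account after an object-level restore.
# Assumptions: ActiveDirectory module available; 'jdoe' is a hypothetical logon name.
Import-Module ActiveDirectory

function Test-RestoredAdUser {
    param(
        [Parameter(Mandatory)] [string] $SamAccountName
    )

    # Live (non-deleted) object, with the attributes worth checking after a restore.
    $user = Get-ADUser -Filter "sAMAccountName -eq '$SamAccountName'" -Properties whenCreated, whenChanged, MemberOf

    # Any copy still sitting in the Deleted Objects container under the same logon name.
    $deleted = @(Get-ADObject -IncludeDeletedObjects -Filter "isDeleted -eq `$true -and sAMAccountName -eq '$SamAccountName'")

    # Resolve group DNs to names. MemberOf does not include the primary group.
    $groups = @()
    if ($user) {
        $groups = @($user.MemberOf | ForEach-Object { (Get-ADGroup -Identity $_).Name })
    }

    [pscustomobject]@{
        SamAccountName    = $SamAccountName
        Found             = [bool]$user
        DistinguishedName = if ($user) { $user.DistinguishedName } else { $null }
        Enabled           = if ($user) { $user.Enabled } else { $null }
        SID               = if ($user) { $user.SID.Value } else { $null }
        WhenCreated       = if ($user) { $user.whenCreated } else { $null }
        WhenChanged       = if ($user) { $user.whenChanged } else { $null }
        Groups            = $groups
        DeletedCopies     = $deleted.Count
    }
}

# Run it for the restored account and review the result.
Test-RestoredAdUser -SamAccountName 'jdoe' | Format-List
```

Compare the SID and group list with what the account had before deletion if you have a record of them: an account that is recreated rather than restored gets a new SID, so existing permissions would no longer apply to it.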

When we were going to restore, there was another option of View attributes.  I think it is quite useful as it shows a lot of info.


I hope that this shows how easy and useful the Veeam AD Explorer is.  You can find out more about this feature in this help document. The functionality you see in this article is Enterprise or higher.

So, I think that if you are not using this capability and you have Veeam, you should remember what you saw and use it as needed in the future.  And if you don’t have Veeam, you should wonder when your backup software will do this for you!

As always, questions or comments welcome!  If there is something you would like to see from Veeam, let me know!

