Your network consists of a single Active Directory forest. The forest contains one Active Directory domain. The domain contains eight domain controllers. The domain controllers run Windows Server 2003 SP2.
You upgrade one of the domain controllers to Windows Server 2008 R2.
You need to recommend an Active Directory recovery strategy that supports the recovery of deleted objects.
The solution must allow deleted objects to be recovered for up to one year after the date of deletion.
What should you recommend?
A. Increase the tombstone lifetime for the forest.
B. Increase the interval of the garbage collection process for the forest.
C. Configure daily backups of the Windows Server 2008 R2 domain controller.
D. Enable shadow copies of the drive that contains the Ntds.dit file on the Windows Server 2008 R2 domain controller.
Correct Answer: A
Explanation/Reference:
RESTORATION OF DELETED AD OBJECTS
Authoritative restore uses ntdsutil together with a backup taken by Windows Server Backup. It must be performed in Directory Services Restore Mode (DSRM), i.e. the domain controller has to be offline.
Tombstone reanimation has been available since Windows Server 2003. Active Directory keeps deleted objects in the database for a period of time (180 days by default) before physically removing them. The deleted object's distinguished name (DN) is mangled, most of its non-link-valued attributes are cleared, all of its link-valued attributes are physically removed, and the object is moved to a special container in its naming context (NC) named Deleted Objects. The object, now called a tombstone, is invisible to normal directory operations.
Active Directory Recycle Bin, introduced in Windows Server 2008 R2, helps minimize directory service downtime by enhancing your ability to preserve and restore accidentally deleted Active Directory objects without restoring Active Directory data from backups, restarting AD DS, or rebooting domain controllers. When you enable Active Directory Recycle Bin, all link-valued and non-link-valued attributes of the deleted Active Directory objects are preserved and the objects are restored in their entirety to the same consistent logical state that they were in immediately before deletion.
The "restorable" period is determined by the Deleted Object Lifetime (the msDS-deletedObjectLifetime attribute, null by default) and the Recycled Object Lifetime (the tombstoneLifetime attribute, 180 by default in Windows Server 2003 SP1 or later). These two values can be modified with ADSI Edit, LDP or the Active Directory Module for Windows PowerShell. Microsoft recommends that the "restorable" period be 180 days or more.
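As an added illustration (not part of the original explanation or a Microsoft script), the following PowerShell reads the two lifetime attributes from the forest's Directory Service object and raises tombstoneLifetime to 365 days, which is the change recommended by answer A. It assumes the Active Directory Module for Windows PowerShell is available (for example on the Windows Server 2008 R2 domain controller) and that the account running it has Enterprise Admin rights.

```powershell
# Added example: inspect and raise the forest tombstone lifetime so that
# deleted objects remain recoverable for up to one year.
# Assumptions: ActiveDirectory module present, Enterprise Admin credentials.
Import-Module ActiveDirectory

# tombstoneLifetime and msDS-DeletedObjectLifetime live on this forest-wide
# object in the Configuration naming context.
$rootDse = Get-ADRootDSE
$dsPath  = "CN=Directory Service,CN=Windows NT,CN=Services,$($rootDse.configurationNamingContext)"

$ds = Get-ADObject -Identity $dsPath -Properties tombstoneLifetime, 'msDS-DeletedObjectLifetime'

# A null tombstoneLifetime means the built-in default applies
# (180 days for forests created on Windows Server 2003 SP1 or later;
# older forests default to 60 days).
$tsl = if ($null -eq $ds.tombstoneLifetime) { '(null: built-in default)' } else { $ds.tombstoneLifetime }
# A null msDS-DeletedObjectLifetime means the deleted object lifetime
# simply follows tombstoneLifetime.
$dol = if ($null -eq $ds.'msDS-DeletedObjectLifetime') { '(null: follows tombstoneLifetime)' } else { $ds.'msDS-DeletedObjectLifetime' }
Write-Host "Current tombstoneLifetime          : $tsl"
Write-Host "Current msDS-DeletedObjectLifetime : $dol"

# Dry run first to confirm the target object, then commit 365 days.
# Note: backups older than the tombstone lifetime can no longer be used
# for restore, so raising this value also lengthens the usable backup window.
Set-ADObject -Identity $dsPath -Replace @{ tombstoneLifetime = 365 } -WhatIf
Set-ADObject -Identity $dsPath -Replace @{ tombstoneLifetime = 365 }

# Verify the new value on the local domain controller.
(Get-ADObject -Identity $dsPath -Properties tombstoneLifetime).tombstoneLifetime
```

The change is written once and replicates to every domain controller in the forest; check it on the remaining Windows Server 2003 SP2 domain controllers after replication completes.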
http://technet.microsoft.com/en-us/library/dd379542(v=WS.10).aspx
http://technet.microsoft.com/en-us/library/dcf3431a-c562-447f-a591-4742d2bcdbfa(v=ws.10)#BKMK_1