Your network contains an Active Directory domain named contoso.com. The domain contains domain
controllers that run Windows Server 2008, Windows Server 2008 R2 Windows Server 2012, and Windows
Server 2012 R2.
A domain controller named DC1 runs Windows Server 2012 R2. DC1 is backed up daily.
During routine maintenance, you delete a group named Group1.
You need to recover Group1 and identify the names of the users who were members of Group1 prior to its
deletion. You want to achieve this goal by using the minimum amount of administrative effort.
What should you do first?
A.
Perform an authoritative restore of Group1.
B.
Mount the most recent Active Directory backup.
C.
Use the Recycle Bin to restore Group1.
D.
Reactivate the tombstone of Group1.
Explanation:
The Active Directory Recycle Bin does not have the ability to track simple changes to objects. If the object itself
is not deleted, no element is moved to the Recycle Bin for possible recovery in the future. In other words, there
is no rollback capacity for changes to object properties, or, in other words, to the values of these properties.
There is another approach you should be aware of. Tombstone reanimation (which has nothing to do with
zombies) provides the only way to recover deleted objects without taking a DC offline, and it’s the only way to
recover a deleted object’s identity information, such as its objectGUID and objectSid attributes. It neatly solves
the problem of recreating a deleted user or group and having to fix up all the old access control list (ACL)
references, which contain the objectSid of the deleted object.
Restores domain controllers to a specific point in time, and marks objects in Active Directory as being
authoritative with respect to their replication partners.
I’m confused…
Group1 is deleted thus making it available in the Recycle Bin. Restoring from Recycle Bin would restore group members prior to its deletion, thus you just view membership after restore.
C
3
3
i ma guessing that because the question deosnt specify if the recycle bin is enable it goes for the authorize restore
0
0
This is an awful question, but let’s break it down.
D cannot be right. When a group object becomes a tombstone it loses attributes such as its members.
C cannot be right because the question doesn’t specify if AD recycle bin has even been enabled in the first place.
So, it comes down to a coin toss between A and B.
Here’s the problem with B – it says backups are performed daily, which is fine, but what if I performer the group deletion at 10 AM, and the backup kicks in at noon? Remember, it says the most recent backup. So is this a trick?
The problem with A is that it feels like more administrative effort than the rest, although it would work for the purpose we’re looking at. It would also **restore** the group throughout the domain, and is that really what the question is asking us to do? It’s the fine line between recover and restore, and whether these words are simply interchangeable.
2
0
Also on authoritative restore you can select which group or user you can restore unlike on mounting the most recent backup. 🙂
correct me if im wrong 🙂
0
0
Questions states minimum amount of administrative effort, I would say
B, Mount the most recent Active Directory backup.
If you did authoritative restore, the DC would have to be taken offline first, correct me if im wrong
0
1
Sorry, not B because we need to recover.
Not C 2008 does not support rc bin
I think A is the answer
3
0