Your network contains an Active Directory domain named contoso.com. The domain
contains domain controllers that run Windows Server 2008, Windows Server 2008 R2
Windows Server 2012, and Windows Server 2012 R2.
A domain controller named DC1 runs Windows Server 2012 R2. DC1 is backed up daily.
During routine maintenance, you delete a group named Group1.
You need to recover Group1 and identify the names of the users who were members of
Group1 prior to its deletion. You want to achieve this goal by using the minimum amount of
administrative effort.
What should you do first?
A.
Perform an authoritative restore of Group1.
B.
Mount the most recent Active Directory backup.
C.
Use the Recycle Bin to restore Group1.
D.
Reactivate the tombstone of Group1.
Explanation:
The Active Directory Recycle Bin does not have the ability to track simple changes to
objects. If the object itself is not deleted, no element is moved to the Recycle Bin for possible
recovery in the future. In other words, there is no rollback capacity for changes to object
properties, or, in other words, to the values of these properties.
There is another approach you should be aware of. Tombstone reanimation (which has
nothing to do with zombies) provides the only way to recover deleted objects without taking a
DC offline, and it’s the only way to recover a deleted object’s identity information, such as its
objectGUID and objectSid attributes. It neatly solves the problem of recreating a deleted
user or group and having to fix up all the old access control list (ACL) references, which
contain the objectSid of the deleted object.
Restores domain controllers to a specific point in time, and marks objects in Active Directory
as being authoritative with respect to their replication partners.