Rubrik : Active Directory Recovery

Background

Have you ever tried to restore a Microsoft Active Directory object? Painful, isn't it? I tried as well and did not find any tool that could nail it reliably without leaving massive corruption behind after a couple of days. Then I heard that Rubrik was able to deal with it. It was about time to give it a try!

Rubrik Active Directory Recovery Tool

You will tell me: "This is not new, this functionality has existed for years." Correct! It has been generally available since December 2020, but it is the most hidden gem in the Rubrik ecosystem. No advertising, no use case, no blog post, nothing... Let's try to change this now with this humble little article.

Get the tool

First, you need to get the tool from the Rubrik support portal. Yes, it is well hidden:

➡️ Documentation and Download ➡️ Misc Documentation and Software ➡️ Rubrik AD Object Recovery Tool v1.0.2.2. 
At the time I'm writing these lines, the latest version is 1.0.2.2, dated April 11th, 2022.

You need to install the tool on a domain-joined member server or workstation. Of course, your domain controllers need to be protected by Rubrik.

⚠️ If you do not launch the tool with an account that has admin credentials AND use "Run as Administrator", it will never work.



⚠️ I'm not responsible for any loss of data in your environment; I'm doing my tests on a non-production environment. The AD database is sensitive, be careful.


Let's make sure we have at least one operational backup of our DC before proceeding; better take an on-demand snapshot to be safe.

Understand AD DB

Actually, Active Directory is nothing more than a database storing every aspect of the domain: users, groups, computers, contacts, printers, published shares, Group Policy objects, AD-integrated DNS zones, and many more. Since AD is multi-site and replicated across all the domain controllers of the domain (and forest-wide for some partitions), the database needs transaction logs to keep updates consistent.
Let's say one admin in the US modifies an object and another one in the EU makes a different change: you want the changes to be applied in the right order. This is why every change is first written to a transaction log and only then committed to the database, and upon restore the logs have to be replayed to bring the database back to a consistent state. This is how transactional databases work. (Ordering between DCs is tracked separately, through per-attribute version numbers and update sequence numbers, but the local log replay is what matters when you restore the files.)

The AD database lives on each domain controller, by default in C:\Windows\NTDS:


The database file is called ntds.dit. The files named edb* (edb.log, edbNNNNN.log and the edb.chk checkpoint) are the transaction logs. Both the database and the logs are required to restore an item from the AD.
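To see where those files really are on a given DC and whether an exported copy still needs its logs replayed, here is an added PowerShell example (mine, not part of the original post or of the Rubrik tool). It reads the paths the NTDS service registers in the registry, lists the edb* files, and, when you point it at an extracted copy with -NtdsFolder, dumps the ESE header with esentutl /mh to read the shutdown state. The -NtdsFolder parameter name is my own choice.

```powershell
# Added example (not from the original post or from Rubrik): locate the AD
# database and its transaction logs, then check the ESE header of a *copy*
# to see whether the logs still need to be replayed.
# Run from an elevated PowerShell session. Without -NtdsFolder it reports the
# live paths of the DC it runs on; with -NtdsFolder it inspects a copy
# (e.g. the extracted NTDS.zip), which is the only case where esentutl is run.
param(
    # Folder containing ntds.dit and the edb* files of an exported copy.
    [string]$NtdsFolder
)

$ntdsParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'

if (-not $NtdsFolder) {
    # On a DC the registry tells us where the DIT and the logs really live;
    # C:\Windows\NTDS is only the default and may have been moved.
    $p       = Get-ItemProperty -Path $ntdsParams
    $ditPath = $p.'DSA Database file'
    $logPath = $p.'Database log files path'
} else {
    $ditPath = Join-Path $NtdsFolder 'ntds.dit'
    $logPath = $NtdsFolder
}

Write-Host "Database : $ditPath"
Write-Host "Logs     : $logPath"

# The DIT plus edb.log / edbNNNNN.log (transaction logs) and edb.chk
# (checkpoint) are the set of files the recovery tool needs.
Get-ChildItem -Path $logPath -Filter 'edb*' |
    Select-Object Name, Length, LastWriteTime | Format-Table -AutoSize

if ($NtdsFolder) {
    # esentutl /mh dumps the ESE database header. 'Clean Shutdown' means the
    # file is self-consistent; 'Dirty Shutdown' means the transaction logs
    # must be replayed before the database can be mounted. The live DIT of a
    # running DC is locked, so this is only done on the exported copy.
    $header    = & esentutl.exe /mh $ditPath 2>&1
    $stateLine = $header | Where-Object { $_ -match '^\s*State:' }
    Write-Host $stateLine

    if ($stateLine -match 'Dirty Shutdown') {
        Write-Warning 'Database was not cleanly detached: keep every edb*.log next to it so the logs can be replayed.'
    }
}
```

A copy taken from a running DC by a VM snapshot is quite often in "Dirty Shutdown" state, which is exactly why the post insists on exporting the whole NTDS folder rather than ntds.dit alone.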

Situation before restoration

This is what I have created for the purpose of this test: an OU, 2 contacts and 1 group.


Now I have secured a backup of the DC containing this structure. Let's delete it!
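For readers who want to reproduce the setup without clicking through ADUC, here is an added PowerShell example (not part of the original post) that builds the same structure, records the objectGUIDs, deletes the container and shows the resulting tombstones. The OU name "Safe to Delete" and the group name "Rubrik" follow the post; the contact names, mail addresses and the domain DN are my own assumptions.

```powershell
# Added example (not part of the original post): build the test structure,
# delete it, and confirm the objects are now tombstoned.
Import-Module ActiveDirectory

$domainDn = (Get-ADDomain).DistinguishedName          # e.g. DC=lab,DC=local (assumed)
$ouName   = 'Safe to Delete'
$ouDn     = "OU=$ouName,$domainDn"

# 1. Create the container and its contents. New-ADOrganizationalUnit protects
#    the OU from accidental deletion by default, which would block step 2.
New-ADOrganizationalUnit -Name $ouName -Path $domainDn -ProtectedFromAccidentalDeletion $false
New-ADObject -Name 'Contact One' -Type contact -Path $ouDn -OtherAttributes @{ mail = 'one@example.com' }
New-ADObject -Name 'Contact Two' -Type contact -Path $ouDn -OtherAttributes @{ mail = 'two@example.com' }
New-ADGroup  -Name 'Rubrik' -GroupScope Global -GroupCategory Security -Path $ouDn -Description 'Test group'

# Record the objectGUIDs: a restore from backup brings an object back with the
# same GUID and SID, which is what makes it better than re-creating it by hand.
$before = Get-ADObject -SearchBase $ouDn -Filter * -Properties objectGUID |
          Select-Object Name, ObjectClass, ObjectGUID
$before | Format-Table -AutoSize

# >>> Take the Rubrik snapshot of the DC at this point, then continue. <<<

# 2. Delete the whole container (-Recursive removes the children first).
Remove-ADOrganizationalUnit -Identity $ouDn -Recursive -Confirm:$false

# 3. The objects are now tombstones under CN=Deleted Objects (or "recycled"
#    objects if the AD Recycle Bin is enabled). isDeleted=TRUE finds them;
#    lastKnownParent tells us where they lived.
Get-ADObject -Filter { isDeleted -eq $true -and lastKnownParent -eq $ouDn } `
             -IncludeDeletedObjects -Properties lastKnownParent, whenChanged |
    Select-Object Name, ObjectClass, lastKnownParent, whenChanged | Format-Table -AutoSize
```

Keep the GUID list from step 1: comparing it with the objects after recovery is the quickest way to tell a real restore from a re-creation.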



Of course, the goal is now to recover the deleted items :)

Finding the files to recover deleted objects

The tool developed by Rubrik can operate in two different modes:


  1. The tool connects directly to the Rubrik cluster and does the restore job within the app. This only works if the machine where the recovery tool is installed has network access to the Rubrik cluster. This is not my case, so I need to use option 2.
  2. You have already recovered the Active Directory database files and transferred them to the machine where the recovery tool is installed.
So, let's quickly jump to Rubrik CDM and select the files we would like to restore. After selecting the right snapshot, you need to export files: search for NTDS and select the C:\Windows\NTDS folder.


Next, select Download and wait for the set of files to be packaged and made available for download.

This generates a file called NTDS.zip. Let's transfer that file to the machine where the Rubrik Recovery tool is installed.





Rubrik Active Directory Recovery Tool

It is now time to start the Rubrik recovery tool (do not forget: Run as Administrator). Choose the Guided Setup option and then "I have my own files".

Now we need to specify the folder containing the NTDS.dit file (as well as the logs, but they are in the same folder). I have placed the extracted files on the Desktop for convenience.
Click Next; the tool analyzes the files and then comes back with a settings screen. You have to select your AD domain name from the drop-down list and choose to use AD; in my specific case I have to select LDAPS as the connection method. By default LDAPS is not used; if your DCs do not require it, you can leave it at the default.



Click next. You should see a confirmation that you are connected to your AD : 

The next screen shows you the AD tree. Navigate to the place where you deleted the "Safe to Delete" container. You should see it in the tree, as well as the objects that belonged to that container:
There is a grave icon in front of the container, which means its status is "Tombstoned". If you are recovering a user, once restored you will have to enable the account again. This is not our case here.

In order to restore the object, right click it and select Restore to Active Directory :

This restores only the OU itself; you need to repeat this step for each of the contained objects.


Our objects are back in their original place and will be replicated again to all the DCs in the organization.
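"Will be replicated" is worth verifying rather than assuming, so here is an added PowerShell check (mine, not part of the original post or of the Rubrik tool) that queries every DC of the domain directly for the restored container and its children and lists inbound replication failures if any DC is lagging. The OU name follows the post; the expected child count of 3 (2 contacts + 1 group) and the domain DN are taken from the post's scenario and the environment.

```powershell
# Added example (not part of the original post): after the recovery tool has
# put the OU and its children back, confirm every DC sees them.
Import-Module ActiveDirectory

$domainDn = (Get-ADDomain).DistinguishedName
$ouDn     = "OU=Safe to Delete,$domainDn"
$expected = 3   # 2 contacts + 1 group, as in the post

$results = foreach ($dc in Get-ADDomainController -Filter *) {
    # Query each DC by name rather than whichever one the client picks, so a
    # DC that has not received the restore yet shows up as a gap.
    try {
        $objs = Get-ADObject -Server $dc.HostName -SearchBase $ouDn `
                             -SearchScope OneLevel -Filter * -ErrorAction Stop
        [pscustomobject]@{ DC = $dc.HostName; OuPresent = $true;  Children = @($objs).Count }
    } catch {
        # Get-ADObject throws when the SearchBase (the OU) does not exist on that DC.
        [pscustomobject]@{ DC = $dc.HostName; OuPresent = $false; Children = 0 }
    }
}
$results | Format-Table -AutoSize

$lagging = $results | Where-Object { -not $_.OuPresent -or $_.Children -lt $expected }
if ($lagging) {
    Write-Warning "Not converged yet on: $($lagging.DC -join ', ')"
    # A permanent gap usually means inbound replication is failing somewhere.
    Get-ADReplicationFailure -Target (Get-ADDomain).DNSRoot -Scope Domain |
        Format-Table Server, Partner, FailureCount, FirstFailureTime, LastError -AutoSize
} else {
    Write-Host "OU and $expected child objects present on all $($results.Count) DCs."
}
```

If a DC lags only for a few minutes, that is normal intra-site replication latency; a DC that never converges, or one that reports failures, needs attention before you trust the restore.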

This process uses LDIFDE in the backend. If you encounter an error during the process, have a look at the logs of the recovery tool; they are located in %appdata%/Rubrik/Active Directory Object Recovery Tool/logs.

You can also enable debug logs within the application itself to have more verbosity if required. From the app, go to About and tick the debug option : 


Sometimes AD is tricky to recover; this solution is not perfect, but it seems to offer a good level of recovery.

Restoring a single attribute

We are in a situation where a specific or even a custom attribute has been changed on an object. You do not know what the attribute was and you would like to revert to the original value.

First, let's set a specific value in an attribute of an object in our environment. For the sake of the example, I will add a description on the Rubrik group.

It is good practice to tweak the filters to make sure you see all writable attributes:


Then search for the description :


And click Edit :



Now, let's take a snapshot of that VM !


When the snapshot is completed, we can remove the attribute :


Next, we export the NTDS folder as before and transfer the zip file to the target machine where the Rubrik Recovery tool is installed. Once the zip is extracted, we can start the tool and browse the AD structure exactly as we did previously.

Now that we have found the object, we can proceed with restoring a single attribute. I don't know if you spotted it in the Recovery Tool UI: the description is there ;)

Then select the attribute we want to restore:



The action button is labeled Export and not Restore. The reason is that this action actually generates an LDIF file, which you then have to import with LDIFDE to put the attribute back into the AD. I don't know the reason behind it, but that's the workflow.

Here is the generated LDIF file : 


Next, import the file with LDIFDE in an elevated cmd window ("Run as Administrator"), and we see the attribute restored to its original value:
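Since the exported file only appears as a screenshot above, here is an added example (mine, not the file the Rubrik tool produces, which may differ in detail) of what a single-attribute LDIF "modify" record looks like, how to import it with LDIFDE, and how to verify the result on the DC you wrote to. The group DN, the description value and the temporary file path are my assumptions following the post's scenario.

```powershell
# Added example (not part of the original post or of the Rubrik tool): write a
# hand-made LDIF modify record for one attribute, import it with ldifde, verify.
Import-Module ActiveDirectory

$domainDn = (Get-ADDomain).DistinguishedName
$groupDn  = "CN=Rubrik,OU=Safe to Delete,$domainDn"          # assumed location
$dc       = (Get-ADDomainController -Discover -Writable).HostName | Select-Object -First 1
$ldifPath = Join-Path $env:TEMP 'restore-description.ldf'

# LDIF rules: a blank line ends each record and a lone "-" ends each
# modification. "replace" sets the attribute to exactly this value, which is
# what a restore of the pre-change value needs; "add" would fail with a
# constraint violation if the attribute already holds a different value.
# Values that are not plain ASCII must be written base64 as "description::".
$ldif = @"
dn: $groupDn
changetype: modify
replace: description
description: Group used for Rubrik AD recovery tests
-

"@
Set-Content -Path $ldifPath -Value $ldif -Encoding ASCII

# -i import, -f file, -s target DC, -k keep going on "already exists" and
# constraint errors, -j directory for ldif.log / ldif.err. Must run elevated.
& ldifde.exe -i -f $ldifPath -s $dc -k -j $env:TEMP
if ($LASTEXITCODE -ne 0) {
    throw "ldifde failed with exit code $LASTEXITCODE; see $env:TEMP\ldif.err"
}

# Confirm on the same DC we wrote to; other DCs will catch up by replication.
Get-ADGroup -Identity $groupDn -Server $dc -Properties description |
    Select-Object Name, description
```

The "-k" switch is convenient but hides errors: when importing a file you did not write yourself, run it once without "-k" first so a DN typo or a schema mismatch stops the import instead of being skipped silently.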


I know, this example is trivial and easy to recover manually, but some trickier use cases come to mind... right?

I'm in touch with Rubrik to understand the tool better; there are some cool adjustments that could be made, but I really think this is a good start.

I hope this helps ;) 
