We make heavy use of Microsoft's file share virtualization technology - Distributed File System (DFS). Today, one of our root DFS shares got deleted and we had to scramble to get it back. Here's what we tried and what worked.
Since the object seemed to reside in AD, under the CN=System container in our domain AD, the first thing we tried was an Active Directory undelete. A recycle bin was added to AD in Win2k8. We tried several tools and methods to restore the object. Here's a list:
- Using LDP.exe with guidance from Petri at Manually Undeleting AD objects (cache)
- Using AdRecycleBin (cache)
- Using ADRestore.Net (cache)
- Using the Restore-ADObject (cache) cmdlet in PowerShell
Each of these failed with a similar error. It appears that the AD object had some key attributes removed when it was deleted, and so the object in the deleted items container was not a valid AD object (and hence would not restore). My guess is that Microsoft has not designed all AD object deletions with restoration in mind.
So here's what we did that worked:
- We restored one of our virtualized DCs to a new VM with no network connection
- Since the DFS root was not on this DC, we created an identical DFS root on that DC
- AD magically repopulated the DFS shares that were configured below the deleted root. We suspect this because the DC's AD still thought it existed
- Exported the configuration using dfsutil
- Shut down the VM and opened the VHD so we could copy out the files dfsutil created
- Edited the DFSUtil output to remove the entry for the new DC
- Imported the DFS config using dfsutil with the /Set switch
- We are considering a scheduled task to export the DFS config using dfsutil
- We set the "Protect object from accidental deletion" on each of the DFS objects in AD
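The last two items, the scheduled dfsutil export and the deletion protection, can be combined in one script. This is an added example, not code from the original post. It assumes the Server 2008-and-later `dfsutil root export` syntax, the ActiveDirectory PowerShell module, and that the namespace objects live under `CN=Dfs-Configuration,CN=System`; the namespace path and backup folder are hypothetical placeholders.

```powershell
# Added example: DFS namespace export plus AD deletion protection.
#Requires -Modules ActiveDirectory
param(
    [string]$Namespace = '\\example.local\Shares',  # hypothetical domain-based root
    [string]$BackupDir = 'D:\DfsBackup',            # hypothetical backup folder
    [int]$KeepDays = 30                             # assumed retention period
)
$ErrorActionPreference = 'Stop'

# 1. Export the namespace definition to a timestamped XML file.
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
$name = $Namespace.TrimStart('\') -replace '[\\/:]', '_'
$file = Join-Path $BackupDir ('{0}_{1:yyyyMMdd-HHmmss}.xml' -f $name, (Get-Date))
& dfsutil.exe root export $Namespace $file

# Fail loudly so the scheduled task reports an error instead of
# silently leaving an empty or missing backup behind.
if ($LASTEXITCODE -ne 0 -or -not (Test-Path $file) -or (Get-Item $file).Length -eq 0) {
    throw "dfsutil export of $Namespace failed (exit code $LASTEXITCODE)"
}

# 2. Remove exports older than the retention period.
Get-ChildItem -Path $BackupDir -Filter "${name}_*.xml" |
    Where-Object { $_.LastWriteTime -lt (Get-Date).AddDays(-$KeepDays) } |
    Remove-Item

# 3. Set "Protect object from accidental deletion" on every DFS object
#    that does not have it yet, including namespaces and links created
#    since the previous run.
$dfsBase = "CN=Dfs-Configuration,CN=System,$((Get-ADDomain).DistinguishedName)"
Get-ADObject -SearchBase $dfsBase -Filter * -Properties ProtectedFromAccidentalDeletion |
    Where-Object { -not $_.ProtectedFromAccidentalDeletion } |
    ForEach-Object {
        Set-ADObject -Identity $_ -ProtectedFromAccidentalDeletion $true
        Write-Output "Protected $($_.DistinguishedName)"
    }
```

Run it from a scheduled task under an account that can read the namespace and modify those AD objects, and keep the export folder off the namespace servers themselves.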
Note: I doubt this is a Microsoft approved solution, so, YMMV.
If you have thoughts on this, leave a comment here or on Twitter (I'm @uSlacker)