Troubleshooting granular restore issues

Some granular restore situations require additional steps to fully restore the objects. In other situations, a granular restore of some part of the Active Directory is not possible.

Table: Troubleshooting restore issues describes potential problems for granular restores.

Table: Troubleshooting restore issues

Restores that are disabled

When user and computer accounts are restored from a granular Active Directory restore, they are sometimes disabled.

The following are possible reasons why the accounts can be disabled:

  • When objects in Active Directory are deleted, they are removed from their current Active Directory or ADAM/AD LDS container. They are converted into tombstones and placed in the Active Directory Deleted Objects container where their tombstone lifetime is monitored. By default, NetBackup restores deleted objects from this container if the tombstone lifetime has not passed.

    After the tombstone lifetime passes, the tombstones are purged from the Active Directory Deleted Objects container. Purging the tombstones has the effect of permanently deleting the objects from the Active Directory and ADAM/AD LDS databases.

  • When restoring user objects, you must reset the object's user password and enable the object's user account:

    • For Active Directory user objects, use the Microsoft Active Directory Users and Computers application.

    • For ADAM/AD LDS user objects, use ADSI Edit.

    In Active Directory, computer objects are derived from user objects. Some attributes that are associated with a computer object cannot be restored when you restore a deleted computer object. They can only be restored if the attributes were saved through schema changes when the computer object was originally deleted.

  • Computer object credentials change every 30 days, and the credentials from the backup may not match the credentials that are stored on the actual computer. When a computer object is restored, it is disabled if the userAccountControl property was not preserved in the deleted object.

    Use the Microsoft Active Directory Users and Computers application to reset the account of a computer object:

    • Remove the computer from the domain.

    • Re-join the computer to the domain. The security identifier (SID) for the computer remains the same because it is preserved when a computer object is deleted. However, if the tombstone expired and a new computer object was created, the SID is different.

Group and member objects

Restoring Active Directory group membership links may require that the restore job be run twice.

For example, consider the case where a group and its member objects are deleted.

If a restore job contains both group objects and member objects, the job restores the objects in alphabetical order. However, the group that is restored has a link dependency on a member that does not exist yet. When the group is restored, the link cannot be restored.

Run the restore again to restore all forward and backward links.

Group policy objects

NetBackup does not support granular restores of Group Policy Objects.
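
A post-restore check for the account and group situations in the table above, as an added example that is not part of NetBackup or of the original page. It assumes the Microsoft ActiveDirectory PowerShell module is installed; the distinguished names and the expected-membership table are constructed sample values to replace with your own.

```powershell
# Added example, not NetBackup code. Requires the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

# Constructed sample input: DNs of the objects selected in the restore job.
$restoredDns = @(
    'CN=Alice Example,OU=Staff,DC=example,DC=test',
    'CN=WKS-0001,OU=Workstations,DC=example,DC=test',
    'CN=Finance,OU=Groups,DC=example,DC=test'
)
# Assumption: group membership recorded before the deletion (group DN -> member DNs).
$expectedMembers = @{
    'CN=Finance,OU=Groups,DC=example,DC=test' = @('CN=Alice Example,OU=Staff,DC=example,DC=test')
}
$ACCOUNTDISABLE = 0x2   # userAccountControl flag that marks an account as disabled

$report = foreach ($dn in $restoredDns) {
    try {
        $obj = Get-ADObject -Identity $dn -Properties userAccountControl, member, objectSid -ErrorAction Stop
    } catch {
        [pscustomobject]@{ DN = $dn; Class = '?'; Sid = $null; Finding = 'Not found in the directory' }
        continue
    }
    $finding = switch ($obj.ObjectClass) {
        'user' {
            if ($obj.userAccountControl -band $ACCOUNTDISABLE) { 'Disabled: reset the password and enable the account' }
            else { 'Enabled' }
        }
        'computer' {
            if ($obj.userAccountControl -band $ACCOUNTDISABLE) { 'Disabled: remove the computer from the domain and re-join it' }
            else { 'Enabled' }
        }
        'group' {
            # Links to members that did not exist yet when the group was restored are absent.
            $missing = @($expectedMembers[$dn] |
                Where-Object { $_ -and (@($obj.member) -notcontains $_) })
            if ($missing.Count) { "Missing $($missing.Count) member link(s): run the restore again" }
            else { 'All expected member links present' }
        }
        default { 'Not checked' }
    }
    # The SID column lets you compare against the SID recorded before the deletion.
    [pscustomobject]@{ DN = $dn; Class = $obj.ObjectClass; Sid = $obj.objectSid; Finding = $finding }
}
$report | Format-Table -AutoSize -Wrap
```

The script only reads from the directory; resetting passwords, enabling accounts and re-joining computers are still done with the tools named in the table.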