20

While re-partitioning a Server 2003 R2 domain controller, we accidentally deleted the partition that held the Active Directory database folder (D:\AD\Data). The D:\ was a partition on a disk shared with C:\.

We eliminated the D:\ drive not realizing that it housed the Active Directory data folder. We have no other domain controllers and no backups of this Active Directory data.

Is there any chance of restoring the AD?

HopelessN00b
matalaweb
  • I personally did not set up the environment, and come to find out, while we do have backups of `C:\`, we do not have backups of `D:\` – matalaweb Feb 24 '16 at 21:06
  • I understand it's late now, but next time please do an extra backup and (super important!) extra test restore before messing with partitions. – rvs Feb 24 '16 at 21:11
  • 4
    Time to call a data recovery service and ship the disk.. – pauska Feb 24 '16 at 21:14
  • 8
    Or, it's 2003 and out of support. Build two new DCs and do it properly on a supported operating system. – Michael Hampton Feb 24 '16 at 21:17
  • 21
    Think of this as a blessing in disguise. You get to build a greenfield AD environment (because you have no other options), but you can build it ***right***, this time. Oh, and you also have a good start on what *not* to do this time around (I count 3 biggies), so there's another silver lining. – HopelessN00b Feb 24 '16 at 21:20
  • 6
    Did you do a system-state backup? Just to be sure, as it can include the Active Directory even if you didn't know it was backed up. – yagmoth555 Feb 24 '16 at 21:33
  • 1
    you could try and use a drive recovery tool. I doubt that the data was fully wiped (unless you decided to do that too) – CobaltHex Feb 24 '16 at 22:01
  • 1
    BTW, even if you had a D: backup, it would be probably useless (or very hard to recover from). You need a *system state* backup in order to restore AD. – Massimo Feb 24 '16 at 22:38
  • 2
    And please, *PLEASE*, regardless of how many backups you take, always have at least two domain controllers. **ALWAYS**. – Massimo Feb 24 '16 at 22:40
  • 6
    Assuming that you just deleted the partition, you are not using any kind of volume manager and you did nothing with the space the partition was in after. It should just be as simple as readding its entry to the MBR/GPT and it would come back... – Vality Feb 25 '16 at 00:27
  • 2
    WHY did you repartition an important machine without ensuring it was backed up? – Thorbjørn Ravn Andersen Feb 25 '16 at 07:44
  • 1
    CTO? Surprised you still have a job lol. – Marc DiMillo Feb 25 '16 at 15:22
  • @MichaelHampton this will depend on what the DC is doing. Of course, 2003 is not supported anymore, but for a lot of companies, especially smaller ones, it's difficult to justify the cost of upgrading when all it handles is user authentication. If you're doing more stuff, then ya, it's probably worth the upgrade. Just make sure to keep it from getting internet access directly. – SnakeDoc Feb 25 '16 at 19:56
  • So, since you've been back since you asked, perhaps you would be kind enough to clarify whether or not you allocated the space freed up by deleting this partition, and/or anything else that was done on the machine in question since that fateful event, so that we might settle the question of whether or not there's any chance of data recovery. – HopelessN00b Feb 25 '16 at 20:39
  • Is running a server in a real company without doing any backup accidental too? – user2284570 Feb 25 '16 at 21:20

4 Answers

49

If you just deleted the partition and did not create a new partition, it is likely possible to recover.

First things first - pull the drive, put it in a Linux box and do a raw clone. The first rule of data recovery is that you do your work on a clone, not the original.

Now on the clone run a Linux tool called testdisk. If the filesystem hasn't been obliterated this should re-create the partition table entry and allow it to be accessed again.

If you did create a new partition, or if testdisk can't find the filesystem then your chances of successful recovery are much lower. You might want to consider talking to data recovery specialists at this point.

sleske
Peter Green
  • 1
    Using a boot disk like Hiren's Boot CD will include all the tools needed to do every step you listed, including testdisk: http://www.hirensbootcd.org/download/ – SnakeDoc Feb 25 '16 at 18:52
  • I should point out, besides being the best answer for this question, it is possible in some cases where software can scan hard drive disks and recover those deleted files with time (can take a while to scan and recover). Besides searching for recovery software that can restore deleted files, there's no guarantee any of those will work (especially if they rely on the filesystem to be intact). The only way to guarantee you don't lose anything is to backup often and/or call a recovery specialist who specializes in hard drive repair & recovery (not forensics and recovery). – dakre18 Feb 25 '16 at 21:36
  • Even if you *did* create a new partition, testdisk will be able to determine how far the filesystem was stretching, effectively allowing to re-create the old partition. If the new partition was not just created but also formatted, chances are nowhere as good. – the-wabbit Feb 25 '16 at 21:40
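
The check that testdisk automates in the answer above, reduced to its core as an added example (not part of the original answer, and not testdisk's own code): scan a read-only clone for NTFS boot sectors and report any volume that has no MBR entry. It assumes an MBR disk with 512-byte sectors and relies on NTFS keeping a backup boot sector in the partition's last sector; the function names and the sample image are constructed for illustration.

```python
import io
import struct

SECTOR = 512  # assumption: 512-byte logical sectors, MBR (not GPT) disk

def mbr_starts(f):
    """Start LBAs of the non-empty primary entries in the MBR partition table."""
    f.seek(0)
    mbr = f.read(SECTOR)
    entries = (struct.unpack_from("<4xB3xII", mbr, off) for off in range(446, 510, 16))
    return {start for ptype, start, count in entries if ptype and count}

def ntfs_boot_sectors(f):
    """Return (lba, total_sectors) for each sector that parses as an NTFS boot sector."""
    hits, lba = [], 0
    f.seek(0)
    while len(s := f.read(SECTOR)) == SECTOR:
        if s[3:11] == b"NTFS    " and s[510:512] == b"\x55\xaa":
            (bps,) = struct.unpack_from("<H", s, 0x0B)    # bytes per sector
            (total,) = struct.unpack_from("<Q", s, 0x28)  # volume size in sectors
            if bps == SECTOR and total:
                hits.append((lba, total))
        lba += 1
    return hits

def orphaned_ntfs(f):
    """NTFS volumes found on the clone that have no partition table entry."""
    known, backups, found = mbr_starts(f), set(), []
    for lba, total in ntfs_boot_sectors(f):
        if lba in backups:        # backup boot sector of a volume already seen
            continue
        backups.add(lba + total)  # NTFS keeps a copy in the partition's last sector
        if lba not in known:
            found.append({"start_lba": lba, "sectors": total + 1, "type": 0x07})
    return found

def build_sample_image():
    """Constructed 256-sector image: C: still listed in the MBR, D: entry deleted."""
    img = bytearray(256 * SECTOR)
    struct.pack_into("<B3xB3xII", img, 446, 0x80, 0x07, 63, 100)  # C: only
    img[510:512] = b"\x55\xaa"
    for start, size in ((63, 100), (163, 50)):  # (start LBA, partition sectors)
        boot = bytearray(SECTOR)
        boot[3:11] = b"NTFS    "
        struct.pack_into("<H", boot, 0x0B, SECTOR)
        struct.pack_into("<Q", boot, 0x28, size - 1)
        boot[510:512] = b"\x55\xaa"
        img[start * SECTOR:(start + 1) * SECTOR] = boot
        img[(start + size - 1) * SECTOR:(start + size) * SECTOR] = boot
    return io.BytesIO(bytes(img))

if __name__ == "__main__":
    # On a real clone, pass open("clone.img", "rb") instead of the sample image.
    print(orphaned_ntfs(build_sample_image()))
```

The reported start LBA and sector count are the values a restored partition table entry would need; a formatted-over volume would fail this scan because its original boot sector no longer exists.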
20

No. You deleted data for which you have no backups. It is gone.

HopelessN00b
  • 2
    Unless he has a system state backup. But it doesn't seem likely... – Massimo Feb 24 '16 at 22:37
  • 1
    OP did say he had a C: drive backup; hopefully SysState was either selected by default or it got checked. – user339468 Feb 25 '16 at 00:18
  • 7
    Deleting a partition deletes no data. In fact, all the data are 100% recoverable, even if the other partitions are being used, because no partition will EVER write outside their allocated space... that's just utterly retarded if it happens. – Nelson Feb 25 '16 at 05:08
  • @HopelessN00b: You might have stated what felt obvious to you, but what you think is obvious couldn't be farther from the truth, as already elaborated by Nelson. – Aleksi Torhamo Feb 25 '16 at 09:25
  • 4
    @Nelson This is technically accurate, but only relevant if the space wasn't reallocated. As there is generally no reason to delete a partition unless you are reallocating its space, odds are overwhelmingly high that this is what happened. Feel free to request clarification from the OP, or provide an answer of your own based on the possibility that the only action taken was deleting the partition, but this strikes me as a scenario so unlikely that I didn't feel it was worth considering. – HopelessN00b Feb 25 '16 at 10:30
  • @HopelessN00b perhaps you should adjust your answer. As-is, it's a hard line "it's all gone", but that may not be the case. The question was if there was a way to recover, and the answer is yes, as Peter has detailed above. – SnakeDoc Feb 25 '16 at 18:54
  • @SnakeDoc Yeah, it is a hard line answer. That's deliberate. – HopelessN00b Feb 25 '16 at 20:35
  • 2
    This answer is derisive and factually incorrect, not "hard line". Yes the OP screwed up, but the only thing this answer is good for is your rep. – Lilienthal Feb 25 '16 at 20:46
  • @Lilienthal Uhuh. Well, I'll make a note to gloat in your general direction when/if the OP updates us with what we already know - that he reallocated the space and his AD data is gone. – HopelessN00b Feb 25 '16 at 20:49
  • 1
    @HopelessN00b it's rather odd that you take this attitude, over a deliberately wrong answer. Ya, you sound cool to your sys admin buddies who laugh at someone nuking a partition, but it's not a helpful or constructive answer. It's deliberately hostile, and that behavior is not welcome on SE. You've been around long enough to know this. The question was "is data recovery possible", and the only correct answer is flatly, "yes". – SnakeDoc Feb 26 '16 at 00:02
  • @SnakeDoc Anything is technically possible. Quantum mechanics tells us there's a chance that your entire body could spontaneously teleport to the other side of the country. "Oh, you lost your 512 bit AES key to your full disk encryption? No, the data's not gone, you should try brute forcing it, because you might get astronomically lucky a trillion years from now!" What you fools are holding out as a "correct answer" doesn't have a snowball's chance in hell. Anything is technically "possible," but that doesn't make it the right answer. The data's gone; time to move on. – HopelessN00b Feb 26 '16 at 01:31
  • @HopelessN00b if the partition was merely deleted, it can be restored. It's not rocket science. Further, the data can be recovered with even rudimentary data recovery utilities. The question was "is data recovery possible" and, the answer remains "yes". Perhaps you're not well versed in data recovery, but it's certainly nothing like quantum mechanics -- it takes a *lot* of effort to fully destroy data. Your answer remains passively aggressive, and your comments are no better. Why not try to help the poor guy out instead of getting cheap laughs? – SnakeDoc Feb 26 '16 at 02:40
  • @SnakeDoc The partition wasn't merely deleted and an Active Directory database isn't simply a file. This isn't undeleting someone's porn after they hit the delete key, we're talking about recovering a complicated database that must be damn near perfectly consistent to function, from a volume that has been "re-partitioned", according to the OP. Data recovery is difficult enough when it's files you can tolerate some corruption or data loss in. In this case, odds are worse than the PowerBall. So it *is* helping to advise the OP not to waste his time or money on an astronomical longshot. – HopelessN00b Feb 26 '16 at 03:11
  • @HopelessN00b The data is not gone until it's been overwritten, and even then you may still recover (albeit with less integrity). Making a new partition will not destroy all the data (or any, really). He'd have to run Dban or something for this scenario, and he did notice it immediately, so chances are great the data is still there. An AD database is nothing special - it's literally a file (ntds.dit), and there's absolutely no reason it could not be recovered just like a png or jpeg. It's unlikely it was being changed while they nuked the partition, so integrity is probably OK. – SnakeDoc Feb 26 '16 at 04:27
  • @HopelessN00b Further, there are plenty of processes to repair partially corrupt AD databases. I'm just pointing out, while your advice may ultimately be the only option, it is the last option that should be tried - the OP asked what his options were essentially and you said none - which is not correct. If the old AD setup was that important - it's absolutely worth trying before ditching it all and starting fresh. – SnakeDoc Feb 26 '16 at 04:29
  • @SnakeDoc Yes, you've made your position clear. We had an EoL Active Directory instance running on a single domain controller, with no backups that got re-partitioned. To you, spending thousands of dollars and weeks of effort to *attempt* a data recovery that *might* permit the OP to *attempt* an unsupported restore that *could* restore an Active Directory forest that will then be unsupported in three different ways is an option that should be considered. OK. Good luck with that. Buy a PowerBall ticket while you're at it. You've got a 1 in ~300 million chance that *that* will work out too. – HopelessN00b Feb 26 '16 at 04:42
  • @HopelessN00b Very good data recovery software is available for free, or low cost (few hundred bucks at most). GetDataBackNTFS, Stellar Phoenix (hint, this is the stuff the "pros" run when the drive still mechanically works), etc. Regardless, if he just created a new partition, then his chances of restoring the old partition are pretty good - TestDisk will do that, is available for free, and takes minutes to run. If he posted here, clearly it's important enough to not just start fresh from the get-go. So it's worth a try, at the very least... making Peter Green's answer correct. – SnakeDoc Feb 26 '16 at 04:49
  • This is going nowhere. Neither of you is likely to convince the other of your positions, so move on. – Michael Hampton Feb 26 '16 at 04:57
18

Just to emphasize and clarify yagmoth's comment - Active Directory is not backed up by a file system backup - it is backed up by a System State Backup. If you have one, just look up the Active Directory Directory Restore Mode instructions and you may have a shot. You'll have to know the Directory Restore password.

You might have to manually recreate the D: drive first, but if you do, that will interfere with a manual disk recovery service's efforts if you decide to pursue that option. Doing a sector-level raw cloning of the drive first would not be a bad idea.

user339468
  • 5
    +1 for clone. Go into full forensic procedures -- pull the drive and clone it and only try to rescue from the clone. Theoretically I believe you should be able to recreate the partition -- maybe under Linux -- and the underlying filesystem might still be in place. – rrauenza Feb 24 '16 at 22:21
  • While you're not wrong, I know I certainly wouldn't trust a forest that had been recovered and restored via data recovery techniques such as one might do on a low-level clone/copy of a formatted drive. – HopelessN00b Feb 24 '16 at 22:31
  • 4
    @HopelessN00b: Then you have trust issues. Deleting a partition only changes a few bytes in the 512-byte MBR at the start of the disk, and in no way touches the actual data. Figuring out the correct values to restore the partition is not rocket science, and even if you somehow got them wrong, you wouldn't get magically slightly corrupted data, you'd get no data, as the filesystem wouldn't be found at all. All your "advice" on this question is downright harmful. – Aleksi Torhamo Feb 25 '16 at 09:34
  • 1
    @AleksiTorhamo No, what's downright harmful is basing the backbone of a corporate computer environment on recovered data, the integrity of which cannot be validated. That kind of reckless practice is exactly what got them into this precarious position in the first place, running a domain on a single domain controller, with no backups, on a platform that is end of life. That said, your comment should be an answer, so make it one, and the OP will be able to clarify whose assumptions are correct, yours, or mine. – HopelessN00b Feb 25 '16 at 10:35
  • @HopelessN00b: Making it seem that some important data is irrevocably lost or somehow magically corrupted and untrustworthy, when it is in fact easily recoverable, is obviously harmful. Fixing the infrastructure is an entirely separate matter. The way you speak about "the integrity of the recovered data" makes it obvious you have no idea how partitions and filesystems work under the hood. The data's integrity is exactly what it was prior to deleting the partition, as deleting the partition does not touch the data, at all. Also, Peter Green's answer conveys what I'd say very well, already. – Aleksi Torhamo Feb 25 '16 at 10:35
  • Guys, take it to chat, or even better just knock it on the head. This isn't the place for a pissing contest. – BlueCompute Feb 25 '16 at 11:04
  • 1
    @HopelessN00b: Fair enough. I'm not a native speaker. :) (Not that I'm particularly good at communication even in my native language...) The analogy is a bit backwards though, since he talked about "BB pellets" and you assume "a .45". Given your last comment on your own answer, though, the assumption that you're making is quite a reasonable one. If your answer was prefixed with "Assuming that in addition to deleting the partition, you allocated a new partition and formatted it, ...", making the [reasonable, but dangerous if wrong] assumption explicit, I'd have had no qualms about it. – Aleksi Torhamo Feb 25 '16 at 12:21
  • 1
    @BlueCompute Actually, hashing out details and making clarifications is exactly what comments are intended for by SE overlords. – HopelessN00b Feb 25 '16 at 13:24
1

Depends what it's worth to you, and factoring in timeliness. If you deleted the partition and nothing more, there are data recovery companies that will "undelete" files for you.

This is totally dependent on not writing any data to the disk blocks. So if you've created a partition or expanded the C drive, all recovery bets are off.

Note that continued use of the drive will decrease the probability of recovery, so if you want to do this, hard-power off now. Don't even do a safe shutdown.

But timeliness comes into it too - you're looking at days/weeks to do any sort of commercial recovery.

Otherwise it's your perfect opportunity to build a new supported AD from scratch, and clear out all the old stale rubbish. Silver lining on a dark cloud.

Criggie
  • 3
    It's dependent on more than just not overwriting the data. Data recovery is a tricky (and expensive and time consuming) business with no guarantees. – Todd Wilcox Feb 24 '16 at 22:34
  • 1
    @ToddWilcox absolutely agree with all your points. My intent was to show the user can make recovery even harder by faffing about instead of isolating the device. – Criggie Feb 25 '16 at 03:51
  • 2
    Just because you've created a new partition doesn't mean all recovery bets are off. Please do more research on the matter before making a vague statement like that. – Marc DiMillo Feb 25 '16 at 15:24
  • @MarcDiMillo As I said to Todd, "My intent was to show the user can make recovery even harder by faffing about instead of isolating the device." – Criggie Feb 25 '16 at 22:11