AD Object Level Restore


Arcserve

Transcript of AD Object Level Restore

  • Issue: After restoring the deleted computer objects using the AD Granular Level Restore Tool from ASBU r16.0 SP1, when we try to log in to the same computer using domain credentials we see the following error: "Windows cannot connect to the domain, either because the domain controller is down or otherwise unavailable, or because your computer account was not found."

    Cause: The above message is received because the secure channel between the client computer and Active Directory (AD) is broken. The secure channel is rebuilt automatically if we perform an Authoritative Restore. It looks like we are NOT performing an Authoritative Restore here; we are using a tool similar to the AD Restore Tool from Microsoft, which restores the computer object from the Deleted Objects container of AD. This needs some clarity: does our CA Active Directory Object Level Restore tool restore the object from the backup, or does it restore the object from the Deleted Objects container in AD? When we set the debug level to Level 3 in our tool as shown below, a log file adrestorew.log is created in the Client Agent for Windows directory (C:\Program Files\CA\ARCserve Backup Client Agent for Windows).

    Extract from the log:

    08/01/2014 05:59:38.090 2964 DBG [[P-3700]:(T-2964)] 0 ADRestoreItem::GetObjectStatus() Leaved.
    08/01/2014 05:59:38.090 2964 DBG [[P-3700]:(T-2964)] 0 ADRestoreItem::RestoreDeletedObject() Entered.
    08/01/2014 05:59:38.106 2964 DBG [[P-3700]:(T-2964)] 0 IsObjectExisted() Entered.
    08/01/2014 05:59:38.106 2964 DBG [[P-3700]:(T-2964)] 0 BindToObjectByDN() Entered.
    08/01/2014 05:59:38.106 2964 DBG [[P-3700]:(T-2964)] 0 Ready to open object, path = LDAP://CN=VASSA02-U102956,CN=Computers,DC=JUMANI,DC=COM.

  • Reason for the secure channel being broken: the secure channel is broken because there is a mismatch in the machine password (pwdLastSet attribute) before and after the AD object restore. When the object is moved to the Deleted Objects container, not all of its attributes are kept there, so restoring it from that container does not restore the secure channel (the related attributes) and the machine password, and hence the secure channel, has to be reset manually.

    Normally an object has the following attributes (38 attributes):

    objectClass, cn, description, instanceType, whenCreated, displayName, nTSecurityDescriptor, name, userAccountControl, codePage, countryCode, homeDirectory, homeDrive, dBCSPwd, localPolicyFlags, scriptPath, logonHours, userWorkstations, unicodePwd, ntPwdHistory, pwdLastSet, primaryGroupID, supplementalCredentials, userParameters, profilePath, objectSid, comment, accountExpires, lmPwdHistory, sAMAccountName, sAMAccountType, operatingSystem, operatingSystemVersion, operatingSystemServicePack, dNSHostName, servicePrincipalName, objectCategory, isCriticalSystemObject

    Attributes maintained when the object is moved to the Deleted Objects container (15 attributes):

    cn, displayName, nTSecurityDescriptor, codepage, countryCode, localPolicyFlags, primaryGroupID, accountExpires, sAMAccountName, operatingSystem, operatingSystemVersion, operatingSystemServicePack, dNSHostname, servicePrincipalName, objectCategory (NOTE: pwdLastSet is not preserved when the object is moved to the Deleted Objects container)

    Attributes seen after the object is restored (42 attributes: the 38 above plus 4 additional ones):

    objectClass, cn, description, instanceType, whenCreated, displayName, nTSecurityDescriptor, name, userAccountControl, codePage, countryCode, homeDirectory, homeDrive, dBCSPwd, localPolicyFlags, scriptPath, logonHours, userWorkstations, unicodePwd, ntPwdHistory, pwdLastSet, primaryGroupID, supplementalCredentials, userParameters, profilePath, objectSid, comment, accountExpires, lmPwdHistory, sAMAccountName, sAMAccountType, operatingSystem, operatingSystemVersion, operatingSystemServicePack, dNSHostName, servicePrincipalName, objectCategory, isCriticalSystemObject, lastKnownParent, isDeleted, operatorCount, adminCount

  • The table below gives a clear picture of the various attributes before and after the restore (USN and version are the attribute's replication metadata; the last column marks the attributes the AD Restore Tool shows on the deleted object):

    | Value before restore | USN before restore | Version before restore | Attribute | Version after restore | USN after restore | Value after restore | Attr seen in AD Restore Tool |
    |---|---|---|---|---|---|---|---|
    | VASSA02-U102956 | 21093 | 13 | cn | 15 | 21405 | VASSA02-U102956 | YES |
    | 4 | 16443 | 1 | instanceType | 1 | 16443 | 4 | |
    | 20140106090401.0Z | 16443 | 1 | whenCreated | 1 | 16443 | 20140106090401.0Z | |
    | VASSA02-U102956$ | 21094 | 14 | displayName | 16 | 21406 | VASSA02-U102956$ | YES |
    | 4096 | 21389 | 29 | userAccountControl | 31 | 21412 | 4096 | |
    | 0 | 21091 | 13 | codePage | 15 | 21403 | 0 | YES |
    | 0 | 21091 | 13 | countryCode | 15 | 21403 | 0 | YES |
    | 0 | 21095 | 13 | localPolicyFlags | 15 | 21407 | 0 | YES |
    | 130341475907849000 | 21390 | 19 | pwdLastSet | 21 | 21403 | 0 | |
    | 515 | 21091 | 13 | primaryGroupID | 15 | 21403 | 515 | YES |
    | AQUAAAAAAAUVAAAAifrfzT9sinyRr8m6WAQAAA== | 16443 | 1 | objectSid | 1 | 16443 | AQUAAAAAAAUVAAAAifrfzT9sinyRr8m6WAQAAA== | |
    | 0 | 21091 | 13 | accountExpires | 15 | 21403 | 0 | YES |
    | VASSA02-U102956$ | 16443 | 1 | sAMAccountName | 1 | 16443 | VASSA02-U102956$ | YES |
    | 805306369 | 21091 | 13 | sAMAccountType | 15 | 21403 | 805306369 | |
    | Windows Server 2003 | 21096 | 13 | operatingSystem | 15 | 21408 | Windows Server 2003 | YES |
    | 5.2 (3790) | 21097 | 13 | operatingSystemVersion | 15 | 21409 | 5.2 (3790) | YES |
    | Service Pack 2 | 21098 | 13 | operatingSystemServicePack | 15 | 21410 | Service Pack 2 | YES |
    | vassa02-U102956.JUMANI.COM | 16448 | 1 | dNSHostName | 1 | 16448 | vassa02-U102956.JUMANI.COM | YES |
    | HOST/VASSA02-U102956, HOST/vassa02-U102956.JUMANI.COM | 21099 | 13 | servicePrincipalName | 15 | 21411 | HOST/VASSA02-U102956, HOST/vassa02-U102956.JUMANI.COM | YES |
    | CN=Computer,CN=Schema,CN=Configuration,DC=JUMANI,DC=COM | 21090 | 13 | objectCategory | 15 | 21402 | CN=Computer,CN=Schema,CN=Configuration,DC=JUMANI,DC=COM | |
    | FALSE | 21370 | 13 | isCriticalSystemObject | 15 | 21412 | FALSE | |
    | CN=Computers,DC=JUMANI,DC=COM | 21089 | 6 | lastKnownParent | 7 | 21400 | CN=Computers,DC=JUMANI,DC=COM | |
    | 0 | 21091 | 11 | operatorCount | 13 | 21403 | 0 | |

    Note that pwdLastSet goes from 130341475907849000 before the restore to 0 afterwards, while its version still advances (19 to 21): the restored object carries no usable machine password, which is exactly the mismatch that breaks the secure channel.

    Solution: We would have to rebuild the secure channel. This can be done by logging in to the specific machine (whose computer object was restored) as the local administrator and executing the commands below at the command prompt (replace the angle-bracket placeholders with the domain, a domain account allowed to join computers, and its password):

    Netdom remove Machine_name /DOMAIN:<domain> /USERD:<domain>\<user> /PASSWORDD:<password>
    Netdom join Machine_name /DOMAIN:<domain> /USERD:<domain>\<user> /PASSWORDD:<password> /REBOOT

    Drawback: The computer whose object is being restored has to undergo a reboot.
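    As an added example (not code from the Arcserve page or its restore tool), the PowerShell below does two things the text describes: on a host with the ActiveDirectory module it lists which of the 38 live-object attributes the tombstone of a computer account still holds, flagging the missing pwdLastSet, and on the restored computer itself it checks the secure channel and resets the machine password in place instead of doing a netdom remove/join. The function names, the credential prompt and the PowerShell 2.0-or-later requirement on the restored computer are assumptions; the computer name in the usage lines comes from the page's log extract.

```powershell
# Added example, not code from the Arcserve page or its restore tool.
# Compare-TombstoneAttributes runs where the ActiveDirectory module is
# available (a DC or an RSAT host); Repair-RestoredSecureChannel runs on the
# restored computer itself and assumes PowerShell 2.0 or later.

# The 38 attributes the page lists for a normal computer object.
$LiveComputerAttrs = @('objectClass','cn','description','instanceType','whenCreated',
  'displayName','nTSecurityDescriptor','name','userAccountControl','codePage',
  'countryCode','homeDirectory','homeDrive','dBCSPwd','localPolicyFlags',
  'scriptPath','logonHours','userWorkstations','unicodePwd','ntPwdHistory',
  'pwdLastSet','primaryGroupID','supplementalCredentials','userParameters',
  'profilePath','objectSid','comment','accountExpires','lmPwdHistory',
  'sAMAccountName','sAMAccountType','operatingSystem','operatingSystemVersion',
  'operatingSystemServicePack','dNSHostName','servicePrincipalName',
  'objectCategory','isCriticalSystemObject')

function Compare-TombstoneAttributes([string]$ComputerName) {
  Import-Module ActiveDirectory
  # sAMAccountName survives deletion, so it is a safe key for the tombstone;
  # -Properties * returns only the attributes the tombstone still carries.
  $sam = "$ComputerName`$"
  $tombstone = Get-ADObject -IncludeDeletedObjects -Properties * `
    -LDAPFilter "(&(isDeleted=TRUE)(sAMAccountName=$sam))" | Select-Object -First 1
  if (-not $tombstone) { throw "No tombstone found for $sam" }
  $kept = @($tombstone.PropertyNames)
  $lost = @($LiveComputerAttrs | Where-Object { $kept -notcontains $_ })
  # pwdLastSet and the password attributes are among the stripped ones; that
  # is why an object-level restore alone leaves the secure channel broken.
  if ($lost -contains 'pwdLastSet') {
    Write-Warning "pwdLastSet is not on the tombstone of ${sam}; expect a secure-channel reset after restore."
  }
  New-Object PSObject -Property @{ Kept = $kept; Lost = $lost }
}

function Repair-RestoredSecureChannel {
  # Run on the restored computer, logged on as local administrator. If the
  # channel is broken, reset the machine password on both sides using a
  # domain account allowed to do so (prompted for here). Unlike netdom
  # remove/join this keeps the domain membership and needs no reboot.
  if (Test-ComputerSecureChannel) { return $true }
  Test-ComputerSecureChannel -Repair -Credential (Get-Credential) -Verbose
  Test-ComputerSecureChannel
}

# Usage (computer name from the page's log extract):
# Compare-TombstoneAttributes -ComputerName 'VASSA02-U102956'
# Repair-RestoredSecureChannel
```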

  • More Information: In case you don't have any system state backup, you can use ADRestore to restore tombstoned objects. ADRestore is a command-line utility that lists and lets you restore deleted Windows Server 2003 AD objects. It applies when user accounts, groups, computers, OUs or other objects in the domain were accidentally deleted, no system state backup is available for an authoritative restore, and no other DCs are available.

    Using ADRestore tool to restore deleted objects: http://blogs.technet.com/b/asiasupp/archive/2006/12/14/using-adrestore-tool-to-restore-deleted-objects.aspx

    Step 2: Restore a Deleted Active Directory Object: http://technet.microsoft.com/en-us/library/dd379509(v=ws.10).aspx

    AdRestore v1.1: http://technet.microsoft.com/en-us/sysinternals/bb963906.aspx

    If you have a valid system state backup, you can refer to the following knowledge:

    How to restore deleted user accounts and their group memberships in Active Directory: http://support.microsoft.com/?id=840001

    Performing an Authoritative Restore of Active Directory Objects: http://technet.microsoft.com/en-us/library/cc779573(v=ws.10).aspx#BKMK_after_deletions