Enabling the Ability to Restore Passwords and SIDHistory for Active Directory

You must run the adLdapTool.exe on the client computer before you perform your first backup to enable restores of user and computer passwords and the SIDHistory attribute.

The adLdapTool sets the following values in the searchFlags attribute of the Unicode-Pwd and SID-History schema attributes, found under CN=Schema,CN=Configuration:

  • Value for Unicode-Pwd: 0x00000008

  • Value for SID-History: 0x00000009

These settings can also be manually changed in the Active Directory schema without running the tool.

Note

  • The configuration settings instruct Active Directory to preserve these attributes in the object's tombstone when the object is deleted. By default, the retention period for deleted objects is 180 days, during which time the objects can be restored along with these attribute values.

  • The settings must be applied once on each AD domain to preserve the attributes on deletion. Changing the settings on only the parent domain will NOT apply the settings to child domains.

  • If either of these attributes is configured to be stored in the object tombstone, only the last value the attribute held before the object was deleted can be restored.

  • It is not possible to perform a point-in-time restore to roll back either of these attributes to a previous value while the object has not been deleted, because Commvault does not back up or store these sensitive attributes.

Before You Begin

Verify that you have credentials for a user account that has administrative privileges for modifying the Active Directory schema. By default, a member of the Schema Admins group will have this privilege.

Procedure

  1. Log on to the server using the user account that has administrative privileges.

  2. On the command line, go to software_installation_directory/Base, and then type the following command:

    adLdapTool.exe <domain_name\schema_admin_user_name> <password> -hostserver <fully_qualified_directory_host_server_name> -port <LDAP_port_number, default 389> -setschema 1

    Note

    To handle passwords that contain special characters, enclose the password in double quotation marks and double each quotation mark that appears inside the password.

    For example, if the password is ABC"DE"F, specify it as "ABC""DE""F".
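The following PowerShell script is an added example, not part of this page or of the Commvault adLdapTool. It shows the manual alternative mentioned above: it reads the searchFlags value on the Unicode-Pwd and SID-History schema attributes, reports whether the preserve-on-delete bit (0x00000008) is set and whether the value matches the two values listed above, and can set the bit. It assumes the ActiveDirectory PowerShell module is installed, that the account running it has Schema Admins rights, and that the server name dc01.example.local is a placeholder you replace with your own directory server. Schema writes are only accepted by the forest's schema master, so the setter defaults to that role holder.

```powershell
# Added example (not the Commvault tool): check and set the searchFlags values
# the page lists on the Unicode-Pwd and SID-History schema attributes.
# Assumes the ActiveDirectory module and Schema Admins rights.
Import-Module ActiveDirectory

# Target values from the page: 0x8 = preserve on delete, 0x9 = preserve on delete + indexed
$expected = @{
    'Unicode-Pwd' = 0x00000008
    'SID-History' = 0x00000009
}
$PreserveOnDelete = 0x00000008   # fPRESERVEONDELETE bit of searchFlags

function Get-SchemaSearchFlags {
    param([string]$Server)
    $schemaNC = (Get-ADRootDSE -Server $Server).schemaNamingContext
    foreach ($name in $expected.Keys) {
        $obj = Get-ADObject -Server $Server -Identity "CN=$name,$schemaNC" -Properties searchFlags
        [pscustomobject]@{
            Attribute        = $name
            SearchFlags      = ('0x{0:X8}' -f [int]$obj.searchFlags)
            PreserveOnDelete = (([int]$obj.searchFlags -band $PreserveOnDelete) -ne 0)
            MatchesExpected  = ([int]$obj.searchFlags -eq $expected[$name])
            DN               = $obj.DistinguishedName
        }
    }
}

function Set-SchemaPreserveOnDelete {
    # Schema changes must be written on the schema master FSMO role holder
    param([string]$Server = (Get-ADForest).SchemaMaster)
    $schemaNC = (Get-ADRootDSE -Server $Server).schemaNamingContext
    foreach ($name in $expected.Keys) {
        $dn  = "CN=$name,$schemaNC"
        $obj = Get-ADObject -Server $Server -Identity $dn -Properties searchFlags
        $current = [int]$obj.searchFlags
        if (($current -band $PreserveOnDelete) -eq 0) {
            # OR the bit in rather than overwrite, so other flags already set are kept
            $new = $current -bor $PreserveOnDelete
            Set-ADObject -Server $Server -Identity $dn -Replace @{ searchFlags = $new }
            Write-Host ("Set searchFlags on {0} to 0x{1:X8}" -f $name, $new)
        } else {
            Write-Host ("{0} already preserves on delete (0x{1:X8})" -f $name, $current)
        }
    }
}

# Usage: verify before the first backup; replace the placeholder server name with yours
Get-SchemaSearchFlags -Server 'dc01.example.local' | Format-Table -AutoSize
# Uncomment to apply the preserve-on-delete bit (runs against the schema master):
# Set-SchemaPreserveOnDelete
```

Run the check first and keep its output with your change record; the MatchesExpected column tells you whether the value equals exactly what the page lists, while PreserveOnDelete tells you whether the behaviour the backup relies on is in effect even if other searchFlags bits differ in your forest.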
