You must run the adLdapTool.exe on the client computer before you perform your first backup to enable restores of passwords for users and computers.
The adLdapTool sets the following values to the searchFlags attributes of Unicode-Pwd and SID-History found under CN=Schema and Cn=Configuration:
Value for Unicode-Pwd: 0x00000008
Value for SID-History: 0x00000009
Due to this setting, Active Directory will preserve these two attributes on deletion.
If the unicodepwd attribute is preserved, you can restore the last stored password before the user was deleted. Point-in-time restores are not supported as the password is not stored in Commvault backup operations. For more information, see Microsoft article unicodePwd.
The tool enables the Active Directory tombstone from schema level. After the schema is updated, the Active Directory reserves the deleted objects rather than deleting the object directly. By default, the retention period for deleted objects is default 180 days.
The command must be run on each domain. Running the command is a one-time job. Changing only the parent domain will NOT apply settings to the child domain.
Before You Begin
Verify that you have credentials for a user account that has administrative privileges for the domain and Active Directory Schema.
Log on to the server using the user account that has administrative privileges.
On the command line, go to software_installation_directory/Base, and then type the following command:
adLdapTool.exe <domain_name\domain_administrator_user_name> <password> -hostserver <fully_qualified_directory_host_server_name> -port <LDAP_port_number, default 389> -setschema 1