
Monday, October 3, 2016

Step by step - restore active directory objects from Windows backup

I accidentally deleted some active directory objects when I was deleting some Exchange mailboxes.  Chaos ensued, but I had to restore the active directory users.

Here's what Microsoft helped me do (step by step).

Boot into Directory Services Restore Mode (DSRM).  (See here for how: https://blogs.technet.microsoft.com/activedirectoryua/2008/11/20/how-to-start-in-directory-service-restore-mode-dsrm-in-windows-server-2008-and-windows-server-2008-r2/)

Log in

Open an elevated command prompt

Type "wbadmin get versions"
This will give you all the backups that you can restore from.
Pay attention to the version identifier, as it defines which backup you're working with.

Type "wbadmin start systemstaterecovery -version:10/01/2016-04:30", where 10/01/2016-04:30 is the version identifier of the backup you are restoring from, as found when you ran "wbadmin get versions".

Choose yes twice.

Now, you'll need to wait 45 to 90 minutes while the system preps itself.  Ugh.

Next, you'll restore organizational units (OUs) as a whole, to the state the OUs were in at the time of the backup.  So for example, if I have an OU named accounting and I'm doing a restore on October 3, 2016 from a backup taken on October 1, 2016, all changes from 10/1/16 to 10/3/16 will be lost.

This is where it gets less intuitive.  After the system has loaded the backup, the system will ask you to reboot the server.  Don't do it.

Instead, launch a command prompt, type ntdsutil, and then press Enter.
1. Type activate instance ntds and press Enter.
2. Type authoritative restore and press Enter.
3. At this point, determine whether you're restoring an OU or an object. The previous table showed the syntax to restore either an OU or an object. Type the restore command and press Enter.
   For example, to restore a user object, use the following format:
   • restore object dn
   • restore object "cn=Sally,ou=sales,dc=pearson,dc=pub"
   Or, to restore an OU, use the following format:
   • restore subtree dn
   • restore subtree "ou=sales,dc=pearson,dc=pub"
   NOTE: This increments the update sequence number (USN) so that all other DCs consider it the most recent change.
4. Type quit and press Enter twice to exit ntdsutil.
5. Restart the DC normally.

As an example, if you were restoring an OU called distribution groups which sits under an OU called MyBusiness, you'd type:

restore subtree "OU=distribution groups,OU=MyBusiness,DC=contoso,DC=local"
If you're not familiar with LDAP syntax (which I'm not), some googling and trial and error will help you find what you need.  If you type in the wrong values, the process will just fail.
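
A helper for the two values this procedure asks you to get right, the version identifier and the distinguished name (an added example, not part of the original post or of Microsoft's instructions). The backup listing, the deletion time and the function names Get-BackupVersion and ConvertTo-OuDn are constructed for illustration, and it assumes the deletion time is expressed on the same clock as the version identifiers.

```powershell
# Added example. $sample is CONSTRUCTED text (trimmed) in the layout that
# "wbadmin get versions" prints; on the DC use: $sample = (wbadmin get versions) -join "`n"
$sample = @'
Backup time: 10/1/2016 12:30 AM
Version identifier: 10/01/2016-04:30
Can recover: Volume(s), File(s), Application(s), Bare Metal Recovery, System State

Backup time: 10/2/2016 12:30 AM
Version identifier: 10/02/2016-04:30
Can recover: Volume(s), File(s)

Backup time: 10/3/2016 12:30 PM
Version identifier: 10/03/2016-16:30
Can recover: Volume(s), File(s), Application(s), Bare Metal Recovery, System State
'@

function Get-BackupVersion([string]$Text) {
    # One "Key: value" block per backup, blocks separated by blank lines.
    foreach ($block in ($Text -split '(?:\r?\n){2,}')) {
        $id = [regex]::Match($block, '(?m)^Version identifier:\s*(\S+)').Groups[1].Value
        if (-not $id) { continue }
        New-Object PSObject -Property @{
            Version     = $id
            Taken       = [datetime]::ParseExact($id, 'MM/dd/yyyy-HH:mm', [Globalization.CultureInfo]::InvariantCulture)
            SystemState = $block -match '(?m)^Can recover:.*System State'
        }
    }
}

function ConvertTo-OuDn([string[]]$OuPath, [string]$DnsDomain) {
    # $OuPath is given parent-first; a DN is written leaf-first, then the DC parts.
    # Backslash-escape the characters RFC 4514 treats as special inside a value.
    $parts = @()
    for ($i = $OuPath.Count - 1; $i -ge 0; $i--) {
        $parts += 'OU=' + ($OuPath[$i] -replace '([,+"\\<>;])', '\$1')
    }
    $parts += $DnsDomain.Split('.') | ForEach-Object { "DC=$_" }
    $parts -join ','
}

$deletedAt = [datetime]'2016-10-03 09:00'   # constructed deletion time
# Newest backup that contains System State and predates the deletion.
$pick = Get-BackupVersion $sample |
    Where-Object { $_.SystemState -and $_.Taken -lt $deletedAt } |
    Sort-Object Taken -Descending | Select-Object -First 1
$dn = ConvertTo-OuDn -OuPath 'MyBusiness', 'distribution groups' -DnsDomain 'contoso.local'
# Print the two lines to type: one at the command prompt, one inside ntdsutil.
"wbadmin start systemstaterecovery -version:$($pick.Version)"
"restore subtree `"$dn`""
```

Filtering on "System State" and on the deletion time keeps you from restoring a files-only backup or one taken after the objects were already gone.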

This is what a successful restore looks like.  Look at "successfully updated records"

What's weird for me in the two times I've tried this is that I rebooted once, and my 2008 R2 server had no internet connectivity and no restored AD items on first reboot.  I had to reboot again to get my items and to get internet connectivity.  So weird.

Wednesday, November 21, 2012

autocomplete on Outlook 2011 connected to SBS 2008 not working

I had a user with Outlook 2011 for Mac (running on OS X 10.8) connected to his Exchange account.  The server runs SBS 2008, fully patched (running Exchange 2007 SP 3).

The Outlook account was set up using autodiscover when the user was on the same LAN as the Exchange server.  When the user was not on the same LAN as the Exchange server, autocomplete did not work.

I troubleshot this problem off-site where I was able to replicate the problem.

I'm not sure exactly what I did to fix the problem, but I'm going to document what I did and what I saw.

First, I investigated the user's settings.  Interestingly, the field for server under directory services was blank.  I wasn't sure if there was supposed to be something there.  I assumed yes.

I created a new identity in Outlook 2011 and created a new Exchange account in that new identity that pointed to my personal Office365 account.  I let autodiscover create the Outlook connection settings.  Interestingly, there was nothing there in the server field for directory services either.  The autocomplete was not working in this Outlook profile/account either.

I logged out as the user and logged in as another user (another local account on the Mac).  I opened Outlook and Office update told me there was an update to install (perhaps 10.2.5 - I'm not sure).  I let that update install.  I opened Outlook and set up an Exchange account for a completely separate client that also has an SBS 2008 server (fully patched).  I let autodiscover create the settings.  Autocomplete was not working on this account either, but I did notice that there was a value in the server field in directory services. The value was set to servername.domainname.local.  Clearly, this server would not resolve since the server was not local and there was no route to the server.  This makes some logical sense to me that my client's autocomplete was working in the office when he was on the same LAN as the server so Outlook must have been able to route to the server in some way to pull autocomplete data.  So I replaced servername.domainname.local with the FQDN of the server - remote.contoso.com.  I checked the box for SSL.  Directory services said it would use port 3269 so I went to the firewall of my SBS 2008 server and redirected port 3269 to the local IP of my SBS 2008 box.  I closed Outlook and reopened it.  Outlook complained of a certificate mismatch (directory services was pointing to remote.contoso.com but the cert was for servername.domainname.local).  I allowed Outlook to use the server anyway despite the certificate mismatch.  And lo and behold, autocomplete began working.

In addition, Office 2011 also notified me of another update, 10.2.6 I believe - which I allowed to install.

But this is where it gets weird.

I go back into the user's original profile and autocomplete is working.  I made no changes to his Exchange account.  None at all.  All I did was get autocomplete working on another Exchange account in a completely different Mac profile.  There is no reason that would have any effect on the user's profile.  Autocomplete also began working on my Office365 profile as well.

I rebooted the Mac and the changes persisted (autocomplete still working).  I disconnected from the WLAN the Mac was on and connected the Mac to my iPhone's personal hotspot and the changes persisted (autocomplete still working).

I can't narrow this down to a specific thing I did to fix it, but it's working.