I have a small Windows domain which became "a little bit" corrupted over time. Now I want to clean up using an older VM of a DC (WinSrvr 2008R2) with a healthy AD structure. For this I removed the existing DCs physically from the network without downgrading them to normal servers. Then I started up the virtual DC and created some non-DCs successfully. Existing non-virtual workstations, which had been added to the domain after the reanimated server was sent to sleep, allow successful login. I assume that this is possible because the domain users are allowed to log in from anywhere. However, these machines cannot access the new VMs besides the reanimated server because they are not known to the domain, which is obvious. Also, some services running under domain identities do not start up because these identities are not known to the reanimated server. Now I read that since WinSrvr 2008R2 it is possible to restore deleted objects from the AD recycle bin. So my hope is it will be possible to restore the objects (users, groups, computers, and possibly some others) from the AD recycle bin. For this, the following procedure appears feasible to me:
- Start one of the isolated DCs leaving it isolated
- Remove the objects of interest from AD
- Export the recycle bin to a file
- Import the recycle bin from this file to the reanimated DC
- Recover objects from the recycle bin on the reanimated DC
While all this looks consistent to me, I have no idea how to perform steps 3 and 4. Does anyone have experience of how to do that? I would be really glad.
Correction:
Login from later added computers is not possible anymore. Probably cached credentials expired.
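As an added example (not the poster's own script) of what the Recycle Bin steps of the list look like in the ActiveDirectory PowerShell module: the bin only holds objects tombstoned in the directory they were deleted from, so this shows steps 2, 3 and 6 run on one DC, checking first that the feature is enabled and restoring a deleted OU before the objects that lived in it. The DNs, the fallback OU and the sample target set are placeholders.

```powershell
# Added example, not from the original post. Assumes RSAT's ActiveDirectory
# module and a forest at functional level 2008 R2 or higher.
Import-Module ActiveDirectory

# Without the Recycle Bin enabled, deleted objects are plain tombstones and
# Restore-ADObject cannot bring back stripped attributes (group membership etc.).
$feature = Get-ADOptionalFeature -Filter 'name -like "Recycle Bin Feature"'
if (-not $feature.EnabledScopes) {
    throw "AD Recycle Bin is not enabled in this forest; only tombstones exist."
}

# Step 3: delete the objects of interest (constructed sample DNs, placeholders).
$targets = @('CN=svc-backup,OU=Service Accounts,DC=corp,DC=example',
             'CN=WKS-042,OU=Workstations,DC=corp,DC=example')
foreach ($dn in $targets) { Remove-ADObject -Identity $dn -Confirm:$false }

# Step 6: list what the bin holds. Deleted objects are only returned with
# -IncludeDeletedObjects; lastKnownParent records where each one used to live.
# Objects past the deleted-object lifetime are "recycled" and cannot be restored.
$deleted = Get-ADObject -Filter 'isDeleted -eq $true -and name -ne "Deleted Objects"' `
    -IncludeDeletedObjects `
    -Properties lastKnownParent, msDS-LastKnownRDN, objectClass, whenChanged

# Placeholder: a live OU to receive objects whose original parent no longer exists.
$fallback = 'OU=Restored,DC=corp,DC=example'

# Restore shallowest original paths first, so a deleted OU is back in place
# before the users/computers that were inside it are restored into it.
$ordered = $deleted | Sort-Object { ($_.lastKnownParent -split ',(?=(OU|CN|DC)=)').Count }
foreach ($obj in $ordered) {
    try {
        Get-ADObject -Identity $obj.lastKnownParent -ErrorAction Stop | Out-Null
        $parentLive = $true
    } catch {
        $parentLive = $false
    }
    if ($parentLive) {
        Restore-ADObject -Identity $obj.ObjectGUID
        Write-Host "restored $($obj.'msDS-LastKnownRDN') to $($obj.lastKnownParent)"
    } else {
        # Original parent is gone and was not restored earlier: Restore-ADObject
        # would fail, so place the object under the fallback OU instead.
        Restore-ADObject -Identity $obj.ObjectGUID -TargetPath $fallback
        Write-Host "restored $($obj.'msDS-LastKnownRDN') to $fallback (parent missing)"
    }
}
```

Run the listing part alone first (drop the Remove-ADObject loop) to confirm the bin contains what you expect before restoring anything.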