This is my first blog post, so be gentle on me 🙂 Yes it’s a long one… hopefully someone does read this to the end.
So the title of this is a bit of a giveaway. I admit it, I did something I really should have double checked before doing. Sit down in front of the glow of your computer screen, and read a tale of sorrow, pain, and frustration… all caused by a small oversight.
It was a sunny morning, or so the desktop widget told me (for I have no windows in my office.. no not Windows, I do have that). As my Windows 7 testing progressed, I decided it was time to clean up AD a little. I moved all my shiny new GPO’s into the root of the domain, and set them to apply to Windows 7 computers only. Rather safe, nobody would get any wacky new settings. So it was also time to clean up that Windows 7 OU I’d created to do some testing. I had a look, and there were 2 users listed. My boss, and a test account. I moved both accounts into a general ‘IT’ OU, and being the good Sys Admin that I am, also decided to delete the OU.
Now, this is where it all goes wrong. I get a very informative popup saying the OU is protected from accidental deletion. That was good of me to set that (or does it just do it by default? I’ll take credit for now). So I go in and remove that pesky tickbox, stopping me from taking out the trash. I then try to delete the OU a second time – this time, another informative popup. I’ll paraphrase here: “Stuff in this OU will be friggen DELETED so you better want this gone, punk”. I think for a second, and yes I removed the accounts visible, so I click the “No worries” button and it’s a job well done.
That is, until I start to realise something’s wrong. My Communicator dropped offline. My Outlook is offline. I can’t click on other OU’s in AD. That feeling when you lean too far back on your chair had hit me. What’s wrong with my account? A quick search of AD by RDPing to a DC and searching for my username confirms the worst. GONE!
Tip 1. Always know of another domain admin account in case yours gets screwed somehow. Maybe just expired, disabled, whatever.
At this stage, I can’t work out how I missed my own account. The OU was empty??
Tip 2. Always refresh your view in AD Users & Computers before you delete an OU
After thinking about this for a minute, I remember that AD accounts are just tombstoned. So why don’t I just recover it? Google FU! Good news, Microsoft’s KB about what to do in this exact situation is the first hit, so I eagerly open the linkhttp://support.microsoft.com/kb/840001 and my eagerness turns to dread.
Seriously, all that just to recover an AD account? A few minutes and a few commands, and I decide there must be a better way than this giant process. I could go to backup tape, but no lets stick with trying to get it back without that first. Thanks for the detail Microsoft 🙁
Google FU! Attempt two gets a much better result: http://www.petri.co.il/recovering-deleted-items-active-directory.htm – now this is much better, giving me a nice little program called ADRestore.net with simple instructions on restoration. I somehow manage to restore the OU and my AD account… somewhat.
Tip 3. You can’t restore an account from a deleted OU which has been Tombstoned, unless you restore the OU first.
So, there’s my old account back in AD. Sweet…. except hang on, all the details are missing, almost every field is blank and my pants are feeling a little damp. What’s going on?
According to the article, I ‘should’ have had all the settings back. At this stage, I just deal with it and start setting myself up again – no biggie. A few groups here, a few phone numbers there and tada! It looks like it’s old self. Oh, don’t forget to put email back on it!
At this stage, my brain had not just fizzled out by stupidity, but had turned off the lights, gone out, left the door open for a stray cat to wander in and went to watch a 3D movie. For SOME reason, I had the memory that in Exchange 2007, if you remove someone’s email account, just recreate a new one and it’ll link up the old and new.
Tip 4. Don’t just recreate a new email account if you want to link a user back up to their old email account on Exchange 2007.
I don’t realise this yet, so I launch Outlook. Strange, it is saying “Offline”. OK fine, I’ll just export everything, recreate my profile and then import it. Minutes pass of many progression bars for exporting and importing. But I get to the end, and think surely that’s the end of it?
I also ‘should’ have gone to the deleted mailboxes, and just rejoined my mailbox to my AD account. That would have saved so much time. But then I wouldn’t have spent the next few hours working pulling my hair out, which is actually a bad thing, so I’m not sure why I’m pointing this out.
All is quiet for a while, and everything works. Then, I get a call. “How come your email is bouncing, I wondered if you were fired?” Hmm maybe I should have been for the above stupidity, but no that wasn’t the case. A few test emails later and I couldn’t work out what was wrong. I got the person to delete the cached entry for me in Outlook, and great it worked. A few other people called, and I sorted them out too.
Tip 5: Cases normally aren’t closed when you expect them to be.
That is, until the next day. Another call from the same person as the day before “I’m still getting bouncebacks, what’s going on? Where am I? Are you my daddy?” I might be remembering the conversation differently, but it’s probably not too far off the truth. For some reason, the same people were getting bouncebacks again? What THE!? Other testing shows it’s OK. The bouncebacks they were getting was that my email address didn’t exist. But it did, and I quadruple checked that it was all set up correct.
It then takes me a few hours of research to eventually discover a few people saying ‘Make sure your account has an entry for “legacyExchangeDN” by using ADSI edit. I look, and yeah I can see my details there so it can’t be that. A few circles are followed, often taking me back to that field. I check again, and this time I scroll all the way to the end. And then I see it, that moment of grasping the situation by the dangly bits, and realising THAT THERE IS THE PROBLEM MISTER! It has my full email address, with a 1 on the end. A little 1. Nowhere could I see this 1, because it was never referenced by anything. The bouncebacks, my email address in Exchange console and so on, were all correct. But this field wasn’t. I deleted that naughty numeral, and got those confused users to try emailing me again…
Tip 6: Check fields even if you think they are correct, they could be 1 character wrong (or one character extra on the end!)
So, that’s the end of my tale. Sometimes it’s good to go through these things to remind you why you normally double check things before taking action. And I’m really glad it was my own account and nobody else’s.
I hope you enjoyed reading this, and pointed and laughed at me because I deserve it.