1. The Field of the Invention
The present invention relates to backup and recovery operations. More particularly, the present invention relates to rapid recovery of an Active Directory container object and/or its children.
2. The Relevant Technology
Active Directory is a directory service used to store information about network resources across a domain. Its main purpose is to provide central authentication and authorization services for Windows-based computers. Active Directory also allows administrators to assign policies, deploy software, and apply critical updates to an organization. Active Directory stores information and settings in a central database.
An Active Directory structure is a hierarchical framework of objects. The objects fall into three broad categories: resources (e.g., printers), services (e.g., e-mail) and users (e.g., user accounts and groups). The Active Directory provides information on the objects, organizes the objects, controls access and sets security. Certain objects can also be containers of other objects. An object is uniquely identified by its name and has a set of attributes—the characteristics and information that the object can contain—defined by a schema, which also determines the kinds of objects that can be stored in the Active Directory.
Typically, the highest object in the hierarchy is the domain. The domain can be further sub-divided into containers called Organizational Units. Organizational units give a semblance of structure to the organization either based on administrative structure or geographical structure. The organizational unit is the common level at which to apply group policies, which are Active Directory objects themselves called Group Policy Objects. Policies can also be applied to individual objects or attributes as well as at the site level (i.e., one or more IP subnets).
In Active Directory, every object has a Distinguished Name. For example, an object called “container1” in the domain “guru.com,” would have the distinguished name: /DC=guru,DC=com/CN=Users/CN=container1.
When a container object is deleted from Active Directory, all of its children in this hierarchical sub-branch are removed as well. When Active Directory deletes an object from the directory, it does not physically remove the object from the database. Instead, Active Directory marks the object as deleted by setting the object's isDeleted attribute to TRUE, stripping most of the attributes from the object, renaming the object, and then moving the object to a special container in the object's naming context (NC) named CN=Deleted Objects. The object, now called a tombstone, is invisible to normal directory operations and is scheduled to be physically deleted at a later point in time.
Up until the object is actually deleted from the database, a deleted object can be recovered. However, in order to recover, for example, one of the children of the container object, the user is required to know the distinguished name of the object. When the child is moved to the Deleted Objects container, its distinguished name is changed, making it difficult for a user to find a child item and restore it. In addition, even if a user is able to restore an object, the attributes that were stripped from the object must be recovered separately.
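The tombstone lifecycle described above, modelled as a small in-memory directory. This is an added example, not code from the patent or from Active Directory itself: deleting a container tombstones every object in the subtree (isDeleted set to TRUE, most attributes stripped, object renamed and moved under CN=Deleted Objects), and recovery walks the tombstones back to their original parents at any depth, reapplying stripped attributes from a backup snapshot. The domain, object names, SIDs, the `lastKnownParent` bookkeeping, the `\0ADEL:` rename marker and the set of attributes a tombstone keeps are all constructed for the model and simplified relative to a real domain controller.

```python
"""Toy model of Active Directory tombstoning and subtree recovery (added example)."""
import copy
import uuid

DOMAIN_DN = "DC=guru,DC=com"                      # constructed sample domain
DELETED_OBJECTS = f"CN=Deleted Objects,{DOMAIN_DN}"
DEL_MARK = "\\0ADEL:"                             # stand-in for AD's rename marker
# Attributes a tombstone keeps in this model; real AD uses a schema-defined set.
PRESERVED = {"objectGUID", "objectSid", "sAMAccountName", "lastKnownParent"}


def parent_dn(dn):
    """Strip the leading RDN: 'CN=a,OU=b,DC=c' -> 'OU=b,DC=c'."""
    return dn.split(",", 1)[1]


def rdn_of(dn):
    return dn.split(",", 1)[0]


class Directory:
    def __init__(self):
        self.objects = {}  # objectGUID -> attribute dict (includes 'dn', 'isDeleted')

    def add(self, dn, **attrs):
        guid = str(uuid.uuid4())
        self.objects[guid] = {"dn": dn, "objectGUID": guid, "isDeleted": False, **attrs}
        return guid

    def find(self, dn):
        """Live lookup by DN; normal operations never see tombstones."""
        return next((o for o in self.objects.values()
                     if o["dn"] == dn and not o["isDeleted"]), None)

    def live_children(self, dn):
        return [o for o in self.objects.values()
                if not o["isDeleted"] and parent_dn(o["dn"]) == dn]

    def snapshot(self):
        """Backup of every live object's attributes, keyed by original DN."""
        return {o["dn"]: copy.deepcopy(o) for o in self.objects.values()
                if not o["isDeleted"]}

    def delete(self, dn):
        """Delete a subtree; each object becomes a tombstone, children first."""
        obj = self.find(dn)
        if obj is None:
            raise KeyError(dn)
        for child in self.live_children(dn):
            self.delete(child["dn"])
        guid = obj["objectGUID"]
        tomb = {k: v for k, v in obj.items() if k in PRESERVED}   # strip the rest
        tomb["isDeleted"] = True
        tomb["lastKnownParent"] = parent_dn(dn)   # where it lived before deletion
        # Rename (old RDN + marker + GUID) and move under CN=Deleted Objects.
        tomb["dn"] = f"{rdn_of(dn)}{DEL_MARK}{guid},{DELETED_OBJECTS}"
        self.objects[guid] = tomb

    def tombstones_under(self, original_parent_dn):
        """Tombstones whose pre-deletion parent was original_parent_dn."""
        return [o for o in self.objects.values()
                if o["isDeleted"] and o["lastKnownParent"] == original_parent_dn]

    def recover(self, dn, backup):
        """Reanimate the object that had DN `dn`, then its children at any depth.

        Returns the number of objects restored. Only the original DN is needed;
        the renamed tombstone is located via lastKnownParent plus its old RDN."""
        rdn = rdn_of(dn)
        tomb = next((o for o in self.tombstones_under(parent_dn(dn))
                     if o["dn"].split(DEL_MARK)[0] == rdn), None)
        if tomb is None:
            raise KeyError(f"no tombstone for {dn}")
        if parent_dn(dn) != DOMAIN_DN and self.find(parent_dn(dn)) is None:
            raise RuntimeError(f"parent {parent_dn(dn)} must be restored first")
        restored = copy.deepcopy(backup.get(dn, {}))     # reapply stripped attributes
        restored.update({k: v for k, v in tomb.items() if k in PRESERVED})
        restored.update({"dn": dn, "isDeleted": False})
        restored.pop("lastKnownParent", None)
        self.objects[tomb["objectGUID"]] = restored
        count = 1
        for child in self.tombstones_under(dn):           # recurse into the subtree
            child_dn = f"{child['dn'].split(DEL_MARK)[0]},{dn}"
            count += self.recover(child_dn, backup)
        return count


def build_sample():
    """Constructed directory: Users > container1 > sub > alice."""
    d = Directory()
    d.add(f"CN=Users,{DOMAIN_DN}", objectClass="container")
    d.add(f"CN=container1,CN=Users,{DOMAIN_DN}", objectClass="container",
          description="team 1")
    d.add(f"CN=sub,CN=container1,CN=Users,{DOMAIN_DN}", objectClass="container")
    d.add(f"CN=alice,CN=sub,CN=container1,CN=Users,{DOMAIN_DN}", objectClass="user",
          sAMAccountName="alice", objectSid="S-1-5-21-1-2-3-1105",
          mail="alice@guru.com")
    return d


if __name__ == "__main__":
    d = build_sample()
    backup = d.snapshot()
    target = f"CN=container1,CN=Users,{DOMAIN_DN}"
    d.delete(target)
    print("tombstones after delete:", sum(o["isDeleted"] for o in d.objects.values()))
    print("restored objects:", d.recover(target, backup))
```

Running the module deletes `container1` and prints three tombstones, then restores all three objects from the original DN alone; without the `backup` snapshot the objects come back with only the preserved attributes (GUID, SID, logon name), which is the separate attribute-recovery problem the text points out.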
Because an Active Directory can be quite complex, varying from a small installation with a few hundred objects to a large installation with millions of objects and potentially many levels of hierarchy, it would be advantageous to be able to recover a container and its children at any depth.