Exchange config backup and restore with LDIFDE

The problem: You’re making changes to Exchange, and it’s scary because the settings are all in AD and if you break something you’re going to have to restore from a System State backup. You want to be able to back up and restore the configuration without having to take down your domain controller.

The solution: A magical little tool called LDIFDE – this allows you to import and export Active Directory objects for backup and restore, migration to another domain, you name it. As the Exchange Configuration is stored almost entirely in AD objects, it can be used to back up your configuration before you make changes. This gives us an easy restore option, however you should always have a System State backup in case things go south.

In this example, we’ll look at editing a Receive Connector;

Backup

  1. Open up Exchange Management Shell, run the Get-Whatever command for the object you are going to edit and obtain the DistinguishedName attribute. For example;

Get-ReceiveConnector | fl Name,DistinguishedName

The Distinguished Name represents the location of the object in Active Directory. You should see something like this;

Name : Receive from exchange
DistinguishedName : CN=Receive from exchange,CN=SMTP Receive Connectors,CN=Protocols,CN=SERVERNAME,CN=Servers,CN=Exchange Administrative Group (ABCDEFGH12ABCDE),CN=Administrative Groups,CN=CompanyName,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=example,DC=com,DC=au

If you open ADSI Edit on a Domain Controller, you can browse to the above location and see the AD object for the connector in there. You need to connect to the ‘Configuration’ naming context;

Image 1565

Image 1566

Image 1567

 

We will use this DN in the next step to back up the Exchange object. If you wish to back up your entire Exchange configuration, just use the DN “CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=example,DC=com,DC=au”

  1. Use LDIFDE to export the object from from Active Directory to an LDF file.

Open an elevated command prompt and run the below command:

ldifde -d “CN=Receive from exchange,CN=SMTP Receive Connectors,CN=Protocols,CN=SERVERNAME,CN=Servers,CN=Exchange Administrative Group (ABCDEFGH12ABCDE),CN=Administrative Groups,CN=CompanyName,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=example,DC=com,DC=au” -p subtree -o “uSNCreated,uSNChanged,objectguid,whencreated,whenchanged” -f filename.ldf

We’ll break down the different parts of this command;

  • -d “CN=Receive from exchange…”: The distinguished name (DN) of the object we are backing up
  • -p subtree: This specifies that we wish to back up any child objects under the specified DN
  • -o “uSNCreated…”: This part is important – this instructs LDIFDE to exclude any system-owned values such as the GUID and USN numbers. This ensures that the object can successfully be re-created from the LDF file.
  • -f: This specifies the filename for your exported file

The resulting file is in plain text, and can be edited with any text editor. If you wish you can use it as a reference for any settings contained within the exported object, as it displays similar information to the “Get-ReceiveConnector | fl” command.

  1. Edit the object as needed

Complete your changes and test, confident in your easy rollback method.

Restore

Should you run into any issues with your change, the best rollback is generally to have a process to reconfigure Exchange back to the original settings either through the console or shell, however this is not always possible. If you need to restore from your LDIFDE export, the process is very simple.

  1. Import the LDIFDE file to Active Directory

Log into your domain controller and launch an administrative command prompt, then enter the below command, specifying the filename of your exported LDF file:

ldifde -i -f C:\filename.ldf

The -i switch specifies that it is an import, and the -f switch specifies the filename for the LDF file to import. This will overwrite any existing objects with the same DN.

  1. Restart Exchange services if required

You may need to restart Exchange services or reboot your Exchange servers to apply this rollback method, depending on what you have restored.

So there you have it! These same principles can be applied to other types of AD changes, however always test your rollback method in a lab environment wherever possible to ensure it will work. LDIFDE can also be used to migrate AD objects to another domain, amongst other things. See here for some more background information on LDIFDE.

As always, this advice is provided as-is with no guarantees of any kind.

Leave a Reply

Your email address will not be published. Required fields are marked *