Rescue Deleted Objects with the AD Recycle Bin

By John Policelli | Nov 4, 2009
http://www.enterprisenetworkingplanet.com/windows/article.php/3846956/Rescue-Deleted-Objects-with-the-AD-Recycle-Bin.htm

The accidental deletion of objects is a problem with which most Active Directory administrators are far too familiar. Prior to Windows Server 2008 R2, recovering from an accidental deletion required either tombstone reanimation, which brings back only a handful of attributes, or an authoritative restore from backup, a time-consuming process that needs a domain controller taken offline. The Active Directory Recycle Bin, a new feature in Windows Server 2008 R2, allows administrators to recover accidentally deleted Active Directory objects quickly, with all of their attributes and group memberships intact.

The Four States of the Active Directory Recycle Bin

The Active Directory Recycle Bin, once enabled, changes the lifecycle of Active Directory objects, as shown in the following figure.

Figure: The Lifecycle of Active Directory Objects

The Active Directory object lifecycle consists of four states once the Active Directory Recycle Bin is enabled.

Live State: The Live state is the normal state of an Active Directory object while it exists in the directory.

Deleted State: When an object is deleted from Active Directory, it is put into the Deleted state; that is, it is logically deleted from the directory. A logical deletion consists of the following:

  • The object's link-valued and non-link-valued attributes are preserved (this is what distinguishes a deleted object from a pre-R2 tombstone, which kept only a few attributes)
  • The object's isDeleted attribute is set to TRUE and its distinguished name is mangled: the relative distinguished name becomes "<name>\0ADEL:<objectGUID>"
  • The object is moved to the Deleted Objects container of its naming context

The object remains in the Deleted state for the duration of the deleted object lifetime, which is 180 days by default. (The deleted object lifetime is the msDS-DeletedObjectLifetime attribute on the Directory Service configuration object; when it is not set, it inherits the forest's tombstone lifetime, which is 180 days for forests created on Windows Server 2003 SP1 or later but 60 days for older forests unless it was raised.) While an object is in the Deleted state, it can be put back into the Live state either by using the Active Directory Recycle Bin or by performing an authoritative restore.

Recycled State: When the deleted object lifetime expires, most of the object's attributes are stripped, its isRecycled attribute is set to TRUE, and the object is automatically moved from the Deleted state to the Recycled state. An object remains in the Recycled state for the duration of the recycled object lifetime, which equals the tombstone lifetime, 180 days by default. While an object is in the Recycled state, it cannot be recovered using the Active Directory Recycle Bin or by reanimating it; an authoritative restore from a backup is the only remaining option.

Physically Deleted State: Lastly, when the recycled object lifetime expires, the garbage-collection process physically deletes the recycled object from the database.
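The two lifetimes above are not stored as fixed numbers but resolved from two attributes on the Directory Service configuration object, and both can be absent. The following added example (not part of the original article) reads them with the Active Directory Module for Windows PowerShell and applies the same fallback rules the directory does, so you know how long a deleted object in your own forest actually stays restorable. It assumes the module is available and the caller can read the configuration partition; the 365-day values in the commented Set-ADObject line are an illustration, not a recommendation.

```powershell
# Added example: resolve the effective deleted and recycled object lifetimes.
# Assumes the ActiveDirectory module (RSAT or a 2008 R2 DC) and read access
# to the Configuration naming context.
Import-Module ActiveDirectory

$configDn = (Get-ADRootDSE).configurationNamingContext
$dsConfig = Get-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$configDn" `
    -Properties tombstoneLifetime, 'msDS-DeletedObjectLifetime'

# tombstoneLifetime governs the Recycled state. If the attribute was never
# set (forests created before Windows Server 2003 SP1), the DC uses 60 days;
# forests created on 2003 SP1 or later have it populated with 180.
$tombstoneLifetime = if ($dsConfig.tombstoneLifetime) { [int]$dsConfig.tombstoneLifetime } else { 60 }

# msDS-DeletedObjectLifetime governs the Deleted state. When it is not set,
# the deleted object lifetime inherits the tombstone lifetime.
$deletedLifetime = if ($dsConfig.'msDS-DeletedObjectLifetime') {
    [int]$dsConfig.'msDS-DeletedObjectLifetime'
} else {
    $tombstoneLifetime
}

[pscustomobject]@{
    DeletedObjectLifetimeDays  = $deletedLifetime   # restorable with Restore-ADObject for this long
    RecycledObjectLifetimeDays = $tombstoneLifetime # then stripped and garbage-collected after this long
    Source                     = if ($dsConfig.'msDS-DeletedObjectLifetime') { 'msDS-DeletedObjectLifetime set explicitly' } else { 'inherited from tombstoneLifetime' }
}

# To lengthen both windows (hypothetical value of one year), set the attributes
# explicitly. Setting them also removes any dependence on the 60-day fallback.
# Set-ADObject -Identity $dsConfig -Replace @{ 'msDS-DeletedObjectLifetime' = 365; tombstoneLifetime = 365 }
```

The point worth checking before you rely on the 180-day figure is the Source field: a forest that was upgraded from Windows 2000 or Windows Server 2003 RTM and never had tombstoneLifetime set gives you only a 60-day Deleted window, and a 60-day Recycled window after that.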

Enabling the Active Directory Recycle Bin

The Active Directory Recycle Bin is considered an optional feature and is not enabled by default. However, before you can go ahead and enable the Active Directory Recycle Bin, there are a few things to consider.

First, the Active Directory Recycle Bin requires a forest-functional level of Windows Server 2008 R2, which means all current and future domain controllers must have at least Windows Server 2008 R2 installed, and your domains must have a domain-functional level of Windows Server 2008 R2.

If you meet the forest-functional level prerequisite, there is one more important consideration before you enable the Active Directory Recycle Bin. In Windows Server 2008 R2, you can lower the forest functional level back to Windows Server 2008, provided you have not enabled the Active Directory Recycle Bin. Enabling the feature is irreversible, so you must be absolutely certain you will never need to lower the functional level before you go ahead and enable the Active Directory Recycle Bin.

Once you meet the prerequisite, and you accept that you will not be able to lower the functional level in future, you can use the Enable-ADOptionalFeature PowerShell cmdlet, which is included with the Active Directory Module for Windows PowerShell, to enable the Active Directory Recycle Bin. The feature is enabled once per forest, with the forest's root domain as the target.
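The checks described above, followed by the actual enable and a verification, as an added example that is not from the original article. It assumes the Active Directory module on a Windows Server 2008 R2 domain controller or RSAT host, and an account that is a member of Enterprise Admins. Because enabling is irreversible, the script refuses to run unless the forest functional level is already Windows Server 2008 R2 and the feature is not yet enabled.

```powershell
# Added example: enable the AD Recycle Bin after verifying the prerequisites.
# Assumes the ActiveDirectory module and Enterprise Admins membership.
Import-Module ActiveDirectory

$forest = Get-ADForest

# Prerequisite 1: forest functional level Windows Server 2008 R2 (or higher).
# Compare the enumeration numerically so a later level also passes.
$required = [Microsoft.ActiveDirectory.Management.ADForestMode]::Windows2008R2Forest
if ([int]$forest.ForestMode -lt [int]$required) {
    throw "Forest functional level is $($forest.ForestMode); it must be at least $required. " +
          "Every domain controller must run Windows Server 2008 R2 and every domain must be at the 2008 R2 domain functional level before you raise it with Set-ADForestMode."
}

# Prerequisite 2: not already enabled. EnabledScopes is empty until the
# feature has been enabled for the forest (it is enabled at the
# ForestOrConfigurationSet scope, with the forest root domain as target).
$feature = Get-ADOptionalFeature -Identity 'Recycle Bin Feature'
if ($feature.EnabledScopes.Count -gt 0) {
    Write-Host "Recycle Bin Feature is already enabled for: $($feature.EnabledScopes -join ', ')"
    return
}

# Point of no return: after this the forest functional level cannot be
# lowered back to Windows Server 2008 again.
Enable-ADOptionalFeature -Identity 'Recycle Bin Feature' `
    -Scope ForestOrConfigurationSet `
    -Target $forest.RootDomain `
    -Confirm:$false

# Verify. Replication to other DCs takes a few minutes; query the DC you
# enabled it on (the domain naming master is a sensible choice).
$feature = Get-ADOptionalFeature -Identity 'Recycle Bin Feature' -Server $forest.DomainNamingMaster
if ($feature.EnabledScopes.Count -eq 0) {
    throw "Enable-ADOptionalFeature returned, but the feature does not show as enabled yet."
}
Write-Host "Recycle Bin Feature enabled for: $($feature.EnabledScopes -join ', ')"
```

Run it interactively the first time without -Confirm:$false if you prefer the cmdlet's own confirmation prompt; the throw on the functional-level check is the guard you actually want, since the cmdlet itself reports only a generic error when the level is too low.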

Using the Active Directory Recycle Bin

Microsoft has not included any new graphical tools for the Active Directory Recycle Bin in Windows Server 2008 R2. However, a number of PowerShell cmdlets included in the Active Directory Module for Windows PowerShell are useful when working with it. You locate deleted objects with the Get-ADObject cmdlet and its -IncludeDeletedObjects parameter, which adds the LDAP "show deleted objects" control to the search, and you use the Restore-ADObject cmdlet to restore them. Restore-ADObject puts an object back under the container recorded in its lastKnownParent attribute, so when a whole organizational unit has been deleted, the OU must be restored before the objects that were inside it.
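A worked recovery of a deleted OU and its contents, added here as an example that is not from the original article. It assumes the Recycle Bin is enabled, the Active Directory module is available, and that an OU named Sales directly beneath the domain root (a hypothetical name) was deleted together with the user accounts inside it. Restoring the OU first and then using -TargetPath for the children avoids depending on exactly what lastKnownParent contains after a tree deletion.

```powershell
# Added example: find deleted objects and restore a deleted OU plus its children.
# Assumes the ActiveDirectory module, an enabled Recycle Bin, and a deleted
# OU named "Sales" (hypothetical) that sat directly under the domain root.
Import-Module ActiveDirectory

$domainDn         = (Get-ADDomain).DistinguishedName
$deletedContainer = "CN=Deleted Objects,$domainDn"
$ouName           = 'Sales'
$ouDn             = "OU=$ouName,$domainDn"

# 1. Inspect what is in the Deleted state. A deleted object carries
#    isDeleted=TRUE and its RDN is mangled to "<name>\0ADEL:<objectGUID>",
#    so match on the leading part of the name. Without -IncludeDeletedObjects
#    the search would return nothing.
$candidates = Get-ADObject -Filter { isDeleted -eq $true -and Name -like "Sales*" } `
    -IncludeDeletedObjects -SearchBase $deletedContainer `
    -Properties lastKnownParent, whenChanged, objectClass, isRecycled

$candidates | Format-Table Name, objectClass, lastKnownParent, whenChanged -AutoSize

# 2. Restore the OU itself. Only objects still in the Deleted state (not yet
#    recycled) are restorable; filter accordingly in case the listing above
#    shows a stale, recycled copy with the same name.
$deletedOu = $candidates |
    Where-Object { $_.objectClass -eq 'organizationalUnit' -and -not $_.isRecycled } |
    Sort-Object whenChanged -Descending |
    Select-Object -First 1
if (-not $deletedOu) { throw "No restorable deleted OU named '$ouName' found." }

Restore-ADObject -Identity $deletedOu.ObjectGUID
Get-ADOrganizationalUnit -Identity $ouDn | Out-Null   # fails loudly if the restore did not land

# 3. Restore the objects that were inside it. After a tree deletion the
#    children's lastKnownParent refers to the OU, either by its original DN or
#    by its mangled DN under Deleted Objects; accept both forms. Passing
#    -TargetPath explicitly puts each child under the restored OU regardless.
$children = Get-ADObject -Filter { isDeleted -eq $true } `
    -IncludeDeletedObjects -SearchBase $deletedContainer `
    -Properties lastKnownParent, isRecycled |
    Where-Object {
        -not $_.isRecycled -and
        ($_.lastKnownParent -eq $ouDn -or $_.lastKnownParent -like "OU=$ouName\0ADEL:*")
    }

foreach ($child in $children) {
    Restore-ADObject -Identity $child.ObjectGUID -TargetPath $ouDn
    Write-Host "Restored $($child.Name) into $ouDn"
}
```

Group memberships come back with the users because link-valued attributes are preserved in the Deleted state, which is the practical difference from a pre-R2 tombstone reanimation. If the deleted OU contained sub-OUs, repeat step 3 once per level, restoring each sub-OU before the objects beneath it, because -TargetPath as used here would otherwise flatten nested containers into the top-level OU.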

John Policelli (Microsoft MVP for Directory Services, MCTS, MCSA, ITSM, iNet+, Network+, and A+) is a solutions-focused IT consultant with over a decade of combined success in architecture, security, strategic planning and disaster recovery planning. John has designed and implemented dozens of complex directory service, e-Messaging, web, networking, and security enterprise solutions. John is the author of Active Directory Domain Services 2008 How-To (Sams Publishing). He maintains a blog at http://policelli.com/blog.

Article courtesy of Enterprise IT Planet