Rescue Deleted Objects with the AD Recycle Bin

The accidental deletion of objects is a problem with which most Active Directory
administrators are far too familiar. Prior to Windows Server 2008 R2, recovering from an
accidental deletion required either an authoritative restore from backup, a time-consuming
process, or tombstone reanimation, which brings back only a handful of attributes. The
Active Directory Recycle Bin, a new feature in Windows Server 2008 R2, lets administrators
recover accidentally deleted objects quickly and with all of their attributes intact.

The Four States of the Active Directory Recycle Bin

The Active Directory Recycle Bin, once enabled, changes the lifecycle of Active
Directory objects, as shown in the following figure.

Figure: The Lifecycle of Active Directory Objects

The Active Directory object lifecycle consists of four states once the Active
Directory Recycle Bin is enabled.

Live State: The Live state represents an object that exists in the directory and is
visible to normal queries.

Deleted State: When an object is deleted, it is put into the Deleted state, meaning it
is logically (not physically) deleted from the directory. A logical deletion consists of
the following:

  • The object's linked and non-linked attribute values are preserved, including its
    group memberships, objectSid and sIDHistory; this is what makes a complete restore
    possible
  • The object's distinguished name is mangled
  • The object is moved to the Deleted Objects container

The object remains in the Deleted state for the duration of the deleted object lifetime
(the msDS-DeletedObjectLifetime attribute), which defaults to the tombstone lifetime:
180 days in forests created on Windows Server 2003 SP1 or later, 60 days in forests
created earlier and never adjusted. While an object is in the Deleted state, it can be
put back into the Live state either with the Active Directory Recycle Bin or by
performing an authoritative restore from backup.

Recycled State: When the deleted object lifetime expires, most of the object's
attributes are stripped and the object is automatically moved from the Deleted state to
the Recycled state. An object remains in the Recycled state for the duration of the
recycled object lifetime (the tombstoneLifetime attribute), 180 days by default. While an
object is in the Recycled state, it cannot be recovered with the Active Directory Recycle
Bin or by reanimating the object.

Physically Deleted State: Lastly, when the recycled object lifetime expires, the
garbage-collection process physically removes the recycled object from the database.

Enabling the Active Directory Recycle Bin

The Active Directory Recycle Bin is considered an optional feature and is not enabled
by default. However, before you can go ahead and enable the Active Directory Recycle Bin,
there are a few things to consider.

First, the Active Directory Recycle Bin requires a forest functional level of Windows
Server 2008 R2. That means every domain must first be raised to the Windows Server 2008
R2 domain functional level, which in turn means all current and future domain controllers
must run at least Windows Server 2008 R2. Enabling the feature also requires membership
in the Enterprise Admins group, since it is a forest-wide change.

If you meet the forest functional level prerequisite, there is one more important
consideration before you enable the Active Directory Recycle Bin. In Windows Server 2008
R2 you can lower the forest functional level back to Windows Server 2008, but only as
long as the Active Directory Recycle Bin has not been enabled. Enabling the feature is
irreversible, so you must be absolutely certain you will never need to lower the
functional level before you turn it on.

Once you meet the prerequisite and accept that the functional level can no longer be
lowered, you can use the Enable-ADOptionalFeature PowerShell cmdlet, which is included
with the Active Directory Module for Windows PowerShell, to enable the Active Directory
Recycle Bin.
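The following script, added here as an illustration rather than taken from the article, checks the prerequisites described above, shows the two lifetimes that govern the Deleted and Recycled states, and only then enables the feature. It assumes the Active Directory module is available and that the caller is an Enterprise Admin; the numeric comparison of ForestMode relies on the ADForestMode enumeration ordering (Windows2008R2Forest = 4).

```powershell
# Added example, not part of the original article.
# Run on a domain controller or a machine with RSAT, as an Enterprise Admin.
Import-Module ActiveDirectory

$forest = Get-ADForest

# ForestMode is an enum; compare the integer value, not the string, so that
# later levels (Windows2012Forest and up) are also accepted.
$required = [Microsoft.ActiveDirectory.Management.ADForestMode]::Windows2008R2Forest
if ([int]$forest.ForestMode -lt [int]$required) {
    throw "Forest functional level is '$($forest.ForestMode)'; Windows Server 2008 R2 or later is required. Raise every domain first."
}

# The Deleted and Recycled lifetimes live on the Directory Service object in the
# Configuration partition. msDS-DeletedObjectLifetime is normally unset, in which
# case the Deleted state lasts as long as tombstoneLifetime (itself 60 days when unset).
$configNC = (Get-ADRootDSE).configurationNamingContext
$dsConfig = Get-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$configNC" `
    -Properties 'msDS-DeletedObjectLifetime', 'tombstoneLifetime'

$tombstoneLifetime = if ($dsConfig.tombstoneLifetime) { $dsConfig.tombstoneLifetime } else { 60 }
$deletedLifetime   = if ($dsConfig.'msDS-DeletedObjectLifetime') { $dsConfig.'msDS-DeletedObjectLifetime' } else { $tombstoneLifetime }
Write-Output "Deleted object lifetime : $deletedLifetime days"
Write-Output "Recycled object lifetime: $tombstoneLifetime days"

# Check whether the feature is already on before attempting to enable it.
$feature = Get-ADOptionalFeature -Identity 'Recycle Bin Feature'
if ($feature.EnabledScopes.Count -gt 0) {
    Write-Output "Recycle Bin already enabled in: $($feature.EnabledScopes -join ', ')"
    return
}

# Irreversible: once this succeeds the forest functional level cannot be lowered.
# The cmdlet prompts for confirmation by default; the prompt is left in deliberately.
Enable-ADOptionalFeature -Identity 'Recycle Bin Feature' `
    -Scope ForestOrConfigurationSet `
    -Target $forest.Name
```

Re-run the script after enabling: the EnabledScopes check should now report the forest's configuration partition, and the change replicates to every domain controller in the forest.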

Using the Active Directory Recycle Bin

Microsoft has not included any new graphical tools for the Active Directory Recycle Bin
in Windows Server 2008 R2. However, several cmdlets in the Active Directory Module for
Windows PowerShell are useful when working with it: Get-ADObject with the
-IncludeDeletedObjects parameter finds deleted objects, and Restore-ADObject is what you
use to restore them. Two caveats matter in practice. First, Restore-ADObject fails if the
object's original parent container is itself deleted, so a deleted OU must be restored
before its children. Second, because a deleted object keeps its objectSid, sIDHistory and
group memberships, restoring a deleted privileged account restores its privileges in full;
treat such restores as privileged operations and watch for Directory Service Changes event
ID 5138 (object undeleted) in the security log.
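As an added example (not code from the article), the functions below list restorable deleted objects and restore one by its objectGUID, handling the deleted-parent case by restoring the parent first and then targeting the restored parent explicitly. The function names are made up for this example. It assumes the usual behaviour of the AD cmdlets in Windows Server 2008 R2: the original name is kept in msDS-LastKnownRDN and the original container in lastKnownParent; the script handles lastKnownParent pointing at either the parent's original DN or its mangled DN in the Deleted Objects container.

```powershell
# Added example, not part of the original article.
Import-Module ActiveDirectory

# List deleted objects that can still be restored, newest deletion first.
# -IncludeDeletedObjects is required; without it deleted objects are hidden.
# Deleted names are mangled to "<name>\0ADEL:<guid>", so a -like on the
# original name followed by * still matches.
function Get-RestorableObject {
    param([string]$NameLike = '*')

    Get-ADObject -Filter "isDeleted -eq `$true -and Name -like '$NameLike'" `
        -IncludeDeletedObjects `
        -Properties 'msDS-LastKnownRDN', lastKnownParent, whenChanged, objectSid, isRecycled |
        Where-Object { -not $_.isRecycled } |          # recycled objects cannot be restored
        Sort-Object whenChanged -Descending |
        Select-Object ObjectGUID, ObjectClass, 'msDS-LastKnownRDN', lastKnownParent, objectSid, whenChanged
}

# Restore a deleted object by objectGUID. If its last known parent is also
# deleted, restore the parent first (recursively), then place the object under
# the parent's live DN with -TargetPath.
function Restore-DeletedObjectWithParent {
    param([Parameter(Mandatory)][guid]$ObjectGuid)

    $obj = Get-ADObject -Identity $ObjectGuid -IncludeDeletedObjects `
        -Properties isDeleted, isRecycled, lastKnownParent, 'msDS-LastKnownRDN'

    if ($obj.isRecycled) { throw "'$($obj.'msDS-LastKnownRDN')' is recycled; only an authoritative restore from backup can bring it back." }
    if (-not $obj.isDeleted) { return $obj }             # already live, nothing to do

    # Resolve the parent. The lookup succeeds for a live parent and for a deleted
    # parent referenced by its mangled DN; an ObjectNotFound error means the DN
    # no longer resolves at all and the parent must be found and restored manually.
    try {
        $parent = Get-ADObject -Identity $obj.lastKnownParent -IncludeDeletedObjects `
            -Properties isDeleted -ErrorAction Stop
    } catch {
        throw "Parent '$($obj.lastKnownParent)' of '$($obj.'msDS-LastKnownRDN')' cannot be resolved; restore the parent container first."
    }

    if ($parent.isDeleted) {
        $parent = Restore-DeletedObjectWithParent -ObjectGuid $parent.ObjectGUID
    }

    # Restore into the (now live) parent. The RDN comes from msDS-LastKnownRDN,
    # and all preserved attributes, including group memberships, come back with it.
    Restore-ADObject -Identity $obj.ObjectGUID -TargetPath $parent.DistinguishedName -PassThru
}

# Usage: find the deleted user, confirm it is the right one, restore it.
Get-RestorableObject -NameLike 'John Doe*' | Format-Table -AutoSize
# Restore-DeletedObjectWithParent -ObjectGuid '<objectGUID from the listing above>'
```

Always review objectSid and lastKnownParent in the listing before restoring: with the Recycle Bin enabled, deleting an account no longer removes its access for good during the deleted object lifetime, so a restore of the wrong object silently reinstates every group membership it previously held.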

John Policelli (Microsoft MVP for Directory Services, MCTS, MCSA, ITSM, iNet+,
Network+, and A+) is a solutions-focused IT consultant with over a decade of combined
success in architecture, security, strategic planning and disaster recovery planning.
John has designed and implemented dozens of complex directory service, e-Messaging, web,
networking, and security enterprise solutions. John is the author of Active Directory
Domain Services 2008 How-To (Sams Publishing). He maintains a blog at http://policelli.com/blog.

Article courtesy of Enterprise IT Planet
