Enabling the AD Recycle Bin

A lot of information on enabling the AD Recycle Bin can be found at the following link: https://technet.microsoft.com/en-us/library/dd379484(v=ws.10).aspx

Key Notes:

  • The forest functional level (FFL) must be at least Windows Server 2008 R2, which in turn means every domain controller in the forest must run Windows Server 2008 R2 or later.
  • Enterprise Admins, or equivalent, is the minimum required to complete these procedures.
  • The process of enabling Active Directory Recycle Bin is irreversible. After you enable Active Directory Recycle Bin in your environment, it cannot be disabled.
  • Enabling the Recycle Bin also removes the ability to lower the FFL or DFL back to Windows Server 2008.
  • Expect to see growth in your AD Database after enabling the feature.
  • Do not attempt to recover a recycled object through an authoritative restore from a backup of AD DS. Instead, we recommend that you recover deleted objects with Active Directory Recycle Bin during the deleted object lifetime.
  • By default, a “recycled object” in Windows Server 2008 R2 preserves the same set of attributes as a “tombstone object” in Windows Server 2003 and Windows Server 2008.

Functions:

  • After the “deleted object” lifetime expires, the logically “deleted object” is turned into a “recycled object” and most of its attributes are stripped away. A “recycled object,” which is a new state in Windows Server 2008 R2, remains in the Deleted Objects container until its “recycled object” lifetime expires. After the recycled object lifetime expires, the garbage-collection process physically deletes the recycled Active Directory object from the database.

  • The deleted object lifetime is determined by the value of the msDS-deletedObjectLifetime attribute. The recycled object lifetime is determined by the value of the legacy tombstoneLifetime attribute. By default, msDS-deletedObjectLifetime is set to null. When msDS-deletedObjectLifetime is set to null, the deleted object lifetime is set to the value of the recycled object lifetime. By default, the recycled object lifetime, which is stored in the tombstoneLifetime attribute, is also set to null. In Windows Server 2008 R2, when tombstoneLifetime is set to null, the recycled object lifetime defaults to 180 days. In your case I think it is set to 60 days.

  • You can use Active Directory Recycle Bin to restore all deleted objects that were previously stored in AD DS. However, if you use Active Directory Recycle Bin to restore deleted Group Policy objects (GPOs) or Exchange-related objects that were previously stored in AD DS, any application-specific data for these objects that was not stored in AD DS will not be restored.
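
Both lifetimes live on one object in the configuration partition, so the fallback rules above can be checked directly instead of guessed at. The script below is an added example; it is not part of the original post or the TechNet guide it links to. It assumes the RSAT ActiveDirectory module is loaded and that the caller can read the configuration naming context; the function name Get-ADDeletedObjectLifetime is an assumption for this example, as is treating an unset tombstoneLifetime as 180 days (the rule stated above for 2008 R2).

```powershell
Import-Module ActiveDirectory

function Get-ADDeletedObjectLifetime {
    # Reads msDS-DeletedObjectLifetime and tombstoneLifetime from the Directory Service object
    # and applies the fallback rules described in the text above.
    param(
        # Used when tombstoneLifetime is unset. 180 follows the 2008 R2 rule quoted above; older
        # forests are known to behave as 60 days, so verify against your own DCs (assumption).
        [int]$UnsetTombstoneDefault = 180
    )
    $dsDn = "CN=Directory Service,CN=Windows NT,CN=Services,$((Get-ADRootDSE).configurationNamingContext)"
    $ds   = Get-ADObject -Identity $dsDn -Properties 'msDS-DeletedObjectLifetime', tombstoneLifetime

    # recycled object lifetime = tombstoneLifetime, or the default when the attribute is absent
    $recycled = if ($null -eq $ds.tombstoneLifetime) { $UnsetTombstoneDefault } else { [int]$ds.tombstoneLifetime }
    # deleted object lifetime  = msDS-DeletedObjectLifetime, or the recycled lifetime when absent
    $deleted  = if ($null -eq $ds.'msDS-DeletedObjectLifetime') { $recycled } else { [int]$ds.'msDS-DeletedObjectLifetime' }

    New-Object PSObject -Property @{
        DirectoryServiceDn         = $dsDn
        TombstoneLifetimeRaw       = $ds.tombstoneLifetime             # $null when not set
        DeletedObjectLifetimeRaw   = $ds.'msDS-DeletedObjectLifetime'  # $null when not set
        RecycledObjectLifetimeDays = $recycled
        DeletedObjectLifetimeDays  = $deleted    # the window in which Restore-ADObject still works
    }
}

Get-ADDeletedObjectLifetime | Format-List

# To lengthen the restore window, set msDS-DeletedObjectLifetime explicitly (in days). This writes
# to the configuration partition, replicates forest-wide and needs Enterprise Admins; uncomment to apply.
# Set-ADObject -Identity (Get-ADDeletedObjectLifetime).DirectoryServiceDn -Replace @{ 'msDS-DeletedObjectLifetime' = 365 }
```

Run the read-only part first; the DeletedObjectLifetimeDays value is the one that matters operationally, because once an object passes it Restore-ADObject can no longer bring it back with its attributes intact.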


Enabling the Recycle Bin:

To enable the Recycle Bin from PowerShell (note: elevation is required, and the account must be a member of Enterprise Admins or equivalent). Replace DC=corp,DC=contoso,DC=com and corp.contoso.com with your own forest root:

Enable-ADOptionalFeature -Identity 'CN=Recycle Bin Feature,CN=Optional Features,CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=corp,DC=contoso,DC=com' -Scope ForestOrConfigurationSet -Target 'corp.contoso.com'
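
Because the command above cannot be undone, it is worth checking the Key Notes prerequisites in the same session before running it. The script below is an added example, not code from the original post or from the linked TechNet guide; it assumes the RSAT ActiveDirectory module is loaded and that it runs from an elevated session as the text says. The function name Test-ADRecycleBinPrereqs is an assumption for this example.

```powershell
Import-Module ActiveDirectory

function Test-ADRecycleBinPrereqs {
    # Gathers the facts the Key Notes depend on: forest functional level, caller's group membership,
    # and whether the optional feature is already enabled somewhere.
    $forest    = Get-ADForest
    $rootDse   = Get-ADRootDSE
    $featureDn = "CN=Recycle Bin Feature,CN=Optional Features,CN=Directory Service,CN=Windows NT,CN=Services,$($rootDse.configurationNamingContext)"
    $feature   = Get-ADOptionalFeature -Identity $featureDn

    # ADForestMode is an enum ordered by release, so a numeric comparison gives "2008 R2 or higher".
    $minMode = [Microsoft.ActiveDirectory.Management.ADForestMode]::Windows2008R2Forest
    $fflOk   = [int]$forest.ForestMode -ge [int]$minMode

    # Enterprise Admins is the forest root domain SID with RID 519; look for it in the current token.
    $eaSid = "$((Get-ADDomain -Identity $forest.RootDomain).DomainSID.Value)-519"
    $token = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $isEa  = @($token.Groups | ForEach-Object { $_.Value }) -contains $eaSid

    New-Object PSObject -Property @{
        ForestName              = $forest.Name
        ForestMode              = $forest.ForestMode
        ForestModeOk            = $fflOk
        CallerIsEnterpriseAdmin = $isEa
        AlreadyEnabledIn        = @($feature.EnabledScopes)   # partitions where the feature is on
        FeatureDn               = $featureDn
    }
}

$check = Test-ADRecycleBinPrereqs
$check | Format-List

if (-not $check.ForestModeOk) { throw "Forest functional level is $($check.ForestMode); raise it to Windows Server 2008 R2 first." }
if ($check.AlreadyEnabledIn.Count -gt 0) { "Recycle Bin already enabled in: $($check.AlreadyEnabledIn -join '; ')"; return }
if (-not $check.CallerIsEnterpriseAdmin) { Write-Warning "Current token does not contain Enterprise Admins; the enable call will most likely be denied." }

# The irreversible step. Enable-ADOptionalFeature prompts for confirmation by default; keep that prompt.
Enable-ADOptionalFeature -Identity $check.FeatureDn -Scope ForestOrConfigurationSet -Target $check.ForestName

# Verify: EnabledScopes should now list the configuration partition and every domain partition.
(Get-ADOptionalFeature -Identity $check.FeatureDn).EnabledScopes
```

The group check only inspects the local token, so a session that was not elevated may show Enterprise Admins as missing even when the account is a member; that is one more reason to run the script from the elevated session the text calls for.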


Restore a Deleted Object:

More examples can be found here: https://technet.microsoft.com/en-us/library/dd379509(v=ws.10).aspx

On Windows Server 2008 R2, PowerShell must be used to restore a deleted object (note: elevation is required). On Windows Server 2012 and later, the Active Directory Administrative Center (dsac.exe) offers a recovery GUI in addition to PowerShell. (NOTE: the Remote Server Administration Tools (RSAT) make both available from a workstation.)

To view the object before recovering it (with the Recycle Bin enabled a deleted object keeps its attributes, so it can still be found by displayName; its Name/RDN, however, is mangled to "<name>\0ADEL:<objectGUID>"):

Get-ADObject -Filter {displayName -eq "Mary Jones"} -IncludeDeletedObjects

or to view the previous OU of the object before it was deleted (to confirm whether that OU itself was removed; if it was, restore the OU first, or pass -TargetPath to Restore-ADObject):

Get-ADObject -Filter {displayName -eq "Mary Jones"} -IncludeDeletedObjects -Properties lastKnownParent

To recover the object (the isDeleted clause keeps a live account with the same displayName, for example one re-created after the deletion, out of the pipeline, since Restore-ADObject is only valid for deleted objects):

Get-ADObject -Filter {displayName -eq "Mary Jones" -and isDeleted -eq $true} -IncludeDeletedObjects | Restore-ADObject

Note: additional steps are required to restore an entire OU, because the deleted OU must be restored before the objects that were under it. The steps are included in the link above.
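
The link above walks through restoring an OU and then its children by hand. The script below is an added example (not the original post's code and not from the TechNet article) that automates that order: it restores the OU first, then every object whose lastKnownParent pointed at it, level by level, with -WhatIf for a dry run. The function name Restore-ADDeletedSubtree, the OU name Sales and the domain corp.contoso.com are assumptions; it assumes the ActiveDirectory module is loaded and the Recycle Bin is enabled.

```powershell
Import-Module ActiveDirectory

function Restore-ADDeletedSubtree {
    # Restores a deleted OU and everything that was deleted with it, parents before children.
    # Added example; not from the original post or the TechNet article it links to.
    param(
        [Parameter(Mandatory)][string]$OuName,            # original RDN value of the OU, e.g. 'Sales'
        [Parameter(Mandatory)][string]$OriginalParentDn,  # container it lived in, e.g. 'DC=corp,DC=contoso,DC=com'
        [switch]$WhatIf                                   # dry run: report what would be restored
    )
    $domainDn    = (Get-ADDomain).DistinguishedName
    $deletedBase = "CN=Deleted Objects,$domainDn"

    # One query for every restorable (deleted but not yet recycled) object. Each one keeps
    # msDS-LastKnownRDN (its original RDN) and lastKnownParent (the container it was in).
    $all = @(Get-ADObject -SearchBase $deletedBase -IncludeDeletedObjects `
        -Filter 'isDeleted -eq $true -and isRecycled -ne $true' `
        -Properties lastKnownParent, 'msDS-LastKnownRDN', whenChanged)

    $roots = @($all | Where-Object {
        $_.ObjectClass -eq 'organizationalUnit' -and
        $_.'msDS-LastKnownRDN' -eq $OuName -and
        $_.lastKnownParent -eq $OriginalParentDn })
    if ($roots.Count -eq 0) { throw "No deleted OU '$OuName' under '$OriginalParentDn' in $deletedBase." }
    if ($roots.Count -gt 1) {
        # Same OU deleted and re-created more than once: refuse to guess, list the candidates.
        $roots | Select-Object ObjectGUID, whenChanged | Out-String | Write-Warning
        throw "Several deleted OUs named '$OuName'; restore the right one by GUID with Restore-ADObject -Identity <guid>."
    }

    # Breadth-first work queue: each entry is a deleted object plus the container to put it back in.
    $queue = New-Object System.Collections.Queue
    $queue.Enqueue(@{ Object = $roots[0]; TargetPath = $OriginalParentDn })
    $restored = @()

    while ($queue.Count -gt 0) {
        $item  = $queue.Dequeue()
        $obj   = $item.Object
        $rdn   = if ($obj.ObjectClass -eq 'organizationalUnit') { 'OU' } else { 'CN' }
        $newDn = "$rdn=$($obj.'msDS-LastKnownRDN'),$($item.TargetPath)"

        # -TargetPath is given explicitly: a child's lastKnownParent may point at the parent's mangled
        # Deleted Objects DN, which no longer exists once the parent has been restored.
        Restore-ADObject -Identity $obj.ObjectGUID -TargetPath $item.TargetPath -WhatIf:$WhatIf
        $restored += $newDn

        # Children recorded this parent either by its original DN or by its mangled Deleted Objects DN,
        # which embeds the parent's GUID after 'DEL:'. Match both; the GUID match also covers RDNs with
        # LDAP-escaped characters (commas, etc.) that the naive $newDn above would not reproduce.
        $guidTag = "DEL:$($obj.ObjectGUID)"
        foreach ($child in $all) {
            if ($child.ObjectGUID -eq $obj.ObjectGUID) { continue }
            if ($child.lastKnownParent -eq $newDn -or $child.lastKnownParent -like "*$guidTag*") {
                $queue.Enqueue(@{ Object = $child; TargetPath = $newDn })
            }
        }
    }
    $restored   # DNs as they will exist after the restore, in the order they were processed
}

# Usage (assumed names): preview first, then run for real.
# Restore-ADDeletedSubtree -OuName 'Sales' -OriginalParentDn 'DC=corp,DC=contoso,DC=com' -WhatIf
# Restore-ADDeletedSubtree -OuName 'Sales' -OriginalParentDn 'DC=corp,DC=contoso,DC=com'
```

Two caveats the dry run will surface: an object that was deleted from the OU on its own, earlier but still inside the deleted object lifetime, also has that OU as lastKnownParent and will be restored along with the subtree (filter on whenChanged if that is not wanted); and only OU versus CN RDNs are handled, which covers users, groups, computers, containers and OUs but not exotic object classes with other naming attributes.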
