I was at first overjoyed when I read that Microsoft was going to include an Active Directory Recycle Bin in Windows 2008 R2. We all know how the Windows Recycle Bin has helped us on innumerable occasions. Wow, a similar thing for Active Directory, where we can restore a deleted object with ease... In this blog we can check how far the first impression any IT admin has when he hears the term "AD Recycle Bin" is correct.
As you guys are already aware, IT administrators could previously retrieve deleted AD objects using an authoritative restore, a non-authoritative restore (system state restore) or tombstone reanimation. All of these restoration methods share a common drawback: they do not restore all of the AD object's attributes by default. You need some additional recovery step to get the attributes back. On top of that, all of the above processes are complex and time-consuming.
What gives restoration using the AD Recycle Bin its cutting edge is that it restores AD objects with all of their attributes preserved. Let's check how Microsoft makes this possible. It is actually made possible by two new AD object states.
1. Deleted AD object state (the default lifetime is 180 days): it replaces the Tombstone state. The important difference of this state is that it leaves all of the AD object's attributes intact.
2. Recycled AD object state: a new object state introduced with Windows 2008. When the Deleted state expires, the object moves into the Recycled state. At this point some of the AD object's attributes are stripped, so an object in this state can no longer be restored with its attributes.
Once the Recycled state expires, the space occupied by the AD object is freed and is reclaimed from the AD database during the next online defragmentation.
Another interesting point to note is that the AD Recycle Bin is not enabled by default; we need to enable it manually. You also need to ensure that the domain and forest functional levels are at the Server 2008 R2 functional level.
Contrary to the Windows Recycle Bin, the AD Recycle Bin is not represented by an MMC snap-in, and the deleted objects are not accessible from the usual AD management tools. The most practical way of accessing them is through PowerShell cmdlets.
You can enable the AD Recycle Bin feature using the following cmdlet. Make sure that you replace <your forest root domain name> with your actual forest root domain name (in the -Identity value it must be written as DC= components, for example DC=contoso,DC=com).
PS: The process of enabling the AD Recycle Bin is irreversible.
Enable-ADOptionalFeature -Identity 'CN=Recycle Bin Feature,CN=Optional Features,CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=<your forest root domain name>' -Scope ForestOrConfigurationSet -Target '<your forest root domain name>'
The cmdlet below lists all deleted objects together with their attributes (the "Deleted Objects" container itself is excluded from the results).
Get-ADObject -Filter 'isDeleted -eq $true -and name -ne "Deleted Objects"' -IncludeDeletedObjects -Properties *
To restore an AD object, you need to know the object's distinguished name or GUID. Now run the following cmdlet with one of those as its argument.
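As an added example (not code from the original post), the listing above followed by a restore by GUID, covering the case where the object's parent container was deleted along with it and has to be restored first. It assumes the ActiveDirectory module is available and the Recycle Bin is already enabled; Restore-DeletedObjectTree is a hypothetical helper name.

```powershell
# Added example, not from the original post.
# Assumes the ActiveDirectory module and an enabled AD Recycle Bin.
Import-Module ActiveDirectory

# Check that the optional feature really is enabled before relying on it.
$feature = Get-ADOptionalFeature -Filter 'name -like "Recycle Bin Feature"'
if (-not $feature.EnabledScopes) { throw 'AD Recycle Bin is not enabled in this forest.' }

# List deleted objects with the attributes needed to decide what to restore:
# msDS-LastKnownRDN is the original name, lastKnownParent is where it lived.
Get-ADObject -Filter 'isDeleted -eq $true -and name -ne "Deleted Objects"' `
    -IncludeDeletedObjects -Properties msDS-LastKnownRDN, lastKnownParent, whenChanged |
    Select-Object msDS-LastKnownRDN, objectClass, lastKnownParent, whenChanged, objectGUID |
    Format-Table -AutoSize

function Restore-DeletedObjectTree {
    # Restore the object with the given GUID. If its last known parent is itself
    # sitting in the Deleted Objects container, restore that parent first
    # (recursively), because Restore-ADObject fails when the target parent
    # container does not exist.
    param([Parameter(Mandatory)][guid]$ObjectGuid)

    $obj = Get-ADObject -Identity $ObjectGuid -IncludeDeletedObjects -Properties lastKnownParent
    if (-not $obj.Deleted) {
        Write-Verbose "$ObjectGuid is a live object; nothing to restore"
        return $obj
    }

    # A deleted parent's DN carries the "\0ADEL:<guid>" mangling, so the GUID
    # of the parent can be pulled straight out of lastKnownParent.
    if ($obj.lastKnownParent -match '\\0ADEL:([0-9a-fA-F-]{36})') {
        Restore-DeletedObjectTree -ObjectGuid ([guid]$Matches[1]) | Out-Null
    }

    # -Confirm prompts before each restore; use -WhatIf to preview instead.
    Restore-ADObject -Identity $ObjectGuid -Confirm -PassThru
}

# Usage: replace the placeholder with an objectGUID from the listing above.
# Restore-DeletedObjectTree -ObjectGuid '00000000-0000-0000-0000-000000000000'
```

Restored objects come back with the attributes the Deleted state preserved, which is exactly what the tombstone-based methods could not do.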
If you find these PowerShell commands hard to tame, there are a couple of third-party tools available: Overallsolutions' ADrecyclebin and PowerGUI's AD Recycle Bin. (I haven't had a chance to test either of them!)
I hope this will help you guys perform a restore using the AD Recycle Bin feature in case it is needed.
Blog by Harivishnu