Active Directory Recycle Bin – Restore AD objects in Windows Server 2003/2008

By Michael Pietroforte (MVP) - Fri, September 25, 2009

Michael Pietroforte is a Microsoft Most Valuable Professional (MVP) with more than 28 years of experience in system administration.

Active Directory Recycle Bin

Active Directory Recycle Bin is a new Windows Server 2008 R2 feature that allows you to easily restore accidentally deleted Active Directory objects. When I first heard about this feature, I thought that the Active Directory Users and Computers console (ADUC) would simply provide a Recycle Bin like the one we know from Windows Explorer. However, things are a lot more complicated with the Active Directory Recycle Bin. This is why I need two posts just to summarize the essentials that every Windows administrator has to know.

Before I describe how the Recycle Bin works, however, I will recapitulate how the restoration of Active Directory objects works with previous Windows versions. This makes it easier to understand the changes that were introduced in Windows Server 2008 R2.

In previous Windows versions there are basically two ways to restore deleted AD objects. You can run an authoritative restore of an Active Directory backup, or you can perform a tombstone reanimation of the deleted objects.

Authoritative restores

An authoritative restore of an Active Directory backup allows you to restore particular objects. Authoritative means that the state of the restored objects overwrites the information on the other domain controllers in the domain; nonauthoritatively restored objects would appear as old data to the Active Directory replication system and be overwritten again. An authoritative restore has two downsides. First, you can only restore the objects to the state they had when the last backup ran. Second, the procedure is inconvenient, to say the least. You have to take the directory service offline by restarting the domain controller in Directory Services Restore Mode (DSRM), which means that domain controller provides no directory services for the duration of the restore.

Tombstone reanimation

Tombstone reanimation of deleted AD objects can be performed while Active Directory is online. Its biggest disadvantage, however, is that most attributes are stripped when an object is deleted from Active Directory. The main purpose of tombstone objects is to ensure that the information about deleted objects is replicated to all domain controllers. You can configure Active Directory to preserve additional attributes in tombstone objects, but this is only a workaround. You will see that the new Active Directory Recycle Bin is much more convenient. You can easily reanimate tombstones with free tools such as Quest Object Restore for Active Directory and ADRestore.NET.

Tombstone lifetime

Another important function of tombstone objects is to make authoritative restores possible. You can only perform authoritative restores and tombstone reanimations as long as the tombstone objects have not been physically deleted by the garbage collection process. In Windows Server 2003/2008, the tombstone lifetime is 180 days by default. You can't use Active Directory backups to restore single objects from backups that are older than the tombstone lifetime. If you want your backups to remain usable for a longer time, you have to increase the tombstone lifetime.
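The check that follows from this paragraph, as an added example that is not part of the original post: read the forest-wide tombstoneLifetime attribute, work out whether a given backup is still young enough for an authoritative restore of single objects, and raise the lifetime if needed. It assumes the ActiveDirectory PowerShell module (Windows Server 2008 R2 or RSAT) and read rights on the Configuration partition; the 365-day value and the sample backup age are constructed for illustration.

```powershell
# Added example, not from the original post. Requires the ActiveDirectory module.
Import-Module ActiveDirectory

# The forest-wide tombstone lifetime is stored on the Directory Service object
# in the Configuration naming context.
function Get-DirectoryServiceObject {
    $configNC = (Get-ADRootDSE).configurationNamingContext
    Get-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$configNC" `
                 -Properties tombstoneLifetime
}

function Get-TombstoneLifetimeDays {
    $ds = Get-DirectoryServiceObject
    if ($null -eq $ds.tombstoneLifetime) {
        # Attribute absent: Windows uses a built-in default (60 days for forests
        # created before Windows Server 2003 SP1, 180 days otherwise). Assume the
        # shorter value so backup usability is never overstated.
        Write-Warning 'tombstoneLifetime is not set explicitly; assuming 60 days.'
        return 60
    }
    return [int]$ds.tombstoneLifetime
}

# A backup can only be used to authoritatively restore single objects while it
# is younger than the tombstone lifetime; report how much time is left.
function Test-BackupUsableForAuthoritativeRestore {
    param([Parameter(Mandatory)][datetime]$BackupDate)
    $lifetime = Get-TombstoneLifetimeDays
    $expires  = $BackupDate.AddDays($lifetime)
    [pscustomobject]@{
        BackupDate            = $BackupDate
        TombstoneLifetimeDays = $lifetime
        UsableUntil           = $expires
        Usable                = ((Get-Date) -lt $expires)
        DaysRemaining         = [math]::Floor(($expires - (Get-Date)).TotalDays)
    }
}

# Raise the tombstone lifetime so backups stay usable longer. Needs Enterprise
# Admins rights; the new value replicates forest-wide and also keeps tombstones
# in the database for that long.
function Set-TombstoneLifetimeDays {
    param([Parameter(Mandatory)][int]$Days)
    Get-DirectoryServiceObject | Set-ADObject -Replace @{ tombstoneLifetime = $Days }
}

# Constructed sample: a backup taken 200 days ago.
Test-BackupUsableForAuthoritativeRestore -BackupDate (Get-Date).AddDays(-200)
# Set-TombstoneLifetimeDays -Days 365   # constructed value; uncomment to apply
```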

If the Recycle Bin is enabled in Active Directory, things are fundamentally different, as we will see shortly. In my next post I will summarize the theory behind the Recycle Bin, and in the third and last post in this series I will show how the Recycle Bin is used. I can already tell you that it is much easier than Microsoft's documentation makes it seem.
