By Kyle Beckman
The Active Directory Recycle Bin isn't new in Windows Server 2012, but it has gained a much-needed enhancement since it first appeared in Windows Server 2008 R2: a GUI. The AD Recycle Bin lets you restore recently deleted AD objects without performing an authoritative restore of AD or reanimating tombstoned objects. It also retains each object's group memberships and other attributes, so you don't have to rebuild those settings by hand the way you do after reanimating a tombstone.
Previously, objects in the AD Recycle Bin could only be accessed with PowerShell. In Windows Server 2012 you can also reach deleted objects through the Active Directory Administrative Center (ADAC) GUI. The AD Recycle Bin is disabled by default, even in a freshly created forest or domain. Once you turn it on, you cannot turn it off again. Because the feature changes how AD stores deleted objects (they are kept with their attributes intact for the deleted object lifetime, which defaults to the tombstone lifetime), test it on a copy of your production AD first so you can see how it affects replication and database size in your environment. Keep an eye on who can restore, too: by default only administrators have rights on the Deleted Objects container, and anyone you delegate that right to can bring back a removed account complete with its former group memberships.
To get started, you’ll need the following:
- At least one Domain Controller running Windows Server 2012 with the Active Directory Administrative Center installed.
- All Domain Controllers (or servers running AD LDS) must be running Windows Server 2008 R2 or higher.
- The Forest must be running at Windows Server 2008 R2 functional level.
Forest Functional Level
First, let's verify that the forest is at the required Forest Functional Level. The quickest way is the Get-ADForest cmdlet from the ActiveDirectory module: run Get-ADForest yourdomain.local and look at the ForestMode property.
[Figure: Forest Functional Level]
As you can see in my PowerShell window, my forest is running in Windows Server 2008 mode (Windows2008Forest) and needs to be raised to at least the Windows Server 2008 R2 level. To do this, we'll use the Set-ADForestMode cmdlet: run Set-ADForestMode -Identity yourdomain.local -ForestMode Windows2008R2Forest. The cmdlet refuses to raise the level unless every domain in the forest is already at the Windows Server 2008 R2 domain functional level (raise any stragglers first with Set-ADDomainMode) and every DC runs Windows Server 2008 R2 or later. Raising the functional level is effectively a one-way change, so be sure you will not need to add older DCs to the forest later.
After confirming that you want the command to run, you're done. If we re-run Get-ADForest yourdomain.local, ForestMode should now show Windows2008R2Forest, the minimum level for the AD Recycle Bin.
[Figure: Windows Server 2008 R2 Forest Mode]
Enable Active Directory Recycle Bin in Windows Server 2012
Now that the Forest Functional Level is high enough, we can enable the AD Recycle Bin. Once again, the quickest, easiest way is a PowerShell command, run as a member of Enterprise Admins. The command, shown here for the author's forest ad.4sysops.com (substitute the DN and name of your own forest), is:
Enable-ADOptionalFeature -Identity 'CN=Recycle Bin Feature,CN=Optional Features,CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=ad,DC=4sysops,DC=com' -Scope ForestOrConfigurationSet -Target 'ad.4sysops.com'
Confirm the action (the cmdlet warns that enabling the feature is irreversible) and the Active Directory Recycle Bin is enabled for the whole forest. The -Identity value can also be shortened to just 'Recycle Bin Feature'; the long distinguished name is only the fully qualified form of the same object.
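The whole procedure above, as one added script (example code written for this page, not from the original post or its author): it checks every domain controller's OS version and every domain's functional level, raises the domain and forest levels only where needed, enables the Recycle Bin only if it is not already on, and then verifies the result and reports how long deleted objects will stay restorable. The forest name ad.example.com is a placeholder; the ActiveDirectory RSAT module, an elevated session on a Windows Server 2012 DC and Enterprise Admins membership are assumed. Each of the three state-changing cmdlets prompts for confirmation on its own, so the script never makes an irreversible change silently.

```powershell
# Added example (not from the original post): pre-flight checks, functional-level raise
# and Recycle Bin enablement in one idempotent script. Run elevated on a Windows Server 2012
# DC as a member of Enterprise Admins. The forest name is a placeholder; replace it with yours.
#Requires -Modules ActiveDirectory
param(
    [string]$ForestName = 'ad.example.com'   # placeholder, not the author's forest
)
Import-Module ActiveDirectory

$forest   = Get-ADForest -Identity $ForestName
$required = [Microsoft.ActiveDirectory.Management.ADForestMode]::Windows2008R2Forest

# 1. Every DC in every domain must run Windows Server 2008 R2 (NT 6.1) or later,
#    otherwise Set-ADForestMode refuses to raise the level.
$oldDCs = foreach ($domain in $forest.Domains) {
    Get-ADDomainController -Filter * -Server $domain |
        Where-Object {
            # OperatingSystemVersion looks like "6.1 (7601)"; keep only the major.minor part
            [version]($_.OperatingSystemVersion -replace '\s*\(.*\)$', '') -lt [version]'6.1'
        }
}
if ($oldDCs) {
    $oldDCs | Select-Object HostName, Domain, OperatingSystem, OperatingSystemVersion | Format-Table -AutoSize
    throw 'Domain controllers older than Windows Server 2008 R2 found; upgrade or demote them first.'
}

# 2. Each domain functional level must be at 2008 R2 before the forest level can be raised.
$requiredDomain = [Microsoft.ActiveDirectory.Management.ADDomainMode]::Windows2008R2Domain
foreach ($domain in $forest.Domains) {
    $d = Get-ADDomain -Identity $domain
    if ([int]$d.DomainMode -lt [int]$requiredDomain) {
        Write-Host "Raising domain functional level of $domain from $($d.DomainMode)"
        Set-ADDomainMode -Identity $domain -DomainMode Windows2008R2Domain   # prompts for confirmation
    }
}

# 3. Raise the forest functional level if it is still below 2008 R2 (a one-way change).
if ([int]$forest.ForestMode -lt [int]$required) {
    Write-Host "Raising forest functional level from $($forest.ForestMode)"
    Set-ADForestMode -Identity $ForestName -ForestMode Windows2008R2Forest   # prompts for confirmation
}

# 4. Enable the Recycle Bin only if no scope has it enabled yet. The feature object itself
#    is a valid -Identity, so the long DN from the post is not needed here.
$feature = Get-ADOptionalFeature -Filter { Name -eq 'Recycle Bin Feature' }
if ($feature.EnabledScopes.Count -eq 0) {
    # prompts for confirmation and warns that enabling is irreversible
    Enable-ADOptionalFeature -Identity $feature -Scope ForestOrConfigurationSet -Target $ForestName
} else {
    Write-Host 'Recycle Bin Feature is already enabled'
}

# 5. Verify, and report how long deleted objects stay restorable. msDS-DeletedObjectLifetime
#    falls back to tombstoneLifetime when unset; tombstoneLifetime itself defaults to 60 days
#    on forests created before Windows Server 2003 SP1 and 180 days on newer ones.
$feature  = Get-ADOptionalFeature -Filter { Name -eq 'Recycle Bin Feature' }
$configNC = (Get-ADRootDSE).configurationNamingContext
$dsConfig = Get-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$configNC" `
    -Properties 'msDS-DeletedObjectLifetime', 'tombstoneLifetime'

[pscustomobject]@{
    ForestMode            = (Get-ADForest -Identity $ForestName).ForestMode
    RecycleBinEnabledIn   = ($feature.EnabledScopes -join '; ')
    DeletedObjectLifetime = $dsConfig.'msDS-DeletedObjectLifetime'   # $null means "same as tombstoneLifetime"
    TombstoneLifetime     = $dsConfig.tombstoneLifetime              # $null means the 60-day default
}
```

Run it once before the change to see the pre-flight report and once after to confirm EnabledScopes lists your forest's Partitions container; a non-empty EnabledScopes is the authoritative sign that the feature is on, regardless of what ADAC shows.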
[Figure: Enable Windows Server 2012 Active Directory Recycle Bin]
In my next post I will explain how to use the AD Recycle Bin in Windows Server 2012.