In this two post series, I’ll discuss the Active Directory Recycle Bin in Windows Server 2012. In part 1, I’ll cover the prerequisites for the AD Recycle Bin and how to enable the feature.

Kyle Beckman

Kyle Beckman works as a systems administrator in Atlanta, GA supporting Office 365 in higher education. He has 17+ years of systems administration experience.

The Active Directory Recycle Bin isn’t a new feature in Windows Server 2012, but it has gotten a much needed enhancement since it was first made available in Windows Server 2008 R2: a GUI interface. The Active Directory Recycle Bin allows you to restore recently deleted AD objects without having to perform an authoritative restore of your AD or a restore of tombstoned objects. The AD Recycle Bin also has the added bonus of retaining object group membership and attributes so that you don’t have to manually restore settings like you do with tombstoned objects.

Previously, objects in the AD Recycle Bin could only be accessed using PowerShell. In Windows Server 2012, you can now access deleted objects in the Active Directory Administrative Center (ADAC) using a GUI. Even if you're creating a new Forest or Domain, the AD Recycle Bin is disabled by default. Once you turn it on, you're stuck with it: the feature cannot be disabled again. And, because this feature changes how AD stores deleted objects, you'll definitely want to test it with a copy of your production AD first so you can see how it affects replication and the AD database in your environment.

To get started, you’ll need the following:

  • At least one Domain Controller running Windows Server 2012 with the Active Directory Administrative Center enabled.
  • All Domain Controllers (or servers running AD LDS) must be running Windows Server 2008 R2 or higher.
  • The Forest must be running at Windows Server 2008 R2 functional level.

Forest Functional Level

First, let's verify that our Forest is running at the correct Forest Functional Level. The quickest way to do this is with the PowerShell cmdlet Get-ADForest. Run the command Get-ADForest yourdomain.local and look at the ForestMode property in the output.

[Screenshot: Get-ADForest output showing the Forest Functional Level]

As you can see in my PowerShell window, my Forest is running in the Windows 2008 mode and will need to be raised to at least the Windows Server 2008 R2 level. To do this, we'll run the Set-ADForestMode cmdlet. Run the command Set-ADForestMode -Identity yourdomain.local -ForestMode Windows2008R2Forest.

[Screenshot: Set-ADForestMode raising the Forest Mode]

After confirming that you want the command to run, you're done! If we re-run Get-ADForest yourdomain.local, we should be able to confirm that the Forest Functional Level is now at the minimum level required to enable the AD Recycle Bin.

[Screenshot: Get-ADForest output showing the Windows Server 2008 R2 Forest Mode]

Enable Active Directory Recycle Bin in Windows Server 2012

Now that the Forest Functional Level is at the minimum level, we can enable the AD Recycle Bin. Once again, the quickest, easiest way to do this is with a PowerShell command. The command is (replace the DC= components and the -Target value with your own forest):

Enable-ADOptionalFeature -Identity 'CN=Recycle Bin Feature,CN=Optional Features,CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=ad,DC=4sysops,DC=com' -Scope ForestOrConfigurationSet -Target 'ad.4sysops.com'

Confirm the action and the Active Directory Recycle Bin is enabled.

[Screenshot: Enable-ADOptionalFeature enabling the Windows Server 2012 Active Directory Recycle Bin]
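The three steps above (check the DC operating systems, raise the Forest Functional Level if needed, enable the feature and verify it) can be run as one pre-flight script. This is an added example, not code from the original post; it assumes the ActiveDirectory module is available and you are running it as an Enterprise Admin on a Windows Server 2012 domain controller.

```powershell
# Added example: pre-flight checks before enabling the AD Recycle Bin.
# Enabling the feature is irreversible, so every prerequisite is verified
# and the cmdlets are allowed to prompt for confirmation.
Import-Module ActiveDirectory

$forest   = Get-ADForest
$required = [Microsoft.ActiveDirectory.Management.ADForestMode]::Windows2008R2Forest

# 1. Every domain controller in every domain of the forest must run
#    Windows Server 2008 R2 or later. The regex flags 2000/2003/2008 RTM
#    but lets "2008 R2" through (simple string heuristic on OperatingSystem).
$oldDCs = foreach ($domain in $forest.Domains) {
    Get-ADDomainController -Filter * -Server $domain |
        Where-Object { $_.OperatingSystem -match 'Windows (Server )?(2000|2003|2008)(?! R2)' }
}
if ($oldDCs) {
    $oldDCs | Select-Object HostName, Domain, OperatingSystem | Format-Table -AutoSize
    throw 'Upgrade or demote the domain controllers listed above before continuing.'
}

# 2. Raise the Forest Functional Level only if it is still below 2008 R2.
if ([int]$forest.ForestMode -lt [int]$required) {
    Set-ADForestMode -Identity $forest.Name -ForestMode $required
    $forest = Get-ADForest   # refresh the object after the change
}
"Forest mode is now: $($forest.ForestMode)"

# 3. Enable the Recycle Bin unless it is already on. The feature can be
#    addressed by name; the full DN shown in the post is not required.
$feature = Get-ADOptionalFeature -Filter 'Name -eq "Recycle Bin Feature"'
if ($feature.EnabledScopes.Count -eq 0) {
    Enable-ADOptionalFeature -Identity 'Recycle Bin Feature' `
        -Scope ForestOrConfigurationSet -Target $forest.Name
}

# 4. Verify: EnabledScopes should now list the forest root domain NC and
#    the Configuration NC. An empty list means the change did not apply.
(Get-ADOptionalFeature -Filter 'Name -eq "Recycle Bin Feature"').EnabledScopes
```

Run it a second time after replication has settled: step 1 and 2 should report nothing to do and step 4 should still show both naming contexts.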

In my next post I will explain how to use the AD Recycle Bin in Windows Server 2012.

1 Comment
  1. Ngan 6 years ago

    This is the old PowerShell 2 way with Windows 2008 R2 to enable the Recycle Bin. It requires writing the long Identity DN. With Windows 2012 and PowerShell 3.0 it's easier, and you don't need to write the DN of the Recycle Bin feature.
    Here is the way to do it:
    Enable-ADOptionalFeature "Recycle Bin Feature" -Scope ForestOrConfigurationSet -Target "<>" -Confirm:$false

    Since I suppose you will be running it on a Domain Controller, you may not even need to know the FQDN of your domain and write it down; you can let PowerShell do it for you. Here is therefore this option:
    Enable-ADOptionalFeature "Recycle Bin Feature" -Scope ForestOrConfigurationSet -Target (Get-ADDomain).DnsRoot.ToString() -Confirm:$false
