In the last article in this series, I briefly recapitulated how Active Directory objects have to be restored in Windows Server 2003/2008. Today, I will explain how the new Active Directory Recycle Bin feature works and the changes that come with it. Let's first see in what way the Recycle Bin improves AD object restores.

Latest posts by Michael Pietroforte (see all)

Advantages of Active Directory Recycle Bin

There are three advantages in using the new Recycle Bin feature:

  • You can restore the state of Active Directory objects that they had at the time they were deleted, and not just the state of the last available backup.
  • You don't have to disable the directory services during the restore process, as with authoritative restores.
  • In contrast to tombstone reanimation, the object will be restored with all its attributes.

Active Directory Recycle Bin requirements

There are four requirements that have to be fulfilled so that an Active Directory object can be restored with the Recycle Bin:

  • At least one domain controller is running Windows Server 2008 R2
  • The functional level of Active Directory has to be Windows Server 2008 R2
  • Active Directory Recycle Bin is enabled
  • The deleted object lifetime of the AD object hasn't expired

Deleted object lifetime

The deleted object lifetime is a new concept in Windows Server 2008 R2. It determines the time period a deleted object stays in the Deleted Objects container (the Recycle Bin). By default, the deleted object lifetime is 180 days. After this time period, the object is recycled (see graphics below). Note that in an Active Directory with functional level Windows Server 2008 R2 where the Recycle Bin has not been enabled, everything works just as in Windows Server 2003/2008, i.e. there are no deleted objects, etc.
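The following PowerShell script is an added example, not part of the original article: it checks the four requirements listed above and reports the deleted object lifetime together with the date on which each currently deleted object will be recycled. It assumes the ActiveDirectory module (RSAT or a domain controller) and read access to the configuration partition; the deletion time is approximated from whenChanged, which is an assumption of this example.

```powershell
# Added example (not from the original article). Assumes the ActiveDirectory
# module is available and the caller can read the configuration partition.
Import-Module ActiveDirectory

function Get-ADRecycleBinStatus {
    $forest  = Get-ADForest
    $rootDSE = Get-ADRootDSE

    # Requirement 1: at least one domain controller runs Windows Server 2008 R2
    $dcs       = Get-ADDomainController -Filter *
    $has2008R2 = @($dcs | Where-Object { $_.OperatingSystem -like '*2008 R2*' }).Count -gt 0

    # Requirement 2: forest functional level is Windows Server 2008 R2 (or higher)
    $requiredMode = [Microsoft.ActiveDirectory.Management.ADForestMode]::Windows2008R2Forest
    $levelOk      = [int]$forest.ForestMode -ge [int]$requiredMode

    # Requirement 3: the optional feature "Recycle Bin Feature" is enabled somewhere
    $feature   = Get-ADOptionalFeature -Filter { Name -eq "Recycle Bin Feature" }
    $enabled   = ($feature -ne $null) -and (@($feature.EnabledScopes).Count -gt 0)

    # Deleted object lifetime lives on the Directory Service object in the config NC.
    # When msDS-DeletedObjectLifetime is not set, the tombstoneLifetime value applies.
    $dsPath   = "CN=Directory Service,CN=Windows NT,CN=Services,$($rootDSE.configurationNamingContext)"
    $dsConfig = Get-ADObject -Identity $dsPath -Properties msDS-DeletedObjectLifetime, tombstoneLifetime
    $lifetime = $dsConfig.'msDS-DeletedObjectLifetime'
    if (-not $lifetime) { $lifetime = $dsConfig.tombstoneLifetime }

    # Requirement 4: deleted objects whose lifetime has not expired are still restorable.
    # whenChanged is used as an approximation of the deletion time (assumption).
    $deleted = Get-ADObject -Filter 'isDeleted -eq $true -and name -ne "Deleted Objects"' `
                            -IncludeDeletedObjects -Properties whenChanged |
        Select-Object Name, DistinguishedName,
            @{ n = 'DeletedApprox'; e = { $_.whenChanged } },
            @{ n = 'RecycledOn';    e = { if ($lifetime) { $_.whenChanged.AddDays($lifetime) } } }

    [PSCustomObject]@{
        Has2008R2DC           = $has2008R2
        ForestLevelOk         = $levelOk
        RecycleBinEnabled     = $enabled
        DeletedObjectLifetime = $lifetime
        DeletedObjects        = $deleted
    }
}

$status = Get-ADRecycleBinStatus
$status | Format-List Has2008R2DC, ForestLevelOk, RecycleBinEnabled, DeletedObjectLifetime
$status.DeletedObjects | Format-Table Name, DeletedApprox, RecycledOn -AutoSize
```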

Recycled object vs. tombstone object

Like a tombstone object, a recycled object lacks most of the attributes of the original object. However, there are two fundamental differences between recycled and tombstone objects: recycled objects can't be reanimated, and you can't restore these objects from a backup. The purpose of recycled objects is to ensure that the information about the deletion of the object is replicated throughout the whole domain.

As with the tombstone lifetime, the recycled object lifetime determines the time period the originating domain controller retains knowledge of the recycled object, and thereby defines the time period a domain controller can be offline or may experience replication failures.

It is important to note that once you enable the Recycle Bin, all tombstone objects become recycled objects. As mentioned above, this implies that you can no longer restore those objects from a backup, even if the former tombstone lifetime hasn't expired yet. Tombstone objects don't exist in an Active Directory with the Recycle Bin enabled.


I suppose you understand now why the functional level has to be raised for this feature and why it has to be explicitly enabled. I will tell you how this can be done in my next post.

Articles in series: Active Directory Recycle Bin
  1. Active Directory Recycle Bin – Restore AD objects in Windows Server 2003/2008
  2. How to use and enable Active Directory Recycle Bin
  3. Active Directory Recycle Bin – Restoring deleted AD objects in Windows Server 2008 R2
  1. kamran 14 years ago

    AD Recycle Bin is a nice feature but has some limitations such as
    no GUI, no ability to restore changed objects (only deleted), Windows 2008 forest functional level, etc.

    What the AD Recyclebin Does Not Do

  2. Yes, that is absolutely right. Recycle Bin does not replace third party AD backup tools.

© 4sysops 2006 - 2023