In the last article in this series, I briefly recapitulated how Active Directory objects have to be restored in Windows Server 2003/2008. Today, I will explain how the new Active Directory Recycle Bin feature works and the changes that come with it. Let's first look at how the Recycle Bin improves AD object restores.
Advantages of Active Directory Recycle Bin
There are three advantages in using the new Recycle Bin feature:
- You can restore Active Directory objects to the state they had at the moment they were deleted, not just to the state captured by the last available backup.
- You don't have to take a domain controller offline (reboot into Directory Services Restore Mode) during the restore, as you must for an authoritative restore.
- In contrast to tombstone reanimation, the object is restored with all its attributes, including link-valued attributes such as group memberships.
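The restore itself is a single cmdlet once the object has been located in the Deleted Objects container. The following is an added example (not code from the original article), written for the ActiveDirectory PowerShell module that ships with Windows Server 2008 R2 / RSAT; the account name jdoe and the OU names are assumptions, and it presumes the Recycle Bin is already enabled in the forest.

```powershell
# Added example: restore a deleted user object with the AD Recycle Bin.
# Assumes the ActiveDirectory module and an enabled Recycle Bin. "jdoe" is made up.
Import-Module ActiveDirectory

# Deleted objects are hidden from normal LDAP searches; -IncludeDeletedObjects
# makes Get-ADObject return them. A deleted object's Name looks like
# "jdoe\0ADEL:<guid>", so a prefix match on the original name finds it.
$deleted = Get-ADObject -Filter { isDeleted -eq $true -and objectClass -eq 'user' -and Name -like 'jdoe*' } `
                        -IncludeDeletedObjects `
                        -Properties Name, sAMAccountName, lastKnownParent, whenChanged, isRecycled

if (-not $deleted) {
    Write-Warning 'No deleted user named jdoe* found (already recycled and expired, or never existed).'
}

foreach ($obj in $deleted) {
    # isRecycled is set once the deleted object lifetime has expired. Such an
    # object has been stripped of its attributes and Restore-ADObject rejects it.
    if ($obj.isRecycled) {
        Write-Warning ('{0} is already recycled (attributes stripped); it cannot be restored.' -f $obj.Name)
        continue
    }

    try {
        # Restore-ADObject moves the object back under its lastKnownParent with
        # all preserved attributes, including group memberships. If that OU no
        # longer exists, pass -TargetPath with the DN of another container.
        Restore-ADObject -Identity $obj.ObjectGUID -ErrorAction Stop
        Write-Host ('Restored {0} (last changed {1}) to {2}' -f $obj.sAMAccountName, $obj.whenChanged, $obj.lastKnownParent)
    }
    catch {
        Write-Warning ('Restore of {0} failed: {1}' -f $obj.Name, $_.Exception.Message)
    }
}
```

Two practical notes: a deleted OU must be restored before the objects that were inside it, because their lastKnownParent points at the OU and the restore fails while the parent is still deleted; and whenChanged is updated when isDeleted is set, so it serves as an approximation of the deletion time when you need to estimate how much of the deleted object lifetime is left.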
Active Directory Recycle Bin requirements
Four requirements must be met before an Active Directory object can be restored with the Recycle Bin:
- All domain controllers in the forest are running Windows Server 2008 R2 (a prerequisite for the next requirement, since the functional level cannot be raised while older domain controllers exist)
- The forest functional level is Windows Server 2008 R2
- Active Directory Recycle Bin is enabled
- The deleted object lifetime of the AD object hasn't expired
Deleted object lifetime
The deleted object lifetime is a new concept in Windows Server 2008 R2. It determines how long a deleted object stays in the Deleted Objects container, the Recycle Bin, with its attributes intact. By default, the deleted object lifetime is 180 days: if the attribute msDS-DeletedObjectLifetime is not set, AD falls back to the tombstone lifetime, which is 180 days in forests created with Windows Server 2003 SP1 or later. After this period, the object is recycled (see graphic below). Note that in a forest at functional level Windows Server 2008 R2 in which the Recycle Bin has not been enabled, everything works just as in Windows Server 2003/2008, i.e. a deleted object becomes a tombstone immediately, and there are no recoverable deleted objects in the sense described here.
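The four requirements and both lifetimes can be read from the directory in one go. The following is an added example, not code from the original article; it assumes the ActiveDirectory PowerShell module on a domain-joined machine and is written to run under the PowerShell 2.0 that ships with Windows Server 2008 R2. The function name Test-ADRecycleBinReadiness is made up for this illustration.

```powershell
# Added example: check the Recycle Bin prerequisites and read both lifetimes.
# Assumes the ActiveDirectory module; Test-ADRecycleBinReadiness is a name chosen here.
Import-Module ActiveDirectory

function Test-ADRecycleBinReadiness {
    $forest  = Get-ADForest
    $rootDse = Get-ADRootDSE

    # Requirements 1 and 2: forest functional level Windows Server 2008 R2 or
    # later. The level can only be raised once every DC runs 2008 R2, so this
    # single check covers both.
    $required = [Microsoft.ActiveDirectory.Management.ADForestMode]::Windows2008R2Forest
    $levelOk  = [int]$forest.ForestMode -ge [int]$required

    # Requirement 3: the Recycle Bin is an optional feature. EnabledScopes stays
    # empty until it has been enabled for the forest.
    $feature = Get-ADOptionalFeature -Filter { Name -eq 'Recycle Bin Feature' }
    $enabled = ($feature -ne $null) -and ($feature.EnabledScopes.Count -gt 0)

    # Requirement 4 depends on the lifetimes, which live on the Directory Service
    # object in the configuration naming context.
    $dsPath = 'CN=Directory Service,CN=Windows NT,CN=Services,' + $rootDse.configurationNamingContext
    $ds = Get-ADObject -Identity $dsPath -Properties tombstoneLifetime, 'msDS-DeletedObjectLifetime'

    # tombstoneLifetime unset means the pre-2003 SP1 default of 60 days;
    # msDS-DeletedObjectLifetime unset means "same as the tombstone lifetime".
    $tsl = if ($ds.tombstoneLifetime) { [int]$ds.tombstoneLifetime } else { 60 }
    $dol = if ($ds.'msDS-DeletedObjectLifetime') { [int]$ds.'msDS-DeletedObjectLifetime' } else { $tsl }

    New-Object PSObject -Property @{
        ForestMode                = $forest.ForestMode
        FunctionalLevelOk         = $levelOk
        RecycleBinEnabled         = $enabled
        TombstoneLifetimeDays     = $tsl
        DeletedObjectLifetimeDays = $dol
    }
}

Test-ADRecycleBinReadiness

# To change the deleted object lifetime (value in days), set the attribute
# explicitly on the same Directory Service object, e.g. one year:
# Set-ADObject -Identity $dsPath -Replace @{ 'msDS-DeletedObjectLifetime' = 365 }
```

Setting msDS-DeletedObjectLifetime only changes how long deleted objects keep their attributes; the separate tombstoneLifetime still governs how long recycled objects (and, without the Recycle Bin, tombstones) are retained, so the two values should be reviewed together.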
Recycled object vs. tombstone object
Like a tombstone object, a recycled object lacks most of the attributes of the original object. However, there are two fundamental differences between recycled and tombstone objects: recycled objects can't be reanimated, and you can't restore them from a backup either. The sole purpose of a recycled object is to ensure that the information about the deletion is replicated to every domain controller that holds a replica of the partition.
As with the tombstone lifetime, the recycled object lifetime (which is governed by the same tombstoneLifetime attribute) determines how long the originating domain controller retains knowledge of the recycled object, and thereby defines how long a domain controller can be offline or experience replication failures before it has to be rebuilt.
It is important to note that once you enable the Recycle Bin, all existing tombstone objects become recycled objects. As mentioned above, this means you can no longer restore those objects from a backup, even if their former tombstone lifetime hasn't expired yet. Tombstone objects don't exist in an Active Directory forest with the Recycle Bin enabled.
I suppose you now understand why the functional level has to be raised for this feature and why it has to be enabled explicitly. I will explain how this is done in my next post.
AD Recycle Bin is a nice feature but has some limitations, such as: no GUI, no ability to restore changed objects (only deleted ones), Windows 2008 forest functional level, etc.
What the AD Recyclebin Does Not Do
Yes, that is absolutely right. The Recycle Bin does not replace third-party AD backup tools.