In the last post of this series, I outlined the changes that the Active Directory Recycle Bin introduces to Windows Server 2008 R2 when it comes to restoring Active Directory objects. Today, I will give you an overview of how the Recycle Bin can be used.
Upgrade the Active Directory functional level to Windows Server 2008 R2
Before you can work with the Recycle Bin, you have to raise the functional level of your Active Directory. Basically, you have to run ADPREP /FORESTPREP on the forest Schema Master and then ADPREP /DOMAINPREP on the Infrastructure Master, with the ADPREP version on the Windows Server 2008 R2 DVD. I recommend that you read James Bannan's guide to migrate the Active Directory functional level to Windows Server 2008 R2.
Enable Active Directory Recycle Bin
Raising the functional level alone does not make the Active Directory Recycle Bin available. This feature has to be explicitly enabled. Note that this process is irreversible: once you have enabled the Active Directory Recycle Bin, you can't disable it again. Since this step will affect your backup strategy, you should fully understand how the Recycle Bin works before going ahead.
There are two ways to enable the Recycle Bin. You can use PowerShell or Ldp.exe, a GUI tool for working with the Lightweight Directory Access Protocol (LDAP). The process with Ldp.exe is quite long-winded; I therefore recommend that you go for the PowerShell option:
Enable-ADOptionalFeature -Identity 'CN=Recycle Bin Feature,CN=Optional Features,CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=domain,DC=com' -Scope ForestOrConfigurationSet -Target 'domain.com'
You can just copy this line and replace the domain parts (DC=domain,DC=com and domain.com) with the corresponding names of your domain. This command has to be entered in the Active Directory Module for Windows PowerShell, which you can find in the Administrative Tools folder of the Start Menu on the Windows Server 2008 R2 domain controller. Don't forget to start the shell as administrator (right-click on the icon).
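Because enabling the feature cannot be undone, it is worth checking the prerequisites in the same shell before running the command. The script below is an added example and is not part of the original post or of Microsoft's documentation; it assumes the Active Directory module, Enterprise Admin rights, and that it is run on a Windows Server 2008 R2 domain controller. It reads the forest functional level and the feature's current enabled scopes, refuses to continue if the level is too low or the feature is already on, and only then enables it and verifies the result.

```powershell
# Added example (not from the original post): pre-flight checks before enabling
# the Active Directory Recycle Bin, then enabling it forest-wide.
Import-Module ActiveDirectory

$forest  = Get-ADForest
$feature = Get-ADOptionalFeature -Filter 'Name -eq "Recycle Bin Feature"'

# 1. The forest functional level must be at least Windows Server 2008 R2.
#    ADForestMode is an enum whose integer values increase with the level,
#    so an integer comparison is sufficient.
$required = [Microsoft.ActiveDirectory.Management.ADForestMode]::Windows2008R2Forest
if ([int]$forest.ForestMode -lt [int]$required) {
    throw "Forest functional level is $($forest.ForestMode); raise it to $required first."
}

# 2. Enabling is irreversible, so stop if it has already been done.
#    EnabledScopes lists the partitions in which the feature is active.
if (@($feature.EnabledScopes).Count -gt 0) {
    Write-Host "Recycle Bin is already enabled in: $($feature.EnabledScopes -join ', ')"
    return
}

# 3. Enable it for the whole forest. -Target takes the forest root domain
#    (read from Get-ADForest instead of typed by hand); -Confirm:$false
#    suppresses the interactive "Are you sure?" prompt.
Enable-ADOptionalFeature -Identity $feature -Scope ForestOrConfigurationSet `
    -Target $forest.RootDomain -Confirm:$false

# 4. Verify: after enabling, EnabledScopes should contain the configuration
#    partition and the forest-wide scope.
(Get-ADOptionalFeature -Identity $feature.DistinguishedName).EnabledScopes
```

Run it once from an elevated Active Directory Module for Windows PowerShell session; the `throw` in step 1 and the early `return` in step 2 mean that re-running it on a forest that is not ready, or that is already converted, makes no change.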
Restore Active Directory objects with Recycle Bin
Microsoft also describes two ways of restoring AD objects with the Recycle Bin (PowerShell and Ldp.exe). Both methods are quite inconvenient, in my view. If you want to quickly restore an accidentally deleted Active Directory object, you don't want to type monster PowerShell commands. Using the Ldp.exe GUI doesn't really make it more convenient: seven steps with a lot of typing are necessary to restore just one object. If you have to restore multiple objects, you won't have much fun this way.
The good news is that there is a much easier way to restore AD objects from the Recycle Bin. You can use the free tools Quest Object Restore for Active Directory or ADRestore.NET to restore an AD object with just a mouse click. Both tools were developed to restore tombstone objects, but they also work for deleted objects in a Windows Server 2008 R2 domain. If you use them in a pre-Server-2008-R2 domain, or in a Server 2008 R2 domain where the Recycle Bin hasn't been enabled, you can only restore tombstone objects with them, i.e. objects where most attributes have been stripped off. In an Active Directory with the Recycle Bin enabled, however, they will restore deleted objects with all attributes. Both tools have similar functionality.
PowerShell can be useful if you want to restore a large number of objects. Microsoft offers a sample script for this. However, if you want to restore only a couple of objects, it will be a lot faster with one of the tools mentioned above.
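To show what the bulk PowerShell route looks like in practice, here is an added example that is not part of the original post and not Microsoft's sample script. It restores a deleted OU together with everything that was deleted underneath it, parents before children, which is the order the Recycle Bin requires because a child can only be restored into a parent that exists. It assumes the Active Directory module, a forest with the Recycle Bin enabled and rights to restore objects; the OU name `Sales` and the parent `DC=domain,DC=com` are constructed sample values. The function names `ConvertTo-EscapedRdnValue`, `Get-DeletedChildren` and `Restore-DeletedTree` are mine. The only AD attributes used are `isDeleted`, `lastKnownParent` and `msDS-LastKnownRDN`, which the Recycle Bin keeps on every deleted object.

```powershell
# Added example (not from the original post): restore a deleted OU and its
# deleted children from the Recycle Bin, parents first. Run with -WhatIf first.
Import-Module ActiveDirectory

function ConvertTo-EscapedRdnValue {
    # Re-escape the characters that must be escaped inside an RDN value (RFC 4514),
    # since msDS-LastKnownRDN stores the unescaped value.
    param([string]$Value)
    $escaped = $Value -replace '([,+"\\<>;])', '\$1'
    if ($escaped.StartsWith('#') -or $escaped.StartsWith(' ')) { $escaped = '\' + $escaped }
    if ($escaped.EndsWith(' ')) { $escaped = $escaped.Substring(0, $escaped.Length - 1) + '\ ' }
    return $escaped
}

function Get-DeletedChildren {
    # All deleted objects whose last known parent was the given (original) DN.
    param([string]$OriginalParentDn)
    Get-ADObject -IncludeDeletedObjects -Properties lastKnownParent, 'msDS-LastKnownRDN' `
        -Filter ('isDeleted -eq $true -and lastKnownParent -eq "{0}"' -f $OriginalParentDn)
}

function Restore-DeletedTree {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([Parameter(Mandatory)][Microsoft.ActiveDirectory.Management.ADObject]$DeletedObject)

    # The deleted DN starts with the original RDN attribute (e.g. "OU=" or "CN="),
    # so the original DN is that attribute + last known RDN value + last known parent.
    $rdnAttribute = ($DeletedObject.DistinguishedName -split '=', 2)[0]
    $originalDn   = '{0}={1},{2}' -f $rdnAttribute,
        (ConvertTo-EscapedRdnValue $DeletedObject.'msDS-LastKnownRDN'),
        $DeletedObject.lastKnownParent

    if ($PSCmdlet.ShouldProcess($originalDn, 'Restore from Recycle Bin')) {
        Restore-ADObject -Identity $DeletedObject.ObjectGUID
    }

    # Children recorded this object's original DN as lastKnownParent; now that the
    # parent exists again they can be restored, and their own children after them.
    foreach ($child in Get-DeletedChildren -OriginalParentDn $originalDn) {
        Restore-DeletedTree -DeletedObject $child
    }
    return $originalDn
}

# Locate the deleted OU by its last known name and original parent. If the same
# name was deleted more than once, take the most recent deletion.
$ouName   = 'Sales'              # constructed sample value
$parentDn = 'DC=domain,DC=com'   # constructed sample value
$deletedOu = Get-ADObject -IncludeDeletedObjects `
    -Properties lastKnownParent, 'msDS-LastKnownRDN', whenChanged `
    -Filter ('isDeleted -eq $true -and msDS-LastKnownRDN -eq "{0}" -and lastKnownParent -eq "{1}"' -f $ouName, $parentDn) |
    Sort-Object whenChanged -Descending | Select-Object -First 1
if ($null -eq $deletedOu) { throw "No deleted object named '$ouName' under $parentDn" }

# -WhatIf lists every object that would be restored without changing anything;
# drop it to perform the restore.
Restore-DeletedTree -DeletedObject $deletedOu -WhatIf
```

The `-WhatIf` pass is the important part operationally: it prints the original DN of every object the script would bring back, so you can confirm the tree is the one you meant before anything is written to the directory.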
Changing the deleted object lifetime
You can restore deleted objects only during the deleted object lifetime, which is 180 days by default. This is usually enough for restoring accidentally deleted objects from the Recycle Bin. However, the deleted object lifetime also determines the time period in which you can restore Active Directory objects from a backup. In some environments, 180 days might be too short.
Many backup strategies work with one-year-old backups. These backups are more or less useless if you want to restore particular objects and the deleted object lifetime is only 180 days. It is possible to change the deleted object lifetime, though. The process is a bit long-winded, but since you have to do this only once, it won't be a big deal.
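The lifetime is stored as the `msDS-DeletedObjectLifetime` attribute on the Directory Service object in the configuration partition, next to `tombstoneLifetime`. The following is an added example, not part of the original post; it assumes the Active Directory module and Enterprise Admin rights, and the target of 365 days is a sample value chosen to match the one-year backups mentioned above. It reads the current values, refuses to shorten the window (objects older than a shortened lifetime become eligible for garbage collection), then raises both values and reads them back.

```powershell
# Added example (not from the original post): raise the deleted object lifetime
# and the tombstone lifetime on the Directory Service object.
Import-Module ActiveDirectory

$configNc = (Get-ADRootDSE).configurationNamingContext
$dsObject = "CN=Directory Service,CN=Windows NT,CN=Services,$configNc"
$newLifetimeDays = 365   # sample value; pick one that covers your oldest usable backup

# Read the current settings. An absent msDS-DeletedObjectLifetime means
# "same as tombstoneLifetime".
$current = Get-ADObject -Identity $dsObject -Partition $configNc `
    -Properties 'msDS-DeletedObjectLifetime', tombstoneLifetime
$currentDol = $current.'msDS-DeletedObjectLifetime'
$currentTsl = $current.tombstoneLifetime
if (-not $currentDol) { $currentDol = $currentTsl }

Write-Host "Deleted object lifetime: $(if ($currentDol) { "$currentDol days" } else { 'not set' })"
Write-Host "Tombstone lifetime:      $(if ($currentTsl) { "$currentTsl days" } else { 'not set' })"

# Guard against accidentally shortening the window: deleted objects older than
# the new value would be garbage-collected at the next collection pass.
if ($currentDol -and $newLifetimeDays -lt $currentDol) {
    throw "Refusing to lower the deleted object lifetime from $currentDol to $newLifetimeDays days."
}

# Raise both values. The deleted object lifetime governs how long an object can be
# restored with all attributes; after it expires the object is recycled and kept
# for the tombstone lifetime before it is removed entirely.
Set-ADObject -Identity $dsObject -Partition $configNc -Replace @{
    'msDS-DeletedObjectLifetime' = $newLifetimeDays
    'tombstoneLifetime'          = $newLifetimeDays
}

# Read back to verify the change replicated to the DC we are talking to.
Get-ADObject -Identity $dsObject -Partition $configNc `
    -Properties 'msDS-DeletedObjectLifetime', tombstoneLifetime |
    Select-Object 'msDS-DeletedObjectLifetime', tombstoneLifetime
```

The `-Partition` argument matters here: the Directory Service object lives in the configuration partition rather than the domain partition, and passing the partition explicitly avoids the module looking for the DN in the wrong place.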
I think this new Active Directory Recycle Bin feature is a great improvement in Windows Server 2008 R2. Accidentally deleting an Active Directory object can cause a lot of trouble, because those objects can't be restored as easily as files. In my view, the Recycle Bin feature is reason enough to upgrade the functional level to Server 2008 R2 as soon as possible. You might regret it sooner or later if you don't.
Nevertheless, the Recycle Bin feature doesn't make third-party Active Directory recovery tools such as Blackbird Recovery or Quest Recovery Manager obsolete. Disaster recovery, attribute rollback and GPO recovery are just a few examples of features that the Recycle Bin lacks.