The Active Directory Recycle Bin in Windows Server 2008 R2 by Jonathan Medd : http://www.simple-talk.com/sysadmin/exchange/the-active-directory-recycle-bin-in-windows-server-2008-r2/
Since Active Directory was included as part of Window Server 2000, administrators have often asked for a simple way to roll back mistakes, whether that is the incorrect deletion of the wrong user account to the accidental removal of thousands of objects by deleting an OU. Before the release of Windows Server 2008 R2 there were a number of ways using built-in or third-party methods to restore Active Directory objects, but typically they were not as quick or complete as say retrieving a deleted email or file.
Microsoft has included with their release of Windows Server 2008 R2 the facility, under the correct conditions, to enable a Recycle Bin for Active Directory and allow simple restoration of objects which have been erroneously removed. In this article we will briefly cover some of the options prior to 2008 R2 and then examine how to enable the new Recycle Bin and restore objects from it.
Pre-Windows Server 2008 R2
The 2008 R2 Recycle Bin for Active Directory is a great motivating point for upgrading your forest and domain(s) to the latest version, but this is not always a quick process in many enterprises so it is worth knowing what options are available prior to this version. Like many things it’s a lot better to examine and plan for possible resolutions before a significant mistake happens that you need to deal with. Retrieving Active Directory objects typically falls into two available categories, authoritative restore from a backup or tombstone reanimation.
The Microsoft KB article 840001(http://support.microsoft.com/kb/840001) details how to perform the restoration of a user account using a system state backup of a domain controller. Typically, you would use a global catalog so that you can also restore all group membership information.
The above article also details how to recover an account when you don’t have a system state backup by using tombstone reanimation which was introduced with Windows Server 2003 – you can retrieve objects from the Deleted Objects container where they are kept after deletion until their tombstone period expires. Obviously regular system state backups of Active Directory are critical for your full disaster recovery procedures, but taking advantage of tombstone reanimation means you can get objects back quicker than having to go through the full authoritative restore process.
You could use the procedure in the article which utilises the ldp.exe tool, but there are other methods around which you may find simpler.
The article itself links to a Sysinternals tool, ADRestore (http://technet.microsoft.com/en-us/sysinternals/bb963906.aspx), which is a command line tool for reanimating objects.
The free ADRestore.Net, a GUI tool made by Microsoft PFE Guy Teverovsky. http://blogs.microsoft.co.il/blogs/guyt/archive/2007/12/15/adrestore-net-rewrite.aspx.
Quest produces a freeware product Object Restore for Active Directory, an easy to use GUI tool. http://www.quest.com/object-restore-for-active-directory/ (Note: there is a commercial version with more features, Recovery Manager for Active Directory.)
Quest also produces a cmdlet library for managing Active Directory with Windows PowerShell (http://www.quest.com/powershell/activeroles-server.aspx). As of version 1.2 a number of the cmdlets had a Tombstone parameter added to them so that a search of objects would also include items which have been tombstoned. These results could then be piped through to the new cmdlet Restore-QADDeletedObject to undelete the object represented by the tombstone. For instance the command Get-QADUser –Tombstone -LastChangedOn ((Get-Date).adddays(-1)) | Restore-QADDeletedObject would restore all user accounts deleted yesterday.
The drawback with tombstone reanimation is that because most of the object’s attributes are removed at the time of the object’s deletion, a restored object using this method requires many properties of the account, such as address fields and group membership, to be manually repopulated. Whilst this is obviously preferable to re-creating an account from scratch it does not make for a quick overall process. However, you will at least get back the objectGUID and objectSid attributes which means there would be no need to re-configure a user’s workstation profile.
The original release of Windows Server 2008 introduced snapshot backups for Active Directory. You can take point-in-time snapshots of your Active Directory with the NTDSUTIL command line utility which utilizes Volume Shadow Copy to provide a snapshot. It is then possible to mount this snapshot using different ports on the same domain controller as the live Active Directory database and use standard tools to compare the two. This could really make the tombstone reanimation a lot simpler because after restoring the object you could view two versions of Active Directory Users and Computers side by side and view the properties of the restored object from a previous time, so making it simpler to repopulate properties.
The Directory Service Comparison Tool (http://lindstrom.nullsession.com/?page_id=11) takes advantage of these snapshots and makes the repopulation process more streamlined.
For those with Microsoft Exchange messaging environments, once you have the Active Directory account back, you can use the Reconnect Mailbox feature within Exchange to tie the restored account back up with the mailbox. This is of course providing you have a similar tombstone retention period for mailboxes that you do for AD accounts.
Active Directory Recycle Bin
The real reason you decided to read this article though was not so that we could spend time going over all the possible options for how you can piece together restored AD objects, but rather to find out how the Recycle Bin is going to make your life as an Active Directory administrator easier without necessarily the need for these different tools. The key differences from previous versions of Windows Server are that by default you get all of the attributes back and the tools to use are PowerShell cmdlets, which are quickly becoming a more essential part of every Windows administrator’s standard toolkit.
Firstly though the Active Directory Recycle Bin is not enabled by default and has certain domain and forest wide requirements before it can be enabled.
- Firstly, all domain controllers within the Active Directory forest must be running Windows Server 2008 R2.
- Secondly, the functional level of the Active Directory forest must be Windows Server 2008 R2.
Naturally organizations are typically cautious when upgrading Active Directory and these types of infrastructure projects don’t tend to happen quickly, but the Recycle Bin could be one of the features which gives you more weight behind a decision. You should also be aware though that enabling the Recycle Bin is a onetime only move, there’s no easy way to disable it again, so careful consideration of this decision must be taken.
It’s worth noting that if you are making a fresh forest install of Windows Server 2008 R2 the Active Directory schema will already include all of the necessary attributes for the Recycle Bin to function. If however you are upgrading your domain controllers from previous versions of Windows Server then you will need to run the well known procedure of adprep /forestprep and adprep /domainprep (for each domain) and possibly adprep /domainprep /gpprep (for Group Policy preparation)
before you can introduce Windows Server 2008 R2 domain controllers into the environment.
So let’s go ahead and run through all the steps we need to get the Recycle Bin enabled. Firstly, ensure that all of your domain controllers are running Windows Server 2008 R2 and then we need to use PowerShell; the great news with Windows Server 2008 R2 is that version 2 of PowerShell is installed by default and is placed directly on your taskbar.
After you have installed Active Directory Domain Services the Active Directory specific cmdlets are available to use via a module; modules essentially are the evolution of snapins from version 1 of PowerShell. To access these cmdlets you can either open the Active Directory specific version of the PowerShell console from the Administrative Programs menu, or the method I would prefer, use the Import-Module cmdlet. (Tip: You could add the below expression to your PowerShell profile so that the cmdlets are available every time you open PowerShell)
PS> Import-Module activedirectory
Once complete all of the Active Directory cmdlets will be at your fingertips. As previously discussed we now need to get the functional level of the forest up to the level of Windows Server 2008 R2. The most common way to do this previously was through Active Directory Domains and Trusts.
Now though we can do this through PowerShell. The Get-ADForest cmdlet will return information about your forest and the Set-ADForestMode cmdlet will enable you to raise the current functional level – since it is such a significant change to your environment you will be prompted to confirm that you wish to go ahead.
PS> Get-ADForest | Set-ADForestMode –ForestMode Windows2008R2Forest
Now that our forest is at the correct functional level we can enable the Recycle Bin, to do so we use the Enable-ADOptionalFeature cmdlet. This must be either run on the DC with the Domain Naming Master FSMO role or directed at that server with the –server parameter. Again you will be prompted to confirm your command since the action is irreversible.
PS> Enable-ADOptionalFeature ‘Recycle Bin Feature’ -Scope ForestOrConfigurationSet -target ‘test.local’