Enable Active Directory Recycle Bin | PowerShell

What is Active Directory Recycle Bin?

While working in Active Directory (AD), administrators sometimes accidentally delete objects such as users, computers, groups or organizational units (OUs). This can break network functionality and affect the productivity of the organization as a whole. For instance, if an administrator accidentally deletes a user account, that user can no longer access basic resources such as their computer, email, shared folders and other systems. Recovering and restoring deleted objects used to be a tedious task for system administrators, so Microsoft introduced the AD Recycle Bin to simplify the process.

While the AD Recycle Bin in Windows Server 2008 R2 was difficult to manage, it is simplified in Windows Server 2012 R2. In the former version, the Recycle Bin could be enabled and used only from the command line, using either Ldp.exe or Windows PowerShell cmdlets. In Windows Server 2012 R2, administrators can enable the Recycle Bin and manage the restoration of deleted objects through the Graphical User Interface (GUI) based Active Directory Administrative Center (ADAC). This allows administrators to locate deleted objects visually and restore them to their original locations.

How does the Active Directory Recycle Bin work?

When the Recycle Bin is enabled, a deleted object is placed in the Deleted Objects container for a period of time called the Deleted Object Lifetime. All of its attributes are left unchanged. Within the Deleted Object Lifetime, the object can be restored from the Recycle Bin along with all its attributes and links. By default this period is 180 days.

Once this period expires, the object is moved to the Recycled Object state, where it is stripped of most of its attributes. The object remains in this state for a period of time called the Recycled Object Lifetime. Once an object enters this state, it cannot be restored from the AD Recycle Bin, nor by other methods such as Tombstone Reanimation. As soon as the Recycled Object Lifetime expires, the object is removed from the database by the AD garbage collection process. It then becomes a removed object and cannot be recovered.

Using ADAC to enable the Recycle Bin and to restore deleted objects

The AD Recycle Bin is not enabled by default and has to be enabled manually in several steps. The prerequisite is raising the forest functional level of the AD DS environment to Windows Server 2008 R2 or higher. Once the AD Recycle Bin is enabled, it cannot be disabled. In Windows Server 2012 it can be enabled using the ADAC.

Enabling Recycle Bin with ADAC

As mentioned earlier, the first step in enabling the Recycle Bin is to raise the forest functional level of the target forest to at least Windows Server 2008 R2. This is done as follows.
  1. Open the ADAC by choosing Tools from the management console.
  2. Select Manage-->Add Navigation Nodes. In the Add Navigation Nodes dialog box, select the target domain and click OK.
  3. Click on the target domain in the left navigation pane and click Raise the Forest Functional Level in the Tasks menu.
  4. Select a forest functional level of Windows Server 2008 R2 or higher and click OK to raise the forest functional level.

Once the forest functional level is raised, the next step is to enable the Recycle Bin using ADAC. This can be done by following the steps given below.
  1. Open the ADAC by choosing Tools from the management console.
  2. Select Manage-->Add Navigation Nodes. In the Add Navigation Nodes dialog box, select the target domain and click OK.
  3. From the Tasks menu, select the Enable Recycle Bin option and click OK to confirm.
  4. Refresh ADAC by pressing F5.
After the refresh, the Enable Recycle Bin option appears grayed out; this serves as a check that the Recycle Bin has been enabled.

Restoring deleted objects from Recycle Bin using ADAC

Objects that have been deleted can be recovered from the Deleted Objects container using the Recycle Bin and returned to their original locations. Restoration must be done before the tombstone lifetime of the object expires. A deleted object can be recovered from the Recycle Bin by following the steps given below.
  1. Open the ADAC and navigate to the Deleted Objects container, which holds all the AD objects that have been deleted.
  2. Find the deleted object that needs to be restored and right-click on it.
  3. Four options are available on the Tasks menu:
     • Restore: restores the deleted object to its original location.
     • Restore To: restores the deleted object to a container of your choice.
     • Locate Parent: shows the original location of the object before it was deleted.
     • Properties: shows the properties of the object, such as its name, ObjectClass and Update Sequence Number (USN).
  4. Select the Restore option after right-clicking on the object that needs to be restored.
The deleted object is now restored to its original container.

PowerShell Commands

While the ADAC provides a simplified procedure for enabling the Recycle Bin and restoring deleted objects, the same tasks can be performed with Windows PowerShell commands from the ActiveDirectory module.

To raise the functional level of a forest:
Set-ADForestMode -Identity zylker.com -ForestMode Windows2008R2Forest -Confirm:$false

To enable the Recycle Bin:
Enable-ADOptionalFeature -Identity 'CN=Recycle Bin Feature,CN=Optional Features,CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=zylker,DC=com' -Scope ForestOrConfigurationSet -Target 'zylker.com'

To restore deleted objects (the isDeleted clause keeps the filter from matching live objects whose names also contain "test", which Restore-ADObject would reject):
Get-ADObject -Filter 'isDeleted -eq $true -and Name -like "*test*"' -IncludeDeletedObjects | Restore-ADObject
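As an added example (not code from the original article), the following script ties the three commands above into a single checked procedure: it verifies the forest functional level, enables the Recycle Bin only if it is not already enabled, reads the Deleted Object Lifetime and tombstone lifetime from the Directory Service object, and restores deleted objects parent-first so that a user whose OU was deleted with it can be restored. It assumes the ActiveDirectory module and the article's forest name zylker.com; the "*test*" name filter is a constructed sample.

```powershell
# Added example, not part of the original article. Assumes the ActiveDirectory module
# and the article's forest name zylker.com; the "*test*" filter is a constructed sample.
Import-Module ActiveDirectory

$forest   = Get-ADForest -Identity 'zylker.com'
$server   = $forest.DomainNamingMaster
$configNC = (Get-ADRootDSE -Server $server).configurationNamingContext

# 1. Prerequisite: forest functional level must be Windows Server 2008 R2 or higher.
#    Raising it is irreversible, so report it rather than raise it silently.
$minMode = [Microsoft.ActiveDirectory.Management.ADForestMode]::Windows2008R2Forest
if ([int]$forest.ForestMode -lt [int]$minMode) {
    throw "Forest mode is $($forest.ForestMode); run Set-ADForestMode first."
}

# 2. Enable the optional feature only if EnabledScopes is still empty (enabling is one-way).
$feature = Get-ADOptionalFeature -Filter 'Name -eq "Recycle Bin Feature"' -Server $server
if ($feature.EnabledScopes.Count -eq 0) {
    Enable-ADOptionalFeature -Identity $feature -Scope ForestOrConfigurationSet `
        -Target $forest.Name -Server $server -Confirm:$false
}

# 3. Both lifetimes live on the Directory Service object. If msDS-DeletedObjectLifetime
#    is unset, tombstoneLifetime applies to deleted objects as well.
$ds = Get-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$configNC" `
    -Server $server -Properties 'msDS-DeletedObjectLifetime', 'tombstoneLifetime'
$deletedLifetime = $ds.'msDS-DeletedObjectLifetime'
if (-not $deletedLifetime) { $deletedLifetime = $ds.tombstoneLifetime }
"Deleted Object Lifetime: $deletedLifetime days; tombstoneLifetime: $($ds.tombstoneLifetime) days"

# 4. Restore-ADObject fails when the object's last known parent is itself deleted, so walk
#    up lastKnownParent and restore parents first. A deleted parent's DN carries the
#    \0ADEL: marker and sits under CN=Deleted Objects.
function Restore-ADObjectWithParent {
    param([Parameter(Mandatory)][Microsoft.ActiveDirectory.Management.ADObject]$Object)
    if ($Object.lastKnownParent -like '*\0ADEL:*') {
        $parent = Get-ADObject -Identity $Object.lastKnownParent -IncludeDeletedObjects `
            -Server $server -Properties lastKnownParent
        Restore-ADObjectWithParent -Object $parent
    }
    Restore-ADObject -Identity $Object.ObjectGUID -Server $server
}

# Only objects that are actually deleted; without isDeleted the filter would also match
# live objects whose names contain "test", and Restore-ADObject would error on them.
Get-ADObject -Filter 'isDeleted -eq $true -and Name -like "*test*" -and objectClass -eq "user"' `
    -IncludeDeletedObjects -Server $server -Properties lastKnownParent |
    ForEach-Object { Restore-ADObjectWithParent -Object $_ }
```

Pinning every call to the Domain Naming Master avoids reading a stale EnabledScopes value or a not-yet-replicated deleted object from another domain controller.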

What are the advantages and disadvantages of using the AD Recycle Bin?

The AD Recycle Bin simplifies the restoration of a deleted object compared with other methods such as Authoritative Restore and Tombstone Reanimation. It also does not require the domain controller to be booted into Directory Services Restore Mode (DSRM).
However, the feature also has some drawbacks, listed below.
  1. It increases the size of the Directory Information Tree (DIT).
  2. All the domain controllers have to be upgraded to Windows Server 2008 R2.
  3. This feature does not work on Group Policy Objects.
  4. The search for deleted objects is time-consuming.