
Active Directory Recycle Bin


When your Active Directory forest is operating in the Windows Server 2008 R2 or higher mode, you can use the Active Directory Recycle Bin. The Active Directory Recycle Bin adds an easy-to-use recovery feature for Active Directory objects. When you enable this feature, all link-valued and non-link-valued attributes of a deleted object are preserved, allowing you to restore the object to the same state it was in before it was deleted. You can also recover objects from the recycle bin without having to initiate an authoritative restore. This differs substantially from the previously available technique, which used an authoritative restore to recover deleted objects from the Deleted Objects container. Previously, when you deleted an object, most of its non-link-valued attributes were cleared and all of its link-valued attributes were removed, which meant that although you could recover a deleted object, it was not restored to its previous state.

Preparing Schema for the Recycle Bin

Before you can make the recycle bin available, you must update the Active Directory schema with the required recycle bin attributes. You do this by preparing the forest and domain for the Windows Server 2008 R2 functional level or higher. When you do this, the schema is updated, and then every object in the forest is updated with the recycle bin attributes as well. This process is irreversible once it is started.

After you prepare Active Directory, you need to upgrade all domain controllers in your Active Directory forest to Windows Server 2008 R2 or higher and then raise the domain and forest functional levels to the Windows Server 2008 R2 level or higher. Optionally, you can update the Active Directory schema in your forests and domains for Windows Server 2012 to enable the enhanced recycle bin.

After these operations, you can enable and access the recycle bin. Once the Recycle Bin has been enabled, it cannot be disabled. Now when an Active Directory object is deleted, the object is put in a state referred to as logically deleted and moved to the Deleted Objects container. Its distinguished name is also altered. A deleted object remains in the Deleted Objects container for the period of time set in the deleted object lifetime value, which is 180 days by default.

NOTE: The msDS-deletedObjectLifetime attribute replaces the tombstoneLifetime attribute. However, when msDS-deletedObjectLifetime is set to $null, the lifetime value comes from the tombstoneLifetime. If the tombstoneLifetime is also set to $null, the default value is 180 days.
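The checks and the enable step described above, as an added PowerShell example that is not part of the original article. It verifies the forest functional level, reports whether the Recycle Bin optional feature is already enabled, reads the effective deleted-object lifetime using the precedence in the note (msDS-DeletedObjectLifetime, then tombstoneLifetime, then the 180-day default), and only then calls Enable-ADOptionalFeature. The forest name windows-scripting.org is taken from the article's sample distinguished name and is a placeholder; the function names are my own.

```powershell
# Added example (not from the original article): readiness check and enable step for
# the Active Directory Recycle Bin. Assumes the ActiveDirectory module is installed.
# The forest name windows-scripting.org is a placeholder.
Import-Module ActiveDirectory

function Get-RecycleBinState {
    param([string]$ForestName = 'windows-scripting.org')   # assumed forest name

    $forest = Get-ADForest -Identity $ForestName
    $dc     = $forest.DomainNamingMaster

    # ADForestMode is an ordered enum, so a numeric comparison tells us whether the
    # forest is at the Windows Server 2008 R2 level or higher.
    $minimum = [Microsoft.ActiveDirectory.Management.ADForestMode]::Windows2008R2Forest
    $modeOk  = [int]$forest.ForestMode -ge [int]$minimum

    # EnabledScopes stays empty until the optional feature has been enabled.
    $feature = Get-ADOptionalFeature -Identity 'Recycle Bin Feature' -Server $dc
    $enabled = ($feature.EnabledScopes | Measure-Object).Count -gt 0

    # Both lifetime attributes live on the Directory Service object in the configuration NC.
    $configNC = (Get-ADRootDSE -Server $dc).configurationNamingContext
    $ds = Get-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$configNC" `
                       -Server $dc -Properties msDS-DeletedObjectLifetime, tombstoneLifetime

    # Precedence as in the article's note: msDS-DeletedObjectLifetime, then
    # tombstoneLifetime, then 180 days when neither is set.
    if ($ds.'msDS-DeletedObjectLifetime') {
        $lifetime = $ds.'msDS-DeletedObjectLifetime'; $source = 'msDS-DeletedObjectLifetime'
    } elseif ($ds.tombstoneLifetime) {
        $lifetime = $ds.tombstoneLifetime; $source = 'tombstoneLifetime'
    } else {
        $lifetime = 180; $source = 'default'
    }

    [pscustomobject]@{
        Forest            = $forest.Name
        ForestMode        = $forest.ForestMode
        ForestModeOk      = $modeOk
        RecycleBinEnabled = $enabled
        LifetimeDays      = $lifetime
        LifetimeSource    = $source
    }
}

function Enable-RecycleBin {
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param([string]$ForestName = 'windows-scripting.org')   # assumed forest name

    $state = Get-RecycleBinState -ForestName $ForestName
    if (-not $state.ForestModeOk) {
        throw "Forest functional level is $($state.ForestMode); Windows2008R2Forest or higher is required."
    }
    if ($state.RecycleBinEnabled) {
        Write-Verbose 'Recycle Bin is already enabled (and cannot be disabled).'
        return $state
    }

    # Enabling is forest-wide and irreversible, so it goes through ShouldProcess;
    # run with -WhatIf first to see what would happen without changing anything.
    if ($PSCmdlet.ShouldProcess($ForestName, 'Enable Active Directory Recycle Bin (irreversible)')) {
        Enable-ADOptionalFeature -Identity 'Recycle Bin Feature' `
                                 -Scope ForestOrConfigurationSet `
                                 -Target $ForestName -Confirm:$false
    }
    Get-RecycleBinState -ForestName $ForestName
}

# Usage:
#   Get-RecycleBinState | Format-List
#   Enable-RecycleBin -WhatIf     # dry run; drop -WhatIf to enable for real
```

The state object is returned rather than printed so the same function can gate a larger change-control script; because the change replicates to every domain controller in the forest, run the check against the domain naming master (as the function does) to see the authoritative value.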


Recovering Deleted Objects

If you elect not to use the recycle bin, you can still recover deleted objects from the Deleted Objects container by using an authoritative restore and other techniques I’ll discuss in this section. The procedure has not changed from previous releases of Windows Server. What has changed, however, is that the objects are restored to their previous state with all link-valued and non-link-valued attributes preserved. To perform an authoritative restore, the domain controller must be in Directory Services Restore Mode.

Rather than using an authoritative restore and taking a domain controller offline, you can recover deleted objects by using the Ldp.exe administration tool or the Active Directory cmdlets for Windows PowerShell. If you updated the Active Directory schema in your forests and domains for Windows Server 2012, you also can enable the enhanced recycle bin, which allows you to recover deleted objects using Active Directory Administrative Center.

Keep in mind that Active Directory blocks access to an object for a short while after it is deleted. During this time, Active Directory processes the object’s link-value table to maintain referential integrity on the linked attribute’s values. Active Directory then permits access to the deleted object.

Using Ldp.exe for Basic Recovery

You can use Ldp.exe to display the Deleted Objects container and recover a deleted object by following these steps:

1. Type Ldp.exe in the Apps Search box, and then press Enter.

2. On the Options menu, tap or click Controls. In the Controls dialog box, select Return Deleted Objects in the Load Predefined list, and then tap or click OK.

3. Bind to the server that hosts the forest root domain by choosing Bind from the Connection menu. Select the Bind type, and then tap or click OK.

4. On the View menu, tap or click Tree. In the Tree View dialog box, use the BaseDN list to select the appropriate forest root domain name, such as DC=windows-scripting,DC=org, and then tap or click OK.

5. In the console tree, double-tap or double-click the root distinguished name and locate the CN=Deleted Objects container.

6. Locate and press and hold or right-click the Active Directory object you want to restore, and then tap or click Modify. This displays the Modify dialog box.

7. In the Edit Entry Attribute text box, type isDeleted. Do not enter anything in the Values text box.

8. Under Operation, tap or click Delete, and then tap or click Enter.

9. In the Edit Entry Attribute text box, type distinguishedName. In Values, type the original distinguished name of this Active Directory object.

10. Under Operation, tap or click Replace. Select the Extended check box, tap or click Enter, and then tap or click Run.

Using Windows PowerShell for Basic and Advanced Recovery

The Active Directory cmdlets for Windows PowerShell allow you to recover deleted objects using scripts or by typing commands at a PowerShell prompt. You use Get-ADObject to retrieve the object or objects you want to restore, pass that object or objects to Restore-ADObject, and then Restore-ADObject restores the object or objects to the directory database.

NOTE: The Active Directory module is not imported into Windows PowerShell by default. Import the Active Directory module by typing import-module activedirectory at the PowerShell prompt. For more information, see “Active Directory Administrative Center and Windows PowerShell” in Chapter 7.

To use the Active Directory cmdlets for recovery, you need to open an elevated, administrator PowerShell prompt by pressing and holding or right-clicking the Windows PowerShell entry on the menu and tapping or clicking Run As Administrator. The basic syntax for recovering an object is as follows:

Get-ADObject -Filter {ObjectId} -IncludeDeletedObjects | Restore-ADObject

ObjectId is a filter value that identifies the object you want to restore. For example, you could restore a deleted user account by display name or SAM account name as shown in these examples:

Get-ADObject -Filter {DisplayName -eq "Rich Tuppy"} -IncludeDeletedObjects | Restore-ADObject

Get-ADObject -Filter {SamAccountName -eq "richt"} -IncludeDeletedObjects | Restore-ADObject

Note that nested objects must be recovered from the highest level of the deleted hierarchy to a live parent container. For example, if you accidentally deleted an OU and all its related accounts, you need to restore the OU before you can restore the related accounts.

The basic syntax for restoring container objects such as an OU is as follows:

Get-ADObject -ldapFilter:"(msDS-LastKnownRDN=ContainerID)" -IncludeDeletedObjects | Restore-ADObject

ContainerID is a filter value that identifies the container object you want to restore. For example, you could restore the Corporate Services OU as shown in this example:

Get-ADObject -ldapFilter:"(msDS-LastKnownRDN=Corporate_Services)" -IncludeDeletedObjects | Restore-ADObject

If the OU contains accounts you also want to restore, you can now restore the accounts by using the technique discussed previously, or you can restore all accounts at the same time. The basic syntax requires that you establish a search base and associate the accounts with their last known parent, as shown here:

Get-ADObject -SearchBase "CN=Deleted Objects,ForestRootDN" -Filter {lastKnownParent -eq "ContainerCN,ForestRootDN"} -IncludeDeletedObjects | Restore-ADObject

ForestRootDN is the distinguished name of the forest root domain, such as DC=windows-scripting,DC=org, and ContainerCN is the relative distinguished name of the container, such as OU=Corporate_Services or CN=Users. The following example restores all the accounts that were in the Corporate Services OU when it was deleted:

Get-ADObject -SearchBase "CN=Deleted Objects,DC=windows-scripting,DC=org" -Filter {lastKnownParent -eq "OU=Corporate_Services,DC=windows-scripting,DC=org"} -IncludeDeletedObjects | Restore-ADObject
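The recovery procedure above (restore the container first, then the accounts whose lastKnownParent it was) as an added PowerShell example that is not part of the original article. It goes a step further than the text: it lists what is in the Deleted Objects container so you can pick the right object by ObjectGUID instead of a display name that several deleted objects might share, and it restores a container and everything beneath it top down, recursing for any nesting depth rather than the two levels the text shows. The domain name windows-scripting.org is a placeholder taken from the article's sample DN; the function names are my own.

```powershell
# Added example (not from the original article): enumerate deleted objects, then
# restore a deleted container and everything that was under it, parent before
# children, identified by ObjectGUID. Assumes the ActiveDirectory module.
Import-Module ActiveDirectory

function Get-DeletedObjectReport {
    param([string]$Domain = 'windows-scripting.org')   # assumed domain name

    $domainDN = (Get-ADDomain -Identity $Domain).DistinguishedName
    # The Deleted Objects container is itself flagged isDeleted, so exclude it by name.
    Get-ADObject -SearchBase "CN=Deleted Objects,$domainDN" -Server $Domain `
                 -Filter { isDeleted -eq $true -and Name -ne 'Deleted Objects' } `
                 -IncludeDeletedObjects `
                 -Properties msDS-LastKnownRDN, lastKnownParent, whenChanged |
        Sort-Object whenChanged -Descending |
        Select-Object @{ n = 'LastKnownName'; e = { $_.'msDS-LastKnownRDN' } },
                      ObjectClass, lastKnownParent, whenChanged, ObjectGUID
}

function Restore-DeletedTree {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][guid]$ObjectGuid,      # the deleted object to start from
        [string]$Domain = 'windows-scripting.org'     # assumed domain name
    )

    $domainDN = (Get-ADDomain -Identity $Domain).DistinguishedName
    $obj = Get-ADObject -Identity $ObjectGuid -Server $Domain -IncludeDeletedObjects `
                        -Properties msDS-LastKnownRDN, lastKnownParent, isDeleted
    if (-not $obj.isDeleted) {
        Write-Verbose "$($obj.DistinguishedName) is live; nothing to restore."
        return
    }

    # Restore-ADObject needs a live parent. A deleted parent has had its DN rewritten,
    # so looking up the original DN recorded in lastKnownParent fails while it is gone.
    try   { $null = Get-ADObject -Identity $obj.lastKnownParent -Server $Domain }
    catch { throw "Parent '$($obj.lastKnownParent)' is not live; restore it first (top down)." }

    # The DN the object gets back on restore; computed up front so the child search
    # also works during a -WhatIf dry run. OUs use an OU= RDN, everything else CN=.
    $rdnType    = if ($obj.ObjectClass -eq 'organizationalUnit') { 'OU' } else { 'CN' }
    $restoredDN = "$rdnType=$($obj.'msDS-LastKnownRDN'),$($obj.lastKnownParent)"

    if ($PSCmdlet.ShouldProcess($restoredDN, 'Restore-ADObject')) {
        $restored   = Restore-ADObject -Identity $ObjectGuid -Server $Domain -PassThru
        $restoredDN = $restored.DistinguishedName
    }

    # Children recorded this object's original DN as their lastKnownParent; recurse
    # so grandchildren are handled the same way once their parent is live again.
    $children = Get-ADObject -SearchBase "CN=Deleted Objects,$domainDN" -Server $Domain `
                             -Filter { lastKnownParent -eq $restoredDN } -IncludeDeletedObjects
    foreach ($child in $children) {
        Restore-DeletedTree -ObjectGuid $child.ObjectGUID -Domain $Domain -WhatIf:$WhatIfPreference
    }
    $restoredDN
}

# Usage:
#   Get-DeletedObjectReport | Format-Table -AutoSize
#   $ou = Get-DeletedObjectReport | Where-Object LastKnownName -eq 'Corporate_Services'
#   Restore-DeletedTree -ObjectGuid $ou.ObjectGUID -WhatIf   # dry run, then drop -WhatIf
```

Restoring by ObjectGUID matters when several deleted objects share a name (an account deleted and recreated more than once leaves several entries with the same msDS-LastKnownRDN); the report shows whenChanged so you can tell them apart. To restore into a different container instead of the original one, pass -TargetPath to Restore-ADObject; the child search then has to use that new DN as its key.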

Using the Enhanced Recycle Bin for Recovery

The enhanced recycle bin makes recovering deleted objects as easy as pointing and clicking or tapping and holding. Once you have updated the Active Directory schema in your forests and domains for Windows Server 2012, you enable the enhanced recycle bin for use by following these steps:

1. In Active Directory Administrative Center, the local domain is opened for management by default. If you want to work with a different domain, tap or click Manage and then tap or click Add Navigation Nodes. In the Add Navigation Nodes dialog box, select the domain you want to work with and then tap or click OK.

2. Select the domain you want to work with by tapping or clicking it in the left pane. In the Tasks pane, tap or click Enable Recycle Bin and then tap or click OK in the confirmation dialog box.

3. Active Directory will begin replicating the change to all domain controllers in the forest. Once the change is replicated, the enhanced recycle bin will be available for use. If you then tap or click Refresh in Active Directory Administrative Center, you’ll see that a Deleted Objects container is now available for domains using the enhanced recycle bin.

Keep in mind that the enhanced recycle bin is a forestwide option. When you enable this option in one domain of a forest, Active Directory replicates the change to all domain controllers in all domains of the forest.

With the enhanced recycle bin enabled, you can recover deleted objects with ease. In Active Directory Administrative Center, domains using the enhanced recycle bin will have a Deleted Objects container. In this container, you’ll see a list of deleted objects. As discussed previously, deleted objects remain in this container for the deleted object lifetime value, which is 180 days by default.

Each deleted object is listed by name, when it was deleted, the last known parent, and the type. When you select a deleted object by tapping or clicking it, you can use the options in the Tasks pane to work with it. The Restore option restores the object to its original container. For example, if the object was deleted from the Users container, it is restored to this container.

The Restore To option restores the object to an alternate container within its original domain or a different domain within the current forest. Specify the alternate container in the Restore To dialog box. For example, if the object was deleted from the Users container in the tech.windows-scripting.org domain, you could restore it to the Devs OU in the eng.windows-scripting.org domain.


Filed under: TUTORIALS
