Configuring Active Directory Recycle Bin
Active Directory Recycle Bin is a feature introduced in Windows Server 2008 R2 that enables administrators to restore deleted Active Directory objects while Active Directory Domain Services is still running. Previously, in Windows Server 2008 and earlier versions, you could restore a deleted Active Directory object from a backup, but the process was daunting. For example, after restoring from the backup medium you had to mark the object as authoritative to ensure that it replicated to all of your domain controllers, and you had to do this in Directory Services Restore Mode, which meant the domain controller had to be offline. Beginning with Windows Server 2008 R2, however, you could use the new Active Directory Recycle Bin to restore deleted objects with all of their attributes and permissions intact.
Unfortunately, the Active Directory Recycle Bin wasn't so easy to use when it was first introduced in Windows Server 2008 R2. That's because you could only work with it from the command line using the Active Directory Module for Windows PowerShell. For example, before you could use the Active Directory Recycle Bin you had to first enable it using the Enable-ADOptionalFeature cmdlet. Then, to actually restore a deleted object, you had to use two other cmdlets: Get-ADObject to locate the desired object in the Deleted Objects container and Restore-ADObject to perform the actual restoration. Furthermore, when you were restoring multiple objects, especially organizational units (OUs) that contained other objects, you had to pay attention to the order in which you restored them, because an object can only be restored to a live parent. This meant, for example, that if you accidentally deleted an OU, you had to restore the OU itself before you could restore any of the objects it contained.
Fortunately, beginning with Windows Server 2012 Microsoft has now included a graphical user interface (GUI) to make restoring deleted Active Directory objects easier and less hazardous. This article explains how the Active Directory Recycle Bin works and how you can enable it and use it in Active Directory environments that have domain controllers running Windows Server 2012 and/or Windows Server 2012 R2. The explanation and procedures in the next few sections are adapted from my book Training Guide: Installing and Configuring Windows Server 2012 R2 (Microsoft Press, 2014) which is available here. The final section of this article includes some additional tips and gotchas concerning the Active Directory Recycle Bin that I've gleaned from the larger IT pro community including the almost 100,000 followers of our WServerNews weekly newsletter which you can subscribe to at http://www.wservernews.com/subscribe.htm.
Understanding the Active Directory Recycle Bin
To understand the limitations of the Active Directory Recycle Bin, you need to know how it works. When the Active Directory Recycle Bin feature is enabled in an Active Directory environment, directory objects can be in one of the following four states (which are illustrated in Figure 1):
- Live - The object is functioning in Active Directory and is located in its proper container within the directory. As an example, a user account object that is live is one that a user can utilize for logging on to the network.
- Deleted - The object has been moved to the Deleted Objects container within Active Directory. The object is no longer functioning in Active Directory, but the object’s link-valued and non-link-valued attributes are preserved, allowing the object to be recovered by restoring it from the Active Directory Recycle Bin if the lifetime of the deleted object has not yet expired. (By default, when the Active Directory Recycle Bin is enabled, the deleted object lifetime is configured as 180 days.) For example, a user account in the deleted state cannot be used for logging on to the network, but if the user account is restored to its live state, it can again be used for logon purposes.
- Recycled - The deleted object lifetime has expired for the object. The object remains in the Deleted Objects container, but most of its attributes are now stripped away. The object can no longer be recovered by restoring it from the Active Directory Recycle Bin or by taking other steps, such as reanimating Active Directory tombstone objects.
- Removed - The recycled object lifetime has expired for the object. The Active Directory garbage collection process has physically removed the object from the directory database.
Figure 1: The four states of Active Directory objects when the Active Directory Recycle Bin is enabled.
Enabling the Active Directory Recycle Bin
The Active Directory Recycle Bin feature is disabled by default. Enabling it in your environment requires that the forest functional level be Windows Server 2008 R2 or higher, which in turn means that all domain controllers in your forest must be running Windows Server 2008 R2 or higher.
To enable the Active Directory Recycle Bin using the Active Directory Administrative Center (ADAC), perform the following steps:
- Log on using credentials of an account that belongs to the Enterprise Admins or Schema Admins group.
- Right-click on the forest root domain in the navigation pane, and select Raise The Forest Functional Level as shown in Figure 2 below.
- Ensure that the forest functional level for your environment is Windows Server 2008 R2 or higher.
- Right-click again on the forest root domain, and select Enable Recycle Bin.
- Review the warning, and click OK to proceed with enabling the Active Directory Recycle Bin.
- Refresh ADAC, and wait until all domain controllers in the forest have replicated the configuration change before attempting to use the Active Directory Recycle Bin to restore deleted objects.
Figure 2: Raising the forest functional level.
You can also use Windows PowerShell to perform all of the actions required to enable the Active Directory Recycle Bin for your environment. For example, you can use the Set-ADForestMode cmdlet to raise the forest functional level to Windows Server 2008 R2 or higher. And you can use the Enable-ADOptionalFeature cmdlet to enable the Active Directory Recycle Bin feature. Use the Get-Help cmdlet to display the syntax and examples for each of these cmdlets.
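The same procedure carried out from PowerShell, as an added example that is not from the article or the book it draws on. It assumes the ActiveDirectory module, an account in Enterprise Admins, and that the raise and enable steps are both one-way (the cmdlet names, parameters and attribute names are real; the forest name comes from Get-ADForest rather than being hard-coded):

```powershell
# Added example: enable the AD Recycle Bin and verify the change has reached every DC.
Import-Module ActiveDirectory

$forest   = Get-ADForest
$required = [Microsoft.ActiveDirectory.Management.ADForestMode]::Windows2008R2Forest

# Step 1: the forest functional level must be 2008 R2 or higher. Raising it cannot be
# rolled back, so the confirmation prompt is left on deliberately.
if ([int]$forest.ForestMode -lt [int]$required) {
    Set-ADForestMode -Identity $forest.Name -ForestMode Windows2008R2Forest -Confirm:$true
}

# Step 2: enable the optional feature at forest scope (also cannot be disabled later).
$feature = Get-ADOptionalFeature -Identity 'Recycle Bin Feature'
if ($feature.EnabledScopes.Count -eq 0) {
    Enable-ADOptionalFeature -Identity $feature -Scope ForestOrConfigurationSet `
        -Target $forest.Name -Confirm:$false
}

# Step 3: poll every DC in the forest until each reports the feature as enabled, i.e.
# the configuration change has replicated. Nothing should be restored before then.
$dcs = foreach ($domain in $forest.Domains) {
    Get-ADDomainController -Filter * -Server $domain | Select-Object -ExpandProperty HostName
}
do {
    $pending = foreach ($dc in $dcs) {
        $f = Get-ADOptionalFeature -Identity 'Recycle Bin Feature' -Server $dc
        if ($f.EnabledScopes.Count -eq 0) { $dc }
    }
    if ($pending) { Write-Host "Waiting on: $($pending -join ', ')"; Start-Sleep -Seconds 30 }
} while ($pending)

# Step 4: report the lifetimes that govern the Deleted and Recycled states. A null
# msDS-DeletedObjectLifetime means the default (180 days) applies.
$dsCfg = Get-ADObject -Properties msDS-DeletedObjectLifetime, tombstoneLifetime -Identity `
    "CN=Directory Service,CN=Windows NT,CN=Services,$((Get-ADRootDSE).configurationNamingContext)"
[pscustomobject]@{
    ForestMode            = (Get-ADForest).ForestMode
    RecycleBinEnabled     = (Get-ADOptionalFeature -Identity 'Recycle Bin Feature').EnabledScopes.Count -gt 0
    DeletedObjectLifetime = $dsCfg.'msDS-DeletedObjectLifetime'
    TombstoneLifetime     = $dsCfg.tombstoneLifetime
}
```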
Although enabling the Active Directory Recycle Bin is a recommended best practice for Active Directory administration, once you enable this feature you cannot disable it. Plan carefully before taking this step, because you will also be unable to roll back the forest functional level afterwards. For more information on rolling back the forest functional level, see the topic titled "Understanding Active Directory Domain Services (AD DS) Functional Levels" in the TechNet Library.
Using the Active Directory Recycle Bin
After the Active Directory Recycle Bin is enabled, using it to restore deleted directory objects is straightforward as long as the deleted object lifetime of the objects has not expired. For example, Figure 3 shows how to restore the user account for Marie Dubois after it was accidentally deleted. The following menu options are available:
- Restore - Restore the deleted object to its original location within Active Directory.
- Restore To - Restore the deleted object to a container you specify using Column Explorer.
- Locate Parent - Display the container where the deleted object originally resided.
- Properties - Display or modify the properties of the deleted object.
You can restore multiple deleted objects in one action by multi-selecting them in the Deleted Objects container and choosing the appropriate menu option.
Figure 3: Restoring a deleted object using the Active Directory Recycle Bin.
After the Active Directory Recycle Bin is enabled for your environment, you can also use Windows PowerShell to restore directory objects you accidentally deleted. You can do this using the Restore-ADObject cmdlet. Use the Get-Help cmdlet to display the syntax and examples for this cmdlet.
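A PowerShell restore that respects the two constraints described above (the object must still be in the Deleted state, and its parent must be live before it is restored), as an added example that is not from the article or the book. It assumes the ActiveDirectory module and a forest with the Recycle Bin already enabled; the name pattern 'Marie*' is a constructed placeholder, and the function names Get-RestorableADObject and Restore-ADObjectTree are mine:

```powershell
# Added example: list restorable deleted objects and restore them parent-first.
Import-Module ActiveDirectory

function Get-RestorableADObject {
    param([Parameter(Mandatory)][string]$NameLike)
    # -IncludeDeletedObjects is required or the Deleted Objects container is invisible.
    # isRecycled = TRUE means the deleted object lifetime has expired: not restorable.
    Get-ADObject -Filter "isDeleted -eq `$true -and isRecycled -ne `$true -and msDS-LastKnownRDN -like '$NameLike'" `
        -IncludeDeletedObjects -Properties lastKnownParent, msDS-LastKnownRDN, whenChanged, isRecycled
}

function Restore-ADObjectTree {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][Microsoft.ActiveDirectory.Management.ADObject[]]$Objects)
    # Depth = number of unescaped commas in lastKnownParent. A deleted OU's own parent is
    # shallower than the parent recorded for its former children, so ascending depth
    # restores containers before their contents (each restore needs a live parent).
    $ordered = $Objects | Sort-Object { ([regex]::Matches("$($_.lastKnownParent)", '(?<!\\),')).Count }
    foreach ($obj in $ordered) {
        $label = "$($obj.'msDS-LastKnownRDN') -> $($obj.lastKnownParent)"
        if ($PSCmdlet.ShouldProcess($label, 'Restore')) {
            try {
                Restore-ADObject -Identity $obj.ObjectGUID -ErrorAction Stop
                Write-Host "Restored: $label"
            } catch {
                # Typical cause: the parent is itself still deleted, or was recycled.
                Write-Warning "Failed: $label ($($_.Exception.Message))"
            }
        }
    }
}

# Usage: review the candidates, preview with -WhatIf, then run for real.
$candidates = @(Get-RestorableADObject -NameLike 'Marie*')
$candidates | Select-Object 'msDS-LastKnownRDN', lastKnownParent, whenChanged, ObjectGUID | Format-Table -AutoSize
if ($candidates.Count -gt 0) {
    Restore-ADObjectTree -Objects $candidates -WhatIf
    # Restore-ADObjectTree -Objects $candidates
}
```

Because lastKnownParent is a DN-syntax attribute, it follows a restored OU back to its live location, which is why the children can be restored without specifying -TargetPath once the OU is back.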
Tips and Gotchas
There are several things you need to be aware of before you decide whether to enable and use the Active Directory Recycle Bin in your environment or not:
- Make sure you make a full backup of your Active Directory database right after you enable the Active Directory Recycle Bin in your environment. This is important because enabling Active Directory Recycle Bin invalidates any existing backups of Active Directory that were taken during the tombstone lifetime (last 180 days).
- If you have any Active Directory-aware applications in your environment, make sure that they are compatible with Active Directory Recycle Bin before you enable the feature in your environment. Talk to your application vendor if you're not sure about this.
- If you enable Active Directory Recycle Bin you should expect the size of your Active Directory database to grow accordingly because of deleted objects being retained until they are removed. The size of your Active Directory database may typically grow from 15 to 20 percent or even more if you frequently delete a lot of Active Directory objects, so plan your storage requirements carefully for your domain controllers.
Here are a few more things you should be aware of concerning the Active Directory Recycle Bin feature:
- When an Active Directory object is deleted, the entire object is kept in the Active Directory Recycle Bin for the full duration of the deleted object lifetime. This means that any passwords associated with the object are also preserved.
- Administrators can delegate the ability to perform certain tasks with the Active Directory Recycle Bin to non-admin users. These tasks are listed here and can be helpful when planning how your helpdesk and support staff will be using this feature.
Finally, here are a couple of additional resources from TechNet that are a bit dated but still helpful and technically accurate:
- Active Directory Recycle Bin Step-by-Step Guide
- The AD Recycle Bin: Understanding, Implementing, Best Practices, and Troubleshooting