Enabling the Active Directory Recycle Bin in Server 2012/R2

I don't want to be wrong here, but I think one of the most common Active Directory disasters administrators face is the accidentally deleted object. Even with strong security in place, there comes a time when you need to delegate permissions, and with delegation come accidents. There were, and maybe still are, third-party tools that let you restore objects or attribute values to the directory without recovering from a conventional system state backup, but you no longer have to spend money on those. Starting with Windows Server 2008 R2 a new feature called Active Directory Recycle Bin lets you recover deleted objects, but you had to rely on PowerShell for it. In Windows Server 2012/R2 we also get a GUI.

When you delete an object from Active Directory the object isn't actually purged from the database; it stays there for quite some time so that the deletion replicates across the entire forest (such objects are known as tombstones). The time an object is retained in the database after deletion is called the tombstone lifetime; once it passes, the record is removed from the database on each domain controller by the garbage collection process (which runs every 12 hours). When you enable the Active Directory Recycle Bin, a deleted object first enters a "deleted" state, in which all of its attributes and the links pointing to it are retained, and only after that does it become a tombstone. Before the Active Directory Recycle Bin existed, deleting an object stripped most of its attributes, so reanimating the tombstone gave you back an object missing most of the attributes it had at deletion time.

(Taken from Microsoft TechNet)

Enable Active Directory Recycle Bin

To enable the Active Directory Recycle Bin your forest functional level needs to be at least level four, which is Windows Server 2008 R2. So if you are still running Server 2003 on your domain controllers you're out of luck, but an upgrade will do the trick. If you are not compliant, the option to enable the AD Recycle Bin is grayed out

and PowerShell will give you an ugly error.


Be careful: once you enable the AD Recycle Bin it cannot be disabled, so make sure everything is tested and working in a lab before you implement this in production, to rule out side effects. If PowerShell is your preferred tool, you can use this command to enable the AD Recycle Bin (replace the domain name with your own):

Enable-ADOptionalFeature -Identity 'CN=Recycle Bin Feature,CN=Optional Features,CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=vkernel,DC=local' -Scope ForestOrConfigurationSet -Target 'vkernel.local'
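Because enabling the feature is a one-way change, it is worth checking the forest functional level and whether the Recycle Bin is already enabled before running the command. The script below is an added example, not code from the original post; it assumes the ActiveDirectory RSAT module is installed and that you run it as a member of Enterprise Admins. It reads the forest level from the RootDSE and locates the feature object in the configuration partition instead of hard-coding the domain DN.

```powershell
# Added example: pre-flight check before enabling the AD Recycle Bin.
# Assumes the ActiveDirectory module and Enterprise Admins rights.
Import-Module ActiveDirectory

$forest  = Get-ADForest
$rootDse = Get-ADRootDSE

# forestFunctionality is the numeric forest functional level;
# 4 = Windows Server 2008 R2, the minimum the Recycle Bin requires.
$level = [int]$rootDse.forestFunctionality
if ($level -lt 4) {
    throw "Forest functional level is $($forest.ForestMode) (level $level); Windows Server 2008 R2 (level 4) or higher is required."
}

# Find the optional feature object by name rather than typing its full DN.
$feature = Get-ADOptionalFeature -Filter 'Name -eq "Recycle Bin Feature"'
if (-not $feature) {
    throw 'Recycle Bin Feature object not found in the configuration partition.'
}

if ($feature.EnabledScopes.Count -gt 0) {
    Write-Host "Recycle Bin is already enabled in: $($feature.EnabledScopes -join ', ')"
}
else {
    Write-Host "Forest level $level is sufficient; enabling the Recycle Bin for $($forest.RootDomain)."
    # -Confirm prompts before the irreversible change; drop it only in fully scripted rollouts.
    Enable-ADOptionalFeature -Identity $feature.DistinguishedName `
        -Scope ForestOrConfigurationSet `
        -Target $forest.RootDomain `
        -Confirm
}
```

The `EnabledScopes` check is the same information the Administrative Center uses to decide whether the Enable Recycle Bin link is still clickable, so running this first avoids both the grayed-out link and the PowerShell error mentioned above.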


If you want to use the GUI to enable the AD Recycle Bin (Server 2012/R2), open Active Directory Administrative Center, click your domain name, and from the Tasks pane click the Enable Recycle Bin link.

Important: You cannot recover objects that were deleted before you enabled the AD Recycle Bin, only those deleted after.


Now that we have it enabled, let's test it. For the sake of this example I deleted my user account


and now I have to recover it. This is done from the Administrative Center > Deleted Objects.


Right-click the object(s) you want to recover and choose the Restore or Restore To option. If you choose Restore, the object is restored to its original location; if you choose Restore To, you are given the option to choose where to put the recovered object.


If you prefer PowerShell:

Get-ADObject -Filter {displayName -eq "Costea Adrian"} -IncludeDeletedObjects | Restore-ADObject


Of course this is just a simple PowerShell command to recover a deleted object, and you can extend it. Browse the Microsoft TechNet site and you will find plenty of examples.

If you are wondering what happens when an entire OU is deleted: this can be recovered just as easily from the Deleted Objects folder in the Administrative Center. In this case, however, you first need to recover the OU and then recover the objects that were inside it. If you try to restore an object before restoring its parent, you receive the following error message:

The operation could not be performed because the object’s parent is either uninstantiated or deleted.
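The ordering requirement above (parent before children) is easy to get wrong by hand when an OU contained nested OUs. The function below is an added example, not code from the original post: it restores a deleted container first and then every object whose lastKnownParent pointed at it, recursing into nested containers so each level comes back before its contents. It assumes the ActiveDirectory module, that the deleted OU was called "Sales" (a placeholder name), and matches children whose lastKnownParent holds either the parent's original DN or its DN inside the Deleted Objects container.

```powershell
# Added example: restore a deleted OU and its former contents in the right order.
# Assumes the ActiveDirectory module; "Sales" below is a placeholder OU name.
Import-Module ActiveDirectory

function Restore-ADDeletedTree {
    param(
        # A deleted container object as returned by Get-ADObject -IncludeDeletedObjects
        [Parameter(Mandatory)] $DeletedContainer,
        # Every deleted object in the domain (with lastKnownParent), fetched once by the caller
        [Parameter(Mandatory)] [object[]] $AllDeleted
    )

    # DN the container has while it sits in CN=Deleted Objects; children deleted in the
    # same operation may reference this form rather than the original DN.
    $deletedDN = $DeletedContainer.DistinguishedName

    # Restore the parent first; -PassThru returns the live object with its original DN.
    $live = Restore-ADObject -Identity $DeletedContainer.ObjectGUID -PassThru
    Write-Host "Restored container $($live.DistinguishedName)"

    # Children point back at their parent through lastKnownParent (either DN form).
    $children = $AllDeleted | Where-Object {
        $_.lastKnownParent -eq $live.DistinguishedName -or $_.lastKnownParent -eq $deletedDN
    }

    foreach ($child in $children) {
        if ($child.ObjectClass -in @('organizationalUnit', 'container')) {
            # Nested container: recurse so its own children are restored after it
            Restore-ADDeletedTree -DeletedContainer $child -AllDeleted $AllDeleted
        }
        else {
            Restore-ADObject -Identity $child.ObjectGUID
            Write-Host "Restored $($child.ObjectClass) $($child.Name)"
        }
    }
}

# --- usage ---
$deletedObjectsDN = 'CN=Deleted Objects,' + (Get-ADRootDSE).defaultNamingContext

# lastKnownParent is not returned by default, so request it explicitly; fetch once.
$allDeleted = Get-ADObject -Filter { isDeleted -eq $true } -IncludeDeletedObjects `
    -SearchBase $deletedObjectsDN -Properties lastKnownParent, ObjectClass

# Deleted names look like "Sales\0ADEL:<guid>", so match on the original name as a prefix.
$ou = $allDeleted |
    Where-Object { $_.ObjectClass -eq 'organizationalUnit' -and $_.Name -like 'Sales*' } |
    Select-Object -First 1
if (-not $ou) {
    throw 'Deleted OU "Sales" not found: it was deleted before the Recycle Bin was enabled, or its deleted-object lifetime has expired.'
}

Restore-ADDeletedTree -DeletedContainer $ou -AllDeleted $allDeleted
```

Fetching the Deleted Objects container once and filtering client-side keeps the escaped `\0ADEL:` distinguished names out of LDAP filter strings, and the recursion guarantees you never hit the "parent is either uninstantiated or deleted" error for nested OUs.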

Some additional tasks you can perform are modifying the tombstone lifetime (the number of days before a deleted object is removed from the directory service) and the deleted object lifetime, which by default are 180 days. This can be done only with PowerShell or Ldp.exe, and since PowerShell is preferred I'm going to use it for this example.

To modify the tombstone lifetime to 365 days run the following command (replace DC=vkernel,DC=local with the distinguished name of your own Active Directory domain):

Set-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=vkernel,DC=local" -Partition "CN=Configuration,DC=vkernel,DC=local" -Replace @{"tombstoneLifetime" = 365}


To modify the deleted object lifetime to 365 days run the following command (again, replace DC=vkernel,DC=local with the distinguished name of your own domain):

Set-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=vkernel,DC=local" -Partition "CN=Configuration,DC=vkernel,DC=local" -Replace @{"msDS-DeletedObjectLifetime" = 365}
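Before changing either value it helps to see what is currently set, because an unset tombstoneLifetime attribute means the 60-day default and an unset msDS-DeletedObjectLifetime means "same as the tombstone lifetime". The script below is an added example, not code from the original post: it derives the configuration partition DN from the RootDSE instead of hard-coding the domain, reads both lifetimes, sets them, and reads them back. It assumes the ActiveDirectory module and Enterprise Admins rights.

```powershell
# Added example: inspect and set the tombstone and deleted-object lifetimes.
# Assumes the ActiveDirectory module and Enterprise Admins rights.
Import-Module ActiveDirectory

$configNC   = (Get-ADRootDSE).configurationNamingContext
$dsObjectDN = "CN=Directory Service,CN=Windows NT,CN=Services,$configNC"

function Get-ADLifetimes {
    $ds = Get-ADObject -Identity $dsObjectDN -Partition $configNC `
        -Properties tombstoneLifetime, 'msDS-DeletedObjectLifetime'
    [pscustomobject]@{
        # $null here means the attribute is unset: 60 days for the tombstone lifetime
        TombstoneLifetime     = $ds.tombstoneLifetime
        # $null here means "falls back to the tombstone lifetime"
        DeletedObjectLifetime = $ds.'msDS-DeletedObjectLifetime'
    }
}

function Set-ADLifetimes {
    param(
        [Parameter(Mandatory)] [ValidateRange(2, 3650)] [int] $TombstoneDays,
        [Parameter(Mandatory)] [ValidateRange(2, 3650)] [int] $DeletedObjectDays
    )
    # With the Recycle Bin enabled an object is restorable for DeletedObjectDays,
    # then lingers as a recycled (tombstone-like) object for TombstoneDays before
    # garbage collection removes it for good.
    Set-ADObject -Identity $dsObjectDN -Partition $configNC -Replace @{
        tombstoneLifetime            = $TombstoneDays
        'msDS-DeletedObjectLifetime' = $DeletedObjectDays
    }
}

Write-Host 'Before:'
Get-ADLifetimes | Format-List

Set-ADLifetimes -TombstoneDays 365 -DeletedObjectDays 365

Write-Host 'After:'
Get-ADLifetimes | Format-List
```

Reading the values back after the change confirms the write landed on the Directory Service object in the configuration partition, which is the single forest-wide place both settings live.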


As you can see, the AD Recycle Bin is improved in Server 2012 compared to 2008, and once enabled it makes your life much easier: you can recover deleted objects in seconds rather than hours or days. If your environment supports it, I can't find a reason not to enable this great feature.

3 thoughts on "Enabling the Active Directory Recycle Bin in Server 2012/R2"

  • 26/05/2016 at 12:35

    Hi Adrian,

    I have a query and not able to find the solution related with this topic. Please help me with below query.

    If we change the tombstone lifetime = 365 days and isrecycled= in AD 2012.

    1. How many days will we have as the retention period for a deleted object?
    2. How can we restore it?
    3. What will be the best way if we want a retention period up to 365 days?

    Thanks in advance..

  • 18/12/2015 at 17:28

    Thanks vkernel, I went on all possible websites and I was not able to find the answer to my question. Your website helped. Thanks a lot dear. This was driving me nuts, now I am feeling relaxed, thanks to you again. Your website is awesome, TechNet is useless, crap
