A First Look at the Active Directory Domain Services Recycling Bin Feature in the Windows Server 2008 R2 Beta

Posted by John Policelli on January 23rd, 2009
Windows Server 2008 R2 includes a new Recycling Bin feature for Active Directory Domain Services (AD DS) and Active Directory Lightweight Directory Services (AD LDS).
The following is a first look at the Active Directory Recycling Bin that is included with the Windows Server 2008 R2 Beta.
NOTE: Updated May 8, 2009 to include information for the RC build of Windows Server 2008 R2.
Disclaimer
The following is based on the Beta build of Windows Server 2008 R2. Therefore, it may change by the time RTM is released.

Considerations


  • The Active Directory Recycling Bin feature requires a forest functional level of Windows Server 2008 R2
  • The Active Directory Recycling Bin feature is disabled by default
  • The Active Directory Recycling Bin feature is a forest-wide feature, so it applies to every domain in the forest
  • Objects that were deleted prior to the Active Directory Recycling Bin feature being enabled cannot be recovered by using the Recycling Bin
  • The Recycling Bin feature cannot be disabled after it has been enabled
  • When the Recycling Bin feature is enabled, you cannot roll back / lower functional levels – see: Roll Back / Lower Active Directory Functional Levels in Windows Server 2008 R2

Overview of How the Active Directory Recycling Bin Feature Works

Once the forest functional level has been set to Windows Server 2008 R2 and the Active Directory Recycling Bin feature is enabled, the life cycle for an Active Directory object is as follows:

  • An Active Directory object is deleted
  • All of the object’s link-valued and non-link-valued attributes are preserved and the object becomes logically deleted
  • The object is moved to the Deleted Objects container and its distinguished name is mangled
  • The object remains in the Deleted Objects container in a logically deleted state for the duration of the Deleted Objects Lifetime, which is defined in the msDS-deletedObjectLifetime attribute
  • While the object is in the Deleted Objects container, it can be recovered from the Recycling Bin
  • Once the Deleted Objects Lifetime expires, the object is made a recycled object and most of its attributes are cleared
  • At this point, the object can no longer be recovered by using the Active Directory Recycling Bin feature
  • The recycled object remains in the Deleted Objects container for the duration of the Tombstone Lifetime, which is defined in the tombstoneLifetime attribute and is 180 days by default
  • Once the Tombstone Lifetime expires, the recycled object is physically deleted from the database by the garbage-collection process

Enabling the Active Directory Recycling Bin Feature

As previously mentioned, the Active Directory Recycling Bin feature is disabled by default in Windows Server 2008 R2. As such, you must enable the feature after you raise the forest functional level to Windows Server 2008 R2.
To enable the Active Directory Recycling Bin feature, log on to a domain controller with a user account that is a member of the Enterprise Admins group, and perform the following:

  1. Click Start, click Administrative Tools, and then click Active Directory PowerShell
  2. Type Enable-ADOptionalFeature -Identity 'CN=Recycle Bin Feature,CN=Optional Features,CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=Domain,DC=com' -Scope Forest -Target 'Domain.com' and then hit Enter
  3. You will be prompted to confirm the operation; type Y and hit Enter.

At this point, the Active Directory Recycling Bin feature has been enabled. In the Windows Server 2008 R2 Beta, you do not receive any confirmation that the previous step was successful. You can verify that the Active Directory Recycling Bin is enabled by looking at the msDS-EnabledFeature attribute on the CN=Partitions,CN=Configuration,DC=Domain,DC=com container, which should contain CN=Recycle Bin Feature,CN=Optional Features,CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=Domain,DC=com

NOTE: In the above steps, DC=Domain,DC=Com should be replaced with the distinguished name of your forest root domain, and Domain.com should be replaced with the DNS name of your forest root domain.
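Because enabling the feature is a one-way operation and the Beta gives no confirmation, the script below (an added example, not code from the original post) performs the pre-flight checks, runs Enable-ADOptionalFeature, and then verifies the msDS-EnabledFeature attribute on CN=Partitions as described above. It assumes the Active Directory module for Windows PowerShell; note that the RTM module names the forest-wide scope ForestOrConfigurationSet rather than the Beta's Forest. The confirmation prompt is deliberately left in place.

```powershell
# Added example (not from the original post): check, enable, verify.
# Assumes the Active Directory module for Windows PowerShell and a session
# running as a member of Enterprise Admins.
Import-Module ActiveDirectory

$forest    = Get-ADForest
$configNC  = (Get-ADRootDSE).configurationNamingContext
$featureDN = "CN=Recycle Bin Feature,CN=Optional Features,CN=Directory Service,CN=Windows NT,CN=Services,$configNC"

# 1. The forest functional level must already be Windows Server 2008 R2.
if ($forest.ForestMode -ne 'Windows2008R2Forest') {
    throw "Forest mode is $($forest.ForestMode); raise it to Windows2008R2Forest first."
}

# 2. Enabling cannot be undone, so do nothing if the feature is already on.
#    EnabledScopes lists the partitions the feature has been enabled for.
$feature = Get-ADOptionalFeature -Identity $featureDN
if ($feature.EnabledScopes -contains "CN=Partitions,$configNC") {
    Write-Host "Recycle Bin is already enabled for $($forest.RootDomain)."
} else {
    # RTM scope name shown here; the Beta build in the post uses -Scope Forest.
    # No -Confirm:$false: the interactive Y/N prompt is kept on purpose.
    Enable-ADOptionalFeature -Identity $featureDN -Scope ForestOrConfigurationSet -Target $forest.RootDomain
}

# 3. Verify the way the post describes: msDS-EnabledFeature on CN=Partitions
#    must list the feature's distinguished name.
$partitions = Get-ADObject -Identity "CN=Partitions,$configNC" -Properties msDS-EnabledFeature
if (@($partitions.'msDS-EnabledFeature') -contains $featureDN) {
    Write-Host "Verified: Recycle Bin Feature is listed in msDS-EnabledFeature on CN=Partitions."
} else {
    Write-Warning "Recycle Bin Feature is not yet listed on CN=Partitions; check replication of the Configuration partition."
}
```

The distinguished names are derived from the RootDSE rather than typed in, which avoids the DC=Domain,DC=com substitution the note above asks for.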
Viewing Objects that are in the Deleted Objects Container

The Deleted Objects container cannot be viewed by using the Active Directory Users and Computers, Active Directory Administrative Center, or ADSI Edit consoles. The current built-in methods available to view objects that are in the Deleted Objects container are the LDP.exe console and the Active Directory PowerShell cmdlets.
Viewing Objects that are in the Deleted Objects Container by Using LDP.exe

As previously mentioned, the Deleted Objects container can be viewed by using the LDP.exe console. By default, the Deleted Objects Container is not visible in LDP.exe. In order to view the Deleted Objects container in LDP.exe, you need to perform the following tasks:

  1. Open LDP.exe
  2. On the Connection menu, select Connect
  3. On the Connect dialog box, type the name of a domain controller in the forest root domain, and then click OK
  4. On the Connection menu, select Bind
  5. On the Bind dialog box, select the Bind as currently logged on user option and then click OK, or select the Bind with credentials option, enter the credentials, and then click OK
  6. On the View menu, select Tree
  7. On the Tree View dialog box, enter the distinguished name of the forest root domain, and then click OK
  8. On the Options menu, select Controls
  9. On Controls dialog box, select Return deleted objects from the dropdown below Load Predefined, and then click OK
  10. Double-click the forest root domain node in the console tree, expand the forest root domain in the console tree, and then double-click the CN=Deleted Objects,DC=Domain,DC=Com node, where DC=Domain,DC=Com is the distinguished name of your forest root domain.
  11. The Deleted Objects container will be visible.

In my test environment there are no objects in the Deleted Objects container yet. If I delete a user object, the user object will appear in the Deleted Objects container.

The deleted object’s distinguished name is mangled because it was deleted after the Active Directory Recycling Bin feature was enabled. The msDS-LastKnownRDN attribute on the deleted object shows the original RDN (User1).
Viewing Objects that are in the Deleted Objects Container by Using PowerShell cmdlets

As previously mentioned, deleted objects can be viewed by using the Active Directory PowerShell cmdlets. Use the following to view objects that are in the Deleted Objects container:

  1. Click Start, click Administrative Tools, and then click Active Directory PowerShell
  2. Type Get-ADObject -LDAPFilter "(msDS-LastKnownRDN=*)" -IncludeDeletedObjects and then hit Enter
  3. The deleted objects will be returned.
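The one-line query above returns every deleted object but does not tell you which ones the Recycling Bin can still bring back. The following script (an added example, not code from the original post) builds on the same filter and reports, for each entry, its original RDN and parent, whether it has already been recycled, and roughly how many days remain before the Deleted Objects Lifetime turns it into a recycled object. It assumes the Active Directory module for Windows PowerShell and searches only the forest root domain.

```powershell
# Added example (not from the original post): inventory the Deleted Objects
# container and flag what is still recoverable. Assumes the AD module for
# Windows PowerShell on a Windows Server 2008 R2 forest.
Import-Module ActiveDirectory

$rootDSE  = Get-ADRootDSE
$configNC = $rootDSE.configurationNamingContext

# Deleted Objects Lifetime lives on the Directory Service object; when it is
# not set, the directory uses the tombstoneLifetime value instead.
$dsObject = Get-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$configNC" `
    -Properties msDS-deletedObjectLifetime, tombstoneLifetime
$deletedLifetime = $dsObject.'msDS-deletedObjectLifetime'
if ($null -eq $deletedLifetime) { $deletedLifetime = $dsObject.tombstoneLifetime }

# Same filter as the post. Using msDS-LastKnownRDN rather than isDeleted=TRUE
# keeps the Deleted Objects container itself (also marked deleted) out of the list.
$deleted = Get-ADObject -LDAPFilter '(msDS-LastKnownRDN=*)' -IncludeDeletedObjects `
    -SearchBase $rootDSE.defaultNamingContext `
    -Properties msDS-LastKnownRDN, lastKnownParent, objectClass, whenChanged, isRecycled

$now = Get-Date
$report = @(foreach ($obj in $deleted) {
    # Deletion updates whenChanged, so it approximates the deletion date.
    $ageDays = [int]($now - $obj.whenChanged).TotalDays
    if ($obj.isRecycled) {
        $state    = 'Recycled (not recoverable)'
        $daysLeft = $null
    } else {
        $state    = 'Deleted (recoverable)'
        $daysLeft = if ($null -eq $deletedLifetime) { $null } else { $deletedLifetime - $ageDays }
    }
    New-Object PSObject -Property @{
        OriginalRDN = $obj.'msDS-LastKnownRDN'
        ObjectClass = $obj.objectClass
        LastParent  = $obj.lastKnownParent
        DeletedAgo  = $ageDays
        DaysLeft    = $daysLeft
        State       = $state
    }
})

$report | Sort-Object DaysLeft |
    Format-Table OriginalRDN, ObjectClass, State, DeletedAgo, DaysLeft, LastParent -AutoSize

# Objects close to the end of their Deleted Objects Lifetime need attention now;
# after that point only a backup restore can bring them back.
$soon = @($report | Where-Object { $null -ne $_.DaysLeft -and $_.DaysLeft -le 7 })
Write-Host "$($report.Count) deleted objects; $($soon.Count) recoverable for 7 days or less."
```

The DaysLeft column is an estimate based on whenChanged; the garbage-collection pass that actually recycles an object runs on its own schedule, so treat a small value as a prompt to restore, not as an exact deadline.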

Restoring Deleted Objects

The current built-in methods available to restore objects that are in the Deleted Objects container are the LDP.exe console and the Active Directory PowerShell cmdlets.
Restoring Deleted Objects by Using LDP.exe

  1. Follow the steps detailed in “Viewing Objects that are in the Deleted Objects Container by Using LDP.exe” above.
  2. In the console tree, right-click on the object that you want to restore, and then click Modify
  3. On the Modify dialog box:
    1. Type isDeleted into the Edit Entry Attribute field
    2. Select Delete under the Operation section, and then click Enter
    3. Type distinguishedName into the Edit Entry Attribute field
    4. In Values, type the original distinguished name of the Active Directory object
    5. Select Replace under the Operation section
    6. Select the Extended check box
    7. Click Enter
    8. Click Run
    9. Close the Modify dialog box
    10. Verify the modify operations completed in the details pane of LDP.exe
Restoring Deleted Objects by Using the Active Directory PowerShell cmdlets

As previously mentioned, deleted objects can be restored by using the Active Directory PowerShell cmdlets. Use the following to restore objects that are in the Deleted Objects container:

  1. Click Start, click Administrative Tools, and then click Active Directory PowerShell
  2. Type Get-ADObject -LDAPFilter "(msDS-LastKnownRDN=User1)" -IncludeDeletedObjects | Restore-ADObject, and then hit Enter

Notes:

  • The above command will not produce any results in the PowerShell console. You can use the previously mentioned methods to view the Deleted Objects container to ensure the object was restored. You can also search for the restored object in the Active Directory Users and Computers and Active Directory Administrative Center consoles.
  • The example above restored a user that had an RDN of User1.
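The one-liner above works when exactly one deleted object has that RDN and its original parent container still exists. The script below (an added example, not code from the original post) adds the checks a practitioner would want before a restore: it picks the most recently deleted non-recycled object when several share the RDN, falls back to -TargetPath when lastKnownParent is gone, renames the object if a live object with the same name already occupies the destination, and uses -PassThru so the restore actually produces output. It assumes the Active Directory module for Windows PowerShell; User1 and the fallback OU are placeholders.

```powershell
# Added example (not from the original post): restore a deleted object by its
# original RDN with safety checks. Assumes the AD module for Windows PowerShell;
# 'User1' and the fallback OU are placeholders for this example.
Import-Module ActiveDirectory

$rdn        = 'User1'                          # original RDN of the deleted object
$fallbackOU = 'OU=Restored,DC=Domain,DC=com'   # placeholder; used only if the original parent is gone

# Every deleted object that once had this RDN. RDN values containing LDAP filter
# metacharacters such as ( ) * \ would need escaping before being interpolated.
$candidates = @(Get-ADObject -LDAPFilter "(msDS-LastKnownRDN=$rdn)" -IncludeDeletedObjects `
    -Properties msDS-LastKnownRDN, lastKnownParent, isRecycled, whenChanged)
if ($candidates.Count -eq 0) { throw "No deleted object with RDN '$rdn' found." }

# The same name may have been deleted more than once. Only non-recycled entries
# can come back, and the newest of those is normally the one you want.
$restorable = @($candidates | Where-Object { -not $_.isRecycled } | Sort-Object whenChanged -Descending)
if ($restorable.Count -eq 0) { throw "Every deleted object named '$rdn' has already been recycled." }
$target = $restorable[0]
if ($restorable.Count -gt 1) {
    Write-Warning "$($restorable.Count) restorable objects named '$rdn'; restoring the most recently deleted one (changed $($target.whenChanged))."
}

# Restore-ADObject puts the object back under lastKnownParent and fails if that
# container was deleted as well, so check it and fall back to -TargetPath.
$parentDN     = $target.lastKnownParent
$parentExists = $true
try { $null = Get-ADObject -Identity $parentDN -ErrorAction Stop } catch { $parentExists = $false }
$destination = if ($parentExists) { $parentDN } else { $fallbackOU }

# A live object with the same name in the destination also blocks the restore.
$clash = Get-ADObject -LDAPFilter "(name=$rdn)" -SearchBase $destination -SearchScope OneLevel

# Identify the object by GUID so the mangled distinguished name never has to be typed.
$params = @{ Identity = $target.ObjectGUID; PassThru = $true }
if (-not $parentExists) { $params['TargetPath'] = $fallbackOU }
if ($clash)             { $params['NewName']    = "$rdn-restored" }
$restored = Restore-ADObject @params

# Confirm it is back: isDeleted is cleared and the DN is no longer mangled.
Get-ADObject -Identity $restored.ObjectGUID -Properties isDeleted |
    Select-Object Name, DistinguishedName, ObjectClass, isDeleted
```

Restoring by ObjectGUID also sidesteps the escaping problems of the mangled DN, which contains a NUL character and the object's GUID.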
