How Active Directory Recycle Bin works: Enable AD Recycle Bin
Active Directory Recycle Bin, introduced with Windows Server 2008 R2, helps minimize directory service downtime by enhancing your ability to preserve and restore accidentally deleted Active Directory objects without restoring Active Directory data from backups, restarting AD DS, or rebooting domain controllers. Although tombstone reanimation also recovers deleted objects without taking a DC offline, a tombstone keeps only a handful of attributes; link-valued attributes such as group membership are stripped and must be rebuilt by hand, which is why that method is not as robust as AD Recycle Bin.
When you enable Active Directory Recycle Bin, all link-valued and non-link-valued attributes of the deleted Active Directory objects are preserved and the objects are restored in their entirety to the same consistent logical state that they were in immediately before deletion. It is important to understand two concepts:
Deleted objects
After you enable Active Directory Recycle Bin, when an Active Directory object is deleted, the system preserves all the object’s link-valued and non-link-valued attributes and the object becomes “logically deleted”, a new state introduced in Windows Server 2008 R2. A deleted object is moved to the Deleted Objects container, with its distinguished name mangled. A deleted object remains in the Deleted Objects container in a logically deleted state throughout the duration of the deleted object lifetime. Within the deleted object lifetime, you can recover a deleted object.
Recycled objects
After the deleted object lifetime expires, the logically deleted object is turned into a recycled object and most of its attributes are stripped away. A “recycled object,” a new state introduced in Windows Server 2008 R2, remains in the Deleted Objects container until its recycled object lifetime expires. After the recycled object lifetime expires, the garbage-collection process physically deletes the recycled Active Directory object from the database.
Deleted object lifetime and recycled object lifetime
The deleted object lifetime is determined by the value of the msDS-deletedObjectLifetime attribute. The recycled object lifetime is determined by the value of the legacy tombstoneLifetime attribute. Both attributes live on CN=Directory Service,CN=Windows NT,CN=Services in the Configuration partition. By default, msDS-deletedObjectLifetime is set to null. When msDS-deletedObjectLifetime is set to null, the deleted object lifetime is set to the value of the recycled object lifetime. By default, the recycled object lifetime, which is stored in the tombstoneLifetime attribute, is also set to null. In Windows Server 2012 R2, when tombstoneLifetime is set to null, the recycled object lifetime defaults to 180 days. Forests created on newer operating systems usually have tombstoneLifetime set explicitly, so read the attribute in your own forest rather than assuming the default: once the deleted object lifetime expires, the object is recycled and only a backup can bring it back.
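The following PowerShell is an added example, not code from the original article: it reads both lifetime attributes from the Directory Service object of the current forest and works out the effective deleted and recycled object lifetimes using the null-handling rules described above. The 180-day fallback is taken from the text; the optional Set-ADObject line (commented out) shows how an administrator would set msDS-deletedObjectLifetime explicitly.

```powershell
# Added example: inspect the lifetimes that govern AD Recycle Bin in this forest.
# Requires the ActiveDirectory module (RSAT) and read access to the Configuration partition.
Import-Module ActiveDirectory

$configNC = (Get-ADRootDSE).configurationNamingContext
$dsObject = Get-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$configNC" `
                         -Properties msDS-deletedObjectLifetime, tombstoneLifetime

$tombstone = $dsObject.tombstoneLifetime
$deleted   = $dsObject.'msDS-deletedObjectLifetime'

# Null tombstoneLifetime: the article's stated default for Windows Server 2012 R2 is 180 days.
$effectiveRecycledDays = if ($null -eq $tombstone) { 180 } else { [int]$tombstone }

# Null msDS-deletedObjectLifetime: the deleted object lifetime equals the recycled object lifetime.
$effectiveDeletedDays  = if ($null -eq $deleted) { $effectiveRecycledDays } else { [int]$deleted }

[PSCustomObject]@{
    tombstoneLifetime            = $tombstone
    'msDS-deletedObjectLifetime' = $deleted
    EffectiveDeletedObjectDays   = $effectiveDeletedDays
    EffectiveRecycledObjectDays  = $effectiveRecycledDays
    Source                       = if ($null -eq $deleted) { 'inherited from tombstoneLifetime' } else { 'explicit' }
}

# To set the deleted object lifetime explicitly (example value of 365 days; run as Enterprise Admin):
# Set-ADObject -Identity $dsObject -Replace @{ 'msDS-deletedObjectLifetime' = 365 }
```

If EffectiveDeletedObjectDays is shorter than the time it typically takes your helpdesk to notice a bad deletion, raise msDS-deletedObjectLifetime before you need it; a recycled object cannot be restored with Restore-ADObject.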
Active Directory Recycle Bin requires a forest functional level of Windows Server 2008 R2 or higher, and Enterprise Admins membership to enable it. It can be enabled with any of the following tools: Active Directory Administrative Center, the Enable-ADOptionalFeature PowerShell cmdlet (the recommended method), or Ldp.exe.
WARNING!
Enabling Active Directory Recycle Bin is an irreversible action. Perform this task carefully!
To enable Active Directory Recycle Bin run the following PowerShell commands:
Enable-ADOptionalFeature -Identity 'CN=Recycle Bin Feature,CN=Optional Features,CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=70411Lab,DC=com' -Scope ForestOrConfigurationSet -Target '70411Lab.com'
NOTE:
You can also enable Active Directory Recycle Bin from Active Directory Administrative Center.
The objects used in the PowerShell command above are from my test lab. Remember to change your domain name if you wish to run the command.
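The script below is an added example, not from the original article or book: it carries the procedure through end to end in one run, checking the forest functional level, enabling the feature only if it is not already on, verifying the result, and then proving the feature works by deleting and restoring a throwaway user. The user name rb-test is a hypothetical test account; the forest name is read from the environment rather than hard-coded, so it does not depend on the 70411Lab.com lab domain.

```powershell
# Added example: enable AD Recycle Bin with pre-checks, verify it, and test a restore.
# Run as a member of Enterprise Admins on a DC or a box with RSAT installed.
Import-Module ActiveDirectory

$forest  = Get-ADForest
$feature = Get-ADOptionalFeature -Identity 'Recycle Bin Feature'

# Pre-check: the feature needs forest functional level Windows Server 2008 R2 or higher.
$minMode = [Microsoft.ActiveDirectory.Management.ADForestMode]::Windows2008R2Forest
if ([int]$forest.ForestMode -lt [int]$minMode) {
    throw "Forest functional level is $($forest.ForestMode); raise it to $minMode or higher first."
}

# Enabling is irreversible and the cmdlet errors if the feature is already on, so check first.
if ($feature.EnabledScopes.Count -eq 0) {
    Enable-ADOptionalFeature -Identity $feature.DistinguishedName `
        -Scope ForestOrConfigurationSet -Target $forest.Name -Confirm:$false
}

# Verify: EnabledScopes lists the partition DNs the feature is enabled for (empty means off).
$scopes = (Get-ADOptionalFeature -Identity 'Recycle Bin Feature').EnabledScopes
if ($scopes.Count -eq 0) { throw 'Recycle Bin Feature is still not enabled.' }
"Recycle Bin enabled for: $($scopes -join ', ')"

# Prove it with a throwaway test user (hypothetical name rb-test).
$user = New-ADUser -Name 'rb-test' -SamAccountName 'rb-test' -PassThru
$guid = $user.ObjectGUID
Remove-ADUser -Identity $user -Confirm:$false

# Deleted objects sit under CN=Deleted Objects with a mangled DN; the GUID is the stable handle.
$gone = Get-ADObject -Filter { ObjectGUID -eq $guid } -IncludeDeletedObjects `
                     -Properties isDeleted, isRecycled, lastKnownParent
if (-not $gone.isDeleted) { throw 'Object was not found in the logically deleted state.' }
if ($gone.isRecycled)     { throw 'Object is already recycled; only a backup can bring it back.' }

# Restore-ADObject puts it back under lastKnownParent with its attributes intact.
Restore-ADObject -Identity $gone.ObjectGUID
Get-ADUser -Identity 'rb-test' -Properties memberOf | Select-Object Name, DistinguishedName, memberOf

# Clean up the test account once you have confirmed the restore.
Remove-ADUser -Identity 'rb-test' -Confirm:$false
```

The isRecycled check is the one that matters operationally: a deleted object past its deleted object lifetime still shows up under -IncludeDeletedObjects, but Restore-ADObject will refuse it, so test the check before you rely on it during an incident.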
This is an excerpt from my new book Hands-On Study Guide for exam 70-411: Administering Windows Server 2012 R2