Hopefully some of you have been playing with Server 2008 R2 while it has been in Beta. One of the features I'm looking forward to most is the AD Recycle Bin. Yes, you heard me correctly: we now have an easy method for restoring accidentally deleted objects, group memberships included.
In the past our only recovery method out of the box was to perform an authoritative restore of an object. That method had several issues that always rubbed me the wrong way. First, you had to take the DC offline into Directory Services Restore Mode (DSRM) and restore from a system state backup. Since Server 2003 we have also had tombstone reanimation, but a tombstone keeps only a handful of attributes; link-valued attributes such as group membership, and most of the others, are stripped when the object is deleted, so reanimation left you rebuilding the object by hand. The default tombstone lifetime is 180 days for forests created on Server 2003 SP1 or later (2008 included) and 60 days for forests created on Windows 2000 or Server 2003 RTM, and that older default sticks after an upgrade unless someone has changed it.

You are probably already familiar with tombstones and the garbage collection process. If not, read Gil's excellent article on that here. With Server 2008 R2 you will also need to become aware of two new object states: the deleted object and the recycled object. The first thing to realize is that the AD Recycle Bin is not enabled by default with Server 2008 R2. The following requirements must be met first:
- Every DC in the forest must be running Server 2008 R2, so that you can raise the Forest Functional Level to Server 2008 R2
- Enable the AD Recycle Bin as a member of Enterprise Admins (my example uses PowerShell…get used to it now). On 2008 R2 you first need Import-Module ActiveDirectory, or open the Active Directory Module for Windows PowerShell shortcut
- Enable-ADOptionalFeature -Identity 'CN=Recycle Bin Feature,CN=Optional Features,CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=AdminPrep,DC=com' -Scope ForestOrConfigurationSet -Target 'AdminPrep.com'
- Just make sure to replace AdminPrep with your domain. Note that enabling the feature is a one-way operation: once it is on it cannot be disabled, and objects that were already tombstoned when you enabled it become recycled objects, so they cannot be recovered this way
Now when an object is deleted it is no longer turned into a stripped tombstone. Instead it is marked as deleted (isDeleted is set to TRUE) with all of its attributes, link-valued ones included, left intact, and it is moved into the hidden Deleted Objects container of its partition, CN=Deleted Objects,DC=AdminPrep,DC=com. It stays in that state for the deleted object lifetime. Only then does it become a recycled object (isRecycled is set to TRUE), at which point most attributes are stripped and it can no longer be restored; after a further tombstone lifetime it is garbage collected. When you want to restore an object there are two methods that I'm aware of, one using PowerShell and the other using LDP.
Using LDP:
- Using elevated credentials, open LDP by typing ldp.exe from the Run dialog box
- Click Connection, select Connect, and then go back and select Bind (bind as an account that may restore the object; Domain Admins can)
- Click Options, click Controls, and under Load Predefined select Return deleted objects, then click OK. Without this control the Deleted Objects container is not returned and will not show up in the tree
- Click View, click Tree, and enter the partition DN (for example DC=AdminPrep,DC=com) to load it
- Navigate to the CN=Deleted Objects container
- Find the object you wish to restore, right-click it and select Modify
- In the Modify dialog box:
- In Edit Entry Attribute, type isDeleted
- Leave the Values box empty
- Under Operation, click Delete, and then click Enter
- In Edit Entry Attribute, type distinguishedName
- In Values, type the original distinguished name (also known as DN) of this Active Directory object, for example CN=Brian,OU=Sales,DC=AdminPrep,DC=com. The parent container named in that DN must already exist
- Under Operation, click Replace
- Make sure that the Extended check box is selected, click Enter, and then click Run
Both changes go out in a single LDAP modify operation, which is why you click Enter after each one and Run only once: the directory rejects the restore if isDeleted is removed and distinguishedName is set in separate operations.
To restore an object using PowerShell you use the Get-ADObject and Restore-ADObject cmdlets. Using PowerShell:
- Open the Active Directory Module for Windows PowerShell and use the following syntax:
- Get-ADObject -Filter {String} -IncludeDeletedObjects | Restore-ADObject
- Here is an example of restoring a deleted user account named Brian:
- Get-ADObject -Filter {displayName -eq "Brian" -and isDeleted -eq $true} -IncludeDeletedObjects | Restore-ADObject
- Note that -IncludeDeletedObjects returns live objects as well as deleted ones, which is why the filter also checks isDeleted. Display names are not unique either, so run the Get-ADObject half on its own first and confirm it returns exactly one object (look at lastKnownParent and whenChanged) before piping it into Restore-ADObject
When restoring multiple items that are nested (an OU that contains users, or an OU inside a deleted OU) start at the highest level and work down. Restore-ADObject puts an object back under its lastKnownParent, so if that parent is itself still deleted the restore fails; restore the OU first, or point Restore-ADObject at a different container with -TargetPath. Group membership is preserved on the deleted object, so a restored user comes back as a member of its groups without any extra work.
An object can only be restored using those methods while it is still within the deleted object lifetime. The attribute is msDS-DeletedObjectLifetime on CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=AdminPrep,DC=com. If you look it up it will usually have a null value, which means the deleted object lifetime equals the tombstone lifetime (tombstoneLifetime on the same object), and if that is null too the directory uses 60 days. A forest created on Server 2003 SP1 or later has tombstoneLifetime set to 180 at creation, which is where the 180-day figure comes from, so check rather than assume.
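Putting the PowerShell steps together, here is an added example (mine, not code from the original post) that checks the feature is really enabled, finds the deleted object without picking up live ones, and restores a deleted parent OU before the user that lived in it. It assumes the Active Directory module and the AdminPrep.com domain from the post; the name pattern Brian* is illustrative.

```powershell
# Added example: end-to-end AD Recycle Bin restore, parent container first.
# Assumes the ActiveDirectory module (Server 2008 R2 RSAT) and the post's domain.
Import-Module ActiveDirectory

$domainDn  = (Get-ADDomain).DistinguishedName
$deletedDn = "CN=Deleted Objects,$domainDn"

# 1. Confirm the optional feature is enabled in this forest. EnabledScopes
#    stays empty until Enable-ADOptionalFeature has been run.
$feature = Get-ADOptionalFeature -Filter { Name -eq 'Recycle Bin Feature' }
if (-not $feature.EnabledScopes) {
    throw 'AD Recycle Bin is not enabled; deleted objects are ordinary tombstones here.'
}

# 2. List candidates. -IncludeDeletedObjects also returns live objects, so
#    filter on isDeleted explicitly and drop anything already recycled.
function Get-DeletedCandidates {
    param([string]$NamePattern)
    Get-ADObject -SearchBase $deletedDn -IncludeDeletedObjects `
        -Filter { isDeleted -eq $true -and Name -like $NamePattern } `
        -Properties isRecycled, lastKnownParent, whenChanged |
        Where-Object { -not $_.isRecycled }
}

# 3. Restore one object, recursively restoring its last known parent first
#    when that parent is still sitting in the Deleted Objects container.
function Restore-WithParent {
    param([Microsoft.ActiveDirectory.Management.ADObject]$Object)

    $parentDn = $Object.lastKnownParent
    if ($parentDn -like "*,$deletedDn") {
        $parent = Get-ADObject -Identity $parentDn -IncludeDeletedObjects -Properties lastKnownParent
        Restore-WithParent -Object $parent
    }
    Restore-ADObject -Identity $Object.ObjectGUID
    Write-Host ('Restored {0} ({1})' -f $Object.Name, $Object.ObjectGUID)
}

# Find the user, insist on a unique match, then restore it (and its OU if needed).
$hits = @(Get-DeletedCandidates -NamePattern 'Brian*')
$hits | Select-Object Name, ObjectClass, lastKnownParent, whenChanged | Format-Table -AutoSize
if ($hits.Count -ne 1) {
    throw "Expected exactly one match, found $($hits.Count); tighten the pattern."
}
Restore-WithParent -Object $hits[0]
```

The uniqueness check is the part worth keeping even if you simplify the rest: a deleted object's Name carries a \0ADEL:<GUID> suffix, so a loose pattern can match several generations of the same account, and Restore-ADObject will happily try to restore all of them to the same DN.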
Here is a look at what the AD Recycle Bin looks like visually:

I just found out that there is an Active Directory PowerShell Blog run by Microsoft's AD PowerShell team. I gathered that info from reading up on Jason's post. It's amazing how much info you can get from reading other people's blogs…now on to the regularly scheduled post…
After writing my article on the AD Recycle Bin I thought I would include a few PowerShell scripts here that can be used to modify the tombstone lifetime along with the deleted object lifetime. Remember that both attributes show up as Null in LDP until something sets them. A Null msDS-DeletedObjectLifetime means the tombstone lifetime is used, and a Null tombstoneLifetime means 60 days, so the 180 days you usually hear quoted only applies if the forest was created on Server 2003 SP1 or later, which writes 180 into tombstoneLifetime explicitly.
PowerShell script to change the tombstone lifetime of my forest (AdminPrep.Local) to 250 days:
Set-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=AdminPrep,DC=Local" -Partition "CN=Configuration,DC=AdminPrep,DC=Local" -Replace:@{"tombstoneLifetime" = 250}
PowerShell script to change the deleted object lifetime to 250 days:
Set-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=AdminPrep,DC=Local" -Partition "CN=Configuration,DC=AdminPrep,DC=Local" -Replace:@{"msDS-DeletedObjectLifetime" = 250}
Both values are forest-wide (the object lives in the Configuration partition) and changing them needs Enterprise Admin rights. Keep the trade-off in mind before you touch them: a longer tombstone lifetime keeps recycled and tombstoned objects in the database longer, but it also lengthens the window in which a DC or a backup can sit offline and still be brought back safely. Setting it shorter than your oldest usable backup or longest DC outage is how you end up with lingering objects.
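Because a Null in LDP does not tell you what lifetime is actually in effect, here is an added example (mine, not code from the original post) that reads both attributes from the configuration partition, applies the directory's defaulting rules, and only then changes them, with a dry run first. It assumes the Active Directory module; the 250-day target is the post's example value, and the function names are mine.

```powershell
# Added example: show the effective tombstone / deleted object lifetimes and
# change them with a -WhatIf dry run. Assumes the ActiveDirectory module.
Import-Module ActiveDirectory

$configNc = (Get-ADRootDSE).configurationNamingContext
$dsObject = "CN=Directory Service,CN=Windows NT,CN=Services,$configNc"

function Get-EffectiveLifetimes {
    $props = Get-ADObject -Identity $dsObject -Partition $configNc `
        -Properties tombstoneLifetime, 'msDS-DeletedObjectLifetime'

    # Null tombstoneLifetime means 60 days (forest created on Windows 2000 or
    # Server 2003 RTM); forests created on 2003 SP1 or later wrote 180 here.
    $tsl = if ($null -eq $props.tombstoneLifetime) { 60 } else { [int]$props.tombstoneLifetime }

    # Null msDS-DeletedObjectLifetime means "same as the tombstone lifetime".
    $dolRaw = $props.'msDS-DeletedObjectLifetime'
    $dol = if ($null -eq $dolRaw) { $tsl } else { [int]$dolRaw }

    [pscustomobject]@{
        TombstoneLifetimeDays         = $tsl
        TombstoneLifetimeExplicit     = ($null -ne $props.tombstoneLifetime)
        DeletedObjectLifetimeDays     = $dol
        DeletedObjectLifetimeExplicit = ($null -ne $dolRaw)
        TotalRetentionDays            = $dol + $tsl   # deleted, then recycled
    }
}

function Set-Lifetimes {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([int]$TombstoneDays, [int]$DeletedObjectDays)

    $before = Get-EffectiveLifetimes
    $change = 'tombstoneLifetime {0}->{1}, msDS-DeletedObjectLifetime {2}->{3}' -f `
        $before.TombstoneLifetimeDays, $TombstoneDays,
        $before.DeletedObjectLifetimeDays, $DeletedObjectDays

    if ($PSCmdlet.ShouldProcess($dsObject, $change)) {
        # -Replace creates the attribute when it is currently absent (Null).
        Set-ADObject -Identity $dsObject -Partition $configNc -Replace @{
            tombstoneLifetime            = $TombstoneDays
            'msDS-DeletedObjectLifetime' = $DeletedObjectDays
        }
    }
    Get-EffectiveLifetimes
}

Get-EffectiveLifetimes | Format-List
Set-Lifetimes -TombstoneDays 250 -DeletedObjectDays 250 -WhatIf   # dry run
Set-Lifetimes -TombstoneDays 250 -DeletedObjectDays 250
```

TotalRetentionDays is the number worth writing down: an object is recoverable for the deleted object lifetime, then kept as a recycled object for the tombstone lifetime, so the database carries it for the sum of the two.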
I've removed plenty of DCs and domains in my years. In fact I recently blogged about how to remove a failed DC here. It seems that removing a domain from your environment sometimes doesn't remove it entirely.
You may see a message that says the following:
The trusts between this domain (abc.local) and the following domain(s) are in an error state:
xyz.abc.local (inbound), the error is:
The specified domain either does not exist or could not be contacted. (0x54B)
Normally this message is pretty self explanatory. However, if you removed the domain and it still shows up, it can cause some unrest. It also deserves more than a shrug: that entry means your domain still holds a trusted domain object, trust secret included, for a name that nobody controls any more.
To make the message go away for good, first confirm the domain really is gone (nltest /dsgetdc:xyz.abc.local should fail with "no such domain" from every DC you try it on). Then open ADSIEdit.msc from a DC, expand the Domain partition and select CN=System. In the results pane you should see a listing of objects; find the domain in question, listed as a trustedDomain class, right-click it and delete it. The matching inter-domain trust account (the NetBIOS name of the domain followed by $) lives in CN=Users and should go with it. If you would rather let the tools do the bookkeeping, netdom trust abc.local /d:xyz.abc.local /remove /force removes the same objects, and if the child domain was never cleanly demoted you should also run ntdsutil metadata cleanup so that its crossRef under CN=Partitions,CN=Configuration is removed as well.
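The same cleanup scripted, as an added example (mine, not code from the original post): it lists the trustedDomain objects under CN=System, checks whether each partner still answers a DC locator query, and deletes only a trust whose partner is confirmed gone. It assumes the Active Directory module, the post's abc.local forest and its removed child xyz.abc.local, and nltest.exe from the AD DS tools.

```powershell
# Added example: list trusted domain objects and remove one whose partner
# domain no longer exists. Assumes the ActiveDirectory module and nltest.exe.
Import-Module ActiveDirectory

$domainDn = (Get-ADDomain).DistinguishedName
$systemDn = "CN=System,$domainDn"

function Get-TrustObjects {
    Get-ADObject -SearchBase $systemDn -SearchScope OneLevel `
        -Filter { objectClass -eq 'trustedDomain' } `
        -Properties trustPartner, flatName, trustDirection, whenChanged
}

function Test-TrustPartnerAlive {
    param([string]$TrustPartner)
    # DC locator lookup. A domain that no longer exists makes nltest exit
    # non-zero with ERROR_NO_SUCH_DOMAIN (1355 = 0x54B, the code in the warning).
    $null = & nltest.exe /dsgetdc:$TrustPartner 2>&1
    return ($LASTEXITCODE -eq 0)
}

function Remove-StaleTrust {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([Parameter(Mandatory = $true)][string]$TrustPartner)

    $tdo = Get-TrustObjects | Where-Object { $_.trustPartner -eq $TrustPartner }
    if (-not $tdo) { throw "No trustedDomain object for $TrustPartner under $systemDn" }
    if (Test-TrustPartnerAlive -TrustPartner $TrustPartner) {
        throw "$TrustPartner still answers DC locator queries; refusing to delete a live trust"
    }

    # Every trust also has an inter-domain trust account, <NetBIOS name>$, in
    # CN=Users; remove it with the TDO so no orphaned trust account is left.
    $acct = '{0}$' -f $tdo.flatName
    $trustAccount = Get-ADObject -SearchBase "CN=Users,$domainDn" -SearchScope OneLevel `
        -Filter { sAMAccountName -eq $acct }

    if ($PSCmdlet.ShouldProcess($tdo.DistinguishedName, 'Remove stale trustedDomain object')) {
        Remove-ADObject -Identity $tdo -Confirm:$false
        if ($trustAccount) { Remove-ADObject -Identity $trustAccount -Confirm:$false }
    }
}

Get-TrustObjects | Select-Object Name, trustPartner, flatName, trustDirection, whenChanged |
    Format-Table -AutoSize
Remove-StaleTrust -TrustPartner 'xyz.abc.local' -WhatIf   # dry run first
Remove-StaleTrust -TrustPartner 'xyz.abc.local'
```

Run it from a DC in the parent domain as a Domain Admin. The liveness check is deliberately the blocking step: deleting a trustedDomain object for a domain that is merely unreachable today breaks a working trust, and recreating it means re-establishing the trust password on both sides.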