Windows Server 8 - Active Directory Recycle Bin ~ My blog about Active Directory and everything else

Wednesday, September 14, 2011

Windows Server 8 - Active Directory Recycle Bin

The active directory recycle bin was a welcome addition in 2008 R2. Prior to Windows 2008 R2 there were no easy ways to fully restore an AD object and keep all their attributes intact.

There was the system state/authoritative restore method
There was the tombstone reanimation method that didn't restore all the attributes but it was fast.
There were also some third party tools that could help.

So the options were not great and recovering deleted objects could be a pain. Admins rejoiced when they first heard of the AD recycle bin. The forest functional level had to be at Windows 2008 R2 but it was a major incentive to get there.

The AD recycle bin had to be enabled using Powershell and objects could only be restored using Powershell. Microsoft released a good AD recycle bin step by step guide for 2008 R2

Ned Pyle from the Microsoft AD team also had a great blog entry on the askds blog

The AD Recycle Bin: Understanding, Implementing, Best Practices, and Troubleshooting
Notice how to enable the feature and restore objects.

There were third party tools that put a GUI wrapper around the recycle bin but I'm referring to a native build.

So as you can see the AD Recycle Bin in 2008 R2 was very good step forward but it could be better. The Microsoft AD team heard the need for improving the feature and the feature has been improved.

It gets much better in Windows Server 8. The Active Directory Administrative Center (ADAC) has a lot of improvements and one of the big ones is being able to restore objects from the GUI. Powershell still works too but this will be easier for a lot of folks.

The AD Recycle Bin can now be enabled from ADAC

It can also be enabled by right clicking the domain and enabling it there

Warning alerting the user that once the Recycle Bin is enabled it can't be turning back.

Note: In a production Windows Server 2008 R2 domain at Microsoft, the Active Directory Recycle Bin feature increased the size of the AD DS database by an additional 15 to 20 percent of the original database size.

I'm guessing those stats are still accurate and will update the blog if I find out anything new.

Once the enable recycle bin is chosen and the changes have replicated then the feature will work after a refresh of ADAC.

I have a test user with many attributes populated and a member of a group that I'm going to delete.

So now the user is deleted but how do I get it back. In ADAC I navigate to the Deleted Objects Node. As you can see the deleted user is there. I can right click and restore the object, restore to another location, locate parent, or view properties.

The deleted objects node in ADAC is the new hotness :)

As you can see I restored the object back to its original location and it is back with all attributes populated.

Anyone who has been in a pressure filled situation trying to get a user or object back in a hurry (especially if a VIP is involved) will really like this.

There will be follow ups to this post about other new features in ADAC and other test scenarios. Job well done Microsoft AD Team!!

1 comment:

  1. Hello All,

    Windows Server 2008 R2 Active Directory Recycle Bin enhances your ability to preserve and recover accidentally deleted Active Directory objects by preserving all link-valued and non-link-valued attributes of the deleted Active Directory objects. With the Active Directory Recycle Bin enabled, the objects are restored in their entirety to the same consistent logical state that they were in immediately before deletion. Thank you...
    Active Directory Auditing