Enable the Windows 2008 R2 Active Directory Recycle Bin

Even in professionally managed network environments it is still possible for mistakes to happen. If an Active Directory object such as a user or computer account is accidentally deleted, network access will be lost. Worker productivity will decline until the account is restored, and IT support costs will add to the total expense incurred by the organization.

In the past the best method to restore a deleted AD object was to reboot a domain controller into Active Directory Restore Mode, log on to the computer with a special administrative account, and restore the Active Directory database from a backup file. The final steps were to run the NTDSUTIL command line utility to authoritatively restore the object in question and then reboot the computer into normal mode. This procedure is cumbersome and time consuming, and it requires that the selected backup file contains the most current version of the object. Many administrators have wished that an easier method was available.

With the introduction of Windows Server 2008 R2 it is possible to enable an Active Directory Recycle Bin. Deleted AD objects can be restored complete with all object-related attributes intact. These attributes include user and computer account group memberships. In order to enable the Active Directory Recycle Bin, all Domain Controllers in the Domain must first be upgraded to Windows Server 2008 R2. The functional level of the Domain and the Forest must be raised to the 2008 R2 functional level. This can be accomplished in the Domains and Trusts administrative console. If the Active Directory Forest was created using Windows 2000 or 2003 Server, it is also necessary for a member of the Schema Admins group to update the Active Directory Schema by running the ADPREP /ForestPrep command on the Schema Master domain controller and the ADPREP /DomainPrep command on the Infrastructure Master computer. Raising functional levels may affect some applications that integrate with Active Directory, therefore it is important to research possible issues before raising the levels.

Once the functional levels are raised, the Recycle Bin can be enabled using the following PowerShell command: "Enable-ADOptionalFeature -Identity <ADOptionalFeature> -Scope <ADOptionalFeatureScope> -Target <ADEntity>". This command must be run using the Active Directory Module for Windows PowerShell by a member of the Enterprise Administrators group. Microsoft gives us an example of how this command would look when it is used to enable the Recycle Bin for the Contoso.com domain:

Enable-ADOptionalFeature -Identity 'CN=Recycle Bin Feature,CN=Optional Features,CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=contoso,DC=com' -Scope ForestOrConfigurationSet -Target 'contoso.com'
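The following script is an added example, not part of the original post or of Microsoft's documentation. It checks the prerequisites listed above (every domain controller on Windows Server 2008 R2 or later, forest and domain functional levels at 2008 R2) before enabling the feature, and it skips the enable step if the Recycle Bin is already on. It assumes the Active Directory Module for Windows PowerShell is available and that the session runs as a member of Enterprise Admins; the function name is my own.

```powershell
# Added example (not the original post's code). Assumes the ActiveDirectory
# module (RSAT or a 2008 R2 DC) and an Enterprise Admins session.
Import-Module ActiveDirectory

function Enable-ADRecycleBinIfReady {
    [CmdletBinding(SupportsShouldProcess)]
    param()

    $forest = Get-ADForest
    $domain = Get-ADDomain

    # 1. Every DC in every domain of the forest must run 2008 R2 or later.
    #    The regex flags 2000, 2003 and plain 2008 (but not "2008 R2").
    $oldDcs = foreach ($d in $forest.Domains) {
        Get-ADDomainController -Filter * -Server $d |
            Where-Object { $_.OperatingSystem -match '2000|2003|2008(?! R2)' }
    }
    if ($oldDcs) {
        $names = ($oldDcs | ForEach-Object { $_.HostName }) -join ', '
        throw "Upgrade these domain controllers first: $names"
    }

    # 2. Forest and domain functional levels must be at least 2008 R2.
    $minForest = [int][Microsoft.ActiveDirectory.Management.ADForestMode]::Windows2008R2Forest
    $minDomain = [int][Microsoft.ActiveDirectory.Management.ADDomainMode]::Windows2008R2Domain
    if ([int]$forest.ForestMode -lt $minForest -or [int]$domain.DomainMode -lt $minDomain) {
        throw ("Raise functional levels first (forest: {0}, domain: {1}). Use Active " +
               "Directory Domains and Trusts, or Set-ADForestMode / Set-ADDomainMode.") -f
               $forest.ForestMode, $domain.DomainMode
    }

    # 3. Look the feature up by name instead of hard-coding the configuration DN;
    #    EnabledScopes is non-empty once the feature has been turned on.
    $feature = Get-ADOptionalFeature -Filter 'Name -eq "Recycle Bin Feature"'
    if (-not $feature) { throw 'Recycle Bin Feature not found in the schema; run ADPREP /ForestPrep.' }
    if ($feature.EnabledScopes.Count -gt 0) {
        Write-Verbose 'Recycle Bin is already enabled.'
        return $feature
    }

    # 4. Enabling is a one-way operation: the feature cannot be disabled afterwards.
    if ($PSCmdlet.ShouldProcess($forest.Name, 'Enable Active Directory Recycle Bin')) {
        Enable-ADOptionalFeature -Identity $feature.DistinguishedName `
            -Scope ForestOrConfigurationSet -Target $forest.Name -Confirm:$false
    }
    return Get-ADOptionalFeature -Filter 'Name -eq "Recycle Bin Feature"'
}

# Usage: preview with -WhatIf, then run for real.
Enable-ADRecycleBinIfReady -WhatIf
# Enable-ADRecycleBinIfReady -Verbose
```

Because enabling the Recycle Bin cannot be undone, the function supports -WhatIf so the prerequisite checks can be run on their own before committing the change.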

Now that the Recycle Bin is enabled, deleted objects can be recovered using either PowerShell or the ldp.exe utility. This process is described by Microsoft here: http://technet.microsoft.com/en-us/library/dd379509(WS.10).aspx
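As an added example of the PowerShell recovery path (not code from the original post or from the linked Microsoft article), the function below finds a deleted user account in the Deleted Objects container, restores its former parent OU first if that was deleted as well, restores the user, and returns the restored account with its group memberships so the result can be verified. The function name and the sample account name are my own; the Active Directory module is assumed to be loaded.

```powershell
# Added example (not the original post's code). Assumes the ActiveDirectory
# module and an account allowed to restore objects (Domain Admins or delegated).
Import-Module ActiveDirectory

function Restore-DeletedADUser {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$SamAccountName)

    # Deleted objects are only returned with -IncludeDeletedObjects. Their Name is
    # rewritten to "<rdn>\0ADEL:<guid>", so match on sAMAccountName, which the
    # Recycle Bin preserves along with the other attributes.
    $candidates = @(Get-ADObject -IncludeDeletedObjects `
        -Filter { isDeleted -eq $true -and sAMAccountName -eq $SamAccountName } `
        -Properties sAMAccountName, lastKnownParent, whenChanged)

    if ($candidates.Count -eq 0) {
        throw "No deleted object with sAMAccountName '$SamAccountName' was found."
    }
    # The same account may have been deleted and recreated several times; take
    # the most recent tombstone and report the rest for the operator to review.
    $target = $candidates | Sort-Object whenChanged -Descending | Select-Object -First 1
    if ($candidates.Count -gt 1) {
        Write-Warning ("{0} matches found; restoring the one deleted most recently ({1})." -f
                       $candidates.Count, $target.whenChanged)
    }

    # Restore-ADObject fails if the original parent container no longer exists,
    # so restore a deleted parent OU first (one level is enough for this example).
    $parent = Get-ADObject -Identity $target.lastKnownParent -IncludeDeletedObjects -Properties isDeleted
    if ($parent.isDeleted) {
        if ($PSCmdlet.ShouldProcess($parent.DistinguishedName, 'Restore parent container')) {
            Restore-ADObject -Identity $parent.ObjectGUID
        }
    }

    if ($PSCmdlet.ShouldProcess($target.DistinguishedName, 'Restore user')) {
        Restore-ADObject -Identity $target.ObjectGUID
        # Verify: the account is back in its original OU with its group memberships.
        return Get-ADUser -Identity $SamAccountName -Properties MemberOf, Enabled
    }
}

# Usage with a constructed sample account name; preview first with -WhatIf.
Restore-DeletedADUser -SamAccountName 'jsmith' -WhatIf
# Restore-DeletedADUser -SamAccountName 'jsmith' | Select-Object DistinguishedName, Enabled, MemberOf
```

Objects remain recoverable only for the deleted object lifetime (msDS-DeletedObjectLifetime, 180 days by default), after which they become recycled and lose their attributes, so a restore should be performed promptly after the deletion is noticed.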

Save yourself time and aggravation by enabling the Active Directory Recycle Bin soon!
