Deletion, Deletion & Deletion. One of the biggest nightmare for any administrator. Be it files & folders or objects in Active Directory. And I think, Even Microsoft understand the sentiments of an administrator that is why with each new operating system, Microsoft is trying to ease out the process of recovering data. At least, objects in Active Directory :)
Before Windows 2008 Server was introduced, there were following ways of recovering deleted data in active directory:-
- Backup
- LDP
- ADRestore
From Windows Server 2008 R2, there is a new feature introduced which can be used to recover deleted objects from active directory - The "RECYCLE BIN"
Backup
This is one component where many administrators fails. Ask them if they have a backup and there is "Silence"... Nah... Don`t say No... We understood :)
Also, even if you have a backup, it should be "Valid"
"Valid" because if as an administrator you come to me and say that you have a year old backup, then you can expect me asking you to dump that backup in trash. huh. Cmon.. One year old backup??? Do you have any idea about an attribute tombstoneLifetime"?
If no, then do read this article...
Useful shelf life of a system-state backup of Active Directory
http://support.microsoft.com/kb/216993
Excerpt from the above article "The "tombstoneLifetime" attribute represents the number of days a backup of Active Directory can be used in addition to the frequency with which Garbage Collection routines (removing items previously marked for deletion) are run"
And the value of tombstoneLifetime is 180 days, so ideally a backup which is less then 180 days of age can only be used
LDP
Restoring objects can be "Quite" useful especially when you don`t have a backup
"Quite" because when you restore AD Objects using LDP, it will NOT restore ALL the attributes of the restored object. For Example, When you restore a User Object, it will not restore the Group Membership of the User Accounts.
To know on how to restore deleted objects using LDP :-
How to Restore Deleted AD Objects Using LDP
http://www.adshotgyan.com/2010/11/how-to-restore-deleted-ad-objects-using_27.html
ADRestore
Ideally, administrators who have been working on Active Directory should not find LDP or ADSIEDIT very complex, but its "Ideally"... Generally they do...
For all those who have a phobia of browsing into LDP or ADSIEDIT, Microsoft came up with very cool and simplified tool to restore deleted objects. Basically, what this toll will do is to connect to the same Deleted Objects container where all the deleted objects are moved after deletion from active directory console and will list all the deleted objects and will ask you if you wants to recover these deleted objects
To know on how to restore deleted objects using ADRestore :-
How to Restore Deleted AD Objects Using ADRestore
http://www.adshotgyan.com/2010/11/how-to-restore-deleted-ad-objects-using.html
Two drawbacks on using ADRestore were :-
- Just like with LDP, when you restore objects using ADRestore, it does NOT restore all the attributes of an object
- If you have 1000 objects in Deleted Object Container, it will one by one list all the objects and will ask you if you want to restore that object or not. So think about a situation where the object which you wants to restore is at 999 position in the list of 1000 deleted objects.... So you have to press "N" button 998 times.... And what if by mistake you pressed N button on the 999th time as well.... All what I can say... Sorry :(
Recycle Bin
In Windows Server 2008 R2
With Windows 2008 R2, Microsoft came up with a very cool feature "Recycle Bin". No, that is not the same Recycle Bin which you see on your desktop. This Recycle Bin will store all the deleted objects of Active Directory and you as an administrator can recover these objects
By default, Recycle Bin is not enabled and remember this... when you enable Recycle Bin, the size of NTDS.DIT will increase.
The only drawback of Recycle Bin in Widows Server 2008 R2 was that enabling recycle bin and recovering objects from the recycle bin was all command based (Powershell) and a bit lengthy process as well
To know more about Recycle Bin :-
Active Directory Recycle Bin
http://www.adshotgyan.com/2012/02/active-directory-recycle-bin.html
How to Enable Active Directory Recycle Bin
http://www.adshotgyan.com/2012/02/how-to-enable-active-directory-recycle.html
How to Recover Deleted Objects Using AD Recycle Bin
http://www.adshotgyan.com/2012/02/how-to-recover-deleted-objects-using-ad.html
In Windows Server 2012
In Windows Server 2012, the same Recycle Bin now have a GUI
- Open the Active Directory Administrative Center
- Click on <DomainName> (Local) in left pane
- On right pane, click on "Enable Recycle Bin"
Did you said that the option "Enable Recycle Bin" is grayed out? Yes, You might be correct
This could be because even though you are running Windows Server 2012, the Functional Level may be less. For Recycle Bin to be enabled, you need to have a minimum of Windows 2008 R2 Forest Functional Level
And I have a Domain Functional Level at Windows Server 2008
And Forest Functional Level at Windows Server 2008
I have now raised the domain functional level to Windows Server 2008 R2. Lets see if we are able to enable the recycle bin feature
Nopes, its still grayed out...
Now lets raise the Forest Functional Level to Windows Server 2008 R2
Raised...
Ahh... Now the option to Enable Recycle Bin is highlighted...
Are you sure?
Remember... Once Recycle Bin is enabled, it cannot be disabled... (Warning)
Now the option to Enable Recycle Bin is again grayed out (Because its already enabled)
Also look at the Containers / Organization Units...
After a Refresh, now we have a new container listed here in the list....
The "Deleted Objects" container
Enable the "Backlinks" option
Look for the attribute: msDS-EnabledFeatureBL
This attribute will have the list of servers on which the recycle bin will be enabled
Remember, this feature is not related to one server, the feature is a configuration partition change
Before Windows 2008 Server was introduced, there were following ways of recovering deleted data in active directory:-
- Backup
- LDP
- ADRestore
From Windows Server 2008 R2, there is a new feature introduced which can be used to recover deleted objects from active directory - The "RECYCLE BIN"
Backup
This is one component where many administrators fails. Ask them if they have a backup and there is "Silence"... Nah... Don`t say No... We understood :)
Also, even if you have a backup, it should be "Valid"
"Valid" because if as an administrator you come to me and say that you have a year old backup, then you can expect me asking you to dump that backup in trash. huh. Cmon.. One year old backup??? Do you have any idea about an attribute tombstoneLifetime"?
If no, then do read this article...
Useful shelf life of a system-state backup of Active Directory
http://support.microsoft.com/kb/216993
Excerpt from the above article "The "tombstoneLifetime" attribute represents the number of days a backup of Active Directory can be used in addition to the frequency with which Garbage Collection routines (removing items previously marked for deletion) are run"
And the value of tombstoneLifetime is 180 days, so ideally a backup which is less then 180 days of age can only be used
Restoring objects can be "Quite" useful especially when you don`t have a backup
"Quite" because when you restore AD Objects using LDP, it will NOT restore ALL the attributes of the restored object. For Example, When you restore a User Object, it will not restore the Group Membership of the User Accounts.
To know on how to restore deleted objects using LDP :-
How to Restore Deleted AD Objects Using LDP
http://www.adshotgyan.com/2010/11/how-to-restore-deleted-ad-objects-using_27.html
ADRestore
Ideally, administrators who have been working on Active Directory should not find LDP or ADSIEDIT very complex, but its "Ideally"... Generally they do...
For all those who have a phobia of browsing into LDP or ADSIEDIT, Microsoft came up with very cool and simplified tool to restore deleted objects. Basically, what this toll will do is to connect to the same Deleted Objects container where all the deleted objects are moved after deletion from active directory console and will list all the deleted objects and will ask you if you wants to recover these deleted objects
To know on how to restore deleted objects using ADRestore :-
How to Restore Deleted AD Objects Using ADRestore
http://www.adshotgyan.com/2010/11/how-to-restore-deleted-ad-objects-using.html
Two drawbacks on using ADRestore were :-
- Just like with LDP, when you restore objects using ADRestore, it does NOT restore all the attributes of an object
- If you have 1000 objects in Deleted Object Container, it will one by one list all the objects and will ask you if you want to restore that object or not. So think about a situation where the object which you wants to restore is at 999 position in the list of 1000 deleted objects.... So you have to press "N" button 998 times.... And what if by mistake you pressed N button on the 999th time as well.... All what I can say... Sorry :(
Recycle Bin
In Windows Server 2008 R2
With Windows 2008 R2, Microsoft came up with a very cool feature "Recycle Bin". No, that is not the same Recycle Bin which you see on your desktop. This Recycle Bin will store all the deleted objects of Active Directory and you as an administrator can recover these objects
By default, Recycle Bin is not enabled and remember this... when you enable Recycle Bin, the size of NTDS.DIT will increase.
The only drawback of Recycle Bin in Widows Server 2008 R2 was that enabling recycle bin and recovering objects from the recycle bin was all command based (Powershell) and a bit lengthy process as well
To know more about Recycle Bin :-
Active Directory Recycle Bin
http://www.adshotgyan.com/2012/02/active-directory-recycle-bin.html
How to Enable Active Directory Recycle Bin
http://www.adshotgyan.com/2012/02/how-to-enable-active-directory-recycle.html
How to Recover Deleted Objects Using AD Recycle Bin
http://www.adshotgyan.com/2012/02/how-to-recover-deleted-objects-using-ad.html
In Windows Server 2012
In Windows Server 2012, the same Recycle Bin now have a GUI
- Open the Active Directory Administrative Center
- Click on <DomainName> (Local) in left pane
- On right pane, click on "Enable Recycle Bin"
Did you said that the option "Enable Recycle Bin" is grayed out? Yes, You might be correct
This could be because even though you are running Windows Server 2012, the Functional Level may be less. For Recycle Bin to be enabled, you need to have a minimum of Windows 2008 R2 Forest Functional Level
And I have a Domain Functional Level at Windows Server 2008
And Forest Functional Level at Windows Server 2008
I have now raised the domain functional level to Windows Server 2008 R2. Lets see if we are able to enable the recycle bin feature
Nopes, its still grayed out...
Now lets raise the Forest Functional Level to Windows Server 2008 R2
Raised...
Ahh... Now the option to Enable Recycle Bin is highlighted...
Are you sure?
Remember... Once Recycle Bin is enabled, it cannot be disabled... (Warning)
Now the option to Enable Recycle Bin is again grayed out (Because its already enabled)
Also look at the Containers / Organization Units...
After a Refresh, now we have a new container listed here in the list....
The "Deleted Objects" container
Time for some In depth Knowledge...
Lets go in ADSIEDIT -> Configuration Partition -> Services -> Windows NT -> Directory Service -> Optional Features -> Recycle Bin Feature
Look for the attribute: msDS-EnabledFeatureBL
This attribute will have the list of servers on which the recycle bin will be enabled
Remember, this feature is not related to one server, the feature is a configuration partition change
To validate my point, I have another forest on which I have not enabled the Recycle Bin.. Look at the msDS-EnabledFeatureBL, It does not have any value (s)
