New in Server 2008 R2: Recycle Bin in Active Directory

Yes, you read it correctly. Microsoft created a Recycle Bin for Active Directory, and it is now available with Windows Server 2008 R2. This is one of the new features of R2 and I think it’s totally awesome. It is going to save Windows Administrators a lot of work, time, and frustration. Want to know how? Keep reading!

Let’s start by taking a look at the old way of recovering deleted AD objects in both Server 2008 and Server 2003.

Directory Services Restore Mode (DSRM)

In Windows Server 2008 Active Directory you can completely recover deleted objects, such as users and groups, but only from the Server Backup. Once you restore the object, you then have to make sure that the data is replicated throughout the domain. This is a long, two-step process — first you have to restore it and then replicate it.

But, there is also a catch to this process — you can only perform the restore in Directory Services Restore Mode (DSRM). On top of that, while in DSRM the domain controller has to be offline. No big deal, right?  Well, actually it is a big deal because that domain controller cannot provide services while data is being restored. So restores cannot be done right away but only during scheduled maintenance hours. 

What about that guy whose account was deleted and who can’t log in? Looks like he’s out of luck.

AD Tombstone Reanimation

In Windows Server 2003 and 2008 Active Directory, you can also recover deleted objects through tombstone reanimation.  How does that work? 

Well, when an object is deleted from Active Directory it is not physically removed from the database. Not right away, at least. What happens is that the object’s distinguished name (DN) is distorted, most attributes are cleared or removed, and the object is moved to the Deleted Objects container. It sits there for about 180 days (that’s the default length of time, but it can be adjusted), and at any time within this period the deleted object can be recovered.

The good thing is that this recovery can be done right away; however, all the attributes will be gone. So, for example, if a user account belonged to the Administrators group before the deletion, that membership is not going to be there after recovery and you will have to add the account to the Administrators group manually.

You might have to spend some time trying to figure out all the group memberships for an object, and in the meantime you can expect a lot of complaints from that particular user, who won’t be able to access his data.

Needless to say, the old way of recovering Active Directory is a slow, painful process that’s frustrating to everyone.

The Active Directory Recycle Bin in Server 2008 R2 will save you a lot of time and frustration. It also makes the whole process a lot simpler.

How does Active Directory Recycle Bin work?

The AD Recycle Bin works just like the tombstone reanimation explained earlier, but way better. 

The difference is huge — when you delete an object from AD in Server 2008 R2, the system keeps all the attributes with the object instead of clearing or deleting them. The object becomes “logically deleted” (a new state introduced in R2).

Just like with tombstone reanimation, the object is moved to the Deleted Objects container, where its DN is distorted. It sits there for a limited period of time (such as 180 days), and within this time frame it can be recovered with the AD Recycle Bin in seconds. It then becomes a live AD object again, just as it was before deletion, with all of its attributes and ready to be used.

[Figure: object lifecycle with the AD Recycle Bin]

So, by using the AD Recycle Bin, the object:

  • is restored while the Domain Controller is online — without interruption of services
  • keeps all of its attributes
  • is ready to use without any manual adjustments

This will not only minimize directory service downtime but also let you restore objects within seconds, as they are needed.

Can I have AD Recycle Bin on my Server?

There are three versions of Windows Server 2008 R2 that support the AD Recycle Bin:

  • Windows Server 2008 R2 Standard
  • Windows Server 2008 R2 Enterprise
  • Windows Server 2008 R2 Datacenter

AD Recycle Bin is not available in:

  • Windows Server 2008 R2 for Itanium-Based Systems
  • Windows Web Server 2008 R2

How do I enable AD Recycle Bin?

By default Active Directory Recycle Bin is disabled. You need to enable it and once you do so, there is no way to disable it.

To enable the Recycle Bin, you need to:

  1. Make sure that all of your Domain Controllers run Server 2008 R2
  2. Raise the forest and domain functional levels to Server 2008 R2
  3. Run a command that will enable the AD Recycle Bin
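The three steps above, followed by the recovery described in the “How does Active Directory Recycle Bin work?” section, written out with the ActiveDirectory PowerShell module. This is an added example and not part of the original post; it assumes a forest and domain named contoso.com and a deleted user account jsmith, both placeholders.

```powershell
# Added example (not from the original post). Assumptions: the forest/domain
# is contoso.com and the deleted user account is jsmith.
Import-Module ActiveDirectory

# Step 1: confirm that every domain controller runs Windows Server 2008 R2.
# Any DC still on an older release blocks the functional-level raise below.
Get-ADDomainController -Filter * |
    Select-Object Name, OperatingSystem, OperatingSystemVersion

# Step 2: raise the domain and then the forest functional level to 2008 R2.
# Both changes are one-way; -Confirm:$false suppresses the interactive prompt.
Set-ADDomainMode -Identity 'contoso.com' -DomainMode Windows2008R2Domain -Confirm:$false
Set-ADForestMode -Identity 'contoso.com' -ForestMode Windows2008R2Forest -Confirm:$false

# Step 3: enable the optional feature for the whole forest. Once enabled,
# the Recycle Bin cannot be turned off again.
Enable-ADOptionalFeature -Identity 'Recycle Bin Feature' `
    -Scope ForestOrConfigurationSet -Target 'contoso.com' -Confirm:$false

# Verify: EnabledScopes now lists the forest's partition.
Get-ADOptionalFeature -Identity 'Recycle Bin Feature' |
    Select-Object Name, EnabledScopes

# Recovery: the deleted object's DN was distorted on deletion, so search the
# Deleted Objects container by sAMAccountName (preserved by the Recycle Bin)
# rather than by DN. lastKnownParent records where it lived before deletion.
$deleted = Get-ADObject `
    -Filter 'isDeleted -eq $true -and sAMAccountName -eq "jsmith"' `
    -IncludeDeletedObjects -Properties lastKnownParent, whenChanged
$deleted | Select-Object Name, lastKnownParent, whenChanged

# Restore-ADObject puts the object back under lastKnownParent with all of its
# attributes intact; the DC stays online throughout.
$deleted | Restore-ADObject

# Confirm that group memberships survived the round trip, i.e. no manual
# re-adding to groups is needed, unlike tombstone reanimation.
Get-ADUser -Identity jsmith -Properties memberOf |
    Select-Object -ExpandProperty memberOf
```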

I bet any Server Admin will agree that the AD Recycle Bin is a great new feature of R2. I think it will be very popular with most (if not all) Windows Administrators.

If you would like to find out more about this and other new features of Windows Server 2008 R2, please visit this Microsoft page and tell me what else you think is cool!
