Active Directory How-To
How To Enable the Active Directory Recycle Bin
While there are a few shortcomings to the Active Directory Recycle Bin, having it enabled may save you some heartache when something goes wrong.
- By Troy Thompson
Backing up and restoring Active Directory is something you never want to have to do, but must plan for. One way to quickly restore Active Directory objects is by enabling the Recycle Bin. This should not be considered an alternative to traditional backup, which should still be performed. You can compare the Active Directory Recycle Bin to how you would use Shadow Copy to restore files. You should still maintain a traditional backup to tape or disk just in case. Active Directory Recycle Bin has many benefits. It reduces directory service downtime by allowing you to restore deleted Active Directory objects without having to restore Active Directory data from backups, restart into Directory Services Restore Mode (DSRM), or reboot domain controllers. Enabling Active Directory Recycle Bin preserves all link-valued and non-link-valued attributes of the deleted Active Directory objects. When you restore the deleted objects, they go back to the same consistent logical state that they were in before they were deleted.
The disadvantage to traditional Active Directory restore is that it has to be performed in Directory Services Restore Mode (DSRM). When a server is booted to DSRM, it has to stay offline, which prevents it from servicing client requests. Also, any changes to objects that have occurred between the backup and restore cannot be recovered. For instance, if you place a user account into a new group and then accidentally delete the user account, an authoritative restore for this account from a backup that was taken two days ago will recover the account but will lose the recent group membership information.
By default, the Active Directory Recycle Bin is not enabled. It requires that you run Windows Server 2008 R2 or later on all domain controllers in the forest. Enabling the Recycle Bin is not difficult.
- Open the Active Directory Administrative Center
- Choose your domain
- Select Enable Recycle Bin from the Tasks menu (Figure 1). You can also right-click your domain name and choose Enable Recycle Bin from the drop-down menu (Figure 2).
After you choose to enable the Recycle Bin, you will be prompted with a message asking you to confirm (Figure 3). Once the Recycle Bin has been enabled, it cannot be disabled.
After enabling the Recycle Bin, depending on the size of the Active Directory infrastructure, it may take a while before it is ready to use (Figure 4).
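The same enablement can be scripted with the ActiveDirectory PowerShell module, which also lets you verify the prerequisites above (every domain controller on Windows Server 2008 R2 or later, forest functional level at Windows Server 2008 R2 or higher) before committing to a change that cannot be undone. This is an added example, not code from the article; it assumes the RSAT ActiveDirectory module is installed and that you run it as an Enterprise Admin. The operating-system pattern and the function names are my own.

```powershell
# Added example (not from the article): enable the Recycle Bin from PowerShell
# after checking the prerequisites. Assumes the ActiveDirectory module (RSAT)
# and Enterprise Admin rights.
Import-Module ActiveDirectory

function Test-RecycleBinPrerequisites {
    $forest = Get-ADForest

    # Every DC in every domain of the forest must run Server 2008 R2 or later.
    # The regex on the OperatingSystem attribute is a heuristic (assumption).
    $downlevel = foreach ($domain in $forest.Domains) {
        Get-ADDomainController -Filter * -Server $domain |
            Where-Object { $_.OperatingSystem -notmatch 'Server (2008 R2|201\d|202\d)' } |
            Select-Object HostName, OperatingSystem
    }
    if ($downlevel) {
        Write-Warning 'Down-level domain controllers block the feature:'
        $downlevel | Format-Table -AutoSize | Out-String | Write-Warning
        return $false
    }

    # Forest functional level must be at least Windows Server 2008 R2.
    $required = [Microsoft.ActiveDirectory.Management.ADForestMode]::Windows2008R2Forest
    if ([int]$forest.ForestMode -lt [int]$required) {
        Write-Warning "Forest functional level is $($forest.ForestMode); $required or higher is required."
        return $false
    }
    return $true
}

function Enable-RecycleBin {
    $forest  = Get-ADForest
    $feature = Get-ADOptionalFeature -Identity 'Recycle Bin Feature'

    # Enabling is one-way, so stop here if it is already on somewhere.
    if ($feature.EnabledScopes.Count -gt 0) {
        Write-Host "Recycle Bin already enabled in: $($feature.EnabledScopes -join '; ')"
        return
    }
    if (-not (Test-RecycleBinPrerequisites)) { return }

    # The change is written on the domain naming master and replicates out from
    # there, so other DCs may lag behind for a while. The cmdlet prompts for
    # confirmation, the same as the dialog in Figure 3.
    Enable-ADOptionalFeature -Identity $feature `
        -Scope ForestOrConfigurationSet `
        -Target $forest.RootDomain `
        -Server $forest.DomainNamingMaster

    # Verify: EnabledScopes now lists the configuration and partitions containers.
    (Get-ADOptionalFeature -Identity 'Recycle Bin Feature').EnabledScopes
}

Enable-RecycleBin
```

Run it twice and the second run should report the feature as already enabled rather than attempt the change again; that idempotence is the point of checking EnabledScopes first.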
When you enable Active Directory Recycle Bin, all of the objects that were deleted before Active Directory Recycle Bin was enabled become recycled objects and are no longer visible in the Deleted Objects container. You will not be able to recover them with Active Directory Recycle Bin. The only way you can restore these objects is by using an authoritative restore from a backup of AD DS that was performed before Active Directory Recycle Bin was enabled.
When an object is deleted, it passes through two states: Deleted and Recycled.
- Deleted State: The deleted object retains all of its attributes, links and group memberships that existed before deletion. The object will remain in this state for a configurable period of time, which is called deleted object lifetime. When the lifetime period expires, the object is transferred to the Recycled state. While in the Deleted state, the object can be restored with all of its original attributes, links and group memberships.
- Recycled State: When a deleted object is transferred to the Recycled state, only the attributes essential to replicate the object's new state to other domain controllers in the forest remain. The object will remain in the Recycled state for a configurable period of time, which is called recycled object lifetime.
Deleted objects can also be recovered using an authoritative restore from an AD DS backup. When the object is transferred to the Recycled state, you should not use an authoritative restore to recover it.
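Both lifetimes described above live on the Directory Service object in the configuration partition: the deleted object lifetime is the msDS-DeletedObjectLifetime attribute (when it is not set, AD uses the tombstone lifetime instead), and the recycled object lifetime is the tombstoneLifetime attribute (60 days when the attribute is absent, which is the case for forests created before Windows Server 2003 SP1). The following added example, which is not code from the article, reads both values and forecasts when each currently deleted object will cross into the Recycled state and stop being restorable. It assumes the ActiveDirectory module; using whenChanged as the deletion time is an approximation, and the function names are my own.

```powershell
# Added example (not from the article): read the lifetimes behind the
# Deleted -> Recycled transition and forecast when deleted objects become
# unrecoverable. Assumes the ActiveDirectory module.
Import-Module ActiveDirectory

function Get-RecycleBinLifetimes {
    $configNC = (Get-ADRootDSE).configurationNamingContext
    $ds = Get-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$configNC" `
                       -Properties msDS-DeletedObjectLifetime, tombstoneLifetime

    # tombstoneLifetime is the recycled object lifetime; 60 days when absent.
    $recycled = if ($ds.tombstoneLifetime) { $ds.tombstoneLifetime } else { 60 }
    # msDS-DeletedObjectLifetime is the deleted object lifetime; when unset it
    # falls back to the tombstone lifetime.
    $deleted = if ($ds.'msDS-DeletedObjectLifetime') { $ds.'msDS-DeletedObjectLifetime' } else { $recycled }

    [pscustomobject]@{
        DeletedObjectLifetimeDays  = $deleted
        RecycledObjectLifetimeDays = $recycled
        DirectoryServiceDN         = $ds.DistinguishedName
    }
}

function Get-DeletedObjectExpiry {
    $life = Get-RecycleBinLifetimes
    Get-ADObject -Filter { isDeleted -eq $true -and name -ne "Deleted Objects" } `
                 -IncludeDeletedObjects -Properties whenChanged, isRecycled, lastKnownParent |
        Where-Object { -not $_.isRecycled } |          # already-recycled objects are past saving
        ForEach-Object {
            # whenChanged is the last write to the object, which for a deleted
            # object is normally the deletion itself (approximation).
            $becomesRecycled = $_.whenChanged.AddDays($life.DeletedObjectLifetimeDays)
            [pscustomobject]@{
                Name            = $_.Name
                ObjectClass     = $_.ObjectClass
                LastKnownParent = $_.lastKnownParent
                DeletedOn       = $_.whenChanged
                RecycledOn      = $becomesRecycled
                DaysLeft        = [math]::Round(($becomesRecycled - (Get-Date)).TotalDays, 1)
            }
        } | Sort-Object DaysLeft
}

Get-RecycleBinLifetimes
Get-DeletedObjectExpiry | Format-Table -AutoSize

# To lengthen the deleted object lifetime (here to a year), as an Enterprise Admin:
# Set-ADObject -Identity (Get-RecycleBinLifetimes).DirectoryServiceDN -Replace @{'msDS-DeletedObjectLifetime' = 365}
```

Objects near the top of the sorted list are the ones to act on first; once DaysLeft reaches zero the only remaining path is the authoritative restore from backup described above, and even that is not appropriate after the object is recycled.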
To recover an object from the Recycle Bin, open the Active Directory Administrative Center and click on the Deleted Objects folder. You can then search through the list of deleted objects to find the object you wish to restore. Right-click on the object you wish to restore and choose the Restore or Restore To option from the drop-down menu. If you restore the object while it is in the Deleted state, it will retain all of its original attributes.
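The Restore and Restore To choices map to Restore-ADObject with and without -TargetPath. The added example below, which is not code from the article, looks up a deleted object by name, skips anything already recycled, and restores it to its last known parent when that container still exists, falling back to a chosen OU otherwise (the situation where the parent OU was deleted along with the object). It assumes the ActiveDirectory module; the account name and the fallback OU are placeholders, and the function names are my own.

```powershell
# Added example (not from the article): find a deleted object by name and
# restore it in place ("Restore") or into a chosen OU ("Restore To").
# Assumes the ActiveDirectory module; names and OU below are placeholders.
Import-Module ActiveDirectory

function Find-DeletedObject {
    param([Parameter(Mandatory)][string]$Name)

    # Deleted objects are renamed to "<name>\0ADEL:<guid>", so match on prefix.
    $pattern = "$Name*"
    Get-ADObject -Filter { isDeleted -eq $true -and name -like $pattern } `
                 -IncludeDeletedObjects `
                 -Properties lastKnownParent, whenChanged, isRecycled, sAMAccountName |
        Where-Object { -not $_.isRecycled }   # recycled objects cannot be restored
}

function Restore-DeletedObject {
    param(
        [Parameter(Mandatory)]$Object,
        [string]$FallbackOU   # used only when the original parent no longer exists
    )

    # "Restore" puts the object back under lastKnownParent. If that container
    # was deleted too, either restore the parent first or use "Restore To".
    $parentExists = $false
    try {
        $null = Get-ADObject -Identity $Object.lastKnownParent -ErrorAction Stop
        $parentExists = $true
    } catch { }

    if ($parentExists) {
        Restore-ADObject -Identity $Object.ObjectGUID -PassThru
    }
    elseif ($FallbackOU) {
        Restore-ADObject -Identity $Object.ObjectGUID -TargetPath $FallbackOU -PassThru
    }
    else {
        throw "Parent $($Object.lastKnownParent) is gone; supply -FallbackOU or restore the parent first."
    }
}

$hits = @(Find-DeletedObject -Name 'jsmith')          # placeholder account name
$hits | Format-Table Name, ObjectClass, lastKnownParent, whenChanged -AutoSize

# Only restore when the name is unambiguous; otherwise pick by whenChanged/GUID.
if ($hits.Count -eq 1) {
    Restore-DeletedObject -Object $hits[0] -FallbackOU 'OU=Restored,DC=example,DC=com'   # placeholder OU
}
```

Restoring by ObjectGUID rather than by name matters when the same account has been deleted and recreated more than once, since several deleted objects can share the same prefix.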
Enabling the Active Directory Recycle Bin will increase the size of the Active Directory database (Ntds.dit) file, so be sure to allow enough disk space before enabling the feature. By default the Recycle Bin view is limited to 20,000 objects, but this can be raised to 100,000 objects by selecting Management List Options under the Manage menu. You can save a lot of time by being able to restore deleted objects quickly and by not having to boot your server into DSRM, which would prevent it from handling requests. Enabling the Recycle Bin should not take the place of a regular backup procedure. Another thing to consider is locking down the default permissions of AD objects, which can prevent accidental deletion.
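Two of those closing points can be turned into routine checks. The added example below, which is not code from the article, first reports (and optionally fixes) organizational units that lack the "Protect object from accidental deletion" flag, which is the permission lock-down the article recommends; then, when run on a domain controller, it reports the size of Ntds.dit and the free space on its volume so you can watch the growth the Recycle Bin adds. It assumes the ActiveDirectory module, and the function names are my own.

```powershell
# Added example (not from the article): audit accidental-deletion protection
# on OUs and report Ntds.dit size versus free disk space. Assumes the
# ActiveDirectory module; the disk check must run on a domain controller.
Import-Module ActiveDirectory

function Protect-UnprotectedOUs {
    param([switch]$Apply)   # default is report-only

    $unprotected = Get-ADOrganizationalUnit -Filter * -Properties ProtectedFromAccidentalDeletion |
        Where-Object { -not $_.ProtectedFromAccidentalDeletion }

    foreach ($ou in $unprotected) {
        if ($Apply) {
            # Sets the same flag the ADUC/ADAC checkbox does: Deny Delete and
            # Delete Subtree for Everyone on the OU.
            Set-ADOrganizationalUnit -Identity $ou -ProtectedFromAccidentalDeletion $true
        }
        $ou.DistinguishedName
    }
}

function Get-NtdsDatabaseSpace {
    # Every DC records the database path here; usually C:\Windows\NTDS\ntds.dit.
    $params = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
    $dit    = Get-Item $params.'DSA Database file'
    $drive  = Get-PSDrive -Name $dit.PSDrive.Name

    [pscustomobject]@{
        DatabasePath = $dit.FullName
        DatabaseMB   = [math]::Round($dit.Length / 1MB, 1)
        FreeMB       = [math]::Round($drive.Free / 1MB, 1)
    }
}

Protect-UnprotectedOUs            # report only; add -Apply to set the flag
Get-NtdsDatabaseSpace
```

Run the audit half from any admin workstation; the report-only default lets you review the list of unprotected OUs before applying the flag, since protected containers also block intentional moves and deletions until the flag is cleared.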
Troy Thompson has worked in network administration for over 25 years, serving as a network engineer and Microsoft Exchange administrator in the Department of Defense, and writing technology articles, tutorials, white papers and technical edits. Troy is a Cisco Certified Academy Instructor (CCAI), and has numerous other certifications including CCNA, MCSE+I, Network+, A+ and Security+. Troy has also traveled the world playing music as the guitarist for the band Bride. Contact information is firstname.lastname@example.org.