Active Directory Recycle Bin

 
Yes, it’s here! (well in Windows Server 2008 R2 it will be)
 
If you have some experience with Active Directory objects being deleted accidentally, you will probably like this.
In R2 there’s the AD Recycle Bin functionality. Functionality, yes: it’s not like the icon on your desktop that you can use
to restore files easily, but it’s a major improvement over previous AD restore methods
(for accidentally deleted objects, that is; it has no use for restoring an entire DC that got toasted).
 
In Windows 2003 and 2008 you could reanimate tombstoned objects, but you would lose a lot of the attributes,
especially the linked-value attributes like group memberships that were probably pretty important to your users.
 
In W2k8 ADs you could also recover objects from backup by using ntdsutil in DSRM mode to mark the deleted
objects as authoritative, so they would get replicated back into the domain,
but that required taking your DC offline, and any changes since the backup were gone.

 

 
Now you can restore the objects without using backed up data, without restarting your DC or AD DS.
 
Basically there is a new ‘state’ for an object: before, you had Live and Deleted (tombstoned) objects.
Now we have Live, Deleted (functionally deleted) and Recycled (equivalent to Deleted in previous versions) objects.
To recover Recycled objects you need to fall back to the old methods as described above.
 
What do you need (to do):
 
-Raise your forest to the Windows Server 2008 R2 forest functional level (yes, all your DCs need to be at that level),
using the GUI or the AD PowerShell module with the following command:
Set-ADForestMode -Identity myAD.lab -ForestMode Windows2008R2Forest
 
-Enable the AD Recycle Bin (easiest by using your best friend PowerShell):
(Microsoft is making new features in the new functional levels optional, so you can be really sure you don’t get new stuff without knowing it.)
Enable-ADOptionalFeature -Identity 'CN=Recycle Bin Feature,CN=Optional Features,CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=myAD,DC=lab' -Scope ForestOrConfigurationSet -Target 'myAD.lab'
 

-Once enabled, wait for your coworkers to delete some objects, or create and delete some test objects yourself.

Example for restoring a single object:

Get-ADObject -Filter {displayName -eq "Mary"} -IncludeDeletedObjects | Restore-ADObject

 
When you want to completely restore an OU with all the objects underneath it, you have some more work, because you can only restore objects
when their parent object (usually an OU) is a Live (existing) object.
One way to do this is a command like the following:
Get-ADObject -SearchBase "CN=Deleted Objects,DC=myAD,DC=lab" -Filter {name -like "*"} -IncludeDeletedObjects -Properties lastKnownParent
This gets a list of all Deleted Objects with their lastKnownParent, so you can reconstruct the previously existing tree if necessary.
Then you can use commands to restore the OU structure:
Get-ADObject -SearchBase "CN=Deleted Objects,DC=lab2,DC=int" -Filter {name -like "MyOU*"} -IncludeDeletedObjects -Properties lastKnownParent | Restore-ADObject
Note that piping the object output to Restore-ADObject is enough to bring the object back to life in AD.
When the parent OU is alive, you can restore the underlying objects in the same way:
Get-ADObject -SearchBase "CN=Deleted Objects,DC=lab2,DC=int" -Filter {name -like "MyUser*"} -IncludeDeletedObjects -Properties lastKnownParent | Restore-ADObject
 
The filter used above can be a little ambiguous of course; if you need more granular control, like specifying the precise parent OU, use a more precise filter like:
-Filter {lastKnownParent -eq "OU=MyOU,DC=MyAD,DC=lab"}
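The parent-before-child ordering described above can be scripted. The function below is an added example, not code from the original post: it finds a deleted OU by the DN it used to have, restores it, and then walks lastKnownParent breadth-first so every child is restored only after its parent is live again. It assumes the 2008 R2 forest functional level with the Recycle Bin enabled, the ActiveDirectory module, and the sample DN OU=MyOU,DC=myAD,DC=lab; it skips Recycled objects, which cannot be restored this way.

```powershell
# Added example (not from the original post). Assumes the ActiveDirectory module
# and a forest at 2008 R2 FFL with the Recycle Bin feature enabled.
Import-Module ActiveDirectory

function Restore-DeletedOUTree {
    param(
        # The DN the OU had before deletion, e.g. 'OU=MyOU,DC=myAD,DC=lab' (sample name)
        [Parameter(Mandatory = $true)] [string] $OriginalDN
    )
    # Split 'OU=MyOU,DC=myAD,DC=lab' into the RDN value and the parent DN.
    $rdn, $parentDN = $OriginalDN -split ',', 2
    $rdnValue  = $rdn -replace '^OU=', ''
    $domainDN  = $OriginalDN.Substring($OriginalDN.IndexOf('DC='))
    $deletedCN = "CN=Deleted Objects,$domainDN"

    # 1. Locate the OU itself. Deleted objects keep msDS-LastKnownRDN and
    #    lastKnownParent; Recycled ones (isRecycled=TRUE) are excluded because
    #    they can no longer be restored with Restore-ADObject.
    $rootFilter = "(&(isDeleted=TRUE)(!(isRecycled=TRUE))(objectClass=organizationalUnit)" +
                  "(msDS-LastKnownRDN=$rdnValue)(lastKnownParent=$parentDN))"
    $root = Get-ADObject -SearchBase $deletedCN -IncludeDeletedObjects -LDAPFilter $rootFilter
    if (-not $root) { throw "No restorable deleted OU matches $OriginalDN" }

    # 2. Restore the OU, then restore its descendants level by level. A child
    #    is only restorable once the DN in its lastKnownParent is live again.
    $restored = New-Object System.Collections.ArrayList
    $queue    = New-Object System.Collections.Queue
    foreach ($r in ($root | Restore-ADObject -PassThru)) {
        [void]$restored.Add($r.DistinguishedName)
        $queue.Enqueue($r.DistinguishedName)
    }
    while ($queue.Count -gt 0) {
        $liveParent  = $queue.Dequeue()
        $childFilter = "(&(isDeleted=TRUE)(!(isRecycled=TRUE))(lastKnownParent=$liveParent))"
        $children = Get-ADObject -SearchBase $deletedCN -IncludeDeletedObjects -LDAPFilter $childFilter
        foreach ($child in $children) {
            $r = $child | Restore-ADObject -PassThru
            [void]$restored.Add($r.DistinguishedName)
            # Only containers can have had children of their own, so only they go back on the queue.
            if ('organizationalUnit', 'container' -contains $r.ObjectClass) {
                $queue.Enqueue($r.DistinguishedName)
            }
        }
    }
    return $restored   # DNs in the order they were brought back to life
}

# Usage: Restore-DeletedOUTree -OriginalDN 'OU=MyOU,DC=myAD,DC=lab'
```

The DN values are placed in the LDAP filters unescaped, so OU or object names containing ( ) * or \ would need LDAP filter escaping before this is used on them.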
 
I recommend playing with these commands to get the hang of it.
 
 
I assume there will be some enthusiasts who will create a ‘GUI on top of PowerShell’ that enables you to restore objects more quickly,
because you don’t want to start writing scripts when you need to restore a three-level OU structure with lots of user and computer objects,
especially if this needs to be done by people who are not so PowerShell savvy.
 
But hey, the functionality is there, explore it!