Monday, March 19, 2012

Recover Active Directory Objects using Active Directory Recycle Bin

Recovering deleted objects was one of the hardest tasks for Active Directory admins, as it requires performing an authoritative restore from an Active Directory backup. [ An authoritative restore consists of a non-authoritative restore followed by using NTDSutil to mark certain Active Directory objects as authoritative so that they cannot be overwritten during the post-restore replication sync. ]
Active Directory Recycle Bin helps minimize directory service downtime by enhancing your ability to preserve and restore accidentally deleted Active Directory objects without restoring Active Directory data from backups, restarting Active Directory Domain Services (AD DS), or rebooting domain controllers.
In this post I’ll show you how to raise the functional level, enable Active Directory Recycle Bin and finally restore a deleted Active Directory object [ a user object ].

First: Set the forest to Windows 2008 R2 mode:
This can be accomplished using the Active Directory Domains and Trusts snap-in or the Active Directory module for PowerShell, with the following command:
Set-ADForestMode [-Identity] <ADForest> [-ForestMode] <ADForestMode>
 
In the Active Directory module for PowerShell you can verify the result by running Get-ADForest | FL Name,ForestMode

For my lab environment :
  Set-ADForestMode -Identity itguydiaries.net -ForestMode Windows2008R2Forest
 

Second: Enabling AD Recycle Bin: [ Note: This is an irreversible action ]
To enable AD Recycle Bin we use the Enable-ADOptionalFeature cmdlet as follows:

Enable-ADOptionalFeature -Identity <ADOptionalFeature> -Scope <ADOptionalFeatureScope> -Target <ADEntity>

For my lab environment : 

Enable-ADOptionalFeature -Identity "CN=Recycle Bin Feature,CN=Optional Features,CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=itguydiaries,DC=net" -Scope ForestOrConfigurationSet -Target itguydiaries.net
 

Third & last: Recovering a deleted object:

After enabling AD Recycle Bin you can start recovering your deleted objects either with LDP.exe or with the Active Directory module for Windows PowerShell. I’ll show how to use the Active Directory module for Windows PowerShell to recover a user object named TestUser1 who is a member of both TestGroup1 & TestGroup2.


I deleted the user after enabling AD Recycle Bin. First I’ll verify that TestUser1 exists as a deleted user object using the Get-ADObject cmdlet with the -Filter parameter, as follows:
Get-ADObject -Filter {DisplayName -eq "TestUser1"} -IncludeDeletedObjects

Below are the command execution and the result for my lab environment:
 

As you can see, the value of the Deleted attribute is set to “True” because it is a deleted object. Now I’ll restore the object, TestUser1, by piping the previous command to Restore-ADObject, as below:


By now our user object, TestUser1, is restored with all attached attributes, including group membership.
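
The restore step described above, written out as an added example (not the original post's code) with the checks an admin would want around it: it confirms the Recycle Bin feature is enabled, refuses to restore when the display name matches more than one deleted object, and lists the restored user's groups. It assumes the ActiveDirectory module is available and reuses the post's lab name TestUser1; the variable names are illustrative.

```powershell
# Added example: guarded restore of a deleted user from the AD Recycle Bin.
Import-Module ActiveDirectory

$displayName = 'TestUser1'   # lab object name taken from the post

# 1. Confirm the Recycle Bin optional feature is enabled. Objects deleted
#    before it was enabled cannot be restored with their attributes.
$feature = Get-ADOptionalFeature -Filter 'Name -eq "Recycle Bin Feature"'
if (-not $feature.EnabledScopes) {
    throw 'AD Recycle Bin is not enabled in this forest.'
}

# 2. Find deleted objects with that display name. -IncludeDeletedObjects
#    also returns live objects, so keep only those flagged Deleted.
$deleted = @(Get-ADObject -Filter {DisplayName -eq $displayName} `
        -IncludeDeletedObjects -Properties DisplayName, LastKnownParent, whenChanged |
    Where-Object { $_.Deleted })

# 3. Refuse to guess: several deleted objects can share a display name.
if ($deleted.Count -ne 1) {
    $deleted | Format-Table Name, LastKnownParent, whenChanged, ObjectGUID -AutoSize | Out-Host
    throw "Expected exactly one deleted match for '$displayName', found $($deleted.Count)."
}

# 4. Restore to the original location. The parent container must still
#    exist; otherwise restore the parent first or pass -TargetPath.
$restored = $deleted[0] | Restore-ADObject -PassThru

# 5. Verify that linked attributes came back (the post expects TestGroup1
#    and TestGroup2 in this list).
Get-ADUser -Identity $restored.ObjectGUID -Properties MemberOf |
    Select-Object -ExpandProperty MemberOf
```

Adding -WhatIf to Restore-ADObject shows which object would be restored without changing the directory.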

Conclusion :
 
Active Directory Recycle Bin is one of Windows Server 2008 R2’s wonderful features; it improves your ability to restore deleted objects without any downtime while maintaining all linked attribute values.

For more information check Active Directory Recycle Bin Step-by-Step Guide here