Active Directory Recycle Bin for Server 2008 R2

You may already have heard about it: Windows Server 2008 R2 is in the beta phase now and it seems like it brings cool new features. One of those features is the “Recycle bin” for the Directory Service (Active Directory / AD DS – I prefer Active Directory more).

There are a few articles about this out there – one of them is a step-by-step howto on Technet: http://technet.microsoft.com/en-us/library/dd392261.aspx I got my information from. I don’t wanna copy the Technet article but point out some fast facts on this.

Requirements:

Activating the Recycle bin requires you to enable the forest functional level “Windows Server 2008 R2″ which means that you need to say goodbye to legacy DCs. The Recycle bin only works with Server 2008 R2 (and above) DCs. The second thing is, that there’s no switch built-in you can flip like you want. Enabling the recycle bin is an inreversible step. You can’t go back once you enable it.

Why would I need a recycle bin?

Accidential deletion happens. All over the place. It shouldn’t happen but it does. May it be an admin who fat-fingered OU maintenance or a wild script that wipes a bunch of users off an OU. Restoring objects involves downtime of a DC. No matter if 2000, 2003 or 2008, you need to either shut down a DC to reboot in DSRM (Directory Services Restore Mode — the so-called F8-boot) or stopping the AD DS instance. Restoring with NTDSutil requires the database cleanly shut down.

Also, there’s always a gap between the last backup you take to restore and the actual “last good” state of the object to restore. In good cases, the time the object broke might be only a few hours from the last backup, in bad cases, it may be a few days – even weeks between them. Changes between those two points are lost.

How does it work?

I’ll borrow the two pictures from http://technet.microsoft.com/en-us/library/dd379542.aspx here. Right now, we have this thing called “tombstone”. This is what an object gets when it is deleted. Most of its attribute values are stripped off the object and it is marked as deleted and copied to the NC’s “Deleted Objects” container. It rests there for by default 180 days until the garbage collector (which runs every 12 hours by default) decides to finally kill it:

(picture taken from http://technet.microsoft.com/en-us/library/dd379542.aspx)

With the recycle bin in Server 2008 R2, we have a new state between the living object and the physically deletion of the object:

(picture taken from http://technet.microsoft.com/en-us/library/dd379542.aspx)

Once the recycle bin is enabled, objects that get deleted aren’t stripped from their attributes but only marked as “deleted” and moved to the “Deleted Objects” container. All attribute values are preserved. They reside there for a default time of 180 days. The attribute ms-DS-deletedObjectLifetime dictates the number of days it actually can “live”. If the attribute has no value, it uses the value of tombstoneLifetime which has, if it also isn’t specifically set to a value, by default 180 days preset.

After its “deletedObjectLifetime” is over, the object is known as “recycled” and still resides in the “Deleted Objects” container. It is now stripped from its attributes and looks like a “normal” tombstone now.

During the deletedObjectLifetime, you can restore and object with all its previous attributes at no DC downtime. Restoring a single object is as easy as deleting its “isDeleted” attribute value and changing its DN to where ever you want to restore it (look at the lastKnownParent attribute – it’s preserved for tombstones, too!) using ldp or adsiedit.

1 Comment so far

  1. Megamind on November 12th, 2010

    Pretty good post. I just stumbled upon your blog and wanted to say that I have really enjoyed reading your blog posts