In this quick guide, we will show you two methods you can use to enable the Active Directory Recycle Bin and restore deleted AD objects along with their attributes. Let’s get started!
Using the AD Recycle bin to Restore Deleted Objects
Before Windows Server 2008 R2, the usual way for administrators to recover accidentally deleted or corrupted AD objects (users, groups, computer accounts, OUs) was an authoritative restore from a system state backup, which means taking a domain controller offline into Directory Services Restore Mode. Windows Server 2008 R2 introduced the Active Directory Recycle Bin, which lets you restore deleted objects directly from the hidden CN=Deleted Objects container without a backup.
In earlier versions of Active Directory, deleting an object turned it into a tombstone: the object was moved to the Deleted Objects container with isDeleted set to TRUE and stripped of almost all of its attributes, group memberships included. A tombstone could be reanimated, but the lost attributes had to be repopulated by hand, and once the tombstone lifetime expired the object was garbage-collected and gone for good.
With the Active Directory Recycle Bin (ADRB) enabled, a deleted object instead enters a logically deleted state (isDeleted = TRUE) in which all of its attributes, including linked attributes such as group membership, are preserved for the deleted object lifetime (which defaults to the tombstone lifetime). During that period the object can be restored intact with a single command. Only afterwards does it become a recycled object (isRecycled = TRUE), stripped like a tombstone and no longer restorable. This makes the restoration process simpler and far less time-consuming. But before you enable the AD Recycle Bin, some requirements must be met.
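The restore described above, as an added example that is not part of the original article: it locates a logically deleted user in CN=Deleted Objects, checks that it has not yet been recycled, and restores it with its attributes intact. It assumes the Recycle Bin is already enabled and that `jsmith` is a placeholder sAMAccountName for the deleted account.

```powershell
# Added example (not the article's own code). Assumes the AD Recycle Bin is
# enabled and 'jsmith' is a placeholder for the deleted account's sAMAccountName.
Import-Module ActiveDirectory

$sam = 'jsmith'

# Deleted objects are only returned when -IncludeDeletedObjects is set.
# While the Recycle Bin is enabled, a deleted object keeps its attributes
# for the deleted object lifetime (isDeleted = TRUE, isRecycled not set).
$deleted = Get-ADObject -Filter { sAMAccountName -eq $sam -and isDeleted -eq $true } `
    -IncludeDeletedObjects `
    -Properties sAMAccountName, isDeleted, isRecycled, lastKnownParent, memberOf, whenChanged

if (-not $deleted) {
    throw "No deleted object with sAMAccountName '$sam' was found."
}

foreach ($obj in $deleted) {
    if ($obj.isRecycled) {
        # Recycled objects are tombstones: their attributes are already gone and
        # Restore-ADObject will refuse them. Only a backup can bring these back.
        Write-Warning "$($obj.DistinguishedName) is already recycled and cannot be restored."
        continue
    }

    # lastKnownParent tells you where the object lived. If that OU was deleted
    # as well, restore the OU first (or pass -TargetPath to put the user elsewhere).
    Write-Host "Restoring $($obj.DistinguishedName) to $($obj.lastKnownParent)"
    Restore-ADObject -Identity $obj.ObjectGUID
}

# Confirm the account is live again and that its group memberships came back.
Get-ADUser -Identity $sam -Properties memberOf |
    Select-Object DistinguishedName, Enabled, memberOf
```

Restore-ADObject puts the object back under its lastKnownParent by default; if the parent container is itself in the Recycle Bin, restore it first, working from the top of the deleted tree downwards.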
The Requirements for Enabling the AD Recycle Bin
First, the forest functional level must be Windows Server 2008 R2 or higher. That in turn requires every domain controller in the forest to run Windows Server 2008 R2 or later, so any older domain controllers must be upgraded or demoted first, and the schema must have been extended with the adprep.exe utility (adprep /forestprep, followed by adprep /domainprep in each domain). The forest functional level can then be raised with the Set-ADForestMode cmdlet from the Active Directory module, from Active Directory Domains and Trusts, or with Ldp.exe. Be aware that enabling the Recycle Bin is irreversible: once it is enabled it cannot be turned off, and the change replicates to every domain controller in the forest.
Once the forest functional level of your environment is set to Windows Server 2008 R2 or higher, the Active Directory Recycle Bin can be enabled using one of the two methods below (on Windows Server 2012 and later it can also be enabled from the Active Directory Administrative Center).
How to enable the Active Directory Recycle Bin Using the Enable-ADOptionalFeature Cmdlet
- Click Start, click Administrative Tools, right-click Active Directory Module for Windows PowerShell, and then click Run as administrator.
- At the Active Directory module for Windows PowerShell command prompt, run Enable-ADOptionalFeature against the Recycle Bin Feature object in the Configuration partition, with the forest root domain as the target, and then press ENTER. The cmdlet asks you to confirm, because the operation cannot be undone.
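The complete cmdlet procedure, including the prerequisite checks from the previous section, as an added example that is not part of the original article. It assumes an elevated Active Directory module session run by an Enterprise Admin; the forest root domain is read from the forest rather than hard-coded.

```powershell
# Added example (not the article's own code). Run in an elevated AD module
# session as an Enterprise Admin in the forest root domain.
Import-Module ActiveDirectory

$forest   = Get-ADForest
$forestDN = (Get-ADDomain -Identity $forest.RootDomain).DistinguishedName

# Prerequisite 1: forest functional level must be Windows Server 2008 R2 or higher.
$minMode = [Microsoft.ActiveDirectory.Management.ADForestMode]::Windows2008R2Forest
if ([int]$forest.ForestMode -lt [int]$minMode) {
    throw "Forest mode is $($forest.ForestMode); raise it with Set-ADForestMode first."
}

# Prerequisite 2: every DC in every domain must run Windows Server 2008 R2 or later.
# (The mode could not have been raised otherwise, but list them anyway before a
# one-way change.)
$forest.Domains | ForEach-Object {
    Get-ADDomainController -Filter * -Server $_
} | Select-Object Name, Domain, OperatingSystem

# The Recycle Bin is an optional-feature object under the Configuration partition.
$feature = Get-ADOptionalFeature -Identity 'Recycle Bin Feature'

if ($feature.EnabledScopes.Count -gt 0) {
    Write-Host "Recycle Bin is already enabled for: $($feature.EnabledScopes -join ', ')"
} else {
    # Forest-wide and irreversible: there is no Disable-ADOptionalFeature.
    # -Confirm:$false suppresses the interactive warning; drop it if you want the prompt.
    Enable-ADOptionalFeature -Identity $feature.DistinguishedName `
        -Scope ForestOrConfigurationSet -Target $forest.RootDomain -Confirm:$false
}

# Verify: once enabled, the feature's DN is listed in msDS-EnabledFeature on
# CN=Partitions, which is exactly the object the Ldp.exe method modifies.
$partitions = Get-ADObject -Identity "CN=Partitions,CN=Configuration,$forestDN" `
    -Properties 'msDS-EnabledFeature'
$partitions.'msDS-EnabledFeature'
```

After enabling, give replication time to complete before relying on the feature; objects deleted before the Recycle Bin was enabled are already tombstones and do not gain their attributes back.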
How to Enable the Active Directory Recycle Bin Using Ldp.exe
- To open Ldp.exe, click Start, click Run, and then type ldp.exe.
- To connect and bind to the server that hosts the forest root domain of your AD DS environment, under Connection, click Connect, and then click Bind.
- Click View, click Tree, in BaseDN, select the configuration directory partition, and then click OK.
- In the console tree, double-click the distinguished name of the configuration directory partition, and then navigate to the CN=Partitions container.
- Right-click the CN=Partitions container’s distinguished name, and then click Modify.
- In the Modify dialog box, make sure that the DN box is empty.
- In the Modify dialog box, in Edit Entry Attribute, type enableOptionalFeature.
- In the Modify dialog box, in Values, type CN=Partitions,CN=Configuration,DC=mydomain,DC=com:766ddcd8-acd0-445e-f3b9-a7f9b6744f2a. Replace mydomain and com with the appropriate forest root domain name of your AD DS environment; the GUID is the Recycle Bin Feature’s msDS-OptionalFeatureGUID and must be typed exactly as shown.
- Under Operation, click Add, click Enter, and then click Run. The output pane reports whether the modification succeeded; the change is forest-wide and cannot be reversed.
An Easier Way to Restore AD Objects
If you are unable to raise the forest functional level of your environment to Windows Server 2008 R2 and have to continue with your current Windows Server version, there may be an easier way to ensure you are able to restore AD objects. As part of its Data Security Platform, Lepide offers an Active Directory audit solution that allows you to restore deleted objects from the local domain complete with their attributes, so you don’t have to use different utilities to perform the restoration. Lepide’s Active Directory Auditing pages have more detail.