Active Directory is arguably the most important part of any organization's IT infrastructure. It is important to be vigilant about monitoring and alerting on any changes made to this system, so that you can spot changes that were made in error or that are damaging.
Occasionally, objects are deleted by mistake, or administrators delete objects that were created for test purposes. Whatever the case, organizations must make sure they are able to restore deleted objects if necessary; otherwise, irreparable damage could be caused to the IT infrastructure. In this article, we describe the lifecycle of a deleted object and the steps you can take to restore objects that have been deleted in error.
Active Directory Recycle Bin
The Active Directory Recycle Bin feature was introduced in Windows Server 2008 R2.
When an object is deleted, it enters the "deleted" state and is moved to the "Deleted Objects" container. Its "isDeleted" attribute is now set to TRUE. The deleted object retains all of its attributes and values, but it is renamed to a mangled value. Once the tombstoneLifetime expires, the object is physically deleted.
When the Active Directory Recycle Bin is enabled, a deleted object becomes a "logically deleted" object and is moved to the "Deleted Objects" container. The object stays in this container with all of its attributes until msDS-deletedObjectLifetime expires. When this period expires, the object enters the "deleted" (recycled) state and its "isRecycled" attribute is set to TRUE. All other attributes and values of the object are deleted permanently, and an administrator cannot recover the object at all. The object is physically deleted only when its tombstoneLifetime expires.
Enable Active Directory Recycle Bin
This feature can only be enabled in a forest when all the domain controllers are running Windows Server 2008 R2, Windows Server 2012 or Windows Server 2012 R2. Please note that the process of enabling the Active Directory Recycle Bin is irreversible.
Execute the following command to enable the Active Directory Recycle Bin:
Enable-ADOptionalFeature -Identity 'CN=Recycle Bin Feature,CN=Optional Features,CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=www,DC=domain,DC=com' -Scope ForestOrConfigurationSet -Target 'www.domain.com'
If you are using Windows Server 2012 or Windows Server 2012 R2, you can also use the Active Directory Administrative Center to enable the Recycle Bin.
The default tombstone lifetime is 60 to 180 days, depending on the Windows Server operating system. If you have not modified the value of msDS-deletedObjectLifetime, it is equal to the value of the tombstoneLifetime attribute. Perform the following steps to check and modify the tombstone lifetime period.
1. Open the ADSI Edit console.
2. Connect to the "Configuration" partition.
3. Navigate to "CN=Configuration,DC=www,DC=domain,DC=com" → "CN=Services", and expand "CN=Windows NT".
4. Right-click "CN=Directory Service" and click "Properties" in the context menu.
5. In the "Properties" dialog box, look for the "msDS-deletedObjectLifetime" attribute. It shows the lifetime in days.
6. Select the "msDS-deletedObjectLifetime" attribute and click "Edit" to change its value.
7. Scroll down to the "tombstoneLifetime" attribute and perform the same steps to change its value.
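The same check can be scripted instead of done in ADSI Edit. This is an added example, not from the article: it reads both lifetimes from the Directory Service object and reports whether the Recycle Bin is enabled. It assumes the ActiveDirectory PowerShell module and a domain-joined session that can read the Configuration partition.

```powershell
# Added example: report Recycle Bin status and the two deletion lifetimes.
# Assumes the ActiveDirectory module (RSAT) is available.
Import-Module ActiveDirectory

function Get-ADDeletionLifetimes {
    # Same object the ADSI Edit steps above navigate to, located dynamically.
    $configNC = (Get-ADRootDSE).configurationNamingContext
    $dsDn     = "CN=Directory Service,CN=Windows NT,CN=Services,$configNC"

    $ds = Get-ADObject -Identity $dsDn -Properties tombstoneLifetime, 'msDS-DeletedObjectLifetime'

    # When tombstoneLifetime is not set, the built-in default of 60 days applies.
    $tsl = if ($ds.tombstoneLifetime) { [int]$ds.tombstoneLifetime } else { 60 }
    # msDS-DeletedObjectLifetime falls back to tombstoneLifetime when not set.
    $dol = if ($ds.'msDS-DeletedObjectLifetime') { [int]$ds.'msDS-DeletedObjectLifetime' } else { $tsl }

    # EnabledScopes is empty until Enable-ADOptionalFeature has been run.
    $rb = Get-ADOptionalFeature -Filter 'name -like "Recycle Bin Feature"'

    [pscustomobject]@{
        RecycleBinEnabled             = ($rb.EnabledScopes.Count -gt 0)
        TombstoneLifetimeDays         = $tsl
        DeletedObjectLifetimeDays     = $dol
        DeletedObjectLifetimeExplicit = [bool]$ds.'msDS-DeletedObjectLifetime'
    }
}

Get-ADDeletionLifetimes
```

A deleted object is restorable with its attributes only within DeletedObjectLifetimeDays of deletion (and only if RecycleBinEnabled is true), so this is the window an administrator has to act.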
Restore Deleted Objects
If an object is deleted and is in the "logically deleted" state, it can still be recovered. Execute the following command in Windows PowerShell to find the current distinguished name of a deleted object:
Get-ADObject -SearchBase "CN=Deleted Objects,DC=www,DC=domain,DC=com" -LDAPFilter "(msDS-LastKnownRDN=Object_NAME)" -IncludeDeletedObjects -Properties lastKnownParent
Here, replace "Object_NAME" with the name of the deleted object. Once executed, the current distinguished name of the deleted object is displayed. Note that name, then execute the following command to restore the object:
Get-ADObject -LDAPFilter "(msDS-LastKnownRDN=Object_NAME)" -IncludeDeletedObjects | Restore-ADObject
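The two commands above work when exactly one object matches and its parent still exists. The function below is an added example, not from the article: it wraps the same lookup and restore, but refuses to proceed when the name is ambiguous, when the object has already been recycled, or when its last known parent is itself deleted. It assumes the ActiveDirectory module and an account permitted to restore objects; "Object_NAME" is the article's placeholder.

```powershell
# Added example: safe restore of a logically deleted object by last known RDN.
Import-Module ActiveDirectory

function Restore-DeletedADObject {
    param(
        [Parameter(Mandatory)] [string] $LastKnownRDN,
        [switch] $WhatIf
    )
    $domainDN = (Get-ADDomain).DistinguishedName
    $props    = 'lastKnownParent', 'isDeleted', 'isRecycled', 'whenChanged', 'objectClass'

    # Same search the article runs; @() forces an array even for a single hit.
    $candidates = @(Get-ADObject -SearchBase "CN=Deleted Objects,$domainDN" `
        -LDAPFilter "(msDS-LastKnownRDN=$LastKnownRDN)" -IncludeDeletedObjects -Properties $props)

    if ($candidates.Count -eq 0) { throw "No deleted object with RDN '$LastKnownRDN' found." }
    if ($candidates.Count -gt 1) {
        # The same name deleted more than once: list them and let the admin pick a DN.
        $candidates | Format-Table DistinguishedName, objectClass, whenChanged -AutoSize | Out-String | Write-Warning
        throw "Ambiguous RDN; rerun Restore-ADObject -Identity <DN> with the intended object."
    }
    $obj = $candidates[0]

    # Once isRecycled is TRUE the attributes are gone; Restore-ADObject cannot bring it back.
    if ($obj.isRecycled) { throw "'$LastKnownRDN' is already recycled; only a backup can restore it." }

    # Restore fails if the original parent container is deleted too: restore the
    # parent first, or pass -TargetPath to Restore-ADObject to place the object elsewhere.
    try   { $null = Get-ADObject -Identity $obj.lastKnownParent -ErrorAction Stop }
    catch { throw "Parent '$($obj.lastKnownParent)' is also deleted; restore it first or use -TargetPath." }

    Restore-ADObject -Identity $obj.DistinguishedName -WhatIf:$WhatIf
}

# Dry run first; drop -WhatIf to perform the restore.
Restore-DeletedADObject -LastKnownRDN 'Object_NAME' -WhatIf
```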
Administrators can also use LDP.exe to restore deleted objects. If you are using Windows Server 2012 or Windows Server 2012 R2, you can also use the Active Directory Administrative Center to restore deleted Active Directory objects.
Drawbacks of Native Restoration
Currently, native restoration methods cannot restore objects that have entered the "recycled" or "totally deleted" state. Using the native methods can also be a time-consuming and complex process, as you need a good knowledge of Windows PowerShell commands and of the steps for LDP.exe.
Third Party Solution
Lepide’s Active Directory Auditor is an automated solution that enables you to take a backup snapshot of Active Directory and Group Policy Objects. These snapshots record every change made to these objects. Even in scenarios where the object is physically deleted from the server, Lepide Data Security Platform can use these snapshots to restore them to their original state.