Friday, 16 January 2015

Understanding Recycle Bin in Active Directory

Accidental deletion of Active Directory objects is a common occurrence for users of Active Directory Domain Services (AD DS) and Active Directory Lightweight Directory Services (AD LDS). In past versions of Windows Server, prior to Windows Server 2008 R2, one could recover accidentally deleted objects in Active Directory, but the solutions had their drawbacks.

In Windows Server 2008, you could use the Windows Server Backup feature and ntdsutil authoritative restore command to mark objects as authoritative to ensure that the restored data was replicated throughout the domain. The drawback to the authoritative restore solution was that it had to be performed in Directory Services Restore Mode (DSRM). During DSRM, the domain controller being restored had to remain offline. Therefore, it was not able to service client requests.

In Windows Server 2003 Active Directory and Windows Server 2008 AD DS, you could recover deleted Active Directory objects through tombstone reanimation. However, reanimated objects' link-valued attributes (for example, group memberships of user accounts) that were physically removed and non-link-valued attributes that were cleared were not recovered. Therefore, administrators could not rely on tombstone reanimation as the ultimate solution to accidental deletion of objects.

Active Directory Recycle Bin, starting in Windows Server 2008 R2, builds on the existing tombstone reanimation infrastructure and enhances your ability to preserve and recover accidentally deleted Active Directory objects.

When you enable Active Directory Recycle Bin, all link-valued and non-link-valued attributes of the deleted Active Directory objects are preserved and the objects are restored in their entirety to the same consistent logical state that they were in immediately before deletion. For example, restored user accounts automatically regain all group memberships and corresponding access rights that they had immediately before deletion, within and across domains. Active Directory Recycle Bin works for both AD DS and AD LDS environments.

What’s new?

In Windows Server 2012, the Active Directory Recycle Bin feature has been enhanced with a new graphical user interface for users to manage and restore deleted objects. Users can now visually locate a list of deleted objects and restore them to their original or desired locations.
If you plan to enable Active Directory Recycle Bin in Windows Server 2012, consider the following:
  • By default, Active Directory Recycle Bin is disabled. To enable it, you must first raise the forest functional level of your AD DS or AD LDS environment to Windows Server 2008 R2 or higher. This in turn requires that all domain controllers in the forest or all servers that host instances of AD LDS configuration sets be running Windows Server 2008 R2 or higher.
  • The process of enabling Active Directory Recycle Bin is irreversible. After you enable Active Directory Recycle Bin in your environment, you cannot disable it.
  • To manage the Recycle Bin feature through a user interface, you must install the version of Active Directory Administrative Center included in Windows Server 2012.


The Active Directory Recycle Bin feature introduced with Windows Server® 2008 R2 provided an architecture permitting complete object recovery. Scenarios that require object recovery by using the Active Directory Recycle Bin are typically high-priority, such as recovery from accidental deletions, for example, resulting in failed logons or work stoppages. But the absence of a rich, graphical user interface complicated its usage and slowed recovery.
To address this challenge, Windows Server 2012 AD DS has a user interface for the Active Directory Recycle Bin that provides the following advantages:
  • Simplifies object recovery through the inclusion of a Deleted Objects node in the Active Directory Administrative Center (ADAC)
    • Deleted objects can now be recovered within the graphical user interface
  • Reduces recovery time by providing a discoverable, consistent view of deleted objects
Requirements
  • Recycle Bin requirements must be met:
    • Windows Server 2008 R2 forest functional level
    • Recycle Bin optional feature must be enabled
  • Windows Server 2012 Active Directory Administrative Center
  • Objects requiring recovery must have been deleted within the Deleted Object Lifetime (DOL)
    • By default, DOL is set to 180 days

    Active Directory Recycle Bin step-by-step


    In the following steps, you will use ADAC to perform the following Active Directory Recycle Bin tasks in Windows Server 2012:

    • Step 1: Raise the forest functional level

    • Step 2: Enable Recycle Bin

    • Step 3: Create test users, group and organizational unit

    • Step 4: Restore deleted objects

    Note:
    Membership in the Enterprise Admins group or equivalent permissions is required to perform the following steps.

    Step 1: Raise the forest functional level


    In this step, you will raise the forest functional level. You must first raise the functional level on the target forest to be Windows Server 2008 R2 at a minimum before you enable Active Directory Recycle Bin.

    To raise the functional level on the target forest:

    1. Right click the Windows PowerShell icon, click Run as Administrator and type dsac.exe to open ADAC.

    2. Click Manage, click Add Navigation Nodes and select the appropriate target domain in the Add Navigation Nodes dialog box and then click OK.

    3. Click the target domain in the left navigation pane and, in the Tasks pane, click Raise the forest functional level. Select a forest functional level of Windows Server 2008 R2 or higher and then click OK.

    Windows PowerShell equivalent commands

    The following Windows PowerShell cmdlet or cmdlets perform the same function as the preceding procedure. Enter each cmdlet on a single line, even though they may appear word-wrapped across several lines here because of formatting constraints.

    Set-ADForestMode -Identity contoso.com -ForestMode Windows2008R2Forest -Confirm:$false

    For the -Identity argument, specify the fully qualified DNS name.



    Step 2: Enable Recycle Bin


    In this step, you will enable the Recycle Bin so that deleted objects in AD DS can be restored.

    To enable Active Directory Recycle Bin in ADAC on the target domain:

    1. Right click the Windows PowerShell icon, click Run as Administrator and type dsac.exe to open ADAC.

    2. Click Manage, click Add Navigation Nodes and select the appropriate target domain in the Add Navigation Nodes dialog box and then click OK.

    3. In the Tasks pane, click Enable Recycle Bin..., click OK on the warning message box, and then click OK on the message prompting you to refresh ADAC.

    4. Press F5 to refresh ADAC.


    Windows PowerShell equivalent commands

    The following Windows PowerShell cmdlet or cmdlets perform the same function as the preceding procedure. Enter each cmdlet on a single line, even though they may appear word-wrapped across several lines here because of formatting constraints.

    Enable-ADOptionalFeature -Identity 'CN=Recycle Bin Feature,CN=Optional Features,CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=contoso,DC=com' -Scope ForestOrConfigurationSet -Target 'contoso.com'
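Because enabling the Recycle Bin cannot be undone, it is worth checking the requirements listed earlier (forest functional level, whether the feature is already on, and the Deleted Object Lifetime) before running the cmdlet above. The following script is an added example, not part of the original article; it assumes the ActiveDirectory RSAT module is installed and uses the contoso.com forest name from the other steps.

```powershell
# Added example: verify Active Directory Recycle Bin prerequisites before enabling it.
# Assumes the ActiveDirectory module (RSAT) and the forest name contoso.com.
Import-Module ActiveDirectory

$forest = Get-ADForest -Identity 'contoso.com'

# 1. Forest functional level must be Windows Server 2008 R2 or higher.
#    ForestMode is an enum, so compare its numeric value.
$minMode = [Microsoft.ActiveDirectory.Management.ADForestMode]::Windows2008R2Forest
if ([int]$forest.ForestMode -lt [int]$minMode) {
    Write-Warning "Forest mode is $($forest.ForestMode); raise it to Windows2008R2Forest or higher first."
} else {
    Write-Host "Forest functional level OK: $($forest.ForestMode)"
}

# 2. Is the Recycle Bin optional feature already enabled? The EnabledScopes
#    collection is empty until Enable-ADOptionalFeature has been run.
$feature = Get-ADOptionalFeature -Filter { Name -eq 'Recycle Bin Feature' }
if ($feature.EnabledScopes.Count -gt 0) {
    Write-Host "Recycle Bin already enabled in: $($feature.EnabledScopes -join ', ')"
} else {
    Write-Warning 'Recycle Bin Feature is not enabled (enabling it is irreversible).'
}

# 3. Deleted Object Lifetime (DOL), stored on the Directory Service object in the
#    configuration partition. If msDS-DeletedObjectLifetime is unset, the DOL
#    follows tombstoneLifetime; if that is unset too, the DC's built-in default applies.
$configNC = (Get-ADRootDSE).configurationNamingContext
$dsObj = Get-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$configNC" `
    -Properties 'msDS-DeletedObjectLifetime', 'tombstoneLifetime'
$dol = $dsObj.'msDS-DeletedObjectLifetime'
if (-not $dol) { $dol = $dsObj.tombstoneLifetime }
if ($dol) {
    Write-Host "Deleted Object Lifetime: $dol days (objects older than this cannot be restored)"
} else {
    Write-Host 'Deleted Object Lifetime: not set explicitly; the DC default applies'
}
```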
    

    Step 3: Create test users, group and organizational unit


    In the following procedures, you will create two test users. You will then create a test group and add the test users to the group. In addition, you will create an OU.

    To create test users

    1. Right click the Windows PowerShell icon, click Run as Administrator and type dsac.exe to open ADAC.
    2. Click Manage, click Add Navigation Nodes and select the appropriate target domain in the Add Navigation Nodes dialog box and then click OK.
    3. In the Tasks pane, click New and then click User.

    4. Enter the following information under Account and then click OK:

      • Full name: test1
      • User SamAccountName logon: test1
      • Password: p@ssword1
      • Confirm password: p@ssword1
    5. Repeat the previous steps to create a second user, test2.



      To create a test group and add users to the group

      1. Right click the Windows PowerShell icon, click Run as Administrator and type dsac.exe to open ADAC.
      2. Click Manage, click Add Navigation Nodes and select the appropriate target domain in the Add Navigation Nodes dialog box and then click OK.
      3. In the Tasks pane, click New and then click Group.
      4. Enter the following information under Group and then click OK:
        • Group name: group1

      5. Click group1, and then under the Tasks pane, click Properties.

      6. Click Members, click Add, type test1;test2, and then click OK.


      Windows PowerShell equivalent commands

      The following Windows PowerShell cmdlet or cmdlets perform the same function as the preceding procedure. Enter each cmdlet on a single line, even though they may appear word-wrapped across several lines here because of formatting constraints.

      Add-ADGroupMember -Identity group1 -Members test1,test2
      

      To create an organizational unit

      1. Right click the Windows PowerShell icon, click Run as Administrator and type dsac.exe to open ADAC.
      2. Click Manage, click Add Navigation Nodes and select the appropriate target domain in the Add Navigation Nodes dialog box and then click OK.
      3. In the Tasks pane, click New and then click Organizational Unit.
      4. Enter the following information under Organizational Unit and then click OK:
        • Name OU1


      Windows PowerShell equivalent commands

      The following Windows PowerShell cmdlets perform the same function as the preceding procedures (test users, group and organizational unit). Enter each cmdlet on a single line, even though they may appear word-wrapped across several lines here because of formatting constraints.

      1..2 | ForEach-Object {New-ADUser -SamAccountName test$_ -Name "test$_" -Path "DC=contoso,DC=com" -AccountPassword (ConvertTo-SecureString -AsPlainText "p@ssword1" -Force) -Enabled $true}
      New-ADGroup -Name "group1" -SamAccountName group1 -GroupCategory Security -GroupScope Global -DisplayName "group1"
      New-ADOrganizationalUnit -Name OU1 -Path "DC=contoso,DC=com"
      
      

      Step 4: Restore deleted objects


      In the following procedures, you will restore deleted objects from the Deleted Objects container to their original location and to a different location.

      To restore deleted objects to their original location

      1. Right click the Windows PowerShell icon, click Run as Administrator and type dsac.exe to open ADAC.

      2. Click Manage, click Add Navigation Nodes and select the appropriate target domain in the Add Navigation Nodes dialog box and then click OK.

      3. Select users test1 and test2, click Delete in the Tasks pane and then click Yes to confirm the deletion.

        Windows PowerShell equivalent commands

        The following Windows PowerShell cmdlet or cmdlets perform the same function as the preceding procedure. Enter each cmdlet on a single line, even though they may appear word-wrapped across several lines here because of formatting constraints.

        Get-ADUser -Filter 'Name -Like "*test*"' | Remove-ADUser -Confirm:$false
         
      4. Navigate to the Deleted Objects container, select test2 and test1 and then click Restore in the Tasks pane.

      5. To confirm the objects were restored to their original location, navigate to the target domain and verify the user accounts are listed.

        Note:
        If you navigate to the Properties of the user accounts test1 and test2 and then click Member Of, you will see that their group membership was also restored.

      Windows PowerShell equivalent commands

      The following Windows PowerShell cmdlet or cmdlets perform the same function as the preceding procedure. Enter each cmdlet on a single line, even though they may appear word-wrapped across several lines here because of formatting constraints.

      Get-ADObject -Filter 'Name -Like "*test*"' -IncludeDeletedObjects | Restore-ADObject
      


      To restore deleted objects to a different location

      1. Right click the Windows PowerShell icon, click Run as Administrator and type dsac.exe to open ADAC.

      2. Click Manage, click Add Navigation Nodes and select the appropriate target domain in the Add Navigation Nodes dialog box and then click OK.

      3. Select users test1 and test2, click Delete in the Tasks pane and then click Yes to confirm the deletion.

      4. Navigate to the Deleted Objects container, select test2 and test1 and then click Restore To in the Tasks pane.

      5. Select OU1 and then click OK.

      6. To confirm the objects were restored to OU1, navigate to the target domain, double click OU1 and verify the user accounts are listed.

      Windows PowerShell equivalent commands

      The following Windows PowerShell cmdlet or cmdlets perform the same function as the preceding procedure. Enter each cmdlet on a single line, even though they may appear word-wrapped across several lines here because of formatting constraints.

      Get-ADObject -Filter 'Name -Like "*test*"' -IncludeDeletedObjects | Restore-ADObject -TargetPath "OU=OU1,DC=contoso,DC=com"
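The one-liners above restore everything whose name matches the filter without showing what is being restored or confirming that the link-valued attributes came back. The script below is an added example, not from the original article: it lists the deleted objects with their original container (lastKnownParent), restores them to their original location, and then verifies that memberOf on test1 and test2 again includes group1. It assumes the contoso.com domain and the test1, test2 and group1 objects created in Step 3.

```powershell
# Added example: inspect, restore and verify deleted objects with the AD Recycle Bin.
# Assumes the ActiveDirectory module and the test1/test2/group1 objects from Step 3.
Import-Module ActiveDirectory

# Deleted objects keep their original container in lastKnownParent; isDeleted marks
# them as Recycle Bin entries. Their Name is rewritten to "<name>\0ADEL:<guid>",
# which is why a -like filter on the original name still matches.
$deleted = Get-ADObject -Filter { isDeleted -eq $true -and Name -like 'test*' } `
    -IncludeDeletedObjects -Properties lastKnownParent, whenChanged, objectClass

$deleted | Select-Object Name, objectClass, lastKnownParent, whenChanged | Format-Table -AutoSize

foreach ($obj in $deleted) {
    # Without -TargetPath, Restore-ADObject puts the object back under lastKnownParent.
    # If that parent was deleted as well, restore the parent first or supply -TargetPath.
    try {
        Restore-ADObject -Identity $obj.ObjectGUID -ErrorAction Stop
        Write-Host "Restored $($obj.Name) to $($obj.lastKnownParent)"
    } catch {
        Write-Warning "Could not restore $($obj.Name): $($_.Exception.Message)"
    }
}

# Verify the restore is complete: the accounts exist and the link-valued memberOf
# attribute (restored only when the Recycle Bin is enabled) again lists group1.
foreach ($sam in 'test1', 'test2') {
    $u = Get-ADUser -Identity $sam -Properties memberOf
    $inGroup = [bool]($u.memberOf -match '^CN=group1,')
    Write-Host ("{0}: enabled={1} memberOf group1={2}" -f $sam, $u.Enabled, $inGroup)
}
```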
      


