January 24, 2013

New features in Active Directory Domain Services in Windows Server 2012, Part 6: Recycle Bin GUI

A new feature in Windows Server 2008 R2 and the Windows Server 2008 R2 Forest Functional Level (FFL) is the Active Directory Recycle Bin. This feature enables administrators to restore (accidentally) deleted objects without booting a Domain Controller into Directory Services Restore Mode (DSRM) for an authoritative restore, and without reanimating tombstones, which loses most attributes (group memberships included). A restored object comes back with its original SID, attributes and group memberships, so a restore also restores every permission the object had.

How the Active Directory Recycle Bin works

isDeleted and isRecycled

The technology behind the Active Directory Recycle Bin is a new attribute, isRecycled, next to the existing isDeleted attribute. Since Windows 2000 Server, deleting an object such as a computer or user sets isDeleted to TRUE and moves it to the Deleted Objects container as a tombstone, stripping most of its attributes on the way. With the Active Directory Recycle Bin enabled, the deleted object keeps all of its attributes, including link-valued ones such as group memberships, for the deleted object lifetime (msDS-DeletedObjectLifetime on CN=Directory Service,CN=Windows NT,CN=Services in the Configuration partition; when it is not set it follows tombstoneLifetime, which is 180 days in forests created with Windows Server 2003 SP1 or later and 60 days in older forests). When the deleted object lifetime has expired, the isRecycled attribute is also set to TRUE and most attributes are stripped. Then, after the tombstone lifetime (tombstoneLifetime on the same object) has also expired, garbage collection removes the object from the database for good.

Only while isDeleted is set and isRecycled is not, the object is recoverable through the Active Directory Recycle Bin, with all of its attributes. Once isRecycled is set, the object is in the same state as a pre-Windows Server 2008 R2 tombstone and can no longer be restored or reanimated, only re-created.
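To see this lifecycle on a live domain, the following Windows PowerShell is an added example (not code from the original post). It reads both lifetimes from the Directory Service object, lists everything in the domain's Deleted Objects container and labels each entry as still restorable or already recycled. It assumes the ActiveDirectory module (RSAT-AD-PowerShell) and treats whenChanged as the deletion time, which is an approximation.

```powershell
# Added example, not code from the original post. Requires the ActiveDirectory
# module (RSAT-AD-PowerShell) and a connection to a DC of the target domain.
Import-Module ActiveDirectory

function Get-ADObjectLifetimes {
    # Both lifetimes live on the Directory Service object in the Configuration partition.
    $configNC = (Get-ADRootDSE).configurationNamingContext
    $ds = Get-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$configNC" `
                       -Properties 'msDS-DeletedObjectLifetime', 'tombstoneLifetime'
    # tombstoneLifetime is absent on forests created before Windows Server 2003 SP1,
    # in which case the DC uses 60 days; msDS-DeletedObjectLifetime falls back to the
    # tombstone lifetime when it is not set.
    $tsl = if ($ds.tombstoneLifetime) { [int]$ds.tombstoneLifetime } else { 60 }
    $dol = if ($ds.'msDS-DeletedObjectLifetime') { [int]$ds.'msDS-DeletedObjectLifetime' } else { $tsl }
    [pscustomobject]@{ DeletedObjectLifetimeDays = $dol; TombstoneLifetimeDays = $tsl }
}

function Get-ADRecycleBinInventory {
    # Lists every object in the domain's Deleted Objects container with its lifecycle state.
    param([string]$Domain = (Get-ADDomain).DNSRoot)
    $life      = Get-ADObjectLifetimes
    $deletedNC = 'CN=Deleted Objects,' + (Get-ADDomain -Identity $Domain).DistinguishedName

    # -IncludeDeletedObjects adds the LDAP "show deleted" control; without it the
    # container looks empty. OneLevel skips the container object itself, which also
    # carries isDeleted=TRUE.
    Get-ADObject -Server $Domain -SearchBase $deletedNC -SearchScope OneLevel `
                 -IncludeDeletedObjects -LDAPFilter '(isDeleted=TRUE)' `
                 -Properties isRecycled, whenChanged, 'msDS-LastKnownRDN', lastKnownParent, objectClass |
        ForEach-Object {
            # A deleted object can no longer be modified, so whenChanged approximates
            # the deletion time (assumption used for the estimate below).
            $deletedAt = $_.whenChanged
            if ($_.isRecycled) {
                $state = 'Recycled: attributes stripped, not restorable'
                $until = $null
            } else {
                $state = 'Deleted: all attributes kept, restorable'
                $until = $deletedAt.AddDays($life.DeletedObjectLifetimeDays)
            }
            [pscustomobject]@{
                Name            = $_.'msDS-LastKnownRDN'
                Class           = $_.objectClass
                State           = $state
                DeletedAt       = $deletedAt
                RestorableUntil = $until
                LastKnownParent = $_.lastKnownParent
                ObjectGUID      = $_.ObjectGUID
            }
        }
}

# Usage:
Get-ADObjectLifetimes
Get-ADRecycleBinInventory | Sort-Object RestorableUntil |
    Format-Table Name, Class, State, RestorableUntil -AutoSize
```

Objects whose RestorableUntil is close are the ones to act on first; once the garbage collector flips isRecycled, the attributes are gone and Restore-ADObject will refuse them.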

PowerShell

In Windows Server 2008 R2, the only built-in way to manage the Active Directory Recycle Bin is Windows PowerShell (the Active Directory module's Enable-ADOptionalFeature and Restore-ADObject cmdlets), short of raw LDAP modifications with Ldp.exe. Whether you want to enable the Active Directory Recycle Bin optional feature or restore an object from it, there is no graphical tool for either action.

PowerShell shines at repeatable tasks, so it makes perfect sense to perform the one-time action of enabling the Active Directory Recycle Bin, and the occasional restore of an accidentally deleted object, with PowerShell, right?


What's New

In Windows Server 2012 you can enable the Active Directory Recycle Bin optional feature and restore objects from the Active Directory Recycle Bin from the Graphical User Interface (GUI). The Active Directory Administrative Center (ADAC) is the tool to perform these actions; under the hood it runs the same Active Directory module cmdlets, which you can inspect afterwards in its Windows PowerShell History pane.

Enabling the Recycle Bin feature from the GUI

You can enable the Active Directory Recycle Bin from within Active Directory Administrative Center when you are logged on, locally or through the remote tools, with an account that is a member of the Enterprise Admins group.

The task can be found in the Tasks pane on the right when the domain node is selected in the navigation pane. Alternatively, right-click the domain node in the left pane and select Enable Recycle Bin … from the context menu:

Screenshot: Enabling the Active Directory Recycle Bin in the Active Directory Administrative Center

You will receive a warning, because enabling the Active Directory Recycle Bin cannot be rolled back: once enabled, the optional feature cannot be disabled again. Click OK. A second pop-up will appear, asking you to refresh Active Directory Administrative Center. Again, click OK. After the refresh, Active Directory Administrative Center shows a Deleted Objects container underneath the domain root.

Restoring objects from the GUI

After you, or another Active Directory administrator, have deleted an object, it becomes visible in this Deleted Objects container.

Clicking this container opens it and displays the deleted objects. You may find user objects, computer objects, Organizational Units (OUs) and fine-grained password policy settings in this container.

By right-clicking objects in this container you can restore them to their original location (Restore) or to an alternative location (Restore To…):

Screenshot: Restoring a user object in the Active Directory Administrative Center

That last option comes in handy when you have deleted a whole Organizational Unit (OU) and want to restore only a few objects from it, in a different location.

Note:
When you restore an object whose parent object was also deleted, select the parent object too. Active Directory Administrative Center then restores the whole tree in the right order; a child cannot be restored to its original location while its parent is still deleted.
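The same three restore scenarios (a single object, a deleted OU with everything beneath it restored parent-first, and a restore to an alternative location) in Windows PowerShell, as an added example that is not code from the original post. It uses Restore-ADObject from the ActiveDirectory module; the names Sales, John Doe, jdoe and OU=Recovered are assumptions. The tree restore walks lastKnownParent in memory rather than in an LDAP filter, so the \0ADEL: marker in tombstone DNs never needs escaping.

```powershell
# Added example, not code from the original post. Requires the ActiveDirectory module
# and an enabled Recycle Bin. Names (Sales, John Doe, jdoe, OU=Recovered) are assumptions.
Import-Module ActiveDirectory

function Get-ADRestorableObject {
    # Everything deleted but not yet recycled: what ADAC's Deleted Objects container
    # offers to restore. (msDS-LastKnownRDN=*) drops the container object itself.
    param([Parameter(Mandatory)][string]$Server)
    Get-ADObject -Server $Server -IncludeDeletedObjects `
                 -LDAPFilter '(&(isDeleted=TRUE)(!(isRecycled=TRUE))(msDS-LastKnownRDN=*))' `
                 -Properties 'msDS-LastKnownRDN', lastKnownParent, objectClass, sAMAccountName
}

function Restore-ADDeletedTree {
    # Restores a deleted container and, breadth-first, every deleted object whose
    # lastKnownParent points at that container's tombstone DN. Parents go first:
    # Restore-ADObject fails for a child whose parent is still deleted.
    param(
        [Parameter(Mandatory)][string]$LastKnownRDN,     # e.g. 'Sales' for OU=Sales
        # Pin one writable DC so later restores see the parent restored a moment ago.
        [string]$Server = ((Get-ADDomainController -Discover -Writable).HostName | Select-Object -First 1)
    )
    $all  = @(Get-ADRestorableObject -Server $Server)
    $root = @($all | Where-Object { $_.'msDS-LastKnownRDN' -eq $LastKnownRDN })
    if ($root.Count -eq 0) { throw "No restorable object with last known RDN '$LastKnownRDN'." }
    if ($root.Count -gt 1) { throw "Ambiguous RDN '$LastKnownRDN'; restore by ObjectGUID instead." }

    $queue = New-Object System.Collections.Queue
    $queue.Enqueue($root[0])
    $restored = @()
    while ($queue.Count -gt 0) {
        $obj = $queue.Dequeue()
        # Children reference the tombstone DN (the one carrying the \0ADEL: marker).
        $tombstoneDN = $obj.DistinguishedName
        Restore-ADObject -Identity $obj.ObjectGUID -Server $Server
        $restored += $obj
        $all | Where-Object { $_.lastKnownParent -eq $tombstoneDN } | ForEach-Object { $queue.Enqueue($_) }
    }
    $restored | Select-Object @{n='Name';e={$_.'msDS-LastKnownRDN'}}, objectClass, lastKnownParent
}

function Restore-ADObjectTo {
    # ADAC's "Restore To...": one object out of a deleted OU, while the OU stays deleted.
    param(
        [Parameter(Mandatory)][string]$LastKnownRDN,
        [Parameter(Mandatory)][string]$TargetPath,
        [string]$Server = ((Get-ADDomainController -Discover -Writable).HostName | Select-Object -First 1)
    )
    $obj = @(Get-ADRestorableObject -Server $Server | Where-Object { $_.'msDS-LastKnownRDN' -eq $LastKnownRDN })
    if ($obj.Count -ne 1) { throw "Expected exactly one restorable '$LastKnownRDN', found $($obj.Count)." }
    Restore-ADObject -Identity $obj[0].ObjectGUID -TargetPath $TargetPath -Server $Server -PassThru
}

function Show-RestoredAccess {
    # A restored account returns with its SID, password and group memberships intact,
    # so review what it can reach before handing it back.
    param([Parameter(Mandatory)][string]$SamAccountName)
    $u = Get-ADUser -Identity $SamAccountName -Properties memberOf, PasswordLastSet
    [pscustomobject]@{
        User            = $u.SamAccountName
        Enabled         = $u.Enabled
        PasswordLastSet = $u.PasswordLastSet
        Groups          = @($u.memberOf | ForEach-Object { ($_ -split ',')[0] -replace '^CN=' })
    }
}

# Usage (assumed names):
# Restore-ADDeletedTree -LastKnownRDN 'Sales'                       # OU=Sales and everything beneath it
# Restore-ADObjectTo -LastKnownRDN 'John Doe' -TargetPath 'OU=Recovered,DC=contoso,DC=com'
# Show-RestoredAccess -SamAccountName 'jdoe'
```

Show-RestoredAccess is the check to run after any restore: a deletion that was part of deprovisioning is fully undone by a restore, including memberships in privileged groups.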


Requirements

To enable the Active Directory Recycle Bin optional feature you first need to fulfill the Active Directory Recycle Bin requirements:

  • All Domain Controllers in the forest need to run Windows Server 2008 R2 or Windows Server 2012. You can either transition your current Domain Controllers to these Windows Server versions or in-place upgrade them. Alternatively, you can start a new Active Directory forest from scratch and migrate your current objects into it with the Active Directory Migration Tool (ADMT) or a 3rd party migration tool.
  • The Domain Functional Level (DFL) of every domain in the forest needs to be at least the Windows Server 2008 R2 Domain Functional Level.
  • The Forest Functional Level (FFL) needs to be at least the Windows Server 2008 R2 Forest Functional Level.

Then, you need access to the new Active Directory Administrative Center (ADAC). You can get it in the following ways:

  • Introduce a Windows Server 2012 Domain Controller. It needs to be a Server with a GUI installation, not a Server Core installation; Active Directory Administrative Center is installed as part of the Domain Controller promotion process.
  • Introduce a Windows Server 2012 member server and add Active Directory Administrative Center from the Remote Server Administration Tools (RSAT) category in Server Manager's Add Roles and Features Wizard (the RSAT-AD-AdminCenter feature). For a management server, a Server with a GUI installation is the better choice over Server Core.
  • Introduce a Windows 8 Professional or Enterprise installation to your environment and install the Remote Server Administration Tools (RSAT) for Windows 8 update package on it. Then turn on Active Directory Administrative Center under the Remote Server Administration Tools category in Turn Windows features on or off (Programs and Features in the Control Panel; right-click in the bottom left corner of the screen and select Control Panel to get there).

After fulfilling these requirements you can scroll back up to the part of this blog post where I explain how to enable the Recycle Bin feature from the GUI, and you're done!
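The requirements above and the enabling step translate into a short Windows PowerShell check, added here as an example that is not code from the original post. It verifies the Domain Controller operating systems, every DFL and the FFL (reading the required forest mode from the optional feature object itself), reports whether the feature is already enabled, and only then calls Enable-ADOptionalFeature, the cmdlet behind ADAC's Enable Recycle Bin task. It assumes the ActiveDirectory module and an Enterprise Admins account; Install-ADACTools assumes a Windows Server 2012 member server.

```powershell
# Added example, not code from the original post. Checks the three Recycle Bin
# prerequisites and enables the optional feature (forest-wide and irreversible).
# Run as an Enterprise Admin with the ActiveDirectory module available.
Import-Module ActiveDirectory

function Test-ADRecycleBinPrerequisites {
    $forest  = Get-ADForest
    $feature = Get-ADOptionalFeature -Identity 'Recycle Bin Feature'
    $issues  = @()

    foreach ($domain in $forest.Domains) {
        # 1. Every DC in every domain must run Windows Server 2008 R2 or later.
        Get-ADDomainController -Filter * -Server $domain | ForEach-Object {
            if ($_.OperatingSystem -match 'Windows (2000 Server|Server 2003|Server 2008(?! R2))') {
                $issues += "$($_.HostName) runs $($_.OperatingSystem)"
            }
        }
        # 2. Every DFL must be at least Windows Server 2008 R2.
        $mode = (Get-ADDomain -Identity $domain).DomainMode
        if ([int]$mode -lt [int][Microsoft.ActiveDirectory.Management.ADDomainMode]::Windows2008R2Domain) {
            $issues += "$domain is at DFL $mode"
        }
    }
    # 3. The FFL must meet the level the feature object advertises (Windows2008R2Forest).
    if ([int]$forest.ForestMode -lt [int]$feature.RequiredForestMode) {
        $issues += "forest $($forest.Name) is at FFL $($forest.ForestMode); $($feature.RequiredForestMode) required"
    }

    [pscustomobject]@{
        AlreadyEnabled = ($feature.EnabledScopes.Count -gt 0)
        Ready          = ($issues.Count -eq 0)
        Issues         = $issues
    }
}

function Enable-ADRecycleBin {
    $check = Test-ADRecycleBinPrerequisites
    if ($check.AlreadyEnabled) { Write-Host 'Recycle Bin is already enabled.'; return }
    if (-not $check.Ready) {
        $check.Issues | ForEach-Object { Write-Warning $_ }
        throw 'Prerequisites not met; fix the issues above first.'
    }
    # -Confirm:$false suppresses the same "cannot be reversed" prompt ADAC shows.
    Enable-ADOptionalFeature -Identity 'Recycle Bin Feature' -Scope ForestOrConfigurationSet `
                             -Target (Get-ADForest).RootDomain -Confirm:$false
    # Verify: EnabledScopes is no longer empty once the feature is on.
    (Get-ADOptionalFeature -Identity 'Recycle Bin Feature').EnabledScopes
}

function Install-ADACTools {
    # On a Windows Server 2012 member server the GUI tool is itself a feature
    # (assumed scenario; on Windows 8 use the RSAT update package instead).
    Import-Module ServerManager
    Install-WindowsFeature -Name RSAT-AD-AdminCenter, RSAT-AD-PowerShell
}

# Usage:
Test-ADRecycleBinPrerequisites
# Enable-ADRecycleBin    # uncomment once Ready is True; there is no way back
```

Running Test-ADRecycleBinPrerequisites first matters because Enable-ADOptionalFeature fails with a functional level error otherwise, and because the same output tells you whether a colleague already enabled the feature from ADAC.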
