In Windows Server 2008
Active Directory domains, you could recover accidentally deleted objects
from backups of AD DS that were taken by Windows Server Backup.
You could use the ntdsutil authoritative restore command to mark objects
as authoritative to ensure that the restored data was replicated throughout the
domain. The drawback to the authoritative restore solution was that it had to
be performed in Directory Services Restore Mode (DSRM). During DSRM, the domain
controller being restored had to remain offline. Therefore, it was not able to
service client requests.
Also, in Windows Server 2003
Active Directory and Windows Server 2008 AD DS, you could
recover deleted Active Directory objects through tombstone reanimation. In
Windows Server 2003 and Windows Server 2008, a deleted Active Directory
object was not physically removed from the database immediately. Instead, the
object's distinguished name (also known as DN) was mangled, most of the
object's non-link-valued attributes were cleared, all of the object's
link-valued attributes were physically removed, and the object was moved to a
special container in the object's naming context (also known as NC) named
Deleted Objects. The object, now called a tombstone, became invisible to normal
directory operations. Tombstones could be reanimated anytime within the
tombstone lifetime period and become live Active Directory objects again.
The default tombstone lifetime was 180 days in
Windows Server 2003 and Windows Server 2008. You could use
tombstone reanimation to recover deleted objects without taking your domain
controller or your AD LDS instance offline. However, reanimated objects'
link-valued attributes (for example, group memberships of user accounts) that
were physically removed and non-link-valued attributes that were cleared were
not recovered. Therefore, administrators could not rely on tombstone
reanimation as the ultimate solution to accidental deletion of objects.
Active Directory Recycle Bin in
Windows Server 2008 R2 builds on the existing tombstone reanimation
infrastructure and enhances your ability to preserve and recover accidentally
deleted Active Directory objects. For more information about tombstone
reanimation, see Reanimating Active Directory Tombstone Objects (http://go.microsoft.com/fwlink/?LinkID=125452).
Windows Server 2008 R2
Active Directory Recycle Bin helps minimize directory service downtime by
enhancing your ability to preserve and restore accidentally deleted
Active Directory objects without restoring Active Directory data from
backups, restarting AD DS, or rebooting domain controllers.
What does Active Directory Recycle Bin do?
When you enable
Active Directory Recycle Bin, all link-valued and non-link-valued
attributes of the deleted Active Directory objects are preserved and the objects
are restored in their entirety to the same consistent logical state that they
were in immediately before deletion. For example, restored user accounts
automatically regain all group memberships and corresponding access rights that
they had immediately before deletion, within and across domains.
Active Directory Recycle Bin works for both AD DS and AD LDS
environments.
Who will be interested in this feature?
The following groups might be
interested in Active Directory Recycle Bin in Windows Server 2008 R2:
- Early adopters of Windows Server 2008 R2 and information technology (IT) administrators, planners, and analysts who are evaluating Windows Server 2008 R2
- Enterprise IT planners and designers
- IT operations managers who are accountable for network and server management, IT hardware and software budgets, and technical decisions
- Active Directory administrators
Are there any special considerations?
- By default, Active Directory Recycle Bin is disabled. To enable it, you must first raise the forest functional level of your AD DS or AD LDS environment to Windows Server 2008 R2. This in turn requires that all domain controllers in the forest or all servers that host instances of AD LDS configuration sets be running Windows Server 2008 R2.
- In Windows Server 2008 R2, the process of enabling Active Directory Recycle Bin is irreversible. After you enable Active Directory Recycle Bin in your environment, you cannot disable it.
What new functionality does Active Directory Recycle Bin provide?
The following diagram shows the life
cycle of a new Active Directory object in Windows Server 2008 R2
when the Active Directory Recycle Bin feature is enabled.
After you enable Active Directory
Recycle Bin in Windows Server 2008 R2, when an Active Directory
object is deleted, the system preserves all of the object's link-valued and
non-link-valued attributes, and the object becomes “logically deleted”, which
is a new state that is introduced in Windows Server 2008 R2. A
deleted object is moved to the Deleted Objects container, and its distinguished
name is mangled. A deleted object remains in the Deleted Objects container in a
logically deleted state throughout the duration of the deleted object lifetime.
Within the deleted object lifetime, you can recover a deleted object with
Active Directory Recycle Bin and make it a live Active Directory object
again. Within the deleted object lifetime, you can also recover a deleted
object through an authoritative restore from a backup of AD DS. For more
information, see Active Directory Recycle Bin Step-by-Step Guide (http://go.microsoft.com/fwlink/?LinkId=133971).
After the deleted object lifetime
expires, the logically deleted object is turned into a recycled object and most
of its attributes are stripped away. A “recycled object,” which is a new state
in Windows Server 2008 R2, remains in the Deleted Objects container
until its recycled object lifetime expires. After the recycled object lifetime
expires, the garbage-collection process physically deletes the recycled
Active Directory object from the database. A recycled object cannot be
recovered with Active Directory Recycle Bin or with the steps in Reanimating
Active Directory Tombstone Objects (http://go.microsoft.com/fwlink/?LinkID=125452).
This is a new behavior in Windows Server 2008 R2.
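The two states described above can be told apart from the deleted object's own attributes: isDeleted is TRUE for both logically deleted and recycled objects, while isRecycled is TRUE only after the deleted object lifetime has expired. The following PowerShell is an added example, not code from the original article. It uses the Active Directory module that ships with Windows Server 2008 R2, assumes Active Directory Recycle Bin is already enabled, and assumes the caller has permission to read and restore objects in the Deleted Objects container. The last-known RDN "CN=Jane Doe" used in the usage call is a placeholder.

```powershell
# Added example (not from the original article). Requires the Windows
# Server 2008 R2 Active Directory module and rights to restore objects.
Import-Module ActiveDirectory

function Get-LogicallyDeletedObject {
    # Returns every object in the Deleted Objects container of the given
    # naming context, with the attributes needed to tell a logically deleted
    # object (isRecycled not set) from a recycled one (isRecycled = TRUE).
    param(
        [string] $SearchBase = (Get-ADRootDSE).defaultNamingContext
    )
    # The container itself also carries isDeleted = TRUE, so exclude it by name.
    Get-ADObject -SearchBase $SearchBase `
                 -Filter { isDeleted -eq $true -and name -ne "Deleted Objects" } `
                 -IncludeDeletedObjects `
                 -Properties 'msDS-LastKnownRDN', 'lastKnownParent', 'isRecycled', 'whenChanged'
}

function Restore-LogicallyDeletedObject {
    # Restores one logically deleted object identified by its last known RDN.
    # Refuses to act when the RDN is ambiguous, when the object has already
    # become recycled (no longer recoverable with Recycle Bin, as the article
    # states), or when its last known parent is itself gone, because
    # Restore-ADObject needs a live parent (restore the parent first, or pass
    # -TargetPath to place the object elsewhere).
    param(
        [Parameter(Mandatory = $true)] [string] $LastKnownRdn,
        [string] $SearchBase = (Get-ADRootDSE).defaultNamingContext
    )
    $found = @(Get-LogicallyDeletedObject -SearchBase $SearchBase |
               Where-Object { $_.'msDS-LastKnownRDN' -eq $LastKnownRdn })

    if ($found.Count -eq 0) { throw "No deleted object with last known RDN '$LastKnownRdn'." }
    if ($found.Count -gt 1) { throw "'$LastKnownRdn' matches $($found.Count) deleted objects; restore by ObjectGUID instead." }

    $obj = $found[0]
    if ($obj.isRecycled) {
        throw "'$LastKnownRdn' is already recycled (deleted object lifetime expired); Recycle Bin cannot restore it."
    }

    $parentDn = $obj.lastKnownParent
    try {
        $null = Get-ADObject -Identity $parentDn -ErrorAction Stop
    } catch {
        throw "Last known parent '$parentDn' does not exist; restore it first or use -TargetPath."
    }

    # The object comes back with all preserved attributes, link-valued ones
    # such as group membership included.
    Restore-ADObject -Identity ([string]$obj.ObjectGUID)
    Get-ADObject -Identity ([string]$obj.ObjectGUID) -Properties memberOf
}

# Usage (placeholder RDN):
# Get-LogicallyDeletedObject | Format-Table ObjectClass, 'msDS-LastKnownRDN', isRecycled, whenChanged
# Restore-LogicallyDeletedObject -LastKnownRdn 'CN=Jane Doe'
```

The getter deliberately returns recycled objects as well, so that an operator can see which entries are past the point where Recycle Bin helps and an authoritative restore from backup is the only remaining option.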
By default, a recycled object in
Windows Server 2008 R2 preserves the same set of attributes as a
tombstone object in Windows Server 2003 and
Windows Server 2008. To change the set of attributes that are
preserved on a Windows Server 2008 R2 recycled object (that is, to
make sure that a particular attribute of an object is preserved when this
object becomes recycled), set the value of the searchFlags attribute in
the schema to 0x00000008. This process is similar to the process for preserving
attributes on Windows Server 2003 and Windows Server 2008
tombstone objects. For more information, see Search-Flags Attribute (http://go.microsoft.com/fwlink/?LinkID=125453).
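The following is an added example, not code from the original article, showing how the searchFlags change described above is applied with the Windows Server 2008 R2 Active Directory module. It assumes membership in Schema Admins (the article names that group as the minimum for schema updates), and it targets the schema master because schema writes must go there. The attribute name "department" in the usage call is only an illustration.

```powershell
# Added example (not from the original article). Requires Schema Admins.
Import-Module ActiveDirectory

# Bit value given in the article for "preserve this attribute on deletion".
$PreserveOnDelete = 0x00000008

function Set-ADAttributePreserveOnDelete {
    # Sets the 0x8 bit in searchFlags of one attributeSchema object so that
    # the attribute survives on a recycled object (and on a legacy tombstone).
    # Existing bits are kept; the function is a no-op if the bit is already set.
    param(
        [Parameter(Mandatory = $true)] [string] $LdapDisplayName
    )
    $schemaMaster = (Get-ADForest).SchemaMaster
    $schemaNc     = (Get-ADRootDSE -Server $schemaMaster).schemaNamingContext

    $attr = Get-ADObject -Server $schemaMaster -SearchBase $schemaNc `
                -Filter { lDAPDisplayName -eq $LdapDisplayName -and objectClass -eq "attributeSchema" } `
                -Properties searchFlags

    if (-not $attr) { throw "Attribute '$LdapDisplayName' not found in the schema." }

    $current = [int]$attr.searchFlags
    if (($current -band $PreserveOnDelete) -ne 0) {
        Write-Verbose "searchFlags on '$LdapDisplayName' already has 0x8 set (0x{0:X8})." -f $current
        return $attr
    }

    $new = $current -bor $PreserveOnDelete
    Set-ADObject -Server $schemaMaster -Identity $attr.DistinguishedName `
                 -Replace @{ searchFlags = $new }

    Get-ADObject -Server $schemaMaster -Identity $attr.DistinguishedName -Properties searchFlags
}

function Get-ADPreservedAttribute {
    # Lists every schema attribute that currently has the preserve bit set,
    # which is the quickest way to audit what a recycled object will keep.
    $schemaNc = (Get-ADRootDSE).schemaNamingContext
    Get-ADObject -SearchBase $schemaNc `
                 -LDAPFilter "(&(objectClass=attributeSchema)(searchFlags:1.2.840.113556.1.4.803:=8))" `
                 -Properties lDAPDisplayName, searchFlags |
        Select-Object lDAPDisplayName, searchFlags
}

# Usage (illustrative attribute name):
# Set-ADAttributePreserveOnDelete -LdapDisplayName 'department' -Verbose
# Get-ADPreservedAttribute
```

The audit function uses the LDAP bitwise AND matching rule so that only attributes with the 0x8 bit are returned, regardless of what other searchFlags bits (indexing, confidentiality, and so on) they carry.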
Important: When Active Directory Recycle Bin is enabled, all objects that were deleted before Active Directory Recycle Bin was enabled (that is, all tombstone objects) become recycled objects. These objects are no longer visible in the Deleted Objects container, and they cannot be recovered with Active Directory Recycle Bin. The only way to restore these objects is through an authoritative restore from a backup of AD DS that was taken of the environment before Active Directory Recycle Bin was enabled.
The deleted object lifetime is
determined by the value of the msDS-deletedObjectLifetime attribute. The
recycled object lifetime is determined by the value of the legacy tombstoneLifetime
attribute. By default, msDS-deletedObjectLifetime is set to null. When msDS-deletedObjectLifetime
is set to null, the deleted object lifetime is set to the value of the recycled
object lifetime. By default, the recycled object lifetime, which is stored in
the tombstoneLifetime attribute, is also set to null. When tombstoneLifetime
is set to null, the recycled object lifetime defaults to 180 days. You can
modify the values of the msDS-deletedObjectLifetime and tombstoneLifetime
attributes anytime. When msDS-deletedObjectLifetime is set to some value
other than null, it no longer assumes the value of tombstoneLifetime.
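Both attributes live on the Directory Service object in the configuration partition (CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,...). The PowerShell below is an added example, not code from the original article: it reads the raw values and applies the two fallback rules stated above (null tombstoneLifetime means 180 days; null msDS-deletedObjectLifetime means "same as the recycled object lifetime"), so the effective lifetimes are reported rather than left to mental arithmetic. It assumes the Windows Server 2008 R2 Active Directory module and, for the setter, rights to modify the configuration partition. The value 365 in the usage call is only an illustration.

```powershell
# Added example (not from the original article).
Import-Module ActiveDirectory

function Get-ADDirectoryServiceDn {
    # DN of the object that holds both lifetime attributes.
    "CN=Directory Service,CN=Windows NT,CN=Services," + (Get-ADRootDSE).configurationNamingContext
}

function Get-ADObjectLifetime {
    # Returns the raw attribute values and the effective lifetimes, in days,
    # following the defaulting rules described in the article.
    $ds = Get-ADObject -Identity (Get-ADDirectoryServiceDn) `
                       -Properties 'msDS-DeletedObjectLifetime', 'tombstoneLifetime'

    $rawTombstone = $ds.tombstoneLifetime
    $rawDeleted   = $ds.'msDS-DeletedObjectLifetime'

    # Rule 1: tombstoneLifetime null -> recycled object lifetime is 180 days.
    $recycledDays = if ($rawTombstone -ne $null) { [int]$rawTombstone } else { 180 }
    # Rule 2: msDS-DeletedObjectLifetime null -> same as the recycled object lifetime.
    $deletedDays  = if ($rawDeleted -ne $null)   { [int]$rawDeleted }   else { $recycledDays }

    New-Object PSObject -Property @{
        RawTombstoneLifetime               = $rawTombstone
        RawDeletedObjectLifetime           = $rawDeleted
        EffectiveRecycledObjectLifetimeDays = $recycledDays
        EffectiveDeletedObjectLifetimeDays  = $deletedDays
        # Total time an object is kept in the database in either state.
        DaysUntilGarbageCollected          = $deletedDays + $recycledDays
    }
}

function Set-ADDeletedObjectLifetime {
    # Sets msDS-DeletedObjectLifetime explicitly. Once set, the article notes
    # it no longer follows tombstoneLifetime; a second Get-ADObjectLifetime
    # call confirms the new effective value.
    param(
        [Parameter(Mandatory = $true)] [ValidateRange(2, 2147483647)] [int] $Days
    )
    Set-ADObject -Identity (Get-ADDirectoryServiceDn) `
                 -Replace @{ 'msDS-DeletedObjectLifetime' = $Days }
    Get-ADObjectLifetime
}

# Usage (illustrative value):
# Get-ADObjectLifetime
# Set-ADDeletedObjectLifetime -Days 365
```

Reporting the raw values next to the effective ones makes it obvious whether a lifetime is an explicit setting or an inherited default, which matters when tombstoneLifetime is later changed and the deleted object lifetime silently follows it.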
Dependencies?
By default, Active Directory
Recycle Bin is disabled in Windows Server 2008 R2. To enable it, you
must first raise the forest functional level of your AD DS or AD LDS
environment to Windows Server 2008 R2. This in turn requires that all
domain controllers in the forest or all servers that host instances of
AD LDS configuration sets be running Windows Server 2008 R2.
How should I prepare to deploy Active Directory Recycle Bin?
To enable Active Directory
Recycle Bin in your AD DS environment, do the following:
- Run Adprep to update your Active Directory schema with the necessary Active Directory Recycle Bin attributes. Membership in the Schema Admins group is the minimum required to complete the following Adprep tasks:
  Note: If you are performing a clean install of an Active Directory forest in Windows Server 2008 R2, you do not have to run Adprep. In addition, your Active Directory schema will automatically contain all the attributes that are necessary for Active Directory Recycle Bin to function properly. If, however, you are introducing a Windows Server 2008 R2 domain controller into your existing Windows Server 2003 or Windows Server 2008 forest and, subsequently, you are upgrading the rest of the domain controllers to Windows Server 2008 R2, you must run Adprep to update your Active Directory schema with the attributes that are necessary for Active Directory Recycle Bin to function correctly.
- Prepare the forest by running the adprep /forestprep command on the server that holds the schema master operations master (also known as flexible single master operations or FSMO) role to update the schema.
- Prepare the domain by running the adprep /domainprep /gpprep command on the server that holds the infrastructure operations master role.
- If a read-only domain controller (RODC) is present in your AD DS environment, you must also run the adprep /rodcprep command.
- Make sure that all domain controllers in your Active Directory forest are running Windows Server 2008 R2.
- Raise the functional level of your Active Directory forest to Windows Server 2008 R2.
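The Adprep runs above are command-line steps on the schema master and infrastructure master; the remaining steps (verify every domain controller runs Windows Server 2008 R2, raise the forest functional level, then enable the feature) can be checked and performed with the Windows Server 2008 R2 Active Directory module. The following is an added example, not code from the original article or Microsoft's documentation. It assumes Adprep has already been run, that the caller is an Enterprise Admin, and it leaves the confirmation prompt on for Enable-ADOptionalFeature because, as the article states, enabling the feature is irreversible. "contoso.com" is a placeholder forest name.

```powershell
# Added example (not from the original article). Assumes adprep /forestprep
# (and /domainprep /gpprep, plus /rodcprep where RODCs exist) already ran.
Import-Module ActiveDirectory

function Test-ADRecycleBinPrerequisite {
    # Reports each prerequisite from the article so an operator can see what
    # still blocks enabling Recycle Bin before touching anything.
    param([Parameter(Mandatory = $true)] [string] $ForestName)

    $forest = Get-ADForest -Identity $ForestName

    # Every DC in every domain of the forest must run Windows Server 2008 R2.
    $downlevel = foreach ($domain in $forest.Domains) {
        Get-ADDomainController -Filter * -Server $domain |
            Where-Object { $_.OperatingSystem -notlike '*2008 R2*' } |
            Select-Object HostName, Domain, OperatingSystem
    }

    # Schema must carry the feature (Adprep ran) and it must not be enabled yet.
    $feature = Get-ADOptionalFeature -Server $forest.SchemaMaster -Filter { Name -like 'Recycle Bin Feature' }

    New-Object PSObject -Property @{
        ForestName                = $forest.Name
        ForestMode                = $forest.ForestMode
        ForestModeIs2008R2        = ($forest.ForestMode -eq 'Windows2008R2Forest')
        DownlevelDomainControllers = @($downlevel)
        SchemaHasFeature          = ($feature -ne $null)
        FeatureAlreadyEnabled     = ($feature -ne $null -and @($feature.EnabledScopes).Count -gt 0)
    }
}

function Enable-ADRecycleBinChecked {
    # Raises the forest functional level if needed, then enables the feature.
    # Stops at the first unmet prerequisite instead of letting the cmdlets fail
    # half-way through.
    param([Parameter(Mandatory = $true)] [string] $ForestName)

    $state = Test-ADRecycleBinPrerequisite -ForestName $ForestName

    if ($state.DownlevelDomainControllers.Count -gt 0) {
        $state.DownlevelDomainControllers | Format-Table -AutoSize | Out-String | Write-Warning
        throw "Domain controllers not running Windows Server 2008 R2 remain; upgrade or demote them first."
    }
    if (-not $state.SchemaHasFeature) {
        throw "Recycle Bin Feature is not in the schema; run adprep /forestprep on the schema master first."
    }
    if ($state.FeatureAlreadyEnabled) {
        Write-Host "Active Directory Recycle Bin is already enabled in $ForestName."
        return $state
    }
    if (-not $state.ForestModeIs2008R2) {
        # Raising the forest functional level is required before the feature can be enabled.
        Set-ADForestMode -Identity $ForestName -ForestMode Windows2008R2Forest -Confirm:$false
    }

    # Irreversible in Windows Server 2008 R2: keep the built-in confirmation prompt.
    Enable-ADOptionalFeature -Identity 'Recycle Bin Feature' `
                             -Scope ForestOrConfigurationSet `
                             -Target $ForestName

    Test-ADRecycleBinPrerequisite -ForestName $ForestName
}

# Usage (placeholder forest name):
# Test-ADRecycleBinPrerequisite -ForestName 'contoso.com'
# Enable-ADRecycleBinChecked   -ForestName 'contoso.com'
```

Run the test function first and keep its output with the change record: after the feature is enabled, existing tombstones become recycled objects (see the Important note above), so the pre-enable state is the last moment an authoritative restore from backup can be planned for them.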
To enable Active Directory
Recycle Bin in your AD LDS environment, do the following:
- Upgrade the schema of your AD LDS configuration set with the necessary Active Directory Recycle Bin attributes by running the following command:
  Ldifde.exe -i -f MS-ADAM-Upgrade-2.ldf -s server:port -b username domain password -j . -$ adamschema.cat
- Make sure that all servers that are hosting instances of your AD LDS configuration set are running Windows Server 2008 R2.
- Raise the functional level of your AD LDS configuration set to Windows Server 2008 R2.
Which editions include Active Directory Recycle Bin?
Active Directory Recycle Bin is
available in the following editions of Windows Server 2008 R2:
- Windows Server 2008 R2 Standard
- Windows Server 2008 R2 Enterprise
- Windows Server 2008 R2 Datacenter
Active Directory Recycle Bin is not available in the
following editions of Windows Server 2008 R2:
- Windows Server 2008 R2 for Itanium-Based Systems
- Windows Web Server 2008 R2