What is Active Directory Recycle Bin?
Active Directory Recycle Bin was introduced with Windows Server 2008 R2. It helps minimize directory service downtime by enhancing your ability to preserve and restore accidentally deleted Active Directory objects.
The introduction of Active Directory Recycle Bin minimises the need to restore Active Directory data from backups. This means less need to restart Active Directory Domain Services (AD DS) or to reboot domain controllers.
Although tombstone reanimation lets you recover deleted objects without taking a DC offline, it is somewhat complicated and not as robust as Active Directory Recycle Bin, which is the better alternative.
Enabling Active Directory Recycle Bin
When you enable Active Directory Recycle Bin, all link-valued and non-link-valued attributes of the deleted Active Directory objects are preserved. This ensures that the objects are restored in their entirety to the same consistent logical state that they were in immediately before deletion.
Important concepts associated with Active Directory Recycle Bin
In order to maximise the benefits of Active Directory Recycle Bin, it is important to understand two concepts: “Deleted objects” and “Recycled objects”.
Once you enable Active Directory Recycle Bin, when an Active Directory object is deleted, the system preserves all the object’s link-valued and non-link-valued attributes and the object becomes “logically deleted”.
The “logically deleted” object state is a new state introduced in Windows Server 2008 R2. Objects in this state are moved to the Deleted Objects container, and their distinguished names are mangled.
A deleted object remains in the Deleted Objects container in a logically deleted state throughout the duration of the deleted object lifetime. You can recover objects within the deleted object lifetime.
After the deleted object lifetime expires, the logically deleted object is turned into a recycled object and most of its attributes are stripped away.
A “recycled object,” a new state introduced in Windows Server 2008 R2, remains in the Deleted Objects container until its recycled object lifetime expires. After the recycled object lifetime expires, the garbage-collection process physically deletes the recycled Active Directory object from the database.
Deleted object lifetime and recycled object lifetime
The “deleted object lifetime” is determined by the value of the “msDS-deletedObjectLifetime” attribute. The recycled object lifetime is determined by the value of the legacy “tombstoneLifetime” attribute.
By default, “msDS-deletedObjectLifetime” is set to null. When msDS-deletedObjectLifetime is set to null, the deleted object lifetime is set to the value of the recycled object lifetime.
By default, the recycled object lifetime, which is stored in the tombstoneLifetime attribute, is also null. In Windows Server 2012 R2, when tombstoneLifetime is null, the recycled object lifetime defaults to 180 days.
How to enable Active Directory Recycle Bin
Active Directory Recycle Bin can be enabled with the following tools:
1. Active Directory Administrative Center
2. The Enable-ADOptionalFeature PowerShell cmdlet
This is the recommended method.
Enabling Active Directory Recycle Bin is an irreversible action. Perform this task carefully!
To enable Active Directory Recycle Bin, run the following PowerShell command:
Enable-ADOptionalFeature -Identity 'CN=Recycle Bin Feature,CN=Optional Features,CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=70411Lab,DC=com' -Scope ForestOrConfigurationSet -Target '70411Lab.com'
You can also enable Active Directory Recycle Bin from Active Directory Administrative Center. The distinguished name and forest name in the PowerShell command above come from my test lab (70411Lab.com); replace them with your own forest's values before running the command.
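As an added example (my own, not part of the original article or of Microsoft's documentation), the following read-only script checks whether the feature is enabled, reports the effective deleted and recycled object lifetimes using the null-value rules from the section above, and lists the logically deleted objects that can still be restored in full. It assumes the RSAT ActiveDirectory module is installed and the account running it can read the configuration partition.

```powershell
# Added example, not from the original article: a read-only check that reports
# whether the Recycle Bin feature is enabled, the effective deleted/recycled
# object lifetimes (using the null-value rules described earlier), and the
# logically deleted objects that can still be restored in full.
Import-Module ActiveDirectory

$configNC = (Get-ADRootDSE).configurationNamingContext

# 1. Feature state: EnabledScopes stays empty until Enable-ADOptionalFeature has run.
$feature = Get-ADOptionalFeature -Filter 'Name -like "Recycle Bin Feature"'
$enabled = @($feature.EnabledScopes).Count -gt 0
Write-Host ("Recycle Bin enabled      : {0}" -f $enabled)

# 2. Both lifetimes live on the Directory Service object in the configuration partition.
$dsObject = Get-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$configNC" `
    -Properties 'msDS-deletedObjectLifetime', tombstoneLifetime

# Null tombstoneLifetime -> recycled object lifetime defaults to 180 days.
$recycledLifetime = if ($null -eq $dsObject.tombstoneLifetime) { 180 } else { [int]$dsObject.tombstoneLifetime }
# Null msDS-deletedObjectLifetime -> deleted object lifetime equals the recycled object lifetime.
$deletedLifetime = if ($null -eq $dsObject.'msDS-deletedObjectLifetime') { $recycledLifetime } else { [int]$dsObject.'msDS-deletedObjectLifetime' }

Write-Host ("Deleted object lifetime  : {0} days" -f $deletedLifetime)
Write-Host ("Recycled object lifetime : {0} days" -f $recycledLifetime)

# 3. Logically deleted (not yet recycled) objects still inside the deleted object
#    lifetime. whenChanged is used as an approximation of the deletion time,
#    since the delete is the last write to the object.
if ($enabled) {
    $cutoff = (Get-Date).AddDays(-$deletedLifetime)
    Get-ADObject -Filter 'isDeleted -eq $true -and Name -ne "Deleted Objects"' `
        -IncludeDeletedObjects -Properties isRecycled, lastKnownParent, whenChanged |
        Where-Object { -not $_.isRecycled -and $_.whenChanged -gt $cutoff } |
        Select-Object Name, ObjectGUID, lastKnownParent, whenChanged |
        Format-Table -AutoSize
    # To bring one of them back with all attributes intact:
    #   Restore-ADObject -Identity <ObjectGUID from the list above>
}
```

Objects whose isRecycled attribute is already set have passed the deleted object lifetime and are excluded, because most of their attributes have been stripped and a full restore is no longer possible.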