In this exercise you will perform the tasks required to install and configure the Microsoft Windows Active Directory Recycle Bin. More detail on this topic can be found on Microsoft TechNet.
In this exercise you will be required to Power On and connect to the following servers from your Practice-Lab application:
Domain Controller
If this is the first time you are accessing a Practice-Lab why not take a few minutes to watch our video on getting started, or if you are still having difficulty connecting to your Practice-Lab device please refer to our help pages.
Overview
In previous versions of Microsoft Windows Active Directory domains, an administrator could recover mistakenly deleted objects from a successful backup of the Active Directory database. Then, using the ntdsutil utility, the administrator could mark the restored objects as authoritative to ensure that they were replicated throughout the Active Directory domain.
One of the drawbacks of this approach in Windows Server 2003 Active Directory is that the operation had to be performed in Directory Services Restore Mode (DSRM), which means the domain controller being restored is not running and therefore cannot service any client requests. This is acceptable if you have multiple domain controllers in a site, but that is not always the case. This improved slightly in Windows Server 2008: there is no need to run the domain controller in DSRM when restoring objects in AD LDS; instead you are required to stop the intended AD LDS instance.
Another drawback of authoritatively restoring Active Directory objects from backup was that any changes to the object that occurred between the backup time and the deletion time could not be recovered. For example: an administrator ran the backup of the Active Directory domain and one day later changed the group membership of a user account, and then that account object was deleted by mistake. The user object could be recovered, but the changes to its group membership could not, because the account was recovered to the state it was in at the time the backup job was performed.
Another way to recover deleted Active Directory objects is through tombstone reanimation, which has the advantage that deleted objects are kept in the Active Directory database for a period of time before they are physically removed. A deleted Active Directory object was not removed from the database directly. Instead, the object's distinguished name (DN) was destroyed, most of its non-link-valued attributes were cleared, all of its link-valued attributes were physically removed, and the object itself was moved to a special container named Deleted Objects. The object is now called a tombstone and is out of scope for normal directory service operations. A tombstone could be reanimated and returned to its normal state as an Active Directory object within the tombstone lifetime, which by default was 180 days. See Reanimating Active Directory Tombstone Objects for more information.
However, an administrator could not rely on tombstone reanimation as a complete solution for accidental deletion of Active Directory objects. Although tombstone reanimation lets an administrator recover deleted objects without taking the domain controller or AD LDS instance offline, the reanimated object's link-valued attributes, such as group membership, and the non-link-valued attributes that were cleared at deletion could not be recovered.
The following diagram illustrates the Microsoft Active Directory object lifecycle in Windows Server 2003 and Windows Server 2008 environments, which support tombstone reanimation. This is the default behaviour when the Active Directory Recycle Bin is disabled.
Active Directory Recycle Bin Introduction
With the Microsoft Windows Server 2008 R2 Recycle Bin it is not necessary to take a domain controller offline or restart AD DS / AD LDS to recover deleted Active Directory objects. When the Active Directory Recycle Bin is enabled, an administrator using the Active Directory PowerShell module can recover deleted objects in their entirety, to the same consistent logical state they were in just before the deletion, which means all link-valued and non-link-valued attributes are preserved.
With the Active Directory Recycle Bin enabled, any deleted object is placed in a new state, logically deleted, and moved to the Deleted Objects container. While the deleted Active Directory object is in the logically deleted state, all of its link-valued and non-link-valued attributes are preserved until its lifetime expires; during this period the object can be recovered using the Active Directory Recycle Bin. When that lifetime expires the object changes to the Recycled Object state and its link-valued and non-link-valued attributes are removed. The Recycled Object is kept in the Deleted Objects container until its own lifetime expires, and then it is physically removed.
Note: The default lifetime for both the logically deleted and Recycled Object states is 180 days.
The following diagram illustrates the Active Directory object lifecycle in Windows Server 2008 R2 with the Active Directory Recycle Bin enabled.
Requirements for Active Directory Recycle Bin
Step 1
Launch access to the Domain Controller from the lab application.
Ensure that the Active Directory Forest Functional Level is Windows Server 2008 R2. This can be verified by opening the Active Directory Domains and Trusts console from Administrative Tools.
Right-click on PRACTICELABS.COM and select Raise Domain Functional Level.
The message displayed will define the current level.
The above can also be achieved using PowerShell. Use the PowerShell option from Administrative Tools (the Active Directory module is loaded there) and NOT the one located on the task bar.
Run the following command in the PowerShell console:
Set-ADForestMode -Identity practicelabs.com -ForestMode Windows2008R2Forest
Select Yes to the message that is displayed.
Enabling Active Directory Recycle Bin using PowerShell Active Directory Module
Step 1
From the Domain Controller Practice-Lab device, open PowerShell from Administrative Tools and NOT from the task bar.
Step 2
From the command line, check whether the Active Directory Recycle Bin is enabled by running the following command:
Get-ADOptionalFeature 'Recycle Bin Feature'
The output from the cmdlet shows the current state of the feature: an empty EnabledScopes value means it is not yet enabled.
To enable the Active Directory Recycle Bin feature, use the following command in the PowerShell window (the distinguished name contains spaces, so it must be quoted):
Enable-ADOptionalFeature -Identity 'CN=Recycle Bin Feature,CN=Optional Features,CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=practicelabs,DC=com' -Scope ForestOrConfigurationSet -Target practicelabs.com
Select Yes to the message that is displayed and this feature will be enabled.
Run the Get-ADOptionalFeature 'Recycle Bin Feature' command from above again to see the difference in the output (EnabledScopes now lists the partitions where the feature is active).
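The same checks and the enable step, as an added PowerShell example that is not part of the lab's own text. It verifies the forest functional level first, enables the Recycle Bin only if it is not already enabled (enabling is irreversible), and then reads the two lifetime values from the configuration partition; it assumes the practicelabs.com forest from this lab.

```powershell
# Added example (not from the lab): check prerequisites, enable the Recycle Bin
# only if needed, and report the deleted-object and tombstone lifetimes.
Import-Module ActiveDirectory

$forest   = Get-ADForest
$required = [Microsoft.ActiveDirectory.Management.ADForestMode]::Windows2008R2Forest
if ([int]$forest.ForestMode -lt [int]$required) {
    throw "Forest functional level is $($forest.ForestMode); Windows2008R2Forest or later is required."
}

$feature = Get-ADOptionalFeature -Identity 'Recycle Bin Feature'
if ($feature.EnabledScopes.Count -gt 0) {
    Write-Host "Recycle Bin already enabled in: $($feature.EnabledScopes -join ', ')"
} else {
    # One-way, forest-wide change. -Confirm:$false suppresses the interactive prompt.
    Enable-ADOptionalFeature -Identity $feature.DistinguishedName `
        -Scope ForestOrConfigurationSet -Target $forest.RootDomain -Confirm:$false
    $feature = Get-ADOptionalFeature -Identity 'Recycle Bin Feature'
}

# Both lifetimes are attributes of the Directory Service object in the configuration partition.
# A blank value means the built-in default applies (180 days, as the lab text states).
$dsPath = "CN=Directory Service,CN=Windows NT,CN=Services,$((Get-ADRootDSE).configurationNamingContext)"
$ds = Get-ADObject -Identity $dsPath -Properties 'msDS-DeletedObjectLifetime', 'tombstoneLifetime'

[pscustomobject]@{
    ForestMode            = $forest.ForestMode
    RecycleBinEnabled     = ($feature.EnabledScopes.Count -gt 0)
    DeletedObjectLifetime = $ds.'msDS-DeletedObjectLifetime'
    TombstoneLifetime     = $ds.tombstoneLifetime
}
```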
Recover Deleted Active Directory objects using Active Directory Recycle Bin
Step 1
From the Domain Controller Practice-Lab device, open the Active Directory Users and Computers console from Administrative Tools and create a new user account in the Users container with the following details:
First Name: John
Last Name: Jones
Username: JonesJ
Password: Passw0rd
Add as a member of the Domain Admins security group.
Test the new user account by logging off the Domain Controller.
Before you launch access to the Domain Controller again from the Practice-Lab application, ensure you have unchecked the Auto login option. If this is not done you will log on as Administrator.
If you have successfully logged in and are presented with a desktop, this confirms the account is operational.
If it is not possible to connect, re-enable the Auto login function and ensure the user has been created with the relevant privileges.
Step 2
Launch access to the Domain Controller Practice-Lab device using the Auto Login feature.
Using the Active Directory Module for Windows PowerShell, remove the user from Active Directory with the following command:
Remove-ADUser JonesJ
Confirm the action in the console.
This task can also be completed using the Active Directory Users and Computers management console. Verify in that console that the user has been deleted.
Step 3
From the PowerShell console, search for the deleted account in the Deleted Objects container (deleted objects are only returned when -IncludeDeletedObjects is specified):
Get-ADObject -Filter {displayName -eq "John Jones"} -IncludeDeletedObjects
The output should read as follows:
To restore the user object, use the same command in the same window but pipe its output into Restore-ADObject:
Get-ADObject -Filter {displayName -eq "John Jones"} -IncludeDeletedObjects | Restore-ADObject
The object is now completely restored to the state it was in before the deletion, including its group membership. Verify that the account has been restored using dsa.msc from the Run box or the search function.
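The search-and-restore step above, as an added PowerShell example that is not part of the lab's own text. It locates the deleted account by sAMAccountName rather than displayName, shows the preserved lastKnownParent and memberOf values before restoring, checks that the original parent still exists, restores by ObjectGUID, and confirms the Domain Admins membership came back; it assumes the JonesJ account created in Step 1.

```powershell
# Added example (not from the lab): find, inspect, restore and verify a deleted user.
Import-Module ActiveDirectory

$sam = 'JonesJ'   # the account created in Step 1 of this lab

# Deleted objects live under CN=Deleted Objects and only appear with -IncludeDeletedObjects.
$deleted = Get-ADObject -Filter { sAMAccountName -eq $sam -and isDeleted -eq $true } `
    -IncludeDeletedObjects -Properties isDeleted, lastKnownParent, memberOf, whenChanged

if (-not $deleted) { throw "No deleted object with sAMAccountName '$sam' found." }
if (@($deleted).Count -gt 1) { throw "Several deleted objects match '$sam'; select one by ObjectGUID." }

# With the Recycle Bin enabled, link-valued attributes such as memberOf survive deletion,
# so the preserved group membership can be reviewed before the account is brought back.
"Found:            $($deleted.DistinguishedName)"
"Will restore to:  $($deleted.lastKnownParent)"
"Preserved groups: $($deleted.memberOf -join '; ')"

# Restore-ADObject puts the object back under lastKnownParent. If that container was also
# deleted, restore it first (or use -TargetPath); fail clearly instead of guessing.
$parent = $deleted.lastKnownParent
try { $null = Get-ADObject -Identity $parent }
catch { throw "Parent '$parent' is missing; restore it first or specify -TargetPath." }

Restore-ADObject -Identity $deleted.ObjectGUID

# Verify by GUID (the DN changes back to its original value) and check the membership.
$restored = Get-ADUser -Identity $deleted.ObjectGUID -Properties memberOf
"Restored DN: $($restored.DistinguishedName)"
$inDomainAdmins = [bool]($restored.memberOf -match '^CN=Domain Admins,')
"Domain Admins membership restored: $inDomainAdmins"
```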
Summary
In this exercise you enabled and used the AD Recycle Bin. As you can see, this is a useful feature that can save recovery time. It is not something you will use often, but knowing how to configure and use it may be of great benefit in the future.
Also try
- Recovering a security group or other AD objects.
And finally
The above exercise gives you an insight into what you can achieve in a Practice-Lab: being able to learn, discover and explore new topics and tools without the fear of compromising production environments.
If you are interested in more topics like the above have a look at the topics in our Windows Server 2008 Practice-Labs courses:
Alternatively look at purchasing access to our Practice-Lab library that covers all of our supported technologies.
If you wish to comment on this Practice-Lab please use the feedback option located on the home page or alternatively send an email to Support@Practice-IT.co.uk with your feedback.