Saturday, April 23, 2011

Active Directory Recycle Bin

Enable Active Directory Recycle Bin
Active Directory Recycle Bin is a new feature in Windows Server 2008 R2 that helps administrators recover deleted Active Directory objects.

Before this feature existed, when an administrator deleted an object in Active Directory, the only way back was to restore a system state backup, which meant downtime for the restore.

Remark: By default, Active Directory Recycle Bin in Windows Server 2008 R2 is disabled. To enable it, you must first raise the forest functional level of your AD DS or AD LDS environment to Windows Server 2008 R2, which in turn requires all forest domain controllers, or all servers that host instances of AD LDS configuration sets, to be running Windows Server 2008 R2. After setting the forest functional level of your environment to Windows Server 2008 R2, you can use the instructions in this guide to enable Active Directory Recycle Bin.

1. At the Domain Controller, log in as a Domain Administrator.
2. Click "Start", then enter "dsac".
3. Select "<Domain> (local)"; next to "Tasks", click "Raise the forest functional level".

Figure 1: Raise Forest Functional Level

4. Click "OK" three times.
5. Click "Start > Administrative Tools > Active Directory Module for Windows PowerShell".
6. Enter the following cmdlet to enable Active Directory Recycle Bin:

Enable-ADOptionalFeature -Identity 'CN=Recycle Bin Feature,CN=Optional Features,CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=<Domain>,DC=com' -Scope ForestOrConfigurationSet -Target '<Domain Name>' -Confirm:$false

Figure 2: Enable Active Directory Recycle Bin

Remark: Once Active Directory Recycle Bin has been enabled, it cannot be disabled again.

7. Back in "Active Directory Administrative Center", create an OU named Engineer (uncheck "Protect from accidental deletion").
8. Create a user account named Susan in the Engineer OU (uncheck "Protect from accidental deletion").
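Before running the Enable-ADOptionalFeature command above, it is worth checking that the forest really is at the Windows Server 2008 R2 level and that the feature is not already on, since enabling it is irreversible. The following script is an added example, not part of the original post or of Microsoft's guide; it assumes the ActiveDirectory module on a domain controller, and the forest name in the usage line is a placeholder.

```powershell
# Added example (not from the original post): pre-flight checks around enabling
# Active Directory Recycle Bin, run in the Active Directory Module for Windows PowerShell.
Import-Module ActiveDirectory

function Test-ADRecycleBinReady {
    # Report forest functional level and whether the Recycle Bin feature is already enabled.
    param([string]$ForestFqdn = (Get-ADForest).RootDomain)

    $forest  = Get-ADForest -Identity $ForestFqdn
    $feature = Get-ADOptionalFeature -Filter 'name -like "Recycle Bin Feature"'

    # Forest functional level must be Windows Server 2008 R2 or later.
    $required = [int][Microsoft.ActiveDirectory.Management.ADForestMode]::Windows2008R2Forest
    $levelOk  = [int]$forest.ForestMode -ge $required

    # EnabledScopes stays empty until the feature has been enabled for the forest.
    $enabled = @($feature.EnabledScopes).Count -gt 0

    [pscustomobject]@{
        Forest            = $forest.Name
        ForestMode        = $forest.ForestMode
        LevelSufficient   = $levelOk
        RecycleBinEnabled = $enabled
        FeatureDN         = $feature.DistinguishedName
    }
}

function Enable-ADRecycleBinChecked {
    # Enable the feature only when the checks pass; refuse to proceed on an under-level forest.
    param([Parameter(Mandatory)][string]$ForestFqdn)

    $state = Test-ADRecycleBinReady -ForestFqdn $ForestFqdn
    if (-not $state.LevelSufficient) {
        throw "Forest functional level is $($state.ForestMode); raise it to Windows Server 2008 R2 first."
    }
    if ($state.RecycleBinEnabled) {
        Write-Host "Recycle Bin is already enabled; nothing to do (it cannot be disabled again)."
        return $state
    }

    # Use the feature DN that AD itself reports instead of hand-typing the long
    # CN=Recycle Bin Feature,... path, which avoids DC=<Domain> transcription mistakes.
    Enable-ADOptionalFeature -Identity $state.FeatureDN -Scope ForestOrConfigurationSet `
        -Target $ForestFqdn -Confirm:$false

    Test-ADRecycleBinReady -ForestFqdn $ForestFqdn
}

# Usage (placeholder forest name):
# Enable-ADRecycleBinChecked -ForestFqdn 'corp.example.com'
```

Run Test-ADRecycleBinReady on its own first; its RecycleBinEnabled field is the quickest way to confirm the result after the enable step, and it is safe to run on any domain controller because it only reads.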


Recover the deleted user account
1. Still in "Active Directory Administrative Center", delete Susan's user account.
2. Go to "Active Directory Module for Windows PowerShell", enter the following cmdlet:

Get-ADObject -SearchBase "CN=Deleted Objects,DC=<Domain>,DC=com" -ldapFilter:"(msDs-lastknownRDN=Susan Tam)" -IncludeDeletedObjects -Properties lastKnownParent

Figure 3: Verify the account status

This cmdlet shows the deleted user's information and status, including lastKnownParent, the container the account lived in before deletion.

Remark: If you use * in place of the name, (msDs-lastKnownRDN=*), the cmdlet lists every deleted object, including all deleted users.

Figure 4: Verify all deleted users account

3. Enter the following cmdlet to restore Susan's account:

Get-ADObject -ldapFilter:"(msDs-LastKnownRDN=Susan Tam)" -includeDeletedObjects | Restore-ADObject

Figure 5: Restore Susan's account

4. Back to "Active Directory Administrative Center", refresh "Engineer" OU.

Figure 6: Engineer OU

Susan's account was restored.


Recover the deleted OU
1. Still in "Active Directory Administrative Center", delete the "Engineer" OU.
2. Go to "Active Directory Module for Windows PowerShell", enter the following cmdlet:

Get-ADObject -SearchBase "CN=Deleted Objects,DC=<Domain>,DC=com" -ldapFilter:"(msDs-lastknownRDN=Engineer)" -IncludeDeletedObjects -Properties lastKnownParent

Figure 7: Verify the OU status

3. Enter the following cmdlet to restore Engineer OU:

Restore-ADObject -Identity <ObjectGUID>

Figure 8: Restore Engineer OU

4. Back to "Active Directory Administrative Center", refresh "<Domain>".

Figure 9: Engineer OU

As a result, the Engineer OU was recovered, but the user accounts that were inside it are not restored with it. Restore the parent OU first, then restore each user account with the cmdlet shown above; a child object cannot be restored while its last known parent is still deleted.
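The following script is an added example, not part of the original post, that automates the order the post describes: restore the deleted OU, then restore everything whose last known parent was that OU, recursing into nested OUs. It assumes the ActiveDirectory module on a Windows Server 2008 R2 domain controller; the OU name 'Engineer' in the usage line is the post's sample OU.

```powershell
# Added example (not from the original post): restore a deleted OU together with the
# objects that were inside it, recursing into nested OUs.
Import-Module ActiveDirectory

$DeletedObjectsContainer = 'CN=Deleted Objects,' + (Get-ADRootDSE).defaultNamingContext

function Get-ADDeletedObjectByRDN {
    # Same lookup as the post's Get-ADObject command, with the RDN as a parameter.
    param([Parameter(Mandatory)][string]$LastKnownRDN)
    Get-ADObject -SearchBase $DeletedObjectsContainer -IncludeDeletedObjects `
        -LDAPFilter "(msDS-LastKnownRDN=$LastKnownRDN)" `
        -Properties lastKnownParent, msDS-LastKnownRDN, whenChanged
}

function Restore-ADDeletedChildren {
    # Restore every deleted object whose last known parent is $ParentDN, then recurse
    # into any OUs among them so nested structures come back as well.
    param([Parameter(Mandatory)][string]$ParentDN)

    # lastKnownParent is a DN-syntax attribute: while the parent is deleted it displays the
    # mangled DN (OU=Engineer\0ADEL:<guid>,CN=Deleted Objects,...); once the parent has been
    # restored it resolves to the live DN again, which is what this filter matches.
    $children = Get-ADObject -SearchBase $DeletedObjectsContainer -IncludeDeletedObjects `
        -Filter "lastKnownParent -eq '$ParentDN'" -Properties msDS-LastKnownRDN

    $restored = @()
    foreach ($child in $children) {
        $obj = Restore-ADObject -Identity $child.ObjectGUID -PassThru
        $restored += $obj.DistinguishedName
        if ($obj.ObjectClass -eq 'organizationalUnit') {
            $restored += Restore-ADDeletedChildren -ParentDN $obj.DistinguishedName
        }
    }
    return $restored
}

function Restore-ADOrganizationalUnitTree {
    param([Parameter(Mandatory)][string]$OUName)

    $candidates = @(Get-ADDeletedObjectByRDN -LastKnownRDN $OUName |
        Where-Object { $_.ObjectClass -eq 'organizationalUnit' })
    if ($candidates.Count -eq 0) {
        throw "No deleted OU named '$OUName' found in $DeletedObjectsContainer."
    }
    if ($candidates.Count -gt 1) {
        # Several tombstones share the name: show them and insist on a GUID, as in the post's step 3.
        $candidates | Format-Table ObjectGUID, lastKnownParent, whenChanged -AutoSize |
            Out-String | Write-Warning
        throw "Ambiguous OU name; use Restore-ADObject -Identity <ObjectGUID> for the intended OU."
    }

    # Parent first: a child cannot be restored into a container that does not exist yet.
    $ou = Restore-ADObject -Identity $candidates[0].ObjectGUID -PassThru
    $children = Restore-ADDeletedChildren -ParentDN $ou.DistinguishedName

    [pscustomobject]@{
        RestoredOU       = $ou.DistinguishedName
        RestoredChildren = @($children)
    }
}

# Usage, against the post's sample OU:
# Restore-ADOrganizationalUnitTree -OUName 'Engineer'
```

The ambiguity check matters in practice: an OU deleted and recreated more than once leaves several tombstones with the same msDS-LastKnownRDN, and restoring the wrong one silently puts back stale ACLs and memberships, so the script refuses to guess and asks for the ObjectGUID.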

Reference:
Active Directory Recycle Bin Step-by-Step Guide
http://technet.microsoft.com/en-us/library/dd392261(WS.10).aspx

This posting is provided “AS IS” with no warranties, and confers no rights!
