Printout Header
LEX RSS Feed

LEX Online Manual Content

AD Recycle Bin Recovery

If you are in a Active Directory environment with Windows 2008 R2 (or newer) domain controllers, then you can recover deleted objects without the limitations of the older windows versions. This is a new feature which is called AD Recycle Bin. All attributes, group memberships and other references can be restored. If you use this feature, you can undelete entire OUs which was deleted before without the need to restore some AD data from a backup! You can read more about this new AD feature on the Microsoft Technet Article 'Step-by-Step Guide to the AD Recycle Bin'.

The important thing about the AD Recycle Bin: This feature has to be activated first! Even in pure Windows 2008 R2 DC environments, you have only the 'old' tombstone reanimation if you don't activate the AD Recycle Bin feature. See the explanations below ho to activate the AD Recycle Bin.

If the AD Recycle Bin is activated, the deleted objects in your domain are stored in the Deleted Objects container, which is a container in the root hierarchy of each domain. You cannot see this container with the normal AD admin tools because it's a special hidden container which is only visible in LDAP requests with the extended LDAP control 1.2.840.113556.1.4.417 (Show Deleted) - fortunately LEX can use this control in it's request to the regarding server.

The Deleted Objects container

 

Objects in the Deleted Objects container can have two different states:

  1. First they are 'Deleted', which means that they can be restored with all their attribute properties. There is a directory parameter named msDS-deletedObjectLifetime which determines how long the objects remain in the 'Deleted' state.

  2. After a while, the objects become 'Recycled' which means that they are only used internally for replication purpose. But these objects cannot be restored, reanimated or otherwise re-used by any tool. There is a directory parameter named tombstoneLifetime which determines how long the objects remain in the 'Recycled' state.

Deleted Objects vs. Recycled Objects

Both timespan parameters can be set globally in the configuration partition object

 CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=yourdomain,DC=com


with the attributes

 msDS-deletedObjectLifetime     and      tombstoneLifetime

If there is no attribute, then the default values are in effect (180 days), you can add these attribute with you own setting if you want to change the settings. Please note that large lifetime values causes big AD databases on the file system on all domain controllers in the entire forest!


How to undelete Objects with LEX


If you want to reanimate the tombstone of a recently deleted object, you have to select the Deleted Objects container in the regarding domain. In the object list panel, you see all the deleted objects in this container on the same level (there are never subcontainer structures in the deleted objects container).

 

All deleted objects become a tombstone where the relative distinguished name (RDN) is the old object name, together with a line feed (strange but not illegal in a directory name) and the GUID string of this object. There are several interesting attributes for the tombstones:

  • whenCanged: Normally the date and time when the object was deleted.
  • lastknownParent: The parent container where the object originally was stored. Can be deleted also, you should find the appropriate tombstone then.
  • isDeleted: Always true for all objects in the Deleted Objects container. For normal objects, this parameter doesn't exist.
  • isRecycled: This is true for objects which were in the 'Deleted' state longer than the msDS-deletedObjectLifetime and therefore became 'Recycled'. You cannot recover such objects any more! Normally you would not even see them - you need to add the special extended LDAP control 1.2.840.113556.1.4.2064 (Show Recycled) to your LDAP requests - fortunately LEX can use this control in it's request to the regarding server.

Select all the objects you want to recover and use the menu option Edit - Undelete (also available in the context menu). The Object Undelete dialog appears:

The Object Undelete dialog

In this dialog, you can choose if you want to restore the deleted objects in their original or another container. If you choose to restore the object in their original container, LEX can restore these containers to if this should be necessary. After the undelete operation you see the results in a separated window:

The object recovery result dialog

The option Copy to Clipboard enables you to get a semicolon-separated result summary into the clipboard so that you can use this for documentation of the recovery operation.


How to activate the AD Recycle Bin


You can check whether the AD Recycle Bin Feature was enabled in your Active Directory forest or not. Just browse into the Configuration Partition (this namespace is offered by any DC in your environment). There you have to go to this object

  CN=Partitions,CN=Configuration,DC=yourdomain,DC=com

There is an attribute named

  msDS-EnabledFeature

If the AD Recycle Bin is active, this attribute has this value

  CN=Recycle Bin Feature,CN=Optional Features,CN=Directory Service,
     CN=Windows NT,CN=Services,CN=Configuration,DC=yourdomain,DC=com


Unfortunately, you cannot simply set this attribute directly if you want to activate the Recycle Bin Feature. Instead, you have to enable the feature by writing to the RootDSE entry of the regarding server. You have to be enterprise admin for this.

So open the RootDSE entry with the LEX option Connection - RootDSE. After that, you see the attribute window for this entry. Now you have to add an additional attribute named EnableFeature. In fact, this is not a real attribute, but writing to 'EnabledFeature' can activate the Ad Recycle Bin on a domain controller. The value that has to be written is the GUID of the AD Recycle Bin Feature:

  CN=Partitions,CN=Configuration,DC=yourdomain,
     DC=com:766ddcd8-acd0-445e-f3b9-a7f9b6744f2a

 

Enabling the AD Recycle Bin

You can read more about the special RootDSE attributes which changes the DC's behavior in the MSDN article about the RootDSE Modify Operations.