Windows Server 2008 R2 – Active Directory Recycle Bin
Here I want to talk about a new feature that R2 gives us, one that saves us administrators a lot of time and a lot of screaming from our bosses.
So what does this wonderful new feature do? As you have probably guessed, Microsoft developed this tool to restore deleted objects from our Active Directory without using any backup program.
But as you know, not everything is as good as it sounds: with a traditional restore, your domain controller has to go into DSRM, which means it goes offline, and offline is the opposite of online, so several services will be unavailable for the duration of the restore.
Now that we understand what happens when we restore, I want to explain what happens between the last backup and the changes made after it. As with every backup, any changes made to an object after the backup was created will not be restored!
Let's take an example.
You created the backup on Sunday morning. This backup includes the new user for the sales department, named "Erik Forman". On Monday your bosses decide to add Erik to the "Retention" group; everybody is happy, but not for long, because on Monday evening one of your employees accidentally deletes Erik's account. No need to be upset, because you have R2 and you can recover it, but the object will be recovered without the changes you made. Well, that's a silly example, because you'll tell yourself you can just create a new user and be done with it. But imagine the next scenario: your worker accidentally deletes the entire "Sales" organizational unit. Well, now you are in real trouble, and this is where you wish you had a tool that does what this feature allows you to do.
When you use the Active Directory Recycle Bin feature you also minimize directory service downtime, because you don't need to reboot the server the way you do when restoring from a tombstone or with another backup program.
Well, now that you understand what the tool can do for you, let's look at the requirements for using it. By default this feature is disabled, so if you want to enable it and enjoy it, your network has to meet the following requirements, in three sections.
- THE "SCHEMA" – here we need to understand what we have in our environment and how we got there:
- If you installed Windows Server 2008 R2 on a clean machine (clean installation), you do not need to update your schema, because it already has all the attributes needed for the AD Recycle Bin.
- The second option, and of course the most relevant one, is that you already have a forest that includes domain controllers running Server 2003 or Server 2008. To use this feature you need to raise the functional level, which means upgrading all domain controllers in your forest to Windows Server 2008 R2. That is still not enough: you also need to update your schema. To do so, run a few commands on one of your AD servers, following these steps:
- Go to the server that holds the "Schema Master" role and run:
Adprep /forestprep (running this command updates your entire forest)
- Adprep /domainprep /gpprep
Note!
If you have an RODC in your forest you also need to run:
Adprep /rodcprep
- THE "SERVERS" – make sure all your domain controllers are running Windows Server 2008 R2.
- THE "Functional Level" – make sure your forest functional level is set to "Windows Server 2008 R2" (all your domains need to be raised to this level before you can raise the forest functional level).
Now that we understand the benefits of this feature, let's get more specific and go through how we satisfy each requirement:
1. Raise the domain functional level of each domain to "Windows Server 2008 R2":
Start -> All Programs -> Administrative Tools -> "Active Directory Users and Computers" -> right-click your domain name -> Raise Domain Functional Level -> "Windows Server 2008 R2"
Note!
After we finish raising the functional level of every domain, we need to raise the forest functional level.
2. Raise the functional level of the entire forest:
Start -> All Programs -> Administrative Tools -> "Active Directory Domains and Trusts" -> right-click Active Directory Domains and Trusts, and then click Raise Forest Functional Level.
3. Now we need to enable the Active Directory Recycle Bin:
There are two ways to do it, but here I will cover the method recommended by Microsoft, using LDP.exe.
- Start -> Run -> type LDP.exe
- Now we need to connect and bind to the DC that holds the forest root domain:
Connection -> Connect -> Bind
- Click View -> Tree, and in BaseDN choose the configuration partition (you will also see the Schema partition) -> press OK.
- When the console tree opens, expand the distinguished name of the configuration directory partition -> find the CN=Partitions container -> right-click it -> Modify.
- Verify that the DN box is empty, and in Edit Entry Attribute type enableOptionalFeature.
- In the Modify dialog box, in Values, type CN=Partitions,CN=Configuration,DC=mydomain,DC=com:766ddcd8-acd0-445e-f3b9-a7f9b6744f2a. Replace mydomain and com with the forest root domain name of your AD DS environment.
- In the Modify dialog box, under Operation click Add, click Enter, and then click Run.
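The other way to do it is the Active Directory PowerShell module. The script below is an added example, not something from the original post: it checks the three requirements ("SCHEMA", "SERVERS", "Functional Level") described above, reports whether the Recycle Bin is already on, and enables it with Enable-ADOptionalFeature, which performs the same enableOptionalFeature modify that the LDP.exe steps do. It assumes the ActiveDirectory module that ships with Windows Server 2008 R2 (or RSAT), a session running as a member of Enterprise Admins, and PowerShell 2.0; the function names are my own.

```powershell
# Added example (not the post's own code): prerequisite check + enable for AD Recycle Bin.
# Assumes the ActiveDirectory module and an Enterprise Admins session; PowerShell 2.0 syntax.
Import-Module ActiveDirectory

function Test-ADRecycleBinPrerequisites {
    $forest  = Get-ADForest
    $rootDse = Get-ADRootDSE

    # 1. "SCHEMA": objectVersion on the schema head. 47 is the value adprep /forestprep
    #    writes for Windows Server 2008 R2 (a clean R2 forest already has it).
    $schema   = Get-ADObject -Identity $rootDse.schemaNamingContext -Properties objectVersion
    $schemaOk = [int]$schema.objectVersion -ge 47

    # 2. "SERVERS": every DC in every domain of the forest must run Server 2008 R2.
    $dcs = foreach ($domain in $forest.Domains) {
        Get-ADDomainController -Filter * -Server $domain
    }
    $oldDcs    = @($dcs | Where-Object { $_.OperatingSystem -notlike '*2008 R2*' })
    $serversOk = $oldDcs.Count -eq 0

    # 3. "Functional Level": the forest must be at Windows Server 2008 R2 or later.
    $requiredMode = [Microsoft.ActiveDirectory.Management.ADForestMode]::Windows2008R2Forest
    $levelOk      = [int]$forest.ForestMode -ge [int]$requiredMode

    # State of the optional feature itself: EnabledScopes stays empty until it is enabled.
    $feature = Get-ADOptionalFeature -Identity 'Recycle Bin Feature'

    New-Object PSObject -Property @{
        SchemaVersion     = $schema.objectVersion
        SchemaOk          = $schemaOk
        DomainControllers = ($dcs | ForEach-Object { "$($_.HostName) [$($_.OperatingSystem)]" })
        NonR2Controllers  = ($oldDcs | ForEach-Object { $_.HostName })
        ServersOk         = $serversOk
        ForestMode        = $forest.ForestMode
        FunctionalLevelOk = $levelOk
        FeatureGuid       = $feature.FeatureGUID      # 766ddcd8-acd0-445e-f3b9-a7f9b6744f2a
        RecycleBinEnabled = ($feature.EnabledScopes.Count -gt 0)
        ReadyToEnable     = ($schemaOk -and $serversOk -and $levelOk)
    }
}

function Enable-ADRecycleBinFeature {
    # Same operation as the LDP.exe enableOptionalFeature modify. Enabling cannot be
    # undone, which is why the check runs first and -WhatIf is supported.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    $state = Test-ADRecycleBinPrerequisites
    if ($state.RecycleBinEnabled) {
        Write-Warning 'Active Directory Recycle Bin is already enabled.'
        return $state
    }
    if (-not $state.ReadyToEnable) {
        throw ('Requirements not met: SchemaOk={0} ServersOk={1} FunctionalLevelOk={2}' -f $state.SchemaOk, $state.ServersOk, $state.FunctionalLevelOk)
    }
    $rootDomain = (Get-ADForest).RootDomain
    if ($PSCmdlet.ShouldProcess($rootDomain, 'Enable Active Directory Recycle Bin')) {
        Enable-ADOptionalFeature -Identity 'Recycle Bin Feature' `
            -Scope ForestOrConfigurationSet -Target $rootDomain -Confirm:$false
    }
    Test-ADRecycleBinPrerequisites
}

# Usage: inspect first, preview with -WhatIf, then run without it to enable.
Test-ADRecycleBinPrerequisites | Format-List
Enable-ADRecycleBinFeature -WhatIf
```

Run the check on its own first: NonR2Controllers lists exactly the machines that still block you, and RecycleBinEnabled tells you whether somebody already did the LDP.exe steps on another DC.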
Now that we have configured it, we need to understand how to use it.
So let's say the worst-case scenario happens and you deleted critical objects. How can we see what has been deleted?
- Start -> Run -> type LDP.exe -> Options menu -> Controls.
- When the Controls dialog opens -> click "Load Predefined" -> choose "Return deleted objects" -> click OK.
Now for the "punch line", the restore process:
- Start -> Run -> type LDP.exe
- Now we need to connect and bind to the DC that holds the forest root domain:
Connection -> Connect -> Bind.
- In the console tree, look for "CN=Deleted Objects".
- Now all you need to do is locate the deleted objects:
- Locate and right-click the deleted Active Directory object that you want to restore, and then click Modify.
In the Modify dialog that opens, do the following:
- In Edit Entry Attribute, type isDeleted.
- Leave the Values box empty.
- Under Operation, click Delete, and then click Enter.
- In Edit Entry Attribute, type distinguishedName.
- In Values, type the object's distinguished name (DN).
- Under Operation, click Replace.
- Click Enter -> Run.
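The same two things, finding what was deleted and putting it back, can be done from the Active Directory PowerShell module. The script below is an added example, not the post's own code: -IncludeDeletedObjects stands in for LDP's "Return deleted objects" control, and Restore-ADObject does in one call what the isDeleted / distinguishedName modify above does by hand. The names "Erik Forman" and the "Sales" OU come from the scenario earlier in the post; the Get-ADDeletedObject and Restore-ADDeletedSubtree helpers, and the way they match children to a restored OU, are my own. It assumes the ActiveDirectory module and a Recycle Bin that is already enabled.

```powershell
# Added example (not the post's own code): list deleted objects and restore them,
# including a whole OU with everything that was inside it.
Import-Module ActiveDirectory

function Get-ADDeletedObject {
    # -IncludeDeletedObjects is the cmdlet equivalent of loading LDP's
    # "Return deleted objects" control; msDS-LastKnownRDN holds the pre-deletion name.
    param([string]$Name = '*')
    $deletedContainer = 'CN=Deleted Objects,' + (Get-ADRootDSE).defaultNamingContext
    Get-ADObject -SearchBase $deletedContainer -IncludeDeletedObjects `
        -LDAPFilter "(&(isDeleted=TRUE)(msDS-LastKnownRDN=$Name))" `
        -Properties 'msDS-LastKnownRDN', lastKnownParent, whenChanged
}

function Restore-ADDeletedSubtree {
    # Restore-ADObject clears isDeleted and writes the restored distinguishedName,
    # the two LDP steps above. An OU must exist again before anything that lived
    # in it can be restored, so this restores the object first and then every
    # deleted object that recorded it as its parent (recursively for nested OUs).
    param(
        [Parameter(Mandatory = $true)]$DeletedObject,   # item returned by Get-ADDeletedObject
        [string]$TargetParentDn                          # omit to restore under lastKnownParent
    )
    $guid      = $DeletedObject.ObjectGUID.ToString()
    $deletedDn = $DeletedObject.DistinguishedName        # mangled: CN=Erik Forman\0ADEL:<guid>,CN=Deleted Objects,...

    $splat = @{ Identity = $guid }
    if ($TargetParentDn) { $splat['TargetPath'] = $TargetParentDn }
    Restore-ADObject @splat

    # Group memberships come back too: the Recycle Bin keeps link-valued attributes,
    # which is what the backup-based restore in the "Retention" group story loses.
    $restored = Get-ADObject -Identity $guid -Properties memberOf
    $restored

    # Children may have recorded the parent by its mangled or its original DN; match both.
    $children = Get-ADDeletedObject | Where-Object {
        $_.lastKnownParent -eq $deletedDn -or $_.lastKnownParent -eq $restored.DistinguishedName
    }
    foreach ($child in $children) {
        Restore-ADDeletedSubtree -DeletedObject $child -TargetParentDn $restored.DistinguishedName
    }
}

# Scenario 1 from the post: see what has been deleted, then bring "Erik Forman" back.
Get-ADDeletedObject | Format-Table 'msDS-LastKnownRDN', objectClass, lastKnownParent, whenChanged -AutoSize
$erik = Get-ADDeletedObject -Name 'Erik Forman' | Where-Object { $_.objectClass -eq 'user' }
Restore-ADDeletedSubtree -DeletedObject $erik

# Scenario 2: the whole "Sales" OU went, so restore it and everything under it.
$sales = Get-ADDeletedObject -Name 'Sales' | Where-Object { $_.objectClass -eq 'organizationalUnit' }
Restore-ADDeletedSubtree -DeletedObject $sales
```

Restore-ADDeletedSubtree passes -TargetPath explicitly for every child, so it does not matter whether the child's lastKnownParent still carries the mangled "\0ADEL" name of the OU or its original DN; the object lands in the OU that now exists again either way.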
June 16th, 2010 at 1:28 pm
Wow! what an idea ! What an idea ! Beautiful .. Wonderful …
June 19th, 2010 at 3:27 am
My friend recommended this blog and it's great!!!
June 22nd, 2010 at 8:21 pm
Very informative article. Much thanks again.