Active Directory Recycle Bin
Windows Server 2008 R2 delivered a new feature called the Active Directory Recycle Bin, which offers the ability to restore items deleted from the Active Directory database by restoring them from the Recycle Bin with the simplicity of... well, it's not really that simple.
The premise is simple enough. You've deleted an item that you want to restore, so instead of breaking out the backups, taking down a Domain Controller, booting into DSRM and re-acquainting yourself with NTDSUTIL, you enable the Recycle Bin to save you all that hassle.
But wait a minute! Before enabling the Active Directory Recycle Bin (ADRB) there are a couple of caveats which you should be aware of. Now, Microsoft will tell you what you need to enable your use of ADRB such as:
- Forest functional level: Windows Server 2008 R2
- All Domain Controllers running Windows Server 2008 R2
...but the limits that enabling the Active Directory Recycle Bin places on restore operations are significant enough that your Backup Operators and Data Security personnel need to be consulted before you make a unilateral decision to enable it.
- Enabling ADRB transitions all currently Tombstoned (deleted) objects to the new Recycled object state. This effectively means that current Tombstoned objects (objects deleted in the last 180 days) should never be restored, either through object reanimation or via an authoritative restore.
- Similar to the above, once an object reaches the Recycled object state (after 180 days of being a Logically Deleted object) it cannot be restored or recovered from backup. Microsoft recommends that you do not use authoritative restores at all after enabling ADRB and that you only use ADRB to restore objects during their deleted object lifetime (DOL). This Microsoft article (http://technet.microsoft.com/en-us/library/dd379542(WS.10).aspx) details the recommendation, which effectively means that restores must be done within the deleted object lifetime or you should consider the object completely unrecoverable. The deleted object lifetime can be adjusted at the expense of an increased AD database size and replication traffic, but the default is 180 days.
- ADRB cannot restore changed objects – this must be done using an authoritative restore while the object is still live. Hopefully the proper use of change processes in your organisation should minimise the eventuality of this occurring and permit the ability to simply undo a change but we all know what happens in the real world.
- Enabling ADRB results in the size of your Active Directory database increasing (and consequently the replication bandwidth requirements) to accommodate the new object state before deleted objects are completely removed from the database. The increase depends on the number and type of objects created and deleted, but since there is a new object state, the time deleted objects remain in the database is effectively doubled.
Only once each of these discussion points has been thoroughly considered should you look at enabling the Active Directory Recycle Bin.
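The following PowerShell pre-flight check is an added example, not part of the original article. It assumes the ActiveDirectory module is available and that you hold Enterprise Admin rights in the forest; it reports the prerequisites and caveats listed above (functional level, DC operating systems, the current deleted object lifetime, and the tombstoned objects that would become unrecoverable) before the feature is enabled.

```powershell
# Added example (not from the original article): ADRB pre-flight check.
# Assumes the ActiveDirectory module and Enterprise Admin rights in the forest.
Import-Module ActiveDirectory

$forest   = Get-ADForest
$configNC = (Get-ADRootDSE).configurationNamingContext

# 1. Forest functional level must be Windows Server 2008 R2 or higher.
Write-Host "Forest mode: $($forest.ForestMode)"

# 2. Every DC in the forest must run Windows Server 2008 R2 or later.
Get-ADDomainController -Filter * |
    Select-Object Name, Domain, OperatingSystem |
    Format-Table -AutoSize

# 3. Is the Recycle Bin already enabled, and in which scope?
$feature = Get-ADOptionalFeature -Filter 'Name -eq "Recycle Bin Feature"'
Write-Host "Recycle Bin enabled scopes: $($feature.EnabledScopes -join ', ')"

# 4. Tombstone lifetime and deleted object lifetime; an empty value means the
#    default of 180 days applies.
$dsConfig = Get-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$configNC" `
    -Properties tombstoneLifetime, 'msDS-DeletedObjectLifetime'
Write-Host "tombstoneLifetime: $($dsConfig.tombstoneLifetime)"
Write-Host "msDS-DeletedObjectLifetime: $($dsConfig.'msDS-DeletedObjectLifetime')"

# 5. Objects currently tombstoned in this domain become Recycled the moment ADRB
#    is enabled and can then neither be reanimated nor authoritatively restored,
#    so list them first and review them with the backup owners.
$tombstoned = Get-ADObject -Filter 'isDeleted -eq $true' -IncludeDeletedObjects `
    -Properties whenChanged, lastKnownParent |
    Where-Object { $_.Name -ne 'Deleted Objects' }   # skip the container itself
Write-Host "Tombstoned objects that would become unrecoverable: $(@($tombstoned).Count)"
$tombstoned | Select-Object Name, ObjectClass, whenChanged, lastKnownParent |
    Format-Table -AutoSize

# 6. Only after the review, enable the feature. This is a one-way change,
#    so the call is left commented out.
# Enable-ADOptionalFeature -Identity 'Recycle Bin Feature' `
#     -Scope ForestOrConfigurationSet -Target $forest.RootDomain -Confirm:$false

# 7. Once enabled, an object deleted within its DOL is restored like this
#    (the name filter is a placeholder):
# Get-ADObject -Filter 'isDeleted -eq $true -and Name -like "PLACEHOLDER*"' `
#     -IncludeDeletedObjects | Restore-ADObject
```

Step 5 only covers the domain you are connected to; repeat it against each domain in the forest (for example with `-Server`) before enabling the feature forest-wide.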
I know this subject is fairly old hat given that Windows Server 2012 is now available, but I'm still astonished by the number of Active Directories I come across that aren't making use of the Active Directory Recycle Bin. Going by the pro tip below (can I call myself a pro?), enabling it in Windows Server 2012 is pretty much a no-brainer with the easy-peasy GUI on offer; just be mindful of the implications.
Pro tip: Although the procedure for using the Recycle Bin is currently PowerShell-based, Windows Server 2012 provides a Graphical User Interface to permit much simpler use of the Recycle Bin feature.
Admission: I actually wrote this article nearly 12 months ago but never finished or published it. Since then Windows Server 2012 has been released, so I've made mention of that in the article.
Thanks for a great article Lewis! We really appreciate the objectivity. It’s extremely important to understand the implications of enabling certain services. Do not go blindly into that good light 🙂