The Active Directory Recycle Bin in Windows Server 2012 R2 is a great feature for system administrators who need to recover deleted objects from Active Directory. The feature has existed in the server product since version 2008, but it is not enabled by default; you have to enable it before you can use it.
To get started, you’ll need the following:
- At least one Domain Controller running Windows Server 2012 with the Active Directory Administrative Center enabled.
- All Domain Controllers (or servers running AD LDS) must be running Windows Server 2008 R2 or higher.
- The Forest must be running at Windows Server 2008 R2 functional level.
In GUI – here are the steps:
- In Windows Server 2012 R2 click on Active Directory Administrative Center
- Click on your Domain name on left side
- Right click and select Enable Recycle bin
- It will take a second and you should receive confirmation that the Recycle Bin has been enabled on your server
If you are one of those who prefer PowerShell here is the code:
Enable-ADOptionalFeature -Identity 'CN=Recycle Bin Feature,CN=Optional Features,CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=ad,DC=Cloudman,DC=com' -Scope ForestOrConfigurationSet -Target 'ad.cloudman.com'
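The one-liner above does the job, but in practice you want to verify the prerequisites listed earlier and confirm the result, because the change is irreversible. The following script is an added example and is not code from the original post: it checks the forest functional level, looks the feature up by name instead of hard-coding the distinguished name, enables it only if it is not already enabled, and re-reads the feature afterwards. It assumes the ActiveDirectory RSAT module is installed and that the session runs as a member of Enterprise Admins.

```powershell
# Added example (not from the original post): pre-flight checks before enabling the
# Active Directory Recycle Bin, an idempotent enable, and a verification read-back.
# Assumes the ActiveDirectory RSAT module and an account in Enterprise Admins.
Import-Module ActiveDirectory

$forest = Get-ADForest

# Prerequisite from the post: the forest must be at Windows Server 2008 R2 level or higher.
$minimumMode = [Microsoft.ActiveDirectory.Management.ADForestMode]::Windows2008R2Forest
if ([int]$forest.ForestMode -lt [int]$minimumMode) {
    throw "Forest functional level is $($forest.ForestMode); Windows2008R2Forest or higher is required."
}

# The optional feature object lives in the Configuration partition; look it up by name
# instead of hard-coding the DN so the script works in any forest.
$feature = Get-ADOptionalFeature -Filter 'Name -eq "Recycle Bin Feature"'

if ($feature.EnabledScopes.Count -gt 0) {
    Write-Output "Recycle Bin is already enabled (and cannot be disabled) for: $($feature.EnabledScopes -join ', ')"
} else {
    # -Confirm:$false suppresses the interactive prompt that warns the change cannot be undone.
    Enable-ADOptionalFeature -Identity $feature -Scope ForestOrConfigurationSet `
        -Target $forest.Name -Confirm:$false
}

# Verify: re-read the feature and confirm the forest-wide scope is now listed.
$feature = Get-ADOptionalFeature -Identity $feature.DistinguishedName
if ($feature.EnabledScopes.Count -eq 0) {
    throw "Enable-ADOptionalFeature returned but the feature still reports no enabled scopes."
}
Write-Output "Recycle Bin enabled scopes: $($feature.EnabledScopes -join ', ')"
```

Run it once from an elevated PowerShell session on a domain-joined admin workstation or a domain controller; a second run simply reports that the feature is already enabled, which makes it safe to include in a build checklist.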
It is worth mentioning that once the Recycle Bin feature is enabled, it cannot be disabled. You should also plan for the fact that, once the feature is enabled, the size of the AD database (Ntds.dit) will increase, because the Recycle Bin needs space to preserve deleted objects in the database. To access the AD Recycle Bin, you must be a member of the Enterprise Admins group.
Deleted AD objects are preserved for 180 days. The tombstoneLifetime attribute is set on the CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=COMPANY,DC=COM container.
There’s an artificial limit to the number of items displayed in the recycle bin. By default, it’s set at 20,000. You can change this number (up to 100,000) by clicking the Manage menu and selecting Management List Options.
To make restores easy when AD contains many objects with the same name, the restore process lets you filter on additional criteria, so you can find the right deleted object in the Recycle Bin faster.
As you probably are aware, AD has multiple partitions. It’s important to note that the recycle bin can manage only domain partitions. So, if objects are deleted from the Configuration, Domain DNS, or Forest DNS partitions, you can’t restore them with this tool.
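The points above (the retention values on the Directory Service container, disambiguating same-name objects, and the domain-partition-only scope) come together in a typical restore. The script below is an added example and is not code from the original post: it reads tombstoneLifetime and msDS-DeletedObjectLifetime from the container named earlier, searches only the domain partition for deleted objects with a given account name, lists the attributes that tell duplicates apart, and restores the most recently deleted match by GUID. The account name jsmith is a constructed placeholder, and the script assumes the ActiveDirectory module and Enterprise Admins membership.

```powershell
# Added example (not from the original post): read the retention values, find a deleted
# object in the domain partition, show the details that disambiguate same-name objects,
# and restore it by GUID. 'jsmith' is a constructed placeholder account name.
param(
    [string]$SamAccountName = 'jsmith',   # placeholder; replace with the deleted account
    [switch]$Restore                      # without this switch the script only reports
)
Import-Module ActiveDirectory

$rootDse = Get-ADRootDSE

# Retention settings live in the Directory Service container named in the post;
# the configuration naming context is discovered rather than hard-coded.
$dsContainer = "CN=Directory Service,CN=Windows NT,CN=Services,$($rootDse.configurationNamingContext)"
$ds = Get-ADObject -Identity $dsContainer -Properties tombstoneLifetime, 'msDS-DeletedObjectLifetime'
$tombstoneLifetime = $ds.tombstoneLifetime
# msDS-DeletedObjectLifetime falls back to tombstoneLifetime when it is not explicitly set.
$deletedObjectLifetime = if ($ds.'msDS-DeletedObjectLifetime') { $ds.'msDS-DeletedObjectLifetime' } else { $tombstoneLifetime }
Write-Output "tombstoneLifetime=$tombstoneLifetime days; msDS-DeletedObjectLifetime=$deletedObjectLifetime days"

# Search only the domain partition (the post notes the tool handles domain partitions only).
# -IncludeDeletedObjects is required; deleted objects are invisible to normal searches.
$candidates = Get-ADObject -Filter "isDeleted -eq `$true -and sAMAccountName -eq '$SamAccountName'" `
    -IncludeDeletedObjects -SearchBase $rootDse.defaultNamingContext `
    -Properties lastKnownParent, whenChanged, objectClass, sAMAccountName

if (-not $candidates) {
    Write-Output "No deleted object with sAMAccountName '$SamAccountName' found in the domain partition."
    return
}

# Several deleted objects can share a name; lastKnownParent, objectClass and the deletion
# time (whenChanged) are the extra criteria that tell them apart.
$candidates | Sort-Object whenChanged -Descending |
    Format-Table Name, objectClass, lastKnownParent, whenChanged, ObjectGUID -AutoSize

if ($Restore) {
    # Restore the most recently deleted match by its GUID, which is unambiguous: ObjectGUID
    # survives deletion while the DN is rewritten into the Deleted Objects container.
    $target = $candidates | Sort-Object whenChanged -Descending | Select-Object -First 1
    Restore-ADObject -Identity $target.ObjectGUID
    $restored = Get-ADObject -Identity $target.ObjectGUID -Properties isDeleted
    if ($restored.isDeleted) { throw "Restore of $($target.ObjectGUID) did not clear isDeleted." }
    Write-Output "Restored $($restored.DistinguishedName)"
}
```

Run it first without -Restore to review the candidate list, then with -Restore once you are sure which object you want back. Restoring by ObjectGUID rather than by name is what protects you from picking the wrong one of several same-name objects, and the read-back of isDeleted confirms the object actually left the Deleted Objects container.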
The Active Directory Recycle Bin can be a lifesaver for those times when simply re-creating a user won’t do or when you have to restore the entire AD or large parts of it. If the need arises, I encourage you to take advantage of this easy-to-use tool.