“How do I recover deleted Active Directory objects from the Recycle Bin in Windows Server 2012?” We get this question a lot in our support forums, and as most admins know, restoring and recovering AD objects from the Recycle Bin is not always as simple as right click + undelete.
In fact, back in 2012 I wrote a post called “The Windows Server 2012 Recycle Bin and Recovery Manager for Active Directory,” and it still gets a couple hundred visits every month. (I love it when I post something out on the Web and it still gets tons of visitors more than two years later.)
So, here’s a refresh on the Windows Server Recycle Bin topic, with information we’ve gathered over the last couple of years.
Active Directory Recycle Bin recovery in Windows Server 2008 R2 and 2012
Going back as far as Windows Server 2008 R2, the AD Recycle Bin lets you retain deleted Active Directory objects with all of their attributes (including passwords and group memberships) for a configurable period called the deleted object lifetime. That made it possible to get deleted objects back with PowerShell, without an authoritative restore from backup.
Windows Server 2012 added a graphical interface for it in the Active Directory Administrative Center (ADAC). You can select and undelete objects from either ADAC or PowerShell, and you can undelete a container such as an OU together with its child objects, provided the container is restored before its children.
But there are limitations to enabling the Windows Server 2012 Recycle Bin:
- It requires a forest functional level of Windows Server 2008 R2 or higher.
- Once enabled, it cannot be disabled.
- It causes the AD database to grow on every domain controller in the forest.
- After the deleted object lifetime (by default the same as the tombstone lifetime, typically 180 days), an object becomes a recycled object, loses its attributes and can no longer be undeleted.
- When undeleting, you need to know which objects were deleted so you can filter for them.
- Riskiest of all, you can undelete every object deleted in a time period, but if a fellow admin at another location made an intentional change to AD that you don't know about, you'll accidentally revert it. Suppose he deleted the account of an employee terminated on June 5, and you undelete everything from June 1 through June 10; you would accidentally undelete the terminated employee's account, complete with its password and group memberships, which poses a security risk.
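Here is an added PowerShell example, not code from the original post or from Recovery Manager, that walks through the checks and the restore described above: it verifies the forest functional level, enables the feature if it is off, lists the deleted objects in a date window that are still restorable, leaves a list of known intentional deletions alone, and restores OUs before their children. The dates, the placeholder GUID in $keepDeleted and the terminated-employee scenario are constructed for the example; it assumes the RSAT ActiveDirectory module and sufficient rights in the forest.

```powershell
# Added example, not code from the original post: selective AD Recycle Bin
# restore. Assumes the RSAT ActiveDirectory module and sufficient rights.
Import-Module ActiveDirectory

$forest  = Get-ADForest
$feature = Get-ADOptionalFeature -Filter 'Name -like "Recycle Bin Feature"'

# 1. Prerequisite: 2008 R2 forest functional level or higher.
$minMode = [Microsoft.ActiveDirectory.Management.ADForestMode]::Windows2008R2Forest
if ([int]$forest.ForestMode -lt [int]$minMode) {
    throw "Forest functional level is $($forest.ForestMode); 2008 R2 or higher is required."
}

# 2. Enable the feature if it is not on yet. This is a one-way change, so the
#    cmdlet's confirmation prompt is left in place on purpose.
if (-not $feature.EnabledScopes) {
    Enable-ADOptionalFeature -Identity $feature -Scope ForestOrConfigurationSet -Target $forest.RootDomain
}

# 3. Find deleted objects in the window. isRecycled objects are excluded because
#    anything past the deleted object lifetime can no longer be restored.
#    whenChanged is the last write, which for a deleted object is normally the
#    deletion itself.
$start = Get-Date '2015-06-01'   # constructed dates for the example
$end   = Get-Date '2015-06-11'
$candidates = Get-ADObject -LDAPFilter '(&(isDeleted=TRUE)(!(isRecycled=TRUE))(!(name=Deleted Objects)))' `
    -IncludeDeletedObjects -Properties whenChanged, lastKnownParent, objectClass |
    Where-Object { $_.whenChanged -ge $start -and $_.whenChanged -lt $end }

# Review before restoring. A deleted object's name is "<name>\0ADEL:<guid>";
# strip the suffix so the original name shows next to the GUID you decide on.
$candidates |
    Select-Object ObjectGUID, objectClass, whenChanged, lastKnownParent,
        @{ n = 'OriginalName'; e = { $_.Name -replace '(?s)(\\0A|\n)DEL:.*$', '' } } |
    Format-Table -AutoSize

# 4. Intentional deletions to leave alone, confirmed with the other admin.
#    Keyed on ObjectGUID so a same-named object cannot be matched by mistake.
#    The GUID below is a constructed placeholder.
$keepDeleted = @{}
$keepDeleted['00000000-0000-0000-0000-000000000000'] = 'terminated employee, deleted 5 June'

# 5. Restore parents before children. A child of a deleted OU has
#    lastKnownParent set to the OU's mangled DN, so that DN is captured before
#    the OU is restored and then used to find the children.
function Restore-DeletedTree {
    param($Object, [string]$TargetPath)
    $guid = [string]$Object.ObjectGUID
    if ($keepDeleted.ContainsKey($guid)) {
        Write-Host "Skipping $guid : $($keepDeleted[$guid])"
        return
    }
    $deletedDN = $Object.DistinguishedName
    try {
        $restored = Restore-ADObject -Identity $Object.ObjectGUID -TargetPath $TargetPath -PassThru
    } catch {
        Write-Warning "Could not restore $deletedDN : $_"
        return
    }
    foreach ($child in ($candidates | Where-Object { $_.lastKnownParent -eq $deletedDN })) {
        Restore-DeletedTree -Object $child -TargetPath $restored.DistinguishedName
    }
}

# Roots are objects whose last known parent is still live (not in the Deleted
# Objects container); everything below them is reached through recursion.
$deletedContainer = "CN=Deleted Objects,$((Get-ADRootDSE).defaultNamingContext)"
$roots = $candidates | Where-Object { $_.lastKnownParent -notlike "*$deletedContainer" }
foreach ($root in $roots) {
    Restore-DeletedTree -Object $root -TargetPath $root.lastKnownParent
}

# Children whose deleted parent falls outside the window were not reached;
# widen the window or restore that parent explicitly.
$candidates |
    Where-Object { $_.lastKnownParent -like "*$deletedContainer" -and
                   -not ($candidates.DistinguishedName -contains $_.lastKnownParent) } |
    ForEach-Object { Write-Warning "Parent not in window: $($_.DistinguishedName)" }
```

Run it once with -WhatIf added to the Restore-ADObject call to see what would be restored, and fill $keepDeleted from that listing before the real run. Matching the exclusions on ObjectGUID rather than on the display name is deliberate: the terminated employee's account is exactly the kind of object that a name-based filter can miss when someone else has since created a similarly named account.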
Some of those limitations are the reason that people are still wondering about the AD Recycle Bin and finding our post two years later, so I’ll go into them a bit deeper.
Increased size of AD database
As Qasim Zaidi posted on Microsoft’s TechNet blog (login reqd.), “Before you enable AD Recycle Bin, it's always good to know the gotchas.” After you enable it, you’re likely to find that the NTDS.DIT (AD Database) will grow by 10 to 20 percent on every Domain Controller in the forest. Get ready for the storage and performance issues associated with that sudden increase in size.
Furthermore, Zaidi points out, the NTDS.DIT may continue to swell with each object you delete. When the AD Recycle Bin is not enabled, a deleted object becomes a tombstone: almost all of its attributes are stripped and it moves to the hidden Deleted Objects container. When the AD Recycle Bin is enabled, a deleted object is first logically deleted, which means it moves to the Deleted Objects container with all of its attributes intact and a mangled distinguishedName (DN), and it stays there for the whole deleted object lifetime; only after that does it become a recycled object, stripped of most attributes and held for the tombstone lifetime until garbage collection removes it. The upside is that you can undelete it during the deleted object lifetime; the downside is the additional storage and the potential drag on AD performance.
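The settings and counts behind that growth are easy to read from the directory itself. The following is an added PowerShell example, not from the original post or from Zaidi's article: it reads the deleted object lifetime and tombstone lifetime from the Directory Service object in the configuration partition, counts logically deleted versus recycled objects, and reports the size of the NTDS.DIT file on the domain controller it runs on. It assumes the RSAT ActiveDirectory module, that it is run on a domain controller, and the 365-day value in the commented Set-ADObject line is a constructed illustration.

```powershell
# Added example, not code from the original post: inspect the settings and the
# numbers behind AD Recycle Bin database growth. Run on a domain controller with
# the RSAT ActiveDirectory module; the DIT size check reads the local registry.
Import-Module ActiveDirectory

$rootDse = Get-ADRootDSE
$dsDN    = "CN=Directory Service,CN=Windows NT,CN=Services,$($rootDse.configurationNamingContext)"
$ds      = Get-ADObject -Identity $dsDN -Properties 'msDS-DeletedObjectLifetime', tombstoneLifetime

# An unset tombstoneLifetime means 60 days; an unset msDS-DeletedObjectLifetime
# means "same as tombstoneLifetime". Forests created on Windows Server 2003 SP1
# or later normally have tombstoneLifetime set to 180.
$tombstoneLifetime = if ($ds.tombstoneLifetime) { $ds.tombstoneLifetime } else { 60 }
$deletedLifetime   = if ($ds.'msDS-DeletedObjectLifetime') { $ds.'msDS-DeletedObjectLifetime' } else { $tombstoneLifetime }

# isDeleted without isRecycled marks the logically deleted objects that still
# carry all their attributes and can be restored; isRecycled objects have been
# stripped and are only waiting for garbage collection.
$deleted  = @(Get-ADObject -LDAPFilter '(&(isDeleted=TRUE)(!(isRecycled=TRUE))(!(name=Deleted Objects)))' -IncludeDeletedObjects)
$recycled = @(Get-ADObject -LDAPFilter '(isRecycled=TRUE)' -IncludeDeletedObjects)

# The database file this DC is using; record the size before enabling the
# feature so the growth afterwards can be measured rather than guessed.
$ntdsParams = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$ditPath    = $ntdsParams.'DSA Database file'
$ditMB      = [math]::Round((Get-Item $ditPath).Length / 1MB, 1)

[pscustomobject]@{
    DeletedObjectLifetimeDays = $deletedLifetime
    TombstoneLifetimeDays     = $tombstoneLifetime
    RestorableDeletedObjects  = $deleted.Count
    RecycledObjects           = $recycled.Count
    NtdsDitPath               = $ditPath
    NtdsDitSizeMB             = $ditMB
}

# To lengthen the restore window (constructed value: 365 days). A longer
# lifetime keeps full-attribute copies around longer, so the database grows more.
# Set-ADObject -Identity $dsDN -Partition $rootDse.configurationNamingContext `
#     -Replace @{ 'msDS-DeletedObjectLifetime' = 365 }
```

The two LDAP queries walk the whole Deleted Objects container, which can take a while in a large forest; run them against one domain controller per domain rather than in a loop over every DC, since the counts replicate and only the file size is DC-specific.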
It’s a Recycle Bin, not a recovery tool
Counting on the AD Recycle Bin is not a substitute for an AD recovery or migration rollback strategy. The Recycle Bin restores whole deleted objects, so don't rely on it to roll back modified attributes. If, for example, a faulty script overwrites the proxyAddresses attribute for a group of users, nothing has been deleted and the Recycle Bin has nothing to restore, let alone the previous attribute values on their own. And you certainly wouldn't rely on the AD Recycle Bin alone to roll back from a problem during migration.
Authoritative restore not the answer
Finally, suppose that you get really stuck and need to get something back after the deleted object lifetime has passed. You may be tempted to run an authoritative restore, but that means taking a domain controller into Directory Services Restore Mode, restoring its system state from a backup taken within the tombstone lifetime (which rolls that DC's entire copy of the database back to the time of the backup), and then using ntdsutil to mark just the objects you want as authoritative so they win replication, when all you wanted was a few individual objects. You're asking for downtime, complexity and the possibility of fouling up the AD database you're trying to repair. Microsoft introduced the Recycle Bin precisely so that deleted objects could be recovered without restoring from backup, restarting AD DS or rebooting domain controllers.
Recovery Manager for Active Directory — Tech Brief
There are plenty of ins and outs to Recycle Bin, Active Directory and recovering deleted objects. We’ve updated our tech brief “FAQ: Windows Server 2012 Recycle Bin and Recovery Manager for Active Directory” and the comparison chart showing the capabilities of different versions of Windows Server (see page 3 of the tech brief) alongside of Recovery Manager for Active Directory from Dell. It’s available for download right now, so find out more about the best way for you to recover deleted objects from the Windows Server Recycle Bin.
Still have questions? We’ll go into Recycle Bin and AD in even more detail.