Introduction to the Active Directory Recycle Bin Function

Source: Internet
Author: User

The Active Directory Recycle Bin is a new feature in Windows Server 2008 R2 that lets us easily restore accidentally deleted AD objects. Before describing how the Recycle Bin works, we will briefly review how Active Directory objects were restored in earlier Windows versions. This helps us better understand what changed in Windows Server 2008 R2.

In earlier Windows versions, deleted Active Directory objects could be restored in two ways: by performing an authoritative restore from an Active Directory backup, or by performing Tombstone Reanimation on the deleted object.

I. Authoritative Restore

An authoritative restore from an Active Directory backup lets us restore specific objects. Authoritative means that the state of the restored objects overwrites the information held on the other domain controllers. A non-authoritative restore, by contrast, is treated by Active Directory replication as old data and is overwritten.

Authoritative restore has two drawbacks. First, we can only restore objects to the state they had in the most recent backup. Second, the procedure is inconvenient: at a minimum we must stop the directory service and restart the domain controller in Directory Services Restore Mode, so no directory service is available on that domain controller during the restore.

II. Tombstone Reanimation

While Active Directory is online, we can perform Tombstone Reanimation on a deleted Active Directory object and change its attributes. The biggest drawback of this method, however, is that most of an object's attributes are stripped when it is deleted from Active Directory.

The main purpose of a tombstone object is to ensure that the deletion is replicated to all domain controllers. We can, however, configure Active Directory to preserve additional attributes on tombstone objects. Free tools also exist that make Tombstone Reanimation easy to perform, but the new Active Directory Recycle Bin is more convenient still.

Tombstone lifetime

Another noteworthy property of tombstone objects is that they make an authoritative restore possible. As long as a tombstone has not been physically removed by the garbage collection process, we can perform either an authoritative restore or Tombstone Reanimation. In Windows Server 2003/2008, the default tombstone lifetime is 180 days. An Active Directory backup cannot be used to restore a single object that is older than the tombstone lifetime; to keep backups usable for longer, the tombstone lifetime must be changed.
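As an added example (not from the original article), the following PowerShell reads the forest's tombstone lifetime, checks whether the Recycle Bin feature is enabled, and lists deleted objects with how many days remain before garbage collection removes them. It assumes the RSAT ActiveDirectory module is installed and that the caller can read the configuration partition and the Deleted Objects container; it is read-only and restores nothing.

```powershell
# Added example; not part of the original article. Assumes the RSAT ActiveDirectory
# module and read access to the configuration partition and Deleted Objects container.
Import-Module ActiveDirectory

$rootDse = Get-ADRootDSE
$dsPath  = "CN=Directory Service,CN=Windows NT,CN=Services,$($rootDse.configurationNamingContext)"

# tombstoneLifetime: days a tombstone survives before garbage collection removes it.
# If the attribute is unset, the forest uses its default (the article cites 180 days).
$ds = Get-ADObject -Identity $dsPath -Properties tombstoneLifetime
$tombstoneDays = if ($ds.tombstoneLifetime) { [int]$ds.tombstoneLifetime } else { 180 }

# Is the Recycle Bin optional feature enabled anywhere in the forest?
$rb = Get-ADOptionalFeature -Filter 'name -like "Recycle Bin Feature"'
$recycleBinOn = ($rb.EnabledScopes.Count -gt 0)

Write-Host "Tombstone lifetime : $tombstoneDays days"
Write-Host "Recycle Bin enabled: $recycleBinOn"

# Deleted objects still inside the tombstone lifetime can be reanimated (or, with the
# Recycle Bin, restored intact). whenChanged approximates the time of deletion.
$deleted = Get-ADObject -Filter 'isDeleted -eq $true' -IncludeDeletedObjects `
           -Properties whenChanged, lastKnownParent, isRecycled

# The Deleted Objects container itself is flagged isDeleted; skip it.
$deleted | Where-Object { $_.Name -ne 'Deleted Objects' } | ForEach-Object {
    $ageDays  = (New-TimeSpan -Start $_.whenChanged -End (Get-Date)).Days
    [PSCustomObject]@{
        Name            = $_.Name
        Class           = $_.ObjectClass
        LastKnownParent = $_.lastKnownParent
        DeletedDaysAgo  = $ageDays
        DaysUntilGC     = $tombstoneDays - $ageDays
        Recycled        = [bool]$_.isRecycled   # populated only once the Recycle Bin is on
    }
} | Sort-Object DaysUntilGC | Format-Table -AutoSize
```

Objects whose DaysUntilGC has reached zero are about to be garbage collected and can no longer be recovered by either method the article describes.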

If the Active Directory Recycle Bin is enabled, things are completely different. In the next section we summarize the principles behind the Recycle Bin, and in section 3 we explain how to use it.
