Active Directory recycle bin function Introduction 3

Source: Internet
Author: User

In the previous sections, Active Directory recycle bin function Introduction 1 and Active Directory recycle bin function Introduction 2, we briefly outlined the changes that the Active Directory Recycle Bin brings. Today, we want to look at how to actually use the Active Directory Recycle Bin.

Upgrade the AD function level to Windows Server 2008 R2

Before the Recycle Bin can be used, the AD functional level must be raised. In short, we must run ADPREP /FORESTPREP on the forest's schema master, then run ADPREP /DOMAINPREP on the infrastructure master, using the ADPREP version from the Windows Server 2008 R2 installation disk. We recommend that you refer to the article "how to upgrade the function level of the Active Directory domain to Server 2008 R2" on this website.

Enable AD Recycle Bin

Raising the AD functional level alone is not enough: the Recycle Bin feature must be explicitly enabled. Note: this process is irreversible. Once the Active Directory Recycle Bin is enabled, it cannot be disabled again. Since this step also affects our backup policy, we need to fully understand how the Recycle Bin works before enabling it.

You can enable the Recycle Bin in two ways: with PowerShell, or with ldp.exe, which is a GUI tool for managing the Lightweight Directory Access Protocol (LDAP). The ldp.exe procedure is long and error-prone, so we recommend PowerShell:

  Enable-ADOptionalFeature -Identity 'CN=Recycle Bin Feature,CN=Optional Features,CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=domain,DC=com' -Scope ForestOrConfigurationSet -Target 'domain.com'

We can copy this command and replace the domain name (both the DC= components and the -Target value) as needed. Enter the command in the Active Directory Module for Windows PowerShell, which you can find in the Administrative Tools folder of the "Start" menu on a Windows Server 2008 R2 domain controller. Remember to start the shell as an administrator.
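Because the enable step cannot be undone, it is worth checking the forest functional level and the feature's current state before running it. The following PowerShell is an added example and is not part of the original article; it assumes the Active Directory module (Get-ADForest, Get-ADOptionalFeature, Enable-ADOptionalFeature) is available and that the caller is an Enterprise Admin. The function names Test-RecycleBinPrerequisites and Enable-RecycleBinOnce are this example's own.

```powershell
# Added example: pre-flight check, then an idempotent, confirmable enable.
Import-Module ActiveDirectory

function Test-RecycleBinPrerequisites {
    $forest   = Get-ADForest
    # The Recycle Bin needs at least the Windows Server 2008 R2 forest functional level.
    $required = [Microsoft.ActiveDirectory.Management.ADForestMode]::Windows2008R2Forest
    # The feature can be looked up by name; EnabledScopes is empty until it has been enabled.
    $feature  = Get-ADOptionalFeature -Identity 'Recycle Bin Feature'

    [pscustomobject]@{
        Forest          = $forest.Name
        ForestMode      = $forest.ForestMode
        LevelSufficient = ($forest.ForestMode -ge $required)
        AlreadyEnabled  = ($feature.EnabledScopes.Count -gt 0)
        FeatureDN       = $feature.DistinguishedName
    }
}

function Enable-RecycleBinOnce {
    # SupportsShouldProcess gives the caller -WhatIf and a High-impact confirmation prompt.
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param()

    $state = Test-RecycleBinPrerequisites

    if (-not $state.LevelSufficient) {
        throw "Forest functional level '$($state.ForestMode)' is below Windows Server 2008 R2; raise it first."
    }
    if ($state.AlreadyEnabled) {
        Write-Verbose "Recycle Bin is already enabled in forest $($state.Forest); nothing to do."
        return $state
    }
    if ($PSCmdlet.ShouldProcess($state.Forest, 'Enable Active Directory Recycle Bin (irreversible)')) {
        # Use the DN the directory itself reports instead of a hand-typed one.
        Enable-ADOptionalFeature -Identity $state.FeatureDN `
                                 -Scope ForestOrConfigurationSet `
                                 -Target $state.Forest `
                                 -Confirm:$false
    }
    # Re-read so the caller sees the resulting state.
    Test-RecycleBinPrerequisites
}

# Usage:
#   Test-RecycleBinPrerequisites          # inspect only
#   Enable-RecycleBinOnce -WhatIf         # dry run
#   Enable-RecycleBinOnce                 # prompts once, then enables
```

Running Test-RecycleBinPrerequisites first, and keeping the -WhatIf path, is the practical guard against enabling the feature in the wrong forest; the EnabledScopes check also makes the function safe to re-run in a script.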

Recovering an AD object through the recycle bin

Microsoft's documentation also describes two ways to recover deleted objects from the Recycle Bin (PowerShell and ldp.exe). However, I personally feel that neither method is convenient. If you want to quickly restore an AD object that was accidentally deleted, you certainly do not want to type a long string of PowerShell commands. Using the ldp.exe GUI is not much more convenient, because restoring an object that way takes seven steps and requires a large amount of information. If you need to restore several objects, this method is far too troublesome.

Fortunately, there are easier ways to restore AD objects from the Recycle Bin than these two methods. We can use free tools such as Quest Object Restore for Active Directory or ADRestore.NET. These two tools were originally written to restore tombstone objects, but they work equally well for objects deleted in a Windows Server 2008 R2 domain. If you use them in a Server 2008 R2 domain that has not enabled the Recycle Bin, or in a domain at an earlier functional level, you can only restore the tombstone object, that is, an object that has lost most of its attributes. In a domain with the Recycle Bin enabled, however, all attributes of the deleted object are restored. The two tools offer similar functionality.

PowerShell is applicable if you want to restore a large number of objects. Microsoft TechNet provides some demo scripts. However, if you only need to restore several objects, using the two tools described above will be faster.
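For the "many objects" case mentioned above, the following PowerShell is an added example (not one of the TechNet demo scripts and not from the original article). It assumes the Active Directory module is loaded, that the Recycle Bin is enabled, and that the caller may read the Deleted Objects container. It handles the one failure mode that catches people most often: Restore-ADObject refuses to restore a child whose original parent container is itself still deleted, so the function walks lastKnownParent upward and restores parents first. The function names Get-DeletedADObjects and Restore-ADObjectWithParents are this example's own.

```powershell
# Added example: list deleted objects and restore them parent-first.
Import-Module ActiveDirectory

function Get-DeletedADObjects {
    param(
        [string]$NameLike = '*',            # deleted names look like 'John Doe\0ADEL:<guid>'
        [datetime]$DeletedAfter = [datetime]::MinValue
    )
    # -IncludeDeletedObjects is mandatory for this query; skip the container itself.
    Get-ADObject -Filter { isDeleted -eq $true -and name -ne 'Deleted Objects' } `
                 -IncludeDeletedObjects `
                 -Properties lastKnownParent, whenChanged, objectClass, sAMAccountName |
        Where-Object { $_.Name -like $NameLike -and $_.whenChanged -ge $DeletedAfter } |
        Select-Object Name, objectClass, sAMAccountName, whenChanged, lastKnownParent, ObjectGUID
}

function Restore-ADObjectWithParents {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory, ValueFromPipeline)]$DeletedObject)

    process {
        $parentDn = $DeletedObject.lastKnownParent
        # If the parent now lives under CN=Deleted Objects, it was deleted too (for example an OU
        # removed together with its users). Restore it first, recursively.
        if ($parentDn -match 'CN=Deleted Objects,') {
            $parent = Get-ADObject -Identity $parentDn -IncludeDeletedObjects -Properties lastKnownParent
            Restore-ADObjectWithParents -DeletedObject $parent -WhatIf:$WhatIfPreference
        }
        if ($PSCmdlet.ShouldProcess("$($DeletedObject.Name) -> $parentDn", 'Restore')) {
            # Restore by GUID: the DN of a deleted object contains a NUL and is awkward to pass by hand.
            Restore-ADObject -Identity $DeletedObject.ObjectGUID
        }
    }
}

# Usage:
#   Get-DeletedADObjects -DeletedAfter (Get-Date).AddDays(-7)              # what went missing this week
#   Get-DeletedADObjects -NameLike 'Sales*' | Restore-ADObjectWithParents -WhatIf
#   Get-DeletedADObjects -NameLike 'Sales*' | Restore-ADObjectWithParents
```

After a restore, confirm that the object came back with its attributes (group membership, description, and so on) rather than as a bare tombstone; that difference is exactly what the Recycle Bin adds over tombstone reanimation.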

Change the validity period of deleted objects

A deleted object can only be restored within its deleted object lifetime (the validity period), which defaults to 180 days. Generally, this period is sufficient for objects that were accidentally deleted. However, the deleted object lifetime also limits how old a backup can be and still be used to recover AD objects. In some environments, 180 days may be a little short.

Many backup policies retain backups for one year. If you want to restore a specific object but deleted objects only live for 180 days, the older backups are useless. We can change the lifetime, and although the process is somewhat involved, it only has to be done once, so that does not matter much.
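The article does not show the change itself; the following PowerShell is an added example, not from the original page, of how that one-time adjustment is made. It assumes the Active Directory module, Enterprise Admin rights, and that the forest stores these values on the standard Directory Service object under the Configuration partition. The function names Get-ADObjectLifetimes and Set-ADObjectLifetimes are this example's own; the attribute names msDS-DeletedObjectLifetime and tombstoneLifetime are the real AD attributes.

```powershell
# Added example: read and raise the deleted object lifetime (and tombstone lifetime) forest-wide.
Import-Module ActiveDirectory

# Build the DN from the directory rather than hard-coding the domain.
$configNC = (Get-ADRootDSE).configurationNamingContext
$dsObject = "CN=Directory Service,CN=Windows NT,CN=Services,$configNC"

function Get-ADObjectLifetimes {
    $o = Get-ADObject -Identity $dsObject -Partition $configNC `
                      -Properties msDS-DeletedObjectLifetime, tombstoneLifetime
    [pscustomobject]@{
        # $null here means "not set", in which case AD uses the tombstone lifetime.
        DeletedObjectLifetimeDays = $o.'msDS-DeletedObjectLifetime'
        TombstoneLifetimeDays     = $o.tombstoneLifetime
    }
}

function Set-ADObjectLifetimes {
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param([ValidateRange(1, 3650)][int]$Days = 365)

    # Both values are raised together: after the deleted object lifetime an object becomes
    # "recycled" and can no longer be restored, and after the tombstone lifetime it is purged.
    # A backup older than the tombstone lifetime cannot be used for an authoritative restore,
    # so a one-year backup policy needs both set to at least 365.
    if ($PSCmdlet.ShouldProcess($dsObject, "Set deleted object and tombstone lifetime to $Days days")) {
        Set-ADObject -Identity $dsObject -Partition $configNC `
                     -Replace @{ 'msDS-DeletedObjectLifetime' = $Days; 'tombstoneLifetime' = $Days }
    }
    Get-ADObjectLifetimes
}

# Usage:
#   Get-ADObjectLifetimes               # show current values (defaults: 180 / 180 on a new 2008 R2 forest)
#   Set-ADObjectLifetimes -Days 365 -WhatIf
#   Set-ADObjectLifetimes -Days 365
```

Raising these values increases the size of the directory, because deleted and recycled objects are kept longer on every domain controller, so agree the new value with whoever owns the backup policy before changing it.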

The author believes that the new Active Directory Recycle Bin is a major improvement in Windows Server 2008 R2. Accidental deletion of AD objects can cause real trouble, because recovering them is not as simple as restoring files. In my opinion, the Recycle Bin alone is reason enough to upgrade to the Server 2008 R2 functional level.

Unfortunately, the Recycle Bin does not cover everything that third-party AD recovery tools such as Blackbird Recovery or Quest Recovery Manager provide. The Recycle Bin also lacks features such as disaster recovery, attribute-level recovery, and GPO recovery.

We hope this series of Active Directory recycle bin functions will be helpful to readers.
