In the previous section, "Active Directory Recycle Bin Function Introduction 1", we briefly outlined how to restore an Active Directory object in Windows Server 2003/2008. In this section, we explain the new features and changes that the Active Directory Recycle Bin brings. Let's take a look at how the recycle bin improves the recovery of Active Directory objects.
Advantages of Active Directory Recycle Bin
Using the new recycle bin function has three advantages:
1. We can restore an Active Directory object to the state it was in just before it was deleted, not only to the state captured in the last available backup.
2. You do not need to stop the directory service during the recovery and authoritative restore steps.
3. Unlike Tombstone Reanimation, all attributes of the object are restored.
Requirements for Active Directory Recycle Bin
Recovering Active Directory objects from the recycle bin must meet the following four requirements:
1. At least one domain controller must run Windows Server 2008 R2.
2. The functional level of Active Directory must be Windows Server 2008 R2.
3. The Active Directory recycle bin must be enabled.
4. The deleted object must not have exceeded the deleted object validity period.
Deleted Object Validity Period
The deleted object validity period is a new concept in Windows Server 2008 R2. It determines how long deleted objects are retained in the Deleted Objects container, the recycle bin. By default, a deleted object is valid for 180 days; after this period, the object is recycled. Note: if the recycle bin is not enabled in an Active Directory whose functional level has reached Windows Server 2008 R2, everything works as in Windows Server 2003/2008; that is, deleted objects in this sense do not exist.
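Before relying on the recycle bin, a practitioner will want to verify the four requirements above and see the lifetimes that decide how long a deleted object stays restorable. The following read-only PowerShell check is an added example, not code from the original article; it assumes the ActiveDirectory module (RSAT) is installed and that the account can read the configuration partition.

```powershell
# Added example: read-only check of the AD Recycle Bin prerequisites.
# Assumes the ActiveDirectory module (RSAT) and read access to the
# configuration partition; nothing here modifies the directory.
Import-Module ActiveDirectory

$forest  = Get-ADForest
$rootDse = Get-ADRootDSE

# 1. At least one domain controller running Windows Server 2008 R2 (or later).
$dcs     = Get-ADDomainController -Filter * | Select-Object HostName, OperatingSystem
$hasR2Dc = @($dcs | Where-Object { $_.OperatingSystem -match '2008 R2|201\d|202\d' }).Count -gt 0

# 2. Forest functional level at least Windows Server 2008 R2.
$r2Level = [Microsoft.ActiveDirectory.Management.ADForestMode]::Windows2008R2Forest
$levelOk = [int]$forest.ForestMode -ge [int]$r2Level

# 3. Recycle Bin optional feature enabled (EnabledScopes stays empty until it is).
$feature = Get-ADOptionalFeature -Identity 'Recycle Bin Feature'
$binOn   = $feature.EnabledScopes.Count -gt 0

# 4. Lifetimes that bound how long a deleted object can still be restored.
#    Both attributes live on the Directory Service object in the configuration
#    partition. If msDS-DeletedObjectLifetime is not set, the deleted object
#    lifetime falls back to tombstoneLifetime.
$dsDn     = 'CN=Directory Service,CN=Windows NT,CN=Services,' + $rootDse.configurationNamingContext
$dsObject = Get-ADObject -Identity $dsDn -Properties tombstoneLifetime, 'msDS-DeletedObjectLifetime'
$tombstoneDays = $dsObject.tombstoneLifetime
$deletedDays   = $dsObject.'msDS-DeletedObjectLifetime'
if (-not $deletedDays) { $deletedDays = $tombstoneDays }

# Summary object: one row a defender can log or compare across forests.
[PSCustomObject]@{
    Forest                    = $forest.Name
    ForestFunctionalLevel     = $forest.ForestMode
    LevelIs2008R2OrHigher     = $levelOk
    HasServer2008R2DC         = $hasR2Dc
    RecycleBinEnabled         = $binOn
    RecycleBinEnabledScopes   = ($feature.EnabledScopes -join '; ')
    TombstoneLifetimeDays     = $tombstoneDays
    DeletedObjectLifetimeDays = $deletedDays
    ReadyForRecycleBinRestore = ($hasR2Dc -and $levelOk -and $binOn)
}
```

If RecycleBinEnabled is false, the directory still behaves as in Windows Server 2003/2008 and only tombstone reanimation or a backup restore is available.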
Recycled Object vs. Tombstone Object
Like a Tombstone object, a recycled object retains only a few of the attributes of the original object. However, there is a fundamental difference between the two: you cannot perform a Reanimation operation on a recycled object, nor can you restore it from a backup. The purpose of the recycled state is to ensure that the deletion of the object is completely replicated to every domain controller.
Like the Tombstone validity period, the validity period of a recycled object determines how long a domain controller keeps the recycled object's information. It therefore sets the limit on how long a domain controller may be offline, or how long its replication may keep failing.
It is worth noting that once the recycle bin is enabled, all existing Tombstone objects become recycled objects. As explained above, this means that we can no longer recover these objects from a backup, even if their Tombstone lifetime has not expired. Tombstone objects do not exist in an Active Directory where the recycle bin is enabled.
I hope you now understand why we need to raise the functional level and why we need to enable the feature explicitly. In the next section, "How to enable and use the Active Directory recycle bin", we will continue the explanation.