Last Updated on January 16, 2018 by Dishan M. Francis
Most common active directory related disasters are due to accidently deleted objects. Once object is deleted from active directory, it is not permanently deleteing from the active directory same time. As soon as an object deleted, it will set the isDeleted object value to True and move the object under CN=Deleted Object.
Then the it is stay there till system reaches the tombstone lifetime value. By default, it is 180 days and this can be change if required. As soon as object passes the tombstone lifetime, it is available for permanent deletion. When I explain about the active directory database in previous section I mentioned about “online defragmentation”. It is uses garbage collector service to remove the deleted objects from the active directory database and release that space to database. This service runs in every 12 hours’ time. Once deleted object exceeded the tombstone lifetime value, it will be permanently removed in next garbage collector service cycle. the problem with this one is, during the tombstone process most of the object values are striped off. So even you were able to recover, these objects values will need to re-enter.
With windows server 2008 R2, Microsoft introduced Active Directory Recycle Bin feature. When this feature is enabled, once object is deleted, it’s still set isDeleted object value to True and move the object under CN=Deleted Object. but instead of tombstone lifetime, now its control by Deleted Object Lifetime (DOL). Object attributes will remain same in this stage and it is recoverable easily. By default, the DOL value is equal to tombstone lifetime. This value can change by modifying msDS-deletedObjectLifetime object value. Once its exceeded the DOL, it is moved in to Recycled state and isRecycled object value set to True. By this state, it will not be able to recovered and it will be in that state till tombstone lifetime value exceed. After it reach the value it will be permanently delete from the AD.
Active Directory Recycle Bin feature required minimum of windows server 2008 R2 domain and forest functional level. Once this feature is enabled it cannot be disabled.
This feature can be enable using,
Enable-ADOptionalFeature 'Recycle Bin Feature' -Scope ForestOrConfigurationSet -Target rebeladmin.com
In above -Target can be change with your domain name.
Once it is enabled, we can revive the objects which is deleted using,
Get-ADObject -filter 'isdeleted -eq $true' -includeDeletedObjects
It will search for the objects where isdeleted attributes set to true.
Now we know the deleted object and it can be restore using,
Get-ADObject -Filter 'samaccountname -eq "dfrancis"' -IncludeDeletedObjects | Restore-ADObject
The above will restore user object dfrancis.
This marks the end of this blog post. Hope this was useful. If you have any questions feel free to contact me on firstname.lastname@example.org also follow me on twitter @rebeladm to get updates about new blog posts.