 |
|
||||
|
Windows Server 2008 R2: Introducing the AD Recycle BinBy John PolicelliOctober 22, 2009
The accidental deletion of objects is a problem with which most Active Directory administrators are far too familiar. Prior to Windows Server 2008 R2, recovering from an accidental deletion required an authoritative restore, a time-consuming process. However, the Active Directory Recycle Bin, which is a new feature in Windows Server 2008 R2, allows administrators to recover Active Directory objects that were accidentally deleted in a timely manner. The Four States of the Active Directory Recycle BinThe Active Directory Recycle Bin, once enabled, changes the lifecycle of Active Directory objects, as shown in the following figure.  The Lifecycle of Active Directory Objects The Active Directory object lifecycle consists of four states once the Active Directory Recycle Bin is enabled. Live State: The Live state represents the state of an Active Directory object when it is live the directory. Deleted State: When an object is deleted from the Active Directory, the object is put into the Deleted state, and the object is logically deleted from the directory. A logical deletion consists of the following:
Enabling the Active Directory Recycle BinThe Active Directory Recycle Bin is considered an optional feature and is not enabled by default. However, before you can go ahead and enable the Active Directory Recycle Bin, there are a few things to consider. First, the Active Directory Recycle Bin requires a forest-functional level of Windows Server 2008 R2, which means all current and future domain controllers must have at least Windows Server 2008 R2 installed, and your domains must have a domain-functional level of Windows Server 2008 R2. If you meet the forest-functional level prerequisite, there is one more important consideration you must be aware of before you go ahead and enable the Active Directory Recycle Bin. In Windows Server 2008 R2, you can lower the functional level back to Windows Server 2008, provided you have not enabled the Active Directory Recycle Bin. Therefore, you must be absolutely certain you will not lower the functional level before you go ahead and enable the Active Directory Recycle Bin feature. Once you meet the prerequisite, and you are ok with limiting yourself from lowering the functional level in future, you can use the Enable-AD OptionalFeature PowerShell cmdlet, which is included with the Active Directory Module for Windows PowerShell, to enable the Active Directory Recycle Bin. Using the Active Directory Recycle BinMicrosoft has not included any new graphical tools that can be used with the Active Directory Recycle Bin. However, a number of PowerShell cmdlets included in the Active Directory Module for Windows PowerShell are useful when using the Active Directory Recycle Bin. The Restore-ADObject PowerShell cmdlet is what you use to restore deleted objects using the Recycle Bin. John Policelli (Microsoft MVP for Directory Services, MCTS, MCSA, ITSM, iNet+, Network+, and A+) is a solutions-focused IT consultant with over a decade of combined success in architecture, security, strategic planning and disaster recovery planning. John has designed and implemented dozens of complex directory service, e-Messaging, web, networking, and security enterprise solutions. John is the author of Active Directory Domain Services 2008 How-To (Sams Publishing). He maintains a blog at http://policelli.com/blog. Follow Enterprise IT Planet on Twitter
|
|
|
|
Email
Print
Digg This
Add to del.icio.us
