Active Directory Recycle Bin

In the best of all worlds we wouldn’t be in a position where we needed to recover an Active Directory object that we have deliberately or accidentally deleted.

Aside: When writing examples for training kits, always make sure that you specify the clumsy subordinate, not the IT Pro, as the one that does something that might charitably be described as “creative”. That way the IT Pro gets to come in and save the day.

If you’ve ever had to boot into Directory Services Restore Mode to recover deleted AD objects, you know that the process of recovering them requires a little bit of patience. A big limitation of restore mode was that you could only restore objects to the state they were in when you took the last system state backup. As most accidental deletions occur during directory reorganizations, the state the object was in when backed up probably won’t reflect the state it was in when it was deleted (unless you were smart and did your backup prior to mucking about with the structure of AD – which you should have, but let’s not go there).

In Windows Server 2008 R2’s Active Directory, objects not only have a tombstone lifetime, but also have what is called a deleted object lifetime. When something is deleted in a 2K8R2 environment, it can be restored using the Active Directory Recycle Bin during its deleted object lifetime. Once that has expired, the object can only be restored within its tombstone lifetime using an AD restore from backup. The advantage of the AD Recycle Bin is that you can restore objects to the state they were in when you deleted them, not to the state they were in when you took the last backup.

The catch with Active Directory Recycle Bin is that all domain controllers must be running 2K8R2 and the domain and forest functional levels must be raised to 2K8R2 as well. This means you cannot take advantage of this technology if you still have Win 2K3 DCs, or even if you have a couple of vanilla 2K8 DCs.

Once the domain and forest functional levels are at the appropriate level, issue the following command from an Active Directory PowerShell prompt that you are running as an administrator (when logged on to a DC in the forest root as a member of the Enterprise Admins group):

Enable-ADOptionalFeature -Identity 'CN=Recycle Bin Feature,CN=Optional Features,CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=windowsitpro,DC=internal' -Scope ForestOrConfigurationSet -Target 'windowsitpro.internal'

You can locate deleted objects either by using LDP.EXE and viewing the CN=Deleted Objects container, or by using the Get-ADObject cmdlet with the -IncludeDeletedObjects option from Active Directory PowerShell. You can restore objects using Restore-ADObject from Active Directory PowerShell. You can get examples of how to use each by issuing the get-help Get-ADObject and get-help Restore-ADObject commands from within Active Directory PowerShell. Microsoft also has some examples on the following TechNet page:
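As an added example (not from the original post), the following script ties the two cmdlets together: it finds a deleted user by name, restores any OU that was deleted along with it so the account lands back in its original location, and then restores the account. It assumes the ActiveDirectory module, an already enabled Recycle Bin, and a constructed domain windowsitpro.internal containing a deleted account 'jdoe'.

```powershell
# Added example, not part of the original post. Assumes the ActiveDirectory
# module, an enabled Recycle Bin, and constructed sample names below.
Import-Module ActiveDirectory

$Server         = 'windowsitpro.internal'   # constructed sample domain
$SamAccountName = 'jdoe'                    # constructed sample account

function Restore-ADObjectWithParents {
    # Restore-ADObject puts an object back under its lastKnownParent. If that
    # OU was deleted in the same reorganisation the restore fails, so walk up
    # the chain and restore deleted ancestors first (outermost OU first).
    param(
        [Parameter(Mandatory)] $DeletedObject,
        [Parameter(Mandatory)] [string] $Server
    )
    $parent = Get-ADObject -Server $Server -IncludeDeletedObjects `
        -Identity $DeletedObject.lastKnownParent `
        -Properties isDeleted, lastKnownParent
    if ($parent.isDeleted) {
        Write-Host "Parent $($parent.DistinguishedName) is deleted too; restoring it first."
        Restore-ADObjectWithParents -DeletedObject $parent -Server $Server
    }
    Restore-ADObject -Server $Server -Identity $DeletedObject.ObjectGUID
    Write-Host "Restored $($DeletedObject.DistinguishedName)"
}

# Deleted objects are hidden from ordinary searches; -IncludeDeletedObjects
# exposes them. Filtering on isDeleted=TRUE avoids matching a live account
# that has since reused the same name.
$deleted = @(Get-ADObject -Server $Server -IncludeDeletedObjects `
    -LDAPFilter "(&(isDeleted=TRUE)(sAMAccountName=$SamAccountName))" `
    -Properties sAMAccountName, lastKnownParent, whenChanged)

if ($deleted.Count -eq 0) {
    throw "No deleted object named '$SamAccountName'. It may be past its deleted object lifetime, in which case only a restore from backup can bring it back."
}
if ($deleted.Count -gt 1) {
    # The same name may have been deleted more than once; whenChanged shows
    # when each copy was deleted so the right one can be chosen by GUID.
    $deleted | Format-Table DistinguishedName, ObjectGUID, whenChanged -AutoSize
    throw "Ambiguous match; rerun Restore-ADObject -Identity <ObjectGUID> for the intended copy."
}

Restore-ADObjectWithParents -DeletedObject $deleted[0] -Server $Server

# Confirm the account is live again and no longer carries isDeleted.
Get-ADUser -Server $Server -Identity $SamAccountName -Properties isDeleted |
    Select-Object DistinguishedName, Enabled, isDeleted
```

Because the restore is replicated like any other change, run it against a single DC (as -Server does here) and give replication time to converge before checking other DCs.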

In the best of all worlds there would probably be a nice GUI front end to all of this so that you could simply right click on a deleted object and select Restore. Although Active Directory Recycle Bin saves us from having to reboot into Directory Services Restore Mode, until you are comfortable with the PowerShell commands (or LDP.exe), it can be a little fiddly.
