Using AD Recycle Bin For Mailbox Recovery

Eliminate frustration by using logic—and this Server 2008 R2 tool

When a user is accidentally deleted from Active Directory (AD), your first thought might be to panic. What happens to that user? How do I bring the user object back? What about the connection between the mailbox and the user? All excellent questions, and all better handled with logic.

In logic, a conditional statement is a compound statement formed by combining two sentences (or facts) using “If/Then.” For every if that might happen within your network, you need to know what your then will be.

For example, if a user is accidentally deleted from AD and if you’re using Windows Server 2008 R2 with a forest level raised to Server 2008 R2 and the AD Recycle Bin enabled, then you will restore that user through Windows PowerShell by using the Restore-ADObject cmdlet.

Wait: Perhaps we’re moving a bit too fast with that last portion.

Let’s take it from the top: Your options have broadened with the release of Server 2008 R2 and its new Active Directory Recycle Bin. Combining this new tool, and the time-proven tool of logic, you can make troubleshooting deleted user objects and recovering users in AD easier.

The AD Recycle Bin lets you recover a deleted user object through the use of PowerShell or the LDP tool. In this article, I focus on Server 2008 R2 domain controllers (DCs) and Exchange 2007 mailbox servers running on Server 2008/Windows Server 2003 member servers, although it could apply as well to Exchange 2010 servers running on Server 2008 or Server 2008 R2 servers.

The only part of the process that has changed since Exchange 2000 is the recovery element.

With Exchange 2000 and 2003 if you deleted a user, the mailbox was deleted with it. That mailbox wasn’t permanently deleted but simply flagged for deletion and held for the duration of the mailbox retention period. After that period expired, the mailbox was purged. Although the mailbox was flagged for deletion, you could restore it using the Cleanup Agent on the Mailbox store.

With the use of the AD Recycle Bin you can recover your users quickly and reconnect them to their mailboxes within moments.

The AD Recycle Bin is a feature that must first be enabled for your organization. Before you can enable it, all your DCs within the forest need to be running Server 2008 R2, and you need to raise the forest functional level to Server 2008 R2 as well. (To learn more about the AD Recycle Bin in Server 2008 R2, plus how to enable it and undelete an object from it, see these three FAQs by John Savill at InstantDoc ID 102221, 102222, and 102224.)

To enable the AD Recycle Bin, open PowerShell and use the Enable-ADOptionalFeature cmdlet and the necessary syntax to enable it specifically for your environment. The FAQs above and this Microsoft article tell more about how to enable the Recycle Bin.

After you enable the Recycle Bin feature for AD, all items that are deleted will be restorable because the Recycle Bin will look for the IsDeleted attribute set to True, and an object with that setting can be brought back from that point.
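The checks and the enable step described above, written out as an added PowerShell example (this is not code from the article; the forest name is taken from Get-ADForest, and the property values shown in comments are what you would expect on a forest that meets the prerequisites):

```powershell
# Added example: verify the prerequisites the article lists, then enable the AD Recycle Bin.
# Run from an elevated PowerShell on a Server 2008 R2 DC (or Windows 7 with RSAT).
Import-Module ActiveDirectory

$forest = Get-ADForest

# Prerequisite 1: every DC in the forest must run Server 2008 R2.
Get-ADDomainController -Filter * | Select-Object HostName, OperatingSystem

# Prerequisite 2: forest functional level must be Server 2008 R2 (value Windows2008R2Forest).
$forest.ForestMode

# Has the feature already been turned on? EnabledScopes stays empty until it is.
Get-ADOptionalFeature -Filter { Name -like "Recycle Bin Feature" } |
    Select-Object Name, EnabledScopes

# Enabling is a one-way change for the forest, so the cmdlet prompts for confirmation.
# Objects deleted before this point are NOT recoverable through the Recycle Bin.
Enable-ADOptionalFeature -Identity 'Recycle Bin Feature' `
                         -Scope ForestOrConfigurationSet `
                         -Target $forest.Name
```

Run the first three commands on their own before the last one; if ForestMode reports anything lower than Windows2008R2Forest, raise the level first, because Enable-ADOptionalFeature will refuse to proceed.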

Keep in mind that there are two different sides to this story: the AD side and the Exchange side. Now, in many small to midsized organizations these two sides are combined and one person oversees them or a small team of people who have permissions and access within both.

In larger companies, however, you might be dealing with two separate teams. In that case you will need cooperation between the two to accomplish the goal of recovering a user and reconnecting that user to the mailbox.

To understand the process of troubleshooting a deleted user and/or deleted mailbox, keep a few facts in mind. A functioning user mailbox requires three things:
1. A user object must exist (or be created during the mailbox creation process) in order to attach or assign the Exchange mailbox attributes to it.
2. Exchange attributes are tied to a user object.
3. The user must either log in or receive mail to that mailbox. When you create a mailbox, Exchange attributes are added to the user object in AD; however, the associated mailbox data isn’t added until you log in or receive mail.

To restore a user by using the Get-ADObject and Restore-ADObject cmdlets, you need to be running Server 2008 R2 (or Windows 7 with the Remote Server Administration Tools—RSAT), because the AD module for PowerShell is one of the new features in Server 2008 R2 and the module can be installed only on Server 2008 R2 or Windows 7 systems.

The RSAT tools let you manage roles and features that are installed on computers that are running Server 2008, Windows 2003, and Server 2008 R2. (They can be downloaded at the Microsoft download site.) 

Now, let’s use those If/Then statements I mentioned at the beginning of this article. Every If statement implies a Then as you troubleshoot the issue:

What happens if a user is deleted from AD using the AD Console or Active Directory Users and Computers? Does his mailbox remain in the recipients container? Does it move over to the Disconnected Mailbox section? Is it lost forever?

Well, if you delete the user, the mailbox disappears with it. To restore both you would use the AD Recycle Bin cmdlets in PowerShell, and restoring the user automatically restores the mailbox as well.

So, for example, if the user is “Logan Smith”, and that user has been deleted from within the Active Directory Users and Computers console, you would open a PowerShell prompt on the DC (for the sake of ease) and type:

Get-ADObject -Filter {displayName -eq "Logan Smith"} -IncludeDeletedObjects | Restore-ADObject

The result: The user object is restored and the mailbox is restored to the Recipients container in Exchange as well. Two items get corrected in one step.
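A more careful version of that one-liner, added here as an example rather than taken from the article: it restricts the search to objects that are actually deleted, refuses to run if the name is ambiguous, and then reads back the Exchange attributes on the restored user to confirm that the mailbox link came back with it. The user name is the article's placeholder.

```powershell
# Added example: restore a deleted user by display name, with a guard against
# restoring the wrong object, and verify the Exchange attributes returned with it.
Import-Module ActiveDirectory

$name = 'Logan Smith'   # placeholder from the article

# -IncludeDeletedObjects returns live objects too, so filter on isDeleted explicitly;
# displayName survives deletion even though Name is rewritten to "...\0ADEL:<guid>".
$candidates = @(Get-ADObject -Filter { displayName -eq $name -and isDeleted -eq $true } `
                             -IncludeDeletedObjects `
                             -Properties lastKnownParent, whenChanged)

# Exactly one match is required; several deleted "Logan Smith" objects would
# otherwise all be restored by the pipeline.
if ($candidates.Count -ne 1) {
    Write-Warning "Expected one deleted user named '$name', found $($candidates.Count)."
    $candidates | Format-Table Name, lastKnownParent, whenChanged -AutoSize
    return
}

# Restore-ADObject puts the object back under lastKnownParent, which must still exist.
$candidates[0] | Restore-ADObject

# The mailbox attributes live on the user object, so they are restored with it.
Get-ADUser -Filter { displayName -eq $name } `
           -Properties mailNickname, homeMDB, msExchMailboxGuid |
    Select-Object Name, mailNickname, homeMDB, msExchMailboxGuid
```

If homeMDB and msExchMailboxGuid come back populated, the mailbox should reappear in the Recipients container without any further step, which is the one-step case the article describes.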

Note that I’m only talking about the server side of Server 2008 and Server 2008 R2 for the restore in this way. You could have legacy servers in play but for the most part I am looking at Exchange 2007 and Exchange 2010.

What happens if you right-click a mailbox in the Recipients container and choose Disable? The mailbox goes to the Disconnected Mailbox section. (This doesn’t mean items are removed from the mailbox database; instead, it just puts the mailbox in a safe, limbo state.)

You can, at that time, restore the mailbox to its original user or you can choose to restore the mailbox to another user. Note that one of the benefits to this approach is that you can restore a mailbox of a former employee to another user.

What happens if you disable a mailbox, then delete the user account that was associated with that mailbox? The mailbox is still available for the length of time set for the Deleted Mailbox Retention period.

You can create a new user and connect the mailbox to that new user (or to an existing user who doesn’t have a mailbox associated with it) or you can use the AD Recycle Bin to restore the user who was deleted.

But the trick here is to reconnect the mailbox to the user who was deleted if that was your intent. It won’t happen automatically like it does if you delete a user account, and the mailbox is still connected to the user at the time.

The result: You’ve completed a two-step process. You restored the user object, then reconnected the mailbox to that user.

What if you right-click a mailbox and choose Remove from the menu options? The warning says the user object will be removed and the mailbox will be marked for removal as well. Here is where we see all the information we have collide.

The user will be removed from AD. The mailbox will be placed in the Disconnected Mailboxes.

However, this time, restoring the user doesn’t automatically restore the mailbox as it did when we deleted the user account from within the AD console. Restoring the user account from the Recycle Bin will restore the account only. You will still have to reconnect the mailbox with that account, if that is your goal.
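The two-step recovery that both the disable-then-delete scenario and the Remove scenario require, as an added example (not the article's own code). It assumes the Active Directory module and the Exchange Management Shell cmdlets are both available in the same session, and the user name and database name are placeholders.

```powershell
# Added example: step 1 restores the user from the AD Recycle Bin, step 2 finds the
# disconnected mailbox in the store and reconnects it to that user.
Import-Module ActiveDirectory

$name = 'Logan Smith'          # placeholder user
$db   = 'Mailbox Database 1'   # placeholder mailbox database

# Step 1: bring the user object back. This alone does not reconnect the mailbox
# in these scenarios, because the mailbox was already disconnected when the user went.
Get-ADObject -Filter { displayName -eq $name -and isDeleted -eq $true } -IncludeDeletedObjects |
    Restore-ADObject

# Step 2: locate the disconnected mailbox. Nothing in AD points at it any more;
# the store tracks it with a non-null DisconnectDate in the mailbox statistics.
$orphan = Get-MailboxStatistics -Database $db |
    Where-Object { $_.DisconnectDate -ne $null -and $_.DisplayName -eq $name }

if (-not $orphan) {
    Write-Warning "No disconnected mailbox named '$name' in '$db'. Check the retention period."
    return
}

# Reconnect by MailboxGuid rather than display name, which is unambiguous even if
# more than one disconnected mailbox carries the same name.
Connect-Mailbox -Identity $orphan.MailboxGuid -Database $db -User $name

# Confirm the link: the user now resolves as a mailbox-enabled recipient.
Get-Mailbox -Identity $name | Select-Object Name, Database, ExchangeGuid
```

The same step 2 works when you want to attach the mailbox to a different, newly created user instead: pass that user's identity to -User.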

A Review of Options
Keep in mind that this entire exercise was meant to supply all the facts that you need to form logical resolutions to problems that occur when items are deleted. You just put the facts into simple statements of If/Then.

• If an AD user has a functioning mailbox (that is, the user logged into it or received mail to it) and if that user is deleted from within the AD tools, then the mailbox disappears with the user. Both will be restored when you use the AD Recycle Bin.

• If that same user’s mailbox was disabled before being deleted, then the mailbox would have moved over to the Disconnected Mailbox location. It could be reattached to that user when it’s restored using the Recycle Bin, or it could be attached to another existing or newly created user object that currently has no mailbox attached.

• If the mailbox is removed from within the Exchange Management Console, the user object would be removed at that time and the mailbox would be moved over to the Disconnected Mailbox items. Upon restoration of the account, the mailbox would have to be reconnected manually.

You can see that the entire procedure is somewhat like a choreographed dance. In the event you have a small environment and you are the only administrator handling all the parts, then you can consider all of these facts and map out a plan of attack depending on the circumstances.

If, however, you are in a much larger environment with both an AD and an Exchange team, you can see how you would first need to determine the timeline of moving to Server 2008 R2, ensure the AD team understands the importance of turning on the Recycle Bin, and make sure the AD team knows how to restore the users through PowerShell.

(If you accidentally delete a user object and think you will simply turn on the Recycle Bin at that time and restore the object, you’ll be disappointed. When you enable AD Recycle Bin, all objects that have been deleted already are recoverable only through an authoritative restore from a backup of AD that was taken prior to the implementation of the AD Recycle Bin.)

At the same time, the teams need to communicate to ensure a user isn’t deleted from AD prior to the Exchange team disconnecting the mailbox from that user (if it’s an environment where the mailbox is reattached to another user or held as Disconnected for a period of time).

In addition, the Exchange team should know how and when to restore disconnected mailboxes to restored, newly created, or pre-existing user accounts.

When Too Much Time Has Passed
As time passes, the clock is ticking on objects in AD. They will eventually be permanently deleted if they aren’t recovered before their lifetime is up.

The default IsDeleted lifetime is actually the same as the tombstone lifetime (which is what the object becomes if you don’t have the Recycle Bin enabled)—by default, 180 days. At this point the object moves toward the ‘garbage collection’ phase and can’t be recovered without a backup and restore solution.
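An added example (not from the article) that reads the lifetimes just described from the forest configuration and lists deleted users with the days they have left in the Recycle Bin, so you can see which ones are close to the point of no return. The 180-day fallback is the default the article cites; the deletion timestamp is approximated from whenChanged.

```powershell
# Added example: report deleted user objects and their remaining Recycle Bin lifetime.
Import-Module ActiveDirectory

# The lifetimes are attributes of the Directory Service object in the configuration partition.
$configNC = (Get-ADRootDSE).configurationNamingContext
$dsConfig = Get-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$configNC" `
                         -Properties msDS-DeletedObjectLifetime, tombstoneLifetime

# msDS-DeletedObjectLifetime falls back to tombstoneLifetime when unset; if neither
# is set the forest is running the 180-day default.
$lifetimeDays =
    if ($dsConfig.'msDS-DeletedObjectLifetime') { $dsConfig.'msDS-DeletedObjectLifetime' }
    elseif ($dsConfig.tombstoneLifetime)        { $dsConfig.tombstoneLifetime }
    else                                        { 180 }

"Effective deleted-object lifetime: $lifetimeDays days"

# whenChanged is updated at deletion, so it serves as the deletion time. objectClass is
# multi-valued, so this also lists computer accounts, which derive from class user.
Get-ADObject -Filter { isDeleted -eq $true -and objectClass -eq 'user' } `
             -IncludeDeletedObjects `
             -Properties displayName, whenChanged, lastKnownParent |
    ForEach-Object {
        $expires = $_.whenChanged.AddDays($lifetimeDays)
        [PSCustomObject]@{
            DisplayName     = $_.displayName
            Deleted         = $_.whenChanged
            DaysRemaining   = [math]::Floor(($expires - (Get-Date)).TotalDays)
            LastKnownParent = $_.lastKnownParent
        }
    } |
    Sort-Object DaysRemaining |
    Format-Table -AutoSize
```

Anything showing a low or negative DaysRemaining is at or past the point where, as the article says, only an authoritative restore from backup will bring it back.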

AD object restore on that level is another article entirely. The same is true of mailbox retention times. After those times have been exceeded, the mailbox is unrecoverable without a backup solution. Many different solutions exist through third-party vendors.

One of the negative issues with Server 2008 is the loss of an onboard backup solution for Exchange. There is an “almost-fix” in Exchange 2007 SP2, but it lets you back up only the volume itself.

So, if you want a more precise and granular backup for mailboxes, you need to consider options beyond what Server 2008 or Exchange offer.

You might consider System Center Data Protection Manager and perhaps restore a database over to a recovery storage group or database. Then you can recover the lost mailbox.

Or you might try another solution that allows for immediate recovery of the mailbox, such as Mimosa NearPoint for Exchange or CommVault Simpana. The sidebar “A Free GUI–Based AD Recycle Bin Tool” discusses a free tool that can also help. Whatever choice you make as to recovery software, it doesn’t hurt to try to solve these If/Then scenarios yourself first.

Logic Beats a Restore from Backup
By using logic, plus the AD Recycle Bin and the Disconnected Mailbox location, you can avoid the frustration of restoring from a backup. These tools can save admins a lot of frustration, stress, and panic.

A Free GUI–Based AD Recycle Bin Tool

The AD Recycle Bin tool in Server 2008 R2 is a long time coming, yet frustrating on many fronts. For one thing it isn't installed by default. For another, it requires use of the command line. Finally, it’s only in Windows Server 2008 R2.

Here is an alternative that happens to be free. Overall Solutions offers a tool called ADRecycleBin that’s a GUI–based solution. It works with the R2 Recycle Bin by restoring objects, or it can reanimate objects if you’re using an earlier form of AD or simply can’t bring up your forest functional level.

Essentially, it looks for tombstones and presents them to you for a simple click-restore of those items. You don't have to have installed it prior to the deletion because it will come on the scene and simply look for the IsDeleted attribute on objects to gather a graphical view of tombstones. Find the tool at the Overall Solutions website.
