Introducing Active Directory Recycle Bin

Accidental deletion of Active Directory objects is a common occurrence for users of Active Directory Domain Services (AD DS) and Active Directory Lightweight Directory Services (AD LDS).

In Windows Server 2008 Active Directory domains, you could recover accidentally deleted objects from backups of AD DS that were taken by Windows Server Backup. Or you could recover deleted Active Directory objects through tombstone reanimation. The drawback to the authoritative restore solution was that it had to be performed in Directory Services Restore Mode (DSRM) during which the domain controller being restored had to remain offline. And the problem with tombstone reanimation was that reanimated objects' link-valued attributes (for example, group memberships of user accounts) were physically removed and non-link-valued attributes were cleared and not recovered.

Windows Server 2008 R2 Active Directory Recycle Bin enhances your ability to preserve and recover accidentally deleted Active Directory objects by preserving all link-valued and non-link-valued attributes of the deleted Active Directory objects. With the Active Directory Recycle Bin enabled, the objects are restored in their entirety to the same consistent logical state that they were in immediately before deletion.

There are a couple of special considerations:

1. By default, Active Directory Recycle Bin is disabled. To enable it, you must first raise the forest functional level of your AD DS or AD LDS environment to Windows Server 2008 R2. This in turn requires that all domain controllers in the forest or all servers that host instances of AD LDS configuration sets be running Windows Server 2008 R2.

2. In Windows Server 2008 R2, the process of enabling Active Directory Recycle Bin is irreversible. After you enable Active Directory Recycle Bin in your environment, you cannot disable it.

For further information, such as the Active Directory Recycle Bin scenario overview and the detailed steps on how to recover a single or multiple deleted objects (using ldp.exe or the Active Directory PowerShell snap-in), see What's New in AD DS: Active Directory Recycle Bin (https://go.microsoft.com/fwlink/?LinkId=141392) and Active Directory Recycle Bin Step-by-Step Guide (https://go.microsoft.com/fwlink/?LinkId=133971).  

This posting is provided "AS IS" with no warranties, and confers no rights.