qUICKLY Explained: Active Directory Recycle Bin

Hello everyone, "q" here. In my last blog on Authoritative Restore, one of the readers, "M", suggested I do a blog on AD Recycle Bin, so I figured why not :). I am sure you will find lots of information on TechNet and blog sites regarding what AD Recycle Bin is, what the requirements are, how to enable it, etc. I will just do a qUICK explanation and hope I can add value with this blog.

So before I write about AD Recycle Bin, there are two things we must understand first:

  • 1. The difference between an authoritative and a non-authoritative restore of AD.
  • 2. Tombstone Lifetime (TSL): how long a deleted object's tombstone is kept so that knowledge of the deletion reaches every domain controller before the tombstone is removed. It is also the longest a backup can be before it is no longer safe to restore.

In the past (before Windows Server 2008 R2 FFL and AD Recycle Bin), there were two ways of recovering deleted objects in AD:

  • The Microsoft-supported method, authoritative restore: restore the AD database (System State) on a Domain Controller from a backup taken while the object still had the attributes you want back, then mark the object as authoritative with NTDSUTIL so that the restored copy wins replication (https://support.microsoft.com/kb/840001).
  • Tombstone reanimation with LDP: in a single modify of the tombstone, remove the isDeleted attribute and set a new distinguishedName (https://go.microsoft.com/fwlink/?LinkID=125452). This brings back only the handful of attributes a tombstone keeps (objectSid, objectGUID, sAMAccountName, lastKnownParent and a few others); everything else, including group memberships, has to be re-created by hand.

I am not going into the details of the above two methods as I am sure this is common knowledge by now. To recover objects from accidental or even intentional deletions in AD, Microsoft added a new feature in Windows Server 2008 R2 called AD Recycle Bin. It requires the forest to be at Windows Server 2008 R2 Forest Functional Level, and it is disabled by default; you enable it with the Enable-ADOptionalFeature PowerShell cmdlet or with LDP.
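Here is the PowerShell route, as an added example (not code from the original post): check the forest functional level, check whether the feature is already on, and enable it if not. Assumptions: the ActiveDirectory module is available and you run this as an Enterprise Admin; the forest name is read from Get-ADForest rather than hard-coded.

```powershell
# Added example: enable AD Recycle Bin from PowerShell.
# Assumes the ActiveDirectory module (RSAT) and Enterprise Admin rights.
Import-Module ActiveDirectory

$forest = Get-ADForest

# ForestMode is the ADForestMode enum; Windows2008R2Forest is value 4.
# The feature cannot be enabled below that level.
if ([int]$forest.ForestMode -lt 4) {
    throw "Forest functional level is $($forest.ForestMode); raise it to Windows2008R2Forest first."
}

$feature = Get-ADOptionalFeature -Filter 'Name -eq "Recycle Bin Feature"'

if ($feature.EnabledScopes.Count -gt 0) {
    "Recycle Bin is already enabled (and cannot be turned off again)."
} else {
    # Irreversible. Target the Domain Naming Master so the change is made
    # on the FSMO that owns the Partitions container.
    Enable-ADOptionalFeature -Identity $feature `
        -Scope ForestOrConfigurationSet `
        -Target $forest.RootDomain `
        -Server $forest.DomainNamingMaster `
        -Confirm:$false
}

# Verify: EnabledScopes now lists the Partitions container and the domain NC(s).
(Get-ADOptionalFeature -Filter 'Name -eq "Recycle Bin Feature"').EnabledScopes
```

Enable-ADOptionalFeature prompts for confirmation precisely because there is no way back; drop -Confirm:$false if you prefer to see the prompt.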

Before you enable AD Recycle Bin, it is always good to know the gotchas. Once you enable it you cannot disable it, and right after enabling it, NTDS.DIT (the AD database) on every Domain Controller in the forest grows by roughly 10-20%. Another point to remember is that NTDS.DIT keeps growing as you delete objects. Why, you ask? Before AD Recycle Bin, a deleted object was stripped of almost everything except a few preserved attributes (objectSid, objectGUID, sAMAccountName, lastKnownParent and the like), its distinguishedName (DN) was mangled and it was moved to the hidden Deleted Objects container. Now the object becomes logically deleted: it is moved to the Deleted Objects container with its DN mangled and isDeleted set to TRUE, but every attribute, including link-valued attributes such as group memberships, is kept. A deleted object remains in the Deleted Objects container in this logically deleted state for the duration of the deleted object lifetime. These objects can be viewed in LDP by enabling the Return deleted objects or Return recycled objects control (LDAP controls 1.2.840.113556.1.4.417 and 1.2.840.113556.1.4.2064 respectively).

Deleted object lifetime is determined by the value of the msDS-deletedObjectLifetime attribute, and tombstone lifetime by the value of the tombstoneLifetime attribute; both live on CN=Directory Service,CN=Windows NT,CN=Services in the Configuration partition. By default msDS-deletedObjectLifetime is null, and when it is null the deleted object lifetime equals the tombstone lifetime: 180 days for forests created on Windows Server 2003 SP1 or later. Forests created on older versions and upgraded since keep 60 days, which is also what an unset tombstoneLifetime means, so check your forest rather than assume 180.
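To see what your forest actually uses, and to lengthen the recovery window, here is an added example (not from the original post) that reads both attributes from the Directory Service object and then sets them. The 365-day value is an assumption chosen for illustration; the fallback defaults (60 days for an unset tombstoneLifetime, "same as TSL" for an unset msDS-deletedObjectLifetime) are the documented ones.

```powershell
# Added example: inspect and adjust tombstone lifetime (TSL) and
# deleted object lifetime (DOL). Assumes the ActiveDirectory module.
Import-Module ActiveDirectory

$configNC = (Get-ADRootDSE).configurationNamingContext
$dsObject = "CN=Directory Service,CN=Windows NT,CN=Services,$configNC"

$ds = Get-ADObject -Identity $dsObject -Properties 'msDS-DeletedObjectLifetime','tombstoneLifetime'

# Unset tombstoneLifetime means 60 days (forest created before 2003 SP1).
# Unset msDS-DeletedObjectLifetime means "same as the tombstone lifetime".
$tsl = if ($ds.tombstoneLifetime) { $ds.tombstoneLifetime } else { 60 }
$dol = if ($ds.'msDS-DeletedObjectLifetime') { $ds.'msDS-DeletedObjectLifetime' } else { $tsl }

"Tombstone lifetime        : $tsl days"
"Deleted object lifetime   : $dol days"

# Extend the recovery window to one year (assumed value). Both are set together
# so the Recycle Bin window and the backup-validity window stay equal.
$newLifetime = 365
Set-ADObject -Identity $dsObject -Replace @{
    'tombstoneLifetime'          = $newLifetime
    'msDS-DeletedObjectLifetime' = $newLifetime
}

# Read back to confirm the change replicated to the DC you are talking to.
Get-ADObject -Identity $dsObject -Properties 'msDS-DeletedObjectLifetime','tombstoneLifetime' |
    Select-Object tombstoneLifetime, 'msDS-DeletedObjectLifetime'
```

A longer lifetime means deleted objects (with all their attributes) sit in the database longer, so plan for the extra NTDS.DIT growth before raising it.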

Hence, with AD Recycle Bin you have (by default) 6 months to recover a deleted object with all its attributes as they were at the time of deletion. This is a huge benefit: you no longer need to find a valid, tested, recent backup of AD that happens to contain the object with all its properties as of the moment it was deleted. For example, say a user account was added to a group this morning and then deleted; the only backup I have is from last night, which does not contain that group membership, so restoring the user from backup brings it back without the group. AD Recycle Bin restores the object with its original objectSid and its group memberships intact, so ACLs that reference the SID and the groups' member attribute are exactly as they were. I think you will all agree that this is a far better way of ensuring every property present at the time of deletion is recovered, so AD Recycle Bin is a must-have for Windows Server 2008 R2 FFL environments.

There are two attributes that need to be covered quickly in order to understand deletion of objects with AD Recycle Bin enabled. These attributes are:

  • isDeleted
  • isRecycled

When an object is deleted, isDeleted is set to TRUE. For the duration of msDS-deletedObjectLifetime the object can be recovered and become a live object again; in this state (isDeleted = TRUE, isRecycled not set) it is called a Deleted Object, and it is the only state AD Recycle Bin can restore from. When the deleted object lifetime expires, isRecycled is also set to TRUE and most of the object's attributes are stripped away, much like a deletion before AD Recycle Bin. With both attributes TRUE the object is referred to as a Recycled Object, a new state introduced in Windows Server 2008 R2. From this point on you cannot use AD Recycle Bin (nor tombstone reanimation with LDP); the only way back is an authoritative restore from a backup taken before the object was deleted, and that backup must be younger than the tombstone lifetime. The recycled object stays in the Deleted Objects container for the duration of the tombstone lifetime (180 days by default), and when that expires a process called Garbage Collection (which runs every 12 hours by default) physically removes it from the AD database.
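Putting the two states to work, here is an added example (not from the original post) that lists deleted objects matching a name, labels each one as restorable (Deleted) or not (Recycled), and restores one, walking up lastKnownParent first because Restore-ADObject fails when the parent OU is itself still deleted. The account name 'jdoe' and the helper function names are assumptions.

```powershell
# Added example: find, classify and restore deleted objects.
# Assumes the ActiveDirectory module and AD Recycle Bin already enabled.
Import-Module ActiveDirectory

function Get-DeletedObjectState {
    param([Parameter(Mandatory)][string]$NameFilter)
    # -IncludeDeletedObjects attaches the "show deleted/recycled" LDAP controls.
    # A deleted object's name becomes "jdoe<DEL:guid>", so a prefix match works.
    Get-ADObject -Filter "isDeleted -eq `$true -and name -like '$NameFilter*'" `
        -IncludeDeletedObjects `
        -Properties isDeleted, isRecycled, lastKnownParent, whenChanged, objectSid |
    ForEach-Object {
        [pscustomobject]@{
            Name            = $_.Name
            State           = if ($_.isRecycled) { 'Recycled (past DOL, Recycle Bin cannot restore)' }
                              else               { 'Deleted (restorable)' }
            ChangedAt       = $_.whenChanged      # close to the deletion time
            LastKnownParent = $_.lastKnownParent
            ObjectSid       = $_.objectSid        # comes back unchanged on restore
            DN              = $_.DistinguishedName
        }
    }
}

function Restore-DeletedObjectWithParents {
    param([Parameter(Mandatory)][string]$DistinguishedName)
    $obj = Get-ADObject -Identity $DistinguishedName -IncludeDeletedObjects `
        -Properties isDeleted, isRecycled, lastKnownParent
    if ($obj.isRecycled) {
        throw "$DistinguishedName is a recycled object; only an authoritative restore from backup can bring it back."
    }
    # lastKnownParent points at the parent's (possibly mangled) DN. If the parent
    # was deleted too, restore it first, recursively, or Restore-ADObject fails.
    $parent = Get-ADObject -Identity $obj.lastKnownParent -IncludeDeletedObjects -Properties isDeleted
    if ($parent.isDeleted) {
        Restore-DeletedObjectWithParents -DistinguishedName $parent.DistinguishedName
    }
    Restore-ADObject -Identity $obj
}

# Usage (assumed account 'jdoe'):
Get-DeletedObjectState -NameFilter 'jdoe' | Format-Table Name, State, LastKnownParent -AutoSize

$target = Get-DeletedObjectState -NameFilter 'jdoe' |
    Where-Object State -like 'Deleted*' |
    Select-Object -First 1
if ($target) {
    Restore-DeletedObjectWithParents -DistinguishedName $target.DN
    # Link-valued attributes survive a logical delete, so memberOf is intact.
    Get-ADUser jdoe -Properties memberOf | Select-Object -ExpandProperty memberOf
}
```

If the original parent OU is gone for good and you do not want it back, Restore-ADObject -TargetPath lets you land the object in a different container instead of walking the parent chain.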

Hope this qUICK explanation helps, M. Cheers :)