Active Directory Recycle Bin
A new feature introduced in Windows Server 2008 R2 which, according to my personal belief, has been quite underestimated.
In Active Directory, there are mainly four methods by which we can recover deleted objects:
1. LDP
2. ADRestore
3. Backup
4. AD Recycle Bin
LDP
Advantages:-
- Recovering deleted objects using LDP is quite simple
- It does not involve rebooting the DC into DSRM (Directory Services Restore Mode)
- No backup of any kind is needed for this kind of restore
Disadvantages:-
- LDP can restore (reanimate) the deleted object, but the recovered object has only the few basic attributes that survive in a tombstone, such as SID, GUID, etc.
- Group memberships and other important attributes cannot be recovered with the restored object when it is restored using LDP
- Advanced knowledge of Active Directory is required to restore the object, as the LDP interface and its usage are not something every administrator is comfortable with.
How to Restore Deleted AD Objects Using LDP
http://www.adshotgyan.com/2010/11/how-to-restore-deleted-ad-objects-using_27.html
ADRestore
Advantages:-
- Quite simple to use
- Just need to click Yes/No while restoring the objects
- Does not involve rebooting the DC into DSRM Mode
- No backup of any kind is needed for this kind of restore
Disadvantages:-
- Just like LDP, ADRestore can restore the deleted objects, but the recovered objects have only the few basic attributes that survive in a tombstone, such as SID, GUID, etc.
- Group memberships and other important attributes cannot be recovered with the restored object when it is restored using ADRestore
How to Restore Deleted AD Objects Using ADRestore
http://www.adshotgyan.com/2010/11/how-to-restore-deleted-ad-objects-using.html
Backup
Advantages:-
- Once the objects are restored, all attributes, including group memberships, are restored as well
Disadvantages:-
- Need to have an Active Directory-aware backup (taken before the deletion)
- Have to reboot the DC into DSRM Mode to perform the authoritative restore
Active Directory Recycle Bin
Advantages:-
- Easy to restore deleted data
- The data is restored with all of its attributes, including group memberships
Disadvantages:-
- Has to be enabled in advance (requires the forest functional level to be Windows Server 2008 R2 or higher)
- Once enabled, it cannot be disabled
- Size of NTDS.DIT may increase, since deleted objects keep all their attributes for the deleted object lifetime
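As an added example (not from the original post), here is how the check, the enabling and a restore look in the ActiveDirectory PowerShell module. The forest root contoso.com, the domain controller DC01.contoso.com and the deleted user "Jane Doe" are assumptions for illustration only.

```powershell
# Added example, not part of the original post. Assumed names: forest root
# contoso.com, domain controller DC01.contoso.com, deleted user "Jane Doe".
Import-Module ActiveDirectory

$server = 'DC01.contoso.com'
$forest = Get-ADForest -Server $server

# 1. Check whether the feature is on. EnabledScopes stays empty until it is enabled.
$rb = Get-ADOptionalFeature -Server $server -Filter 'name -like "Recycle Bin Feature"'
if ($rb.EnabledScopes.Count -gt 0) {
    Write-Host "Recycle Bin is already enabled for: $($rb.EnabledScopes -join ', ')"
}
else {
    # 2. Prerequisite: forest functional level Windows Server 2008 R2 or higher.
    $required = [Microsoft.ActiveDirectory.Management.ADForestMode]::Windows2008R2Forest
    if ([int]$forest.ForestMode -lt [int]$required) {
        throw "Forest mode is $($forest.ForestMode); raise it to $required before enabling the Recycle Bin."
    }
    # 3. Enable it. This cannot be undone, so keep the confirmation prompt.
    Enable-ADOptionalFeature -Server $server -Identity 'Recycle Bin Feature' `
        -Scope ForestOrConfigurationSet -Target $forest.RootDomain -Confirm
}

# 4. Locate the deleted user. Deleted objects are invisible to normal searches;
#    -IncludeDeletedObjects adds the LDAP control that shows them.
#    msDS-LastKnownRDN and lastKnownParent are stamped on the object at deletion time.
$deleted = Get-ADObject -Server $server -IncludeDeletedObjects `
    -LDAPFilter '(&(isDeleted=TRUE)(objectClass=user)(msDS-LastKnownRDN=Jane Doe))' `
    -Properties 'msDS-LastKnownRDN', lastKnownParent, isRecycled, memberOf

if (-not $deleted) { throw 'No deleted user named "Jane Doe" found.' }
if ($deleted.isRecycled) {
    throw 'Object is already recycled; only an authoritative restore from backup can bring it back.'
}

# With the Recycle Bin on, memberOf survived the deletion, so the restore brings the
# group memberships back (a tombstone reanimated via LDP/ADRestore would have lost them).
"Former location : $($deleted.lastKnownParent)"
"Groups preserved: $($deleted.memberOf -join ', ')"

# 5. Restore. If the former parent OU was deleted too, it must come back first:
#    Restore-ADObject refuses to restore a child whose parent is still deleted.
$target = $deleted.lastKnownParent
$parent = Get-ADObject -Server $server -Identity $target -IncludeDeletedObjects -Properties isDeleted
if ($parent.isDeleted) {
    Restore-ADObject -Server $server -Identity $parent.ObjectGUID
    # The restored parent gets its original DN back, so point the child at that DN.
    $target = (Get-ADObject -Server $server -Identity $parent.ObjectGUID).DistinguishedName
}
Restore-ADObject -Server $server -Identity $deleted.ObjectGUID -TargetPath $target

# 6. Verify: the user is back in its OU with its group memberships intact.
Get-ADUser -Server $server -Identity $deleted.ObjectGUID -Properties memberOf |
    Select-Object DistinguishedName, memberOf
```

The order in step 5 matters for bulk restores as well (a deleted OU with its users): always restore the container first, then its children with -TargetPath pointing at the restored container.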
Note:-
When Active Directory Recycle Bin is not enabled and an object gets deleted, the isDeleted attribute on that object is set to TRUE and the object is moved to the "Deleted Objects" container as a tombstone. While in this location, the object is stored with only a few attributes intact (SID, GUID, etc.); linked attributes such as group memberships are stripped. That is why, when the object is restored (reanimated) from this container, it comes back with only those few basic attributes.
Object in AD --> Delete --> Deleted Object --> Tombstone Period Completed --> Garbage Collection --> Object Removed from AD
Tombstone & Garbage Collection
http://www.adshotgyan.com/2010/11/tombstone-garbage-collection.html
When Active Directory Recycle Bin is enabled and an object gets deleted, the object is moved into the "Deleted Objects" container and becomes logically deleted. In this state none of its attributes are lost; all attributes, including linked attributes such as group memberships, are preserved. When you recover a deleted object using Recycle Bin, you are recovering it from this state.
Once the deleted object lifetime (msDS-deletedObjectLifetime, which defaults to the tombstone lifetime) has passed, the logically deleted object becomes a recycled object and most of its attributes are removed, leaving behind only a few such as SID, GUID, etc. Once the tombstone lifetime has passed as well, the garbage collection process finally removes the object completely.
A recycled object cannot be recovered with Active Directory Recycle Bin or with the steps in "Reanimating Active Directory Tombstone Objects" (the LDP/ADRestore methods above).
When Active Directory Recycle Bin is enabled, all objects that were deleted before it was enabled (that is, all existing tombstone objects) become recycled objects. These objects are no longer visible in the Deleted Objects container, and they cannot be recovered with Active Directory Recycle Bin. The only way to restore them is through an authoritative restore from a backup of AD DS that was taken before Active Directory Recycle Bin was enabled.
Object in AD --> Delete --> Logically Deleted Object --> Recycled Object --> Tombstone Period Completed --> Garbage Collection --> Object Removed from AD
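As an added example (not from the original post) that ties the two state diagrams above to what you can actually see on a DC, the following PowerShell reads the two lifetimes that drive them and classifies every object currently sitting in Deleted Objects as tombstone, logically deleted or recycled. The DC name DC01.contoso.com is an assumption.

```powershell
# Added example, not part of the original post. Assumed DC: DC01.contoso.com.
Import-Module ActiveDirectory

$server  = 'DC01.contoso.com'
$rootDse = Get-ADRootDSE -Server $server

# Both lifetimes live on the Directory Service object of the Configuration partition
# and are expressed in days. An absent tombstoneLifetime means the default applies
# (60 days for forests created on Windows 2000/2003, 180 days for forests created on
# Windows Server 2003 SP1 or later); an absent msDS-deletedObjectLifetime means
# "same as tombstoneLifetime".
$dsDn = "CN=Directory Service,CN=Windows NT,CN=Services,$($rootDse.configurationNamingContext)"
$ds   = Get-ADObject -Server $server -Identity $dsDn -Properties tombstoneLifetime, 'msDS-deletedObjectLifetime'

$tombstoneLifetime     = if ($ds.tombstoneLifetime) { [int]$ds.tombstoneLifetime } else { $null }
$deletedObjectLifetime = if ($ds.'msDS-deletedObjectLifetime') { [int]$ds.'msDS-deletedObjectLifetime' } else { $tombstoneLifetime }

"tombstoneLifetime          : $(if ($tombstoneLifetime) { "$tombstoneLifetime days" } else { 'not set (default 60 or 180 days)' })"
"msDS-deletedObjectLifetime : $(if ($deletedObjectLifetime) { "$deletedObjectLifetime days" } else { 'not set (follows tombstoneLifetime)' })"

$rbEnabled = (Get-ADOptionalFeature -Server $server -Filter 'name -like "Recycle Bin Feature"').EnabledScopes.Count -gt 0

# Everything currently in Deleted Objects. The container itself is also flagged
# isDeleted=TRUE, so it is excluded from the search.
$deletedObjects = Get-ADObject -Server $server -IncludeDeletedObjects `
    -LDAPFilter '(&(isDeleted=TRUE)(!(cn=Deleted Objects)))' `
    -Properties isRecycled, whenChanged, lastKnownParent, 'msDS-LastKnownRDN', memberOf

foreach ($o in $deletedObjects) {
    # isDeleted=TRUE alone means "tombstone" in a forest without the Recycle Bin and
    # "logically deleted" in a forest with it; isDeleted=TRUE plus isRecycled=TRUE is
    # the recycled state, from which only an authoritative restore from backup helps.
    $state = if ($o.isRecycled) { 'Recycled' }
             elseif ($rbEnabled) { 'Logically deleted' }
             else                { 'Tombstone' }

    # whenChanged is a non-replicated attribute, so this is the time this DC applied the
    # deletion; for the originating time use Get-ADReplicationAttributeMetadata on isDeleted.
    $deletedAt     = $o.whenChanged
    $recycledAfter = if ($state -eq 'Logically deleted' -and $deletedObjectLifetime) {
        $deletedAt.AddDays($deletedObjectLifetime)
    } else { $null }

    [pscustomobject]@{
        Name          = if ($o.'msDS-LastKnownRDN') { $o.'msDS-LastKnownRDN' } else { $o.Name }
        FormerParent  = $o.lastKnownParent
        State         = $state
        DeletedAround = $deletedAt
        RecycledAfter = $recycledAfter
        # Linked attributes such as memberOf survive only in the logically deleted state,
        # so this count is 0 for tombstones and recycled objects.
        GroupsKept    = @($o.memberOf).Count
    }
}
```

Run it against a forest where the Recycle Bin was switched on recently and the output shows the last paragraph in practice: everything deleted before the switch reports "Recycled" with no groups kept, while later deletions report "Logically deleted" with their memberships still attached.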