Windows Server 2008 R2 AD Disaster Recovery (Part 2)

by Marin Franković on 11 May, 2010

Hello again. In the second part of this two-part series I will describe and show you how to enable and use the AD Recycle Bin feature. It is important to understand that this feature is available only at the Windows Server 2008 R2 forest functional level. Also, once it is enabled, it cannot be disabled.

Step one in the process is raising the forest functional level to Windows Server 2008 R2. To do this, all domains must be at the Windows Server 2008 R2 domain functional level, which in turn means that all domain controllers have to be running Windows Server 2008 R2.

Raise forest functional level

The forest functional level can be raised by using the AD Domains and Trusts console or by using a Windows PowerShell command:

Set-ADForestMode -Identity demo.local -ForestMode Windows2008R2Forest

You will of course replace demo.local with your domain name.

Enable AD Recycle Bin Feature

After the forest level has been raised, we will again use PowerShell to enable the AD Recycle Bin feature:

Enable-ADOptionalFeature -Identity 'CN=Recycle Bin Feature,CN=Optional Features,CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=demo,DC=local' -Scope ForestOrConfigurationSet -Target 'demo.local'

Again, replace the domain name with your own.
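Because enabling the feature is a one-way operation, it is worth checking the prerequisites from the same PowerShell session first. The script below is an added example (it is not from the original post) and assumes the ActiveDirectory module is loaded and the forest is named demo.local; it reads the feature's distinguished name from the directory instead of typing it by hand, so the only placeholder is the forest name.

```powershell
# Added example, not part of the original article. Assumes the ActiveDirectory
# module and a forest named 'demo.local' (placeholder; replace with your own).
Import-Module ActiveDirectory

$forest = Get-ADForest -Identity 'demo.local'
"Forest mode: $($forest.ForestMode)"

# Every domain must be at Windows2008R2Domain, which in turn requires that
# every domain controller runs Windows Server 2008 R2.
foreach ($domainName in $forest.Domains) {
    $mode = (Get-ADDomain -Identity $domainName).DomainMode
    "$domainName : $mode"
}

# The optional feature object lives in the configuration partition; its
# EnabledScopes attribute is empty until the feature has been enabled.
$feature = Get-ADOptionalFeature -Filter 'name -eq "Recycle Bin Feature"'

if ($feature.EnabledScopes) {
    "Recycle Bin is already enabled for: $($feature.EnabledScopes -join ', ')"
}
elseif ($forest.ForestMode -ne 'Windows2008R2Forest') {
    "Forest is at $($forest.ForestMode); raise it with Set-ADForestMode before enabling the feature."
}
else {
    # Same operation as the command in the article, with the DN taken from
    # the feature object. The confirmation prompt is left on deliberately,
    # because this cannot be undone.
    Enable-ADOptionalFeature -Identity $feature.DistinguishedName `
        -Scope ForestOrConfigurationSet -Target $forest.Name
}
```

Run it once before and once after enabling the feature: the second run should print the forest name under EnabledScopes, which is the quickest way to confirm that the change has replicated to the domain controller you are connected to.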

In this short video (Croatian) you can see how to check and raise the forest functional level and how to enable the AD Recycle Bin feature.

http://blog.frankovic.net/Download/3_Enable_AD_Recycle_Bin.flv

Now that we have enabled all the required features, let's see how they can be used. There are a couple of different ways to recover a deleted object from the AD database: we can use the ldp.exe console, we can use PowerShell, or we can use GUI utilities that rely on PowerShell.

Object recovery using ldp.exe

  • Start – Run
  • Input ldp.exe and hit enter
  • Select Options menu and click Controls
  • From Load predefined dropdown list select Return Deleted Objects and click OK
  • Select Bind from Connection menu and click OK
  • From View menu select Tree and as Base DN select root of your domain
  • Double click on Deleted Objects container (you should see your deleted objects)
  • Select object that you want to restore, right click and select Modify
  • In Edit Entry Attribute input IsDeleted
  • Select Delete under Operation and click Enter
  • In Edit Entry Attribute input DistinguishedName
  • In Values input the object's distinguished name
  • Select Replace under Operation, click Enter
  • Make sure you place check mark on Extended option
  • When finished, click Run

Your object is now restored.

Object recovery using PowerShell

In case you need to recover more objects, it may be more efficient to use PowerShell and to create scripts. This simple PowerShell command will restore the user Test:

Get-ADObject -Filter {displayName -eq "Test"} -IncludeDeletedObjects | Restore-ADObject
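The one-liner above works for a single user whose parent container still exists. A more common recovery case is a whole OU deleted together with its contents, where Restore-ADObject fails for the children until their parent is back. The following script is an added example (not from the original post or the video) that first lists what is in the Recycle Bin and then restores a deleted OU and everything beneath it in parent-first order; it assumes the ActiveDirectory module, a Recycle Bin that is already enabled, and uses the OU name Sales as a placeholder.

```powershell
# Added example, not part of the original article. Assumes the ActiveDirectory
# module and an enabled AD Recycle Bin. 'Sales' is a placeholder OU name.
Import-Module ActiveDirectory

$domainDn = (Get-ADDomain).DistinguishedName   # e.g. DC=demo,DC=local

# Inventory the Deleted Objects container before restoring anything. The
# container itself carries isDeleted=TRUE, so it is excluded by name.
Get-ADObject -LDAPFilter '(&(isDeleted=TRUE)(!(name=Deleted Objects)))' `
    -IncludeDeletedObjects `
    -Properties objectClass, lastKnownParent, 'msDS-LastKnownRDN', whenChanged |
    Select-Object 'msDS-LastKnownRDN', objectClass, lastKnownParent, whenChanged |
    Format-Table -AutoSize

# Restore an object, then recursively restore every deleted object whose
# lastKnownParent points at it. lastKnownParent is a DN-valued attribute,
# so once the parent is restored it resolves to the parent's original DN
# again, which is what the child lookup relies on.
function Restore-DeletedSubtree {
    param([Parameter(Mandatory = $true)][string]$ObjectGuid)

    Restore-ADObject -Identity $ObjectGuid
    $restoredDn = (Get-ADObject -Identity $ObjectGuid).DistinguishedName

    Get-ADObject -LDAPFilter "(&(isDeleted=TRUE)(lastKnownParent=$restoredDn))" `
        -IncludeDeletedObjects |
        ForEach-Object { Restore-DeletedSubtree -ObjectGuid $_.ObjectGUID.ToString() }

    return $restoredDn
}

# Pick the most recently deleted OU that was called 'Sales'. Matching on
# msDS-LastKnownRDN is needed because the name of a deleted object is
# mangled with a DEL: suffix while it sits in the Recycle Bin.
$deletedOu = Get-ADObject `
    -LDAPFilter '(&(isDeleted=TRUE)(objectClass=organizationalUnit)(msDS-LastKnownRDN=Sales))' `
    -IncludeDeletedObjects -SearchBase "CN=Deleted Objects,$domainDn" `
    -Properties whenChanged |
    Sort-Object whenChanged -Descending |
    Select-Object -First 1

if (-not $deletedOu) {
    throw "No deleted OU named 'Sales' was found in the Recycle Bin."
}

$ouDn = Restore-DeletedSubtree -ObjectGuid $deletedOu.ObjectGUID.ToString()

# Verify the result: the OU is back at its original DN with its children.
Get-ADObject -Filter * -SearchBase $ouDn -SearchScope Subtree |
    Select-Object DistinguishedName, ObjectClass
```

Restoring by ObjectGUID rather than by name avoids picking the wrong object when several deleted entries share a display name, and the whenChanged sort makes the choice explicit when the same OU has been deleted more than once within the deleted-object lifetime.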

Watch this short video to see how to use these two methods for restoring AD objects.

http://blog.frankovic.net/Download/4_Restore_Deleted_Object_AD_Recycle_Bin.flv

Third party utilities for restoring AD objects

If you are unfamiliar with ldp.exe or PowerShell, you can use PowerGUI, which is a graphical user interface for PowerShell. Also be sure to download and install the Active Directory PowerPack and the AD Recycle Bin PowerPack.


Tom Popov June 28, 2010 at 15:52

Excellent article!!
