Active Directory Recycle Bin

In an Active Directory environment, objects such as users, computers, groups, or organizational units can be deleted by accident. Reversing such a mistake used to be a cumbersome task for administrators, so Microsoft introduced the Active Directory Recycle Bin, which behaves much like the Windows Recycle Bin: a deleted object is kept for a while and can be put back with a few clicks or a single command.

Before the AD Recycle Bin existed, there were two ways to bring a deleted object back, and each had its own drawbacks.

The first, available in every version of Active Directory, is an authoritative restore. The domain controller is restarted in Directory Services Restore Mode (DSRM), the AD DS database is restored from a system state backup, and the objects to be recovered are marked authoritative with ntdsutil; their version numbers are raised so that the restored copies win during replication and overwrite the deletion on every other domain controller. The cost is availability and freshness: while in DSRM the domain controller does not service client requests, and the object comes back exactly as it was in the backup, so any change made between the backup and the deletion is lost. For example, a user account deleted today and restored from a backup taken a few days ago will not carry any group membership or attribute change made after that backup.

The second method, tombstone reanimation, was introduced with Windows Server 2003 and is also available in Windows Server 2008. It relies on the fact that a deleted object is not removed from the database immediately: it is stripped of most of its attributes, renamed, and moved to the hidden Deleted Objects container as a tombstone, where it stays for the tombstone lifetime (180 days by default for forests created with Windows Server 2003 SP1 or later, 60 days for forests created with earlier versions). Tombstones do not appear in ordinary searches; a client must send the Show Deleted Objects LDAP control (OID 1.2.840.113556.1.4.417) to see them. Within the tombstone lifetime a tombstone can be turned back into a live object with a single LDAP modify, without taking any domain controller offline. The drawback is what survives: a tombstone keeps only a handful of attributes such as objectGUID, objectSid, sIDHistory, sAMAccountName, the security descriptor and (from Windows Server 2003 SP1) lastKnownParent, so the reanimated object returns without its group memberships and most other attributes, which have to be repopulated by hand.
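As an added example (not code from the original article), the following PowerShell script performs a tombstone reanimation with a raw LDAP modify through System.DirectoryServices.Protocols, the same operation ldp.exe issues. It first lists the attributes that survived deletion, then removes isDeleted and assigns a live distinguishedName in one modify; both requests carry the Show Deleted Objects control. The domain controller name, the domain DN and the account name jdoe are assumptions.

```powershell
# Added example: reanimate a tombstone with a raw LDAP modify (no Recycle Bin needed).
# Assumed values: the DC hostname, the domain DN and the deleted account's sAMAccountName.
using namespace System.DirectoryServices.Protocols
Add-Type -AssemblyName System.DirectoryServices.Protocols

$dc        = 'dc01.corp.example.com'         # assumption: a writable DC
$domainDn  = 'DC=corp,DC=example,DC=com'     # assumption: the domain
$deletedCn = "CN=Deleted Objects,$domainDn"
$sam       = 'jdoe'                          # assumption: the deleted account

# Show Deleted Objects control (LDAP_SERVER_SHOW_DELETED_OID). Without it the
# Deleted Objects container looks empty and the reanimating modify is rejected.
$showDeleted = [DirectoryControl]::new('1.2.840.113556.1.4.417', $null, $true, $true)

$conn = [LdapConnection]::new($dc)
$conn.SessionOptions.ProtocolVersion = 3
$conn.SessionOptions.Signing = $true          # require LDAP signing ...
$conn.SessionOptions.Sealing = $true          # ... and encryption for the session
$conn.Bind()                                  # Negotiate with the caller's credentials

# 1. Find the tombstone. $null as the attribute list asks for every attribute the
#    server will return, which for a tombstone is only the preserved subset.
$search = [SearchRequest]::new($deletedCn, "(&(isDeleted=TRUE)(sAMAccountName=$sam))",
                               [SearchScope]::Subtree, $null)
[void]$search.Controls.Add($showDeleted)
$resp = [SearchResponse]$conn.SendRequest($search)
if ($resp.Entries.Count -ne 1) {
    throw "Expected exactly one tombstone for '$sam', found $($resp.Entries.Count)"
}
$tomb = $resp.Entries[0]
"Tombstone DN: $($tomb.DistinguishedName)"
"Surviving attributes: $(($tomb.Attributes.AttributeNames | Sort-Object) -join ', ')"
# Expect objectGUID, objectSid, sAMAccountName, nTSecurityDescriptor, lastKnownParent ...
# and no memberOf, description or other values that were stripped at deletion time.

# 2. Work out where the object goes back. The tombstone RDN is '<name>\0ADEL:<guid>';
#    strip the suffix to recover the original RDN and reuse lastKnownParent as the
#    container (if that container is itself deleted, reanimate it first).
$rdn    = (($tomb.DistinguishedName -split ',', 2)[0]) -replace '\\0ADEL:.*$', ''
$parent = [string]$tomb.Attributes['lastKnownParent'][0]
if ($parent -match '\\0ADEL:') { throw "Parent container '$parent' is deleted too; reanimate it first" }
$newDn  = "$rdn,$parent"

# 3. Reanimate: one modify that deletes isDeleted and replaces distinguishedName.
#    Both changes must travel in the same request or the server rejects them.
$clearDeleted = [DirectoryAttributeModification]::new()
$clearDeleted.Name      = 'isDeleted'
$clearDeleted.Operation = [DirectoryAttributeOperation]::Delete   # no values: remove the attribute

$setDn = [DirectoryAttributeModification]::new()
$setDn.Name      = 'distinguishedName'
$setDn.Operation = [DirectoryAttributeOperation]::Replace
[void]$setDn.Add($newDn)

$mod = [ModifyRequest]::new()
$mod.DistinguishedName = $tomb.DistinguishedName
[void]$mod.Modifications.Add($clearDeleted)
[void]$mod.Modifications.Add($setDn)
[void]$mod.Controls.Add($showDeleted)

$result = $conn.SendRequest($mod)
"Reanimated as $newDn (result: $($result.ResultCode))"
# The account is back, but only with the preserved attributes: re-add group
# memberships and other attributes and set a new password before anyone uses it.
```

Run it as a user with write access to the Deleted Objects container (by default only Administrators). The printed attribute list is the practical demonstration of the paragraph above: everything not on it has to be recreated after reanimation.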

The AD Recycle Bin, introduced in Windows Server 2008 R2, closes that gap: deleted objects can be restored with all of their attributes, including linked attributes such as group membership, and the restore is done online while the domain controllers keep servicing clients. The feature has two prerequisites:

  • All domain controllers in the forest must be running Windows Server 2008 R2 or later.
  • The forest functional level must be raised to at least Windows Server 2008 R2.

Enabling the Recycle Bin is a one-way operation: once the optional feature is turned on it cannot be disabled again, so confirm the prerequisites and the retention settings before enabling it in production.

With the Recycle Bin enabled, a deleted object first becomes a "deleted object": it is moved to the Deleted Objects container with all of its attributes (for example, group memberships) intact and kept there for the deleted object lifetime, which is controlled by the msDS-DeletedObjectLifetime attribute on the Directory Service object in the configuration partition and defaults to the tombstone lifetime (180 days in most forests). During this period the object can be restored in its entirety. When the deleted object lifetime expires the object becomes a "recycled object": most of its attributes are stripped, much like a pre-2008 R2 tombstone, and it can no longer be restored. Once the recycled object lifetime, governed by the tombstoneLifetime attribute, also expires, the garbage-collection process removes it from the database. Because a restored object comes back with its original objectSid and group memberships, a restore re-grants every access the object once had; treat the Deleted Objects container as a sensitive location, and log and review restores, particularly of accounts that held privileged memberships.

The Recycle Bin was not convenient to use when it first shipped in Windows Server 2008 R2: there was no graphical interface, and administrators worked with it from the command line through the Active Directory module for Windows PowerShell (or with ldp.exe). The feature is disabled by default and has to be enabled once per forest with the Enable-ADOptionalFeature cmdlet.
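The following PowerShell script is an added example, not code from the original article: it checks the two prerequisites across the forest, enables the Recycle Bin only if it is not already on, and reads the two lifetimes from the Directory Service object, applying the documented defaults when the attributes are absent. The one-year retention target in $desiredDeletedObjectLifetime is an assumption; everything else is read from the forest you are logged on to.

```powershell
# Added example: check the prerequisites, enable the Recycle Bin once per forest,
# and read (optionally raise) the lifetimes that govern it.
Import-Module ActiveDirectory

$forest = Get-ADForest
$desiredDeletedObjectLifetime = 365   # assumption: keep fully restorable copies for a year

# Prerequisite 1: no DC below Windows Server 2008 R2 (NT version 6.1) anywhere in the forest.
# OperatingSystemVersion looks like '6.1 (7601)'; the first token is the NT version.
$oldDcs = foreach ($domain in $forest.Domains) {
    Get-ADDomainController -Filter * -Server $domain |
        Where-Object { [version]($_.OperatingSystemVersion -split ' ')[0] -lt [version]'6.1' }
}
if ($oldDcs) { throw "DCs below Windows Server 2008 R2: $($oldDcs.HostName -join ', ')" }

# Prerequisite 2: forest functional level Windows Server 2008 R2 or higher.
if ($forest.ForestMode -lt [Microsoft.ActiveDirectory.Management.ADForestMode]::Windows2008R2Forest) {
    throw "Forest functional level is $($forest.ForestMode); raise it to Windows2008R2Forest first"
}

# Enable once. EnabledScopes is empty while the feature is off; enabling is irreversible.
$feature = Get-ADOptionalFeature -Identity 'Recycle Bin Feature'
if ($feature.EnabledScopes.Count -eq 0) {
    Enable-ADOptionalFeature -Identity 'Recycle Bin Feature' -Scope ForestOrConfigurationSet `
        -Target $forest.Name -Confirm:$false
    "Recycle Bin enabled for forest $($forest.Name)"
} else {
    "Recycle Bin already enabled in: $($feature.EnabledScopes -join ', ')"
}

# Both lifetimes live on the Directory Service object in the configuration partition.
$dsObject = "CN=Directory Service,CN=Windows NT,CN=Services,$((Get-ADRootDSE).configurationNamingContext)"
$ds = Get-ADObject -Identity $dsObject -Properties tombstoneLifetime, 'msDS-DeletedObjectLifetime'

# Absent tombstoneLifetime means 60 days (forest created before Windows Server 2003 SP1);
# absent msDS-DeletedObjectLifetime means "same as tombstoneLifetime".
$tombstoneLifetime     = if ($ds.tombstoneLifetime) { $ds.tombstoneLifetime } else { 60 }
$deletedObjectLifetime = if ($ds.'msDS-DeletedObjectLifetime') { $ds.'msDS-DeletedObjectLifetime' } else { $tombstoneLifetime }
"Deleted object lifetime (fully restorable):         $deletedObjectLifetime days"
"Recycled object lifetime (until garbage collection): $tombstoneLifetime days"

# Raise the restorable window if it is shorter than policy requires. The recycled
# window follows tombstoneLifetime, which also bounds how stale a DC or backup may be
# before it is refused, so change that attribute with more care.
if ($deletedObjectLifetime -lt $desiredDeletedObjectLifetime) {
    Set-ADObject -Identity $dsObject -Replace @{ 'msDS-DeletedObjectLifetime' = $desiredDeletedObjectLifetime }
    "msDS-DeletedObjectLifetime raised to $desiredDeletedObjectLifetime days"
}
```

Run it as an Enterprise Admin (enabling an optional feature and editing the configuration partition both need forest-wide rights). The lifetime check matters in practice: the deleted object lifetime is the only window in which the full-attribute restore the paragraph describes is possible, and it silently inherits whatever tombstoneLifetime the forest happened to start with.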

Windows Server 2012 added a graphical interface: the Active Directory Administrative Center (ADAC) shows a Deleted Objects container under the domain node listing every deleted object, and the Recycle Bin itself can be enabled from the domain's task pane. From there, a deleted object can be restored to its original location (Restore) or to another container (Restore To), and single objects, multiple selected objects or whole organizational units can be handled in one operation, which makes recovering from accidental deletions considerably easier. Note that restoring an organizational unit restores only the OU itself; its former children remain in the Deleted Objects container until they are restored too, and a child cannot be restored while its parent is still deleted.
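As an added example (not from the original article or Microsoft), here is the PowerShell counterpart of ADAC's Restore and Restore To, with the two practitioner concerns the paragraph raises handled explicitly: a deleted parent container is restored before its child, and an account is restored into a quarantine OU and held disabled until the group memberships it came back with have been reviewed. The function names, the quarantine OU, the account jdoe and the OU named Sales are assumptions.

```powershell
# Added example: restore deleted objects with the AD module, the PowerShell
# counterpart of ADAC's Restore and Restore To. The helper names, the quarantine
# OU and the object names used at the bottom are assumptions.
Import-Module ActiveDirectory

$quarantineOu = 'OU=Quarantine,DC=corp,DC=example,DC=com'   # assumption: a locked-down OU

# List what is restorable. -IncludeDeletedObjects sends the Show Deleted Objects
# control for you; the container's own object is excluded by name.
function Get-RestorableObject {
    Get-ADObject -Filter 'isDeleted -eq $true -and name -ne "Deleted Objects"' `
        -IncludeDeletedObjects -Properties 'msDS-LastKnownRDN', lastKnownParent, whenChanged |
        Select-Object ObjectGUID, ObjectClass, 'msDS-LastKnownRDN', lastKnownParent, whenChanged
}

# Restore one object to its original location, restoring deleted parent containers
# first: a child cannot come back while its lastKnownParent is still a deleted object.
# The DN of a deleted parent carries '\0ADEL:<guid>', which yields the parent's GUID.
function Restore-WithParents {
    param([Parameter(Mandatory)][guid]$ObjectGuid)
    $obj = Get-ADObject -Identity $ObjectGuid -IncludeDeletedObjects -Properties lastKnownParent
    if ($obj.lastKnownParent -match '\\0ADEL:([0-9a-fA-F-]{36})') {
        Restore-WithParents -ObjectGuid ([guid]$Matches[1]) | Out-Null
    }
    Restore-ADObject -Identity $ObjectGuid -PassThru
}

# Restore a user into quarantine instead of its old OU and hold it disabled until
# someone has reviewed the memberships it came back with: a restore re-grants every
# access the account had, including privileged group memberships.
function Restore-UserToQuarantine {
    param([Parameter(Mandatory)][string]$SamAccountName)
    $deleted = Get-ADObject -IncludeDeletedObjects `
        -Filter "sAMAccountName -eq '$SamAccountName' -and isDeleted -eq `$true -and objectClass -eq 'user'"
    if (-not $deleted)           { throw "No deleted user named $SamAccountName" }
    if (@($deleted).Count -gt 1) { throw "Several deleted users named $SamAccountName; restore by ObjectGUID instead" }

    $restored = Restore-ADObject -Identity $deleted.ObjectGUID -TargetPath $quarantineOu -PassThru
    Disable-ADAccount -Identity $restored.ObjectGUID
    Get-ADUser -Identity $restored.ObjectGUID -Properties memberOf, whenChanged |
        Select-Object SamAccountName, DistinguishedName, Enabled, whenChanged,
                      @{ n = 'MemberOf'; e = { $_.memberOf -join '; ' } }
}

# Usage (names are assumptions):
Get-RestorableObject | Format-Table -AutoSize

$sales = Get-RestorableObject |
    Where-Object { $_.ObjectClass -eq 'organizationalUnit' -and $_.'msDS-LastKnownRDN' -eq 'Sales' }
if ($sales) { Restore-WithParents -ObjectGuid $sales.ObjectGUID }   # brings Sales (and any deleted parent OU) back

Restore-UserToQuarantine -SamAccountName 'jdoe'
```

Restore-WithParents mirrors what you would otherwise do by hand in ADAC (restore the OU, then each child); restoring an OU still leaves its former children in the Deleted Objects container, so run Get-RestorableObject again afterwards and restore them individually. The quarantine pattern is the part ADAC does not offer: the restored user's memberOf list is printed for review while the account is disabled, which is the moment to notice that a deleted account is about to regain a privileged group.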
