More on Active Directory
Restoring Deleted Objects in Windows Server 2008 R2
Active Directory is one of the primary infrastructure components of most Windows environments, and its resiliency and recoverability are inherently linked to operational continuity: issues affecting its availability translate directly into monetary losses. Since introducing the technology, Microsoft has continually improved its native restore capabilities, most recently in Windows Server 2008 R2.
Truly revolutionary changes in regard to restoring deleted objects arrive in Windows Server 2008 R2 with the feature known as Active Directory Recycle Bin. It eliminates the two most significant disadvantages of the traditional recovery procedures described above: the need to restart a domain controller in Directory Services Restore Mode to perform an authoritative restore, and the loss of non-mandatory attributes that follows tombstone reanimation. To take advantage of it, you must first raise the forest functional level to Windows Server 2008 R2, which requires that every domain controller in the forest run Windows Server 2008 R2, and then enable the feature itself. The first step can be rolled back, since unlike earlier versions of Windows, Windows Server 2008 R2 allows you to lower the forest functional level back to Windows Server 2008. The second step cannot be undone, and once the Recycle Bin is enabled, lowering the forest functional level is no longer permitted either. In other words, enabling the feature is irreversible.
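The enablement sequence above, as an added example written for this page (it is not code from the original article or from Microsoft's guide). It assumes the Active Directory module for Windows PowerShell on a Windows Server 2008 R2 domain controller and Enterprise Admins rights; the Recycle Bin optional feature is located by its well-known name rather than by a hard-coded distinguished name.

```powershell
# Added example (not from the original article): check prerequisites, raise the
# forest functional level and enable the AD Recycle Bin. Run as an Enterprise
# Admin on a Windows Server 2008 R2 domain controller (PowerShell 2.0 syntax).
Import-Module ActiveDirectory

$forest = Get-ADForest

# 1. Every DC in every domain of the forest must run Windows Server 2008 R2
#    before the forest functional level can be raised. List any that do not.
$downlevel = foreach ($domain in $forest.Domains) {
    Get-ADDomainController -Filter * -Server $domain |
        Where-Object { $_.OperatingSystem -notlike '*2008 R2*' }
}
if ($downlevel) {
    $downlevel | Format-Table HostName, Domain, OperatingSystem -AutoSize
    throw 'Upgrade or demote the listed domain controllers first.'
}

# 2. Raise the forest functional level. On its own this step is reversible:
#    the level can still be lowered back to Windows Server 2008.
$targetMode = [Microsoft.ActiveDirectory.Management.ADForestMode]::Windows2008R2Forest
if ($forest.ForestMode -lt $targetMode) {
    Set-ADForestMode -Identity $forest -ForestMode $targetMode
    $forest = Get-ADForest
}

# 3. Enable the feature forest-wide. The cmdlet prompts for confirmation by
#    default; leave the prompt in place, because this step cannot be undone and
#    it also blocks lowering the forest functional level afterwards.
$feature = Get-ADOptionalFeature -Filter 'Name -eq "Recycle Bin Feature"'
if ($feature.EnabledScopes.Count -eq 0) {
    Enable-ADOptionalFeature -Identity $feature -Scope ForestOrConfigurationSet `
        -Target $forest.RootDomain
} else {
    Write-Host 'Recycle Bin Feature is already enabled in this forest.'
}

# 4. Verify. When enabled, EnabledScopes lists the Partitions container of the
#    Configuration partition plus the NTDS Settings object of each DC.
(Get-ADOptionalFeature -Filter 'Name -eq "Recycle Bin Feature"').EnabledScopes
```

Step 3 is the point of no return, which is why the script deliberately does not pass -Confirm:$false to Enable-ADOptionalFeature. Run steps 1 and 2 first on their own and only proceed once every domain controller reports the expected operating system.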
Enabling Active Directory Recycle Bin alters the object deletion process. Rather than being stripped of their non-mandatory attributes as in the traditional mechanism, objects moved to the CN=Deleted Objects container retain all of their attributes (including link-valued ones such as group membership) for the duration of the deleted object lifetime. Once that period passes, they become recycled (this transition can also be triggered manually), a state that roughly corresponds to the pre-Recycle Bin tombstone: most attributes are stripped. However, unlike pre-Windows Server 2008 R2 tombstones, recycled objects cannot be recovered through tombstone reanimation, and authoritative restore of them is not supported. They remain in this state until the recycled object lifetime expires, at which point the garbage collection process removes them from the Active Directory database. Because the deleted stage preserves every attribute and, in effect, extends total retention, expect the database file to grow.
The two consecutive periods are controlled by the attributes msDS-deletedObjectLifetime and tombstoneLifetime, both of which reside on the CN=Directory Service,CN=Windows NT,CN=Services object in the Configuration partition. If msDS-deletedObjectLifetime is not explicitly set, it takes on the value of tombstoneLifetime, which is 180 days in forests created with Windows Server 2003 SP1 or later (when the attribute is absent altogether, as in forests created with earlier versions, the directory behaves as if it were 60 days). The smaller of the two determines the useful shelf life of a System State backup of a domain controller: a backup older than that should not be used for restore.
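The two lifetimes and the fallback rule described above, read back from the directory, as an added example written for this page (not code from the original article). It assumes the Active Directory module and the default 60-day behaviour when tombstoneLifetime is absent; the Set-ADObject line at the end is a commented-out illustration of how the deleted object lifetime would be shortened.

```powershell
# Added example (not from the original article): read the two lifetimes that
# govern the AD Recycle Bin and derive the effective values. PowerShell 2.0 syntax.
Import-Module ActiveDirectory

$configNC = (Get-ADRootDSE).configurationNamingContext
$dsObject = Get-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$configNC" `
    -Properties 'msDS-deletedObjectLifetime', 'tombstoneLifetime'

# tombstoneLifetime is set to 180 in forests created with Windows Server 2003 SP1
# or later; when the attribute is absent the directory applies 60 days.
$tombstoneLifetime = if ($dsObject.tombstoneLifetime) {
    [int]$dsObject.tombstoneLifetime
} else { 60 }

# msDS-deletedObjectLifetime falls back to tombstoneLifetime when it is not set.
$deletedObjectLifetime = if ($dsObject.'msDS-deletedObjectLifetime') {
    [int]$dsObject.'msDS-deletedObjectLifetime'
} else { $tombstoneLifetime }

# The recycled stage always lasts tombstoneLifetime; a System State backup is
# only usable for as long as the shorter of the two periods.
$backupShelfLife = [Math]::Min($deletedObjectLifetime, $tombstoneLifetime)

New-Object PSObject -Property @{
    DeletedObjectLifetimeDays  = $deletedObjectLifetime
    RecycledObjectLifetimeDays = $tombstoneLifetime
    BackupShelfLifeDays        = $backupShelfLife
    TotalRetentionDays         = $deletedObjectLifetime + $tombstoneLifetime
}

# To shorten the deleted stage (for example to 30 days) and limit database growth:
# Set-ADObject -Identity $dsObject -Replace @{ 'msDS-deletedObjectLifetime' = 30 }
```

Check the reported BackupShelfLifeDays against your backup rotation: if you lower msDS-deletedObjectLifetime, the age limit on usable System State backups drops with it.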
It is important to realize that enabling Active Directory Recycle Bin immediately changes the state of all existing tombstoned objects to recycled, so anything deleted before the feature was enabled is no longer recoverable through it. It also introduces a learning curve, since Windows Server 2008 R2 ships no GUI utility dedicated to managing deleted objects. It is possible to browse and recover deleted objects using ldp.exe, and several third-party tools fill the void, such as the PowerGUI-based Active Directory Recycle Bin PowerPack or ADRecycleBin from Overall Solutions.
Microsoft's native tooling takes the form of a set of Active Directory module for Windows PowerShell cmdlets (Enable-ADOptionalFeature, Get-ADObject with the -IncludeDeletedObjects parameter and Restore-ADObject among them). For details regarding their syntax, refer to the TechNet Active Directory Recycle Bin Step-by-Step Guide. The majority of administrative tasks (deleting objects, viewing deleted objects, viewing deactivated links, viewing tombstones, recovering deleted objects or recycling deleted objects) can be delegated by granting the appropriate permissions. Finally, do not treat the AD Recycle Bin as a substitute for valid backups of your domain controllers: it helps with accidental deletions, not with a corrupted database or a lost forest.
Recovery of deleted Active Directory containers that host objects and child containers can be performed using authoritative restore (as described in the Active Directory Operations Guide) or by taking advantage of Recycle Bin capabilities (assuming, of course, the feature has been enabled). In the latter case, keep in mind that the restore must proceed from the top of the deleted hierarchy downward: each deleted object's lastKnownParent attribute points to its former parent, and a child cannot be restored until that parent exists again. An example of this approach can be found in the Restoring multiple, deleted Active Directory objects section of the Active Directory Recycle Bin Step-by-Step Guide.
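The top-down restore of a deleted hierarchy, covering both the cmdlet usage from the previous paragraph and the parent-first rule from this one, as an added example written for this page (not code from the original article or from the Step-by-Step Guide). It assumes the Active Directory module and a Recycle Bin that was already enabled when the deletion happened; the OU name 'Sales' and the helper function Restore-DeletedChildren are placeholders introduced here.

```powershell
# Added example (not from the original article): restore a deleted OU and every
# object that was beneath it, parent first, skipping anything already recycled.
# PowerShell 2.0 syntax; the OU name below is a placeholder.
Import-Module ActiveDirectory

$deletedOuName = 'Sales'   # placeholder: the RDN value of the OU that was deleted

# Deleted objects carry isDeleted=TRUE; the Deleted Objects container itself is
# excluded. Recycled objects also have isDeleted=TRUE but cannot be restored,
# so they are filtered out.
$candidates = Get-ADObject -Filter 'isDeleted -eq $true -and Name -ne "Deleted Objects"' `
    -IncludeDeletedObjects -Properties 'lastKnownParent', 'isRecycled', 'msDS-LastKnownRDN' |
    Where-Object { $_.ObjectClass -eq 'organizationalUnit' -and
                   $_.'msDS-LastKnownRDN' -eq $deletedOuName -and
                   -not $_.isRecycled }

if (-not $candidates) {
    throw "No restorable deleted OU named '$deletedOuName' found."
}
if (@($candidates).Count -gt 1) {
    throw "More than one deleted OU named '$deletedOuName'; restore by ObjectGUID instead."
}

function Restore-DeletedChildren {
    # Placeholder helper: restore every deleted object whose lastKnownParent is
    # the (now live) parent DN, then recurse so nested containers come back in
    # parent-first order.
    param([string]$ParentDN)
    $filter = 'lastKnownParent -eq "{0}"' -f $ParentDN
    $children = Get-ADObject -Filter $filter -IncludeDeletedObjects -Properties 'isRecycled'
    foreach ($child in $children) {
        if ($child.isRecycled) {
            Write-Warning "$($child.Name) is already recycled and cannot be restored."
            continue
        }
        $live = Restore-ADObject -Identity $child.ObjectGUID -PassThru
        Write-Host "Restored $($live.DistinguishedName)"
        Restore-DeletedChildren -ParentDN $live.DistinguishedName
    }
}

# Restore the container first; its former children reference it through
# lastKnownParent and would fail to restore while it is still deleted.
$liveOu = Restore-ADObject -Identity $candidates.ObjectGUID -PassThru
Write-Host "Restored $($liveOu.DistinguishedName)"
Restore-DeletedChildren -ParentDN $liveOu.DistinguishedName
```

If an object with the same name was re-created at the original location after the deletion, Restore-ADObject fails on the conflict; restore that object with -NewName or -TargetPath and reconcile manually. The filter is built from the parent DN as a string, so a DN containing double quotes would need escaping before use.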
Active Directory domain and forest recovery are considerably more complex topics, since they typically extend beyond the scope of Directory Services. While Microsoft offers some assistance in this area (e.g., the Planning for Active Directory Forest Recovery guide published in the TechNet Library), you should create your own detailed disaster recovery documentation that takes into account all relevant infrastructure dependencies specific to your environment. In addition, keep in mind that some components viewed as inherently tied to Active Directory (e.g., Group Policy objects, whose templates live in the SYSVOL share hosted on domain controllers) warrant their own backup and restore strategy, since SYSVOL content is not recoverable via the methods described above.