Active Directory Recycle Bin: Usage Guidelines

Original author: Andrew Zhelezko
  • Translation
  • Tutorial
We continue to publish a series of articles devoted to the restoration of Active Directory objects and the tools used for this.

In the previous article, we looked at cases where administrators have to work with domain controllers in a forest whose Active Directory forest functional level is set to Windows Server 2003 or Windows Server 2008. As you remember, we examined in detail the steps needed to restore tombstone objects using the LDP utility and the Veeam Explorer for Microsoft Active Directory tool.

Today let's move on to more modern systems that allow you to use the Active Directory Recycle Bin feature. Details below the cut.



How the Active Directory Recycle Bin Works


Microsoft first implemented the long-awaited Active Directory Recycle Bin in Windows Server 2008 R2. This changed the life cycle of Active Directory objects and the way they are deleted. Now, after an object is deleted, the following happens:

  1. Immediately after deletion, the object is moved to the Deleted Objects container, where it stays until its deleted-object lifetime expires (by default, this lifetime is equal to the recycled-object lifetime).
    Important! All linked and non-linked attributes of the object are kept in the system for this whole period. This means that during the specified period the object can be restored together with all of its attributes.
  2. When the deleted-object lifetime expires, the system changes the object's state to recycled and clears most of its attributes. The object becomes similar to a deleted (tombstone) object in Windows Server 2003 and Windows Server 2008, with one difference: it can no longer be restored.
  3. When the recycled-object lifetime expires (180 days by default), garbage collection removes the object automatically.

Schematically, these stages can be represented as follows:



Enabling Active Directory Recycle Bin


Currently, the Recycle Bin is not enabled by default on any Windows Server OS. To use it, you need to prepare the infrastructure: make sure that all domain controllers are running Windows Server 2008 R2 or higher, and raise the forest functional level to Windows Server 2008 R2 or higher.

Useful: Enabling the Active Directory Recycle Bin, like any other significant change to the settings of Active Directory (or of any other production system), should first be tested in a sandbox. You can use Veeam virtual lab technology for this. In addition to the domain controller, you can run other mission-critical virtual machines in the virtual lab. This technology helps a lot when testing multi-tier application compatibility after making changes. Depending on the configuration, the virtual lab can be started from backups, replicas, or even storage snapshots. This helps avoid unpleasant surprises when changing the settings of the production environment.

Before you start using the Active Directory Recycle Bin, consider the following:

  1. When you enable the Active Directory Recycle Bin, all existing tombstone objects become recycled objects, and it is impossible to restore them after that.
  2. Restoring several dependent objects can be difficult, because it must be performed in a strictly defined order, starting from the upper levels of the hierarchy.
  3. In Windows Server 2008 R2, all Recycle Bin operations are performed with PowerShell cmdlets. In Windows Server 2012, all Recycle Bin operations can also be performed through the graphical interface using the Active Directory Administrative Center (ADAC).
  4. The Recycle Bin has nothing to do with Active Directory backup and will not let you restore an entire domain controller if it is damaged.
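
The checks and the hierarchy-ordered restore described above, as an added PowerShell example (not code from the original article or from Veeam): it verifies the domain controller and forest functional level prerequisites, enables the Recycle Bin, and restores a deleted OU with its former children, parents first. It assumes the ActiveDirectory RSAT module and Enterprise Admins rights; the OU name 'Sales' is a placeholder.

```powershell
# Added example, not from the original article. Assumes the ActiveDirectory
# RSAT module and Enterprise Admins rights; 'Sales' is a placeholder OU name.
Import-Module ActiveDirectory

$forest = Get-ADForest

# 1. Every domain controller must run Windows Server 2008 R2 (NT 6.1) or later.
$oldDCs = Get-ADDomainController -Filter * | Where-Object {
    [version](($_.OperatingSystemVersion -split ' ')[0]) -lt [version]'6.1'
}
if ($oldDCs) { throw "Domain controllers below 2008 R2: $($oldDCs.Name -join ', ')" }

# 2. The forest functional level must be Windows Server 2008 R2 or higher.
$minMode = [Microsoft.ActiveDirectory.Management.ADForestMode]::Windows2008R2Forest
if ([int]$forest.ForestMode -lt [int]$minMode) {
    throw "Forest functional level $($forest.ForestMode) is too low"
}

# 3. Enable the Recycle Bin once for the whole forest. This cannot be undone,
#    and existing tombstones become recycled objects, as the article warns.
$feature = Get-ADOptionalFeature -Filter 'Name -eq "Recycle Bin Feature"'
if (-not $feature.EnabledScopes) {
    Enable-ADOptionalFeature -Identity $feature -Scope ForestOrConfigurationSet `
        -Target $forest.Name -Confirm:$false
}

# 4. Restore a subtree top-down: a child can only be restored after its parent
#    exists again. An object already marked isRecycled has outlived its
#    deleted-object lifetime and is skipped, because it can no longer be restored.
function Restore-DeletedSubtree {
    param([Microsoft.ActiveDirectory.Management.ADObject]$Object)
    if ($Object.isRecycled) { Write-Warning "Recycled, not restorable: $($Object.DistinguishedName)"; return }
    Restore-ADObject -Identity $Object
    $parentDN = (Get-ADObject -Identity $Object.ObjectGUID).DistinguishedName
    # Deleted children keep their pre-deletion parent DN in lastKnownParent,
    # which matches the parent's DN once it is back in its original location.
    Get-ADObject -Filter 'isDeleted -eq $true -and lastKnownParent -eq $parentDN' `
        -IncludeDeletedObjects -Properties isRecycled, lastKnownParent |
        ForEach-Object { Restore-DeletedSubtree -Object $_ }
}

$ouName = 'Sales'   # placeholder: the deleted OU's former name
$deletedOU = Get-ADObject -IncludeDeletedObjects -Properties isRecycled `
    -Filter 'isDeleted -eq $true -and msDS-LastKnownRDN -eq $ouName -and objectClass -eq "organizationalUnit"'
if (-not $deletedOU) { throw "No deleted OU named $ouName found" }
Restore-DeletedSubtree -Object $deletedOU
```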

Pros and Cons of Active Directory Recycle Bin


When you enable the Active Directory Recycle Bin, a new Deleted Objects container appears in the Active Directory Administrative Center. In this container you will find all deleted objects; you can view their properties and restore them to their original location or to any other location of your choice.



Although at first glance it is much easier to restore individual objects with this feature than with the LDP utility or an authoritative restore of a domain controller, there are some pitfalls to keep in mind. The pros and cons of using the Active Directory Recycle Bin are listed below.

Pros


  1. A universal method for forests with a functional level of Windows Server 2008 R2 (and later).
  2. Long object lifetime (the default of 180 days is enough to solve most problems).
  3. Object attributes are preserved for the whole lifetime.
  4. No restart of the domain controller is required.
  5. A graphical management interface (ADAC) in Windows Server 2012 and higher.

Cons


  1. Does not work for forests with a forest functional level of Windows Server 2008 or earlier.
  2. Not suitable for restoring modified objects (an object can be restored only if it was deleted).
  3. Recovery is possible only during the object's lifetime.
  4. Provides no protection against problems with the domain controller itself (it is no substitute for a backup).
  5. Does not support automatic recovery of a hierarchy.

The second point is especially important here. What should you do if the object was not deleted but accidentally modified, and the error was noticed much later? Unfortunately, the Recycle Bin will not help here, and a different solution is required for this problem.

How Veeam Works Around the Recycle Bin's Limitations


Of course, for most of you the Recycle Bin's drawbacks will not be a reason to abandon it. However, those who want a universal solution for every task should think about overcoming the Recycle Bin's shortcomings. This is where Veeam enters the scene with the already discussed Veeam Explorer for Active Directory. This tool completely removes the Active Directory Recycle Bin's restrictions:

  • With it, all Active Directory objects are protected for the entire backup retention period.
  • It can be used for forests with a forest functional level of Windows Server 2003 and higher.

Important! This tool is included with all editions of Veeam Backup & Replication, including its free edition.

Using Veeam Backup & Replication and Veeam Explorer for Active Directory together, you can instantly restore an entire domain controller or restore individual Active Directory objects: organizational units (OUs), computer and user accounts along with their passwords, Group Policy objects, DNS records, etc. In addition, by launching the Explorer, you can easily compare the objects in the backup with the current objects in the production environment, detect differences, and identify changed attributes.

The following is an example of a situation where the administrator has detected a change in the attributes of a user account and needs to restore it to its original state.



In any case, if you prepare in advance for dealing with the consequences of possible Active Directory failures and test the various tools for solving this problem, you will be able to sleep soundly in the future.

Links


Article on Habr: Recovering deleted AD objects from tombstone objects
Article on Habr: Restoring a domain controller from backup using Veeam
Article on Habr: Backing up domain controllers using Veeam
