Enabling and Managing the Active Directory Recycle Bin

So, you have upgraded all your DCs in the forest to Windows Server 2008 R2 and raised the domain and forest functional levels to Windows Server 2008 R2. Congratulations!
Now what?

Yes, you have to enable the AD Recycle Bin manually by running the following PowerShell commands:

Import-Module ActiveDirectory

Enable-ADOptionalFeature -Identity 'CN=Recycle Bin Feature,CN=Optional Features,CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=DOMAIN,DC=com' -Scope ForestOrConfigurationSet -Target 'DOMAIN.com'
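As an added example (not from the original post), here is a check-then-enable wrapper: it reports the forest functional level and the feature's current EnabledScopes before doing anything, and gates the enable step behind ShouldProcess so -WhatIf and -Confirm work. The function names Test-ADRecycleBin and Enable-ADRecycleBinIfReady are my own.

```powershell
# Added example: verify prerequisites and current state before enabling the AD Recycle Bin.
Import-Module ActiveDirectory

function Test-ADRecycleBin {
    [CmdletBinding()]
    param()
    $forest  = Get-ADForest
    $feature = Get-ADOptionalFeature -Identity 'Recycle Bin Feature'
    $minMode = [int][Microsoft.ActiveDirectory.Management.ADForestMode]::Windows2008R2Forest
    [pscustomobject]@{
        Forest        = $forest.Name
        ForestMode    = $forest.ForestMode
        ModeOK        = ([int]$forest.ForestMode -ge $minMode)   # 2008 R2 forest level or higher
        Enabled       = ($feature.EnabledScopes.Count -gt 0)      # empty EnabledScopes = not enabled
        EnabledScopes = $feature.EnabledScopes
    }
}

function Enable-ADRecycleBinIfReady {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param()
    $state = Test-ADRecycleBin
    if ($state.Enabled) {
        Write-Verbose "Recycle Bin already enabled for: $($state.EnabledScopes -join ', ')"
        return $state
    }
    if (-not $state.ModeOK) {
        throw "Forest functional level '$($state.ForestMode)' is below Windows Server 2008 R2; raise it first."
    }
    # Enabling is a one-way change: there is no cmdlet to disable the feature again.
    if ($PSCmdlet.ShouldProcess($state.Forest, 'Enable Active Directory Recycle Bin (irreversible)')) {
        Enable-ADOptionalFeature -Identity 'Recycle Bin Feature' -Scope ForestOrConfigurationSet `
            -Target $state.Forest -Confirm:$false
        return Test-ADRecycleBin
    }
}

# Dry run first, then the real thing (prompts because ConfirmImpact is High).
Enable-ADRecycleBinIfReady -WhatIf
Enable-ADRecycleBinIfReady -Verbose
```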

Note that this effectively removes the importance of the Infrastructure Master FSMO since all DCs will perform that role. From MSDN:

When the Recycle Bin optional feature is enabled, every DC is responsible for updating its cross-domain object references in the event that the referenced object is moved, renamed, or deleted. In this case, there are no tasks associated with the Infrastructure FSMO role, and it is not important which domain controller owns the Infrastructure Master role.

Another interesting note regarding the AD Recycle Bin: the feature was introduced in Windows Server 2008 R2 and, as such, no GUI came with it. The Active Directory Administrative Center in Windows Server 2012 does include a Recycle Bin GUI. So don’t be surprised that the GUI doesn’t change after you enable the Recycle Bin on 2008 R2.

For now, you can leverage PowerShell cmdlets, Get-ADObject and Restore-ADObject.
With PowerShell, half the battle is knowing which cmdlets perform certain actions.

Here’s the PowerShell way for restoring deleted items:

The recommended approach is to use the Get-ADObject cmdlet to retrieve the deleted object and then pass that object through the pipeline to the Restore-ADObject cmdlet.

Import the Active Directory PowerShell module by running:

  Import-Module ActiveDirectory

  Get-ADObject -Filter { <filter expression> } -IncludeDeletedObjects | Restore-ADObject

Possible filter options:

  • Get-ADObject -Filter { SAMAccountName -eq "JGrey" } -IncludeDeletedObjects
  • Get-ADObject -Filter { DisplayName -like "*Grey*" } -IncludeDeletedObjects

Get-Help Get-ADObject -Full provides the full help screen for the command.

You can also use -Examples to show only examples of how to use the command.

Once you have found the objects you want to restore, pipe the output of that Get-ADObject command to Restore-ADObject by appending | Restore-ADObject.

Here’s some additional information from the Recycle Bin article:

Restoring multiple, deleted Active Directory objects

Consider the following scenario: An administrator at Contoso.com accidentally deletes a nested organizational unit (OU) called Finance_Department, which contains user accounts for employees in the Finance department. The administrator deletes another OU called Admins, which contains user accounts for administrative assistants that work for the Finance department. Brian and Mary are user accounts in the Finance_Department OU. Tom is a user account in the Admins OU. The following illustration shows the Finance_Department OU.

When the Finance_Department OU is deleted, all its objects (a total of five objects) are moved to the Deleted Objects container, with their distinguished names mangled. The Deleted Objects container displays all logically deleted objects in a flat hierarchy as its direct children. The recommended approach to restoring a nested OU to its original state is to use the Get-ADObject Active Directory module cmdlet to retrieve the deleted objects one hierarchy level at a time and then to pass those objects through the pipeline to the Restore-ADObject cmdlet. If the administrator is not familiar with the original hierarchy of the Finance_Department OU, the administrator must first use the Get-ADObject cmdlet to perform several investigation steps:

For example, the administrator decides to search for the user account Mary with the Get-ADObject cmdlet, using the msDS-lastKnownRDN attribute in the LDAPFilter parameter and constructing the command so that the lastKnownParent attribute of Mary is returned, as follows:

Get-ADObject -SearchBase "CN=Deleted Objects,DC=contoso,DC=com" -LDAPFilter "(msDS-lastKnownRDN=Mary)" -IncludeDeletedObjects -Properties lastKnownParent

In the output that the Get-ADObject cmdlet returns, the administrator notices that the value for lastKnownParent of Mary is Finance_Department. The administrator also notices that the distinguished name of the Finance_Department OU is mangled, which indicates that the Finance_Department OU object itself is deleted. (An example of a mangled distinguished name is OU=Finance_Department\0ADEL:e954edda-db8c-41be-bbbd-599bef5a5f2a,CN=Deleted Objects,DC=contoso,DC=com.)

The administrator then decides to search for all the objects in the Deleted Objects container whose lastKnownParent value is Finance_Department, using the following command:

Get-ADObject -SearchBase "CN=Deleted Objects,DC=contoso,DC=com" -Filter {lastKnownParent -eq 'OU=Finance_Department\\0ADEL:e954edda-db8c-41be-bbbd-599bef5a5f2a,CN=Deleted Objects,DC=contoso,DC=com'} -IncludeDeletedObjects -Properties lastKnownParent | ft

Note:
Make sure that you escape the slash (\) in the mangled distinguished name that is used in the Get-ADObject cmdlet with another slash.

In the output that the Get-ADObject cmdlet returns, the administrator notices that Admins is an OU itself.

The administrator further searches for all the deleted objects with a lastKnownParent attribute equal to Admins, using the following command:

Get-ADObject -SearchBase "CN=Deleted Objects,DC=contoso,DC=com" -Filter {lastKnownParent -eq 'OU=Admins\\0ADEL:6b405c87-027c-4135-95af-36c31002be5a,CN=Deleted Objects,DC=contoso,DC=com'} -IncludeDeletedObjects -Properties lastKnownParent | ft

Note:
Make sure that you escape the slash (\) in the mangled distinguished name that is used in the Get-ADObject cmdlet with another slash.

In the output that the Get-ADObject cmdlet returns, the administrator finds the user account Tom.

In Windows Server 2008 R2, deleted nested objects must be restored from the highest level of their hierarchy to a live parent. Therefore, the Finance_Department OU object must be restored first. Because all previous investigation steps were performed using the lastKnownParent attribute, which points to the direct parent of the object and does not indicate whether the next parent object is also deleted, as a check the administrator can verify that the value of lastKnownParent for Finance_Department is indeed a live OU by running the following command:

Get-ADObject -SearchBase "CN=Deleted Objects,DC=contoso,DC=com" -LDAPFilter "(msDS-lastKnownRDN=Finance_Department)" -IncludeDeletedObjects -Properties lastKnownParent

This concludes the investigation and the administrator is ready to restore the Finance_Department OU to its original hierarchy and state.

Important:
It is critical to begin restoring objects from the highest level of the hierarchy because deleted objects must be restored to a live parent.

To restore the Finance_Department OU

Click Start, click Administrative Tools, right-click Active Directory Module for Windows PowerShell, and then click Run as administrator.

Restore the Finance_Department OU by running the following command at the Active Directory Module for Windows PowerShell prompt:

Get-ADObject -LDAPFilter "(msDS-LastKnownRDN=Finance_Department)" -IncludeDeletedObjects | Restore-ADObject

Restore the user accounts Brian and Mary and the Admins OU (the direct children of the Finance_Department OU whose distinguished name was restored to OU=Finance_Department,DC=contoso,DC=com in the previous step) by running the following command at the Active Directory Module for Windows PowerShell prompt:

Get-ADObject -SearchBase "CN=Deleted Objects,DC=contoso,DC=com" -Filter {lastKnownParent -eq "OU=Finance_Department,DC=contoso,DC=com"} -IncludeDeletedObjects | Restore-ADObject

Restore the user account Tom (the direct child of the Admins OU whose distinguished name was restored to OU=Admins,OU=Finance_Department,DC=contoso,DC=com in the previous step) by running the following command at the Active Directory Module for Windows PowerShell prompt:

Get-ADObject -SearchBase "CN=Deleted Objects,DC=contoso,DC=com" -Filter {lastKnownParent -eq "OU=Admins,OU=Finance_Department,DC=contoso,DC=com"} -IncludeDeletedObjects | Restore-ADObject

For a sample Windows PowerShell script that you can use to restore a deleted tree of Active Directory objects, see Appendix B: Restore Multiple, Deleted Active Directory Objects (Sample Script).
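The Appendix B script is not reproduced here. As an added example (my own code, not the article's or the post's), the following generalizes the three manual restore steps above into a recursive top-down restore: it restores the top-level object, re-reads its restored distinguished name, then finds and restores every deleted object whose lastKnownParent now resolves to that DN, one level at a time. It refuses to start if the requested object's own parent is still deleted, since deleted objects can only be restored to a live parent. The function names Restore-ADSubtree and Restore-ADDeletedTree are assumptions.

```powershell
# Added example: restore a deleted OU subtree top-down by walking lastKnownParent one level at a time.
Import-Module ActiveDirectory

function Restore-ADSubtree {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)][Microsoft.ActiveDirectory.Management.ADObject]$Object,
        [Parameter(Mandatory = $true)][string]$DeletedObjectsDN
    )
    # Restore this object first: its children can only be restored under a live parent.
    Restore-ADObject -Identity $Object.ObjectGUID
    # Re-read by GUID to learn the restored (no longer mangled) distinguished name.
    $live   = Get-ADObject -Identity $Object.ObjectGUID
    $liveDN = $live.DistinguishedName
    Write-Verbose "Restored $liveDN"

    # lastKnownParent is a DN-syntax attribute, so for the children it now resolves to the restored DN.
    $children = @(Get-ADObject -SearchBase $DeletedObjectsDN -IncludeDeletedObjects `
                  -Filter { lastKnownParent -eq $liveDN } -Properties lastKnownParent)
    foreach ($child in $children) {
        Restore-ADSubtree -Object $child -DeletedObjectsDN $DeletedObjectsDN | Out-Null
    }
    return $live
}

function Restore-ADDeletedTree {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)][string]$LastKnownRDN,   # e.g. 'Finance_Department'
        [string]$DeletedObjectsDN = 'CN=Deleted Objects,' + (Get-ADDomain).DistinguishedName
    )
    $roots = @(Get-ADObject -SearchBase $DeletedObjectsDN -IncludeDeletedObjects `
               -LDAPFilter "(msDS-LastKnownRDN=$LastKnownRDN)" -Properties lastKnownParent)
    if ($roots.Count -ne 1) {
        throw "Expected exactly one deleted object with msDS-LastKnownRDN '$LastKnownRDN', found $($roots.Count)."
    }
    $root = $roots[0]
    # The parent must be live; if it is deleted as well, the restore has to start one level higher.
    $parent = Get-ADObject -Identity $root.lastKnownParent -IncludeDeletedObjects -ErrorAction SilentlyContinue
    if (-not $parent -or $parent.Deleted) {
        throw "lastKnownParent '$($root.lastKnownParent)' is not a live object; start the restore there."
    }
    Restore-ADSubtree -Object $root -DeletedObjectsDN $DeletedObjectsDN
}

# Usage with the article's Contoso scenario: restores Finance_Department, then Brian, Mary and Admins, then Tom.
Restore-ADDeletedTree -LastKnownRDN 'Finance_Department' -Verbose
```

Because the script does the restores as it walks the tree, run the investigation queries from the article first if you are unsure which top-level object to name.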
