
Kyle Beckman wrote a short but useful piece on the portal http://4sysops.com about the changes to the AD Recycle Bin in Windows Server 2012. His review seemed quite interesting to us, so we are publishing a translation on Habrahabr. Details under the cut.
Since its introduction in Windows Server 2008 R2, the AD Recycle Bin has changed significantly: Windows Server 2012 adds a graphical interface. The AD Recycle Bin lets you recover deleted AD objects without performing a restore of AD or reanimating tombstone objects. The new Recycle Bin also preserves group membership and attribute information, so you no longer have to restore those settings by hand, as you had to with tombstone objects.
Initially the AD Recycle Bin was accessible only through PowerShell. In Windows Server 2012, you can work with deleted objects through the Active Directory Administrative Center (ADAC), which has a graphical interface. By default, when you create a new forest or domain, the AD Recycle Bin is turned off. Once you turn it on, you cannot turn it off. I therefore recommend that you first try everything in a test environment: enabling this feature changes the way AD stores deleted objects.
First you need the following:
• At least one domain controller running Windows Server 2012 with the Active Directory Administrative Center installed.
• All domain controllers (or servers running AD LDS) must run Windows Server 2008 R2 or higher.
• The forest must be at the Windows Server 2008 R2 forest functional level.
Forest Functional Level
First, make sure that the forest is at the required forest functional level. The easiest way to check is the PowerShell cmdlet Get-ADForest. Run:
Get-ADForest yourdomain.local
In the PowerShell window you can see that the forest is running in Windows Server 2008 mode and must be raised at least to the Windows Server 2008 R2 level. Run the Set-ADForestMode cmdlet:
Set-ADForestMode -Identity yourdomain.local -ForestMode Windows2008R2Forest
Confirm, and you're done. If we run Get-ADForest yourdomain.local again, we see that the forest mode has changed.
Enable the Active Directory Recycle Bin in Windows Server 2012
Now that the forest functional level is at the minimum required level, we can enable the AD Recycle Bin. Again, the easiest way to do this is through PowerShell:
Enable-ADOptionalFeature -Identity 'CN=Recycle Bin Feature,CN=Optional Features,CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=ad,DC=4sysops,DC=com' -Scope ForestOrConfigurationSet -Target 'ad.4sysops.com'
Confirm enabling the Recycle Bin.
After these steps we can start testing what the Recycle Bin can do. It is accessible through the Active Directory Administrative Center (ADAC) on the Start screen of your domain controller.
In ADAC, select the domain (in this case ad.local) and you will see the Deleted Objects container. There is hardly anything in it yet, so let's create some test objects that we can delete. I created several users and security groups. Now delete them.
They now appear in the Deleted Objects container.
Select the objects you want to restore and click the Restore button. The objects are restored to their original OU as if they had never been deleted.
That's all. The graphical interface is quite simple, but it is a long-awaited addition in Windows Server 2012. Unfortunately, the graphical interface shows you only the object name, last known parent and GUID. If you need more detail, you must first restore the object and then delete it again if it turns out not to be the one you need.
Things to keep in mind
Deleted objects are kept in the AD Recycle Bin for 180 days. For most organizations this is too long. How to change the retention period is described on Technet.
Enabling the AD Recycle Bin is an irreversible process, so evaluate it in a test environment first. If your AD environment contains many objects and many deletions are performed, check how much the database grows and whether any domain controller updates are required.
In addition to ADAC, AD objects can be restored from the Recycle Bin using PowerShell or ldp.exe (see the details on 4sysops).
The AD Recycle Bin does not replace backups and a recovery strategy! Make regular backups of your AD environment. The Recycle Bin helps in cases where something was deleted by accident and you need to restore the objects with minimal effort.
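The PowerShell path for the whole procedure (check the forest level, enable the feature, list what is in the Recycle Bin, restore one user) as an added example; this is not code from the 4sysops article. It assumes the RSAT ActiveDirectory module, Enterprise Admins rights for enabling the feature, and the placeholder account name used at the bottom; the forest and feature DN are read from the live directory rather than hard-coded.

```powershell
# Added example (not from the original article). Assumes the RSAT ActiveDirectory
# module and rights to enable the optional feature; 'jsmith' below is a placeholder.
Import-Module ActiveDirectory

function Test-RecycleBinEnabled {
    # The forest functional level must be Windows Server 2008 R2 or higher.
    $forest  = Get-ADForest
    $minimum = [Microsoft.ActiveDirectory.Management.ADForestMode]::Windows2008R2Forest
    if ([int]$forest.ForestMode -lt [int]$minimum) {
        throw "Forest mode is $($forest.ForestMode); raise it with Set-ADForestMode first."
    }
    # An optional feature counts as enabled when it has at least one enabled scope.
    $feature = Get-ADOptionalFeature -Filter 'Name -eq "Recycle Bin Feature"'
    return ($feature.EnabledScopes.Count -gt 0)
}

function Enable-RecycleBin {
    if (Test-RecycleBinEnabled) { Write-Host 'AD Recycle Bin is already enabled'; return }
    # Same feature DN as in the article, built from this forest's configuration NC.
    $configNc  = (Get-ADRootDSE).configurationNamingContext
    $featureDn = "CN=Recycle Bin Feature,CN=Optional Features,CN=Directory Service,CN=Windows NT,CN=Services,$configNc"
    # Irreversible change: the cmdlet's own confirmation prompt is deliberately left on.
    Enable-ADOptionalFeature -Identity $featureDn -Scope ForestOrConfigurationSet -Target (Get-ADForest).Name
}

function Get-RecycleBinContents {
    # Deleted objects are hidden unless -IncludeDeletedObjects is given; skip the container itself.
    Get-ADObject -Filter { isDeleted -eq $true -and name -ne 'Deleted Objects' } `
        -IncludeDeletedObjects -Properties sAMAccountName, lastKnownParent, whenChanged |
        Select-Object Name, ObjectClass, sAMAccountName, lastKnownParent, whenChanged, ObjectGUID
}

function Restore-DeletedUser {
    param([Parameter(Mandatory)][string]$SamAccountName)
    $obj = Get-ADObject -Filter { sAMAccountName -eq $SamAccountName -and isDeleted -eq $true } `
        -IncludeDeletedObjects -Properties lastKnownParent
    if (-not $obj) { throw "No deleted object with sAMAccountName '$SamAccountName' found." }
    # Restore-ADObject fails if the original OU is gone too; that OU must be restored first.
    $parent = Get-ADObject -Filter { distinguishedName -eq $obj.lastKnownParent } -ErrorAction SilentlyContinue
    if (-not $parent) {
        throw "Last known parent '$($obj.lastKnownParent)' no longer exists; restore it before this object."
    }
    Restore-ADObject -Identity $obj.ObjectGUID
    return Get-ADUser -Identity $SamAccountName
}

# Usage (placeholder account name):
# Enable-RecycleBin
# Get-RecycleBinContents | Format-Table
# Restore-DeletedUser -SamAccountName 'jsmith'
```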
Upd: The post contains translations of two articles from the portal 4sysops.com: "Active Directory Recycle Bin in Windows Server 2012 - Part 1: Enable" and "AD Recycle Bin in Windows Server 2012 - Part 2: Usage".