We continue our series of articles on restoring Active Directory objects and the tools used for it.
In the previous article we looked at the cases where administrators have to work with domain controllers in a forest whose functional level is set to Windows Server 2003 or Windows Server 2008. As you may recall, we went through in detail the steps needed to restore tombstone objects using the LDP utility and Veeam Explorer for Microsoft Active Directory.
Today we move on to more modern systems that allow the use of the Active Directory Recycle Bin feature. The details follow below.

How the Active Directory Recycle Bin works
Microsoft first implemented the long-awaited Active Directory Recycle Bin in Windows Server 2008 R2. With it, the life cycle of Active Directory objects and the order in which they are removed changed. With the Recycle Bin enabled, a deleted object now goes through the following stages:
- Immediately after deletion, the object is marked as deleted (isDeleted = TRUE) and moved to the Deleted Objects container, where it remains until the deleted object lifetime expires (msDS-DeletedObjectLifetime; by default it is equal to the tombstone lifetime).
Important! Both linked and non-linked attributes of the object are kept for that entire period. This means that during it the object can be restored together with all of its attributes, including group memberships.
- When the deleted object lifetime expires, the system marks the object as recycled (isRecycled = TRUE) and strips most of its attributes. The object becomes the equivalent of a tombstone in Windows Server 2003 and Windows Server 2008, with one difference: it can no longer be restored.
- When the tombstone lifetime expires (by default 180 days for forests created on Windows Server 2003 SP1 or later; 60 days in older forests where the tombstoneLifetime attribute was never set), the recycled object is physically removed by the garbage collector.
Schematically, these stages can be represented as:
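As an added example (not part of the original article), the following PowerShell reads the two lifetimes that drive these stages and lists every object currently in the Deleted Objects container together with the stage it is in. It assumes the ActiveDirectory module (RSAT) and an account allowed to read deleted objects; whenChanged is used as an approximation of the deletion time, since Active Directory stores no dedicated deletion timestamp.

```powershell
# Added example, not from the original article. Assumes the ActiveDirectory module
# and rights to read CN=Deleted Objects (Domain Admins have them by default).
Import-Module ActiveDirectory

$rootDse    = Get-ADRootDSE
$dsSettings = Get-ADObject `
    -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$($rootDse.configurationNamingContext)" `
    -Properties tombstoneLifetime, msDS-DeletedObjectLifetime

# tombstoneLifetime is absent in forests created before Windows Server 2003 SP1 (built-in default: 60 days).
# msDS-DeletedObjectLifetime is absent until somebody sets it; the directory then uses tombstoneLifetime.
$tombstoneLifetime = if ($dsSettings.tombstoneLifetime) { $dsSettings.tombstoneLifetime } else { 60 }
$deletedLifetime   = if ($dsSettings.'msDS-DeletedObjectLifetime') { $dsSettings.'msDS-DeletedObjectLifetime' } else { $tombstoneLifetime }
"Deleted object lifetime: $deletedLifetime days; tombstone lifetime: $tombstoneLifetime days"

# Everything in the Deleted Objects container except the container itself (it also carries isDeleted=TRUE).
$deleted = Get-ADObject -IncludeDeletedObjects `
    -Filter 'isDeleted -eq $true -and name -ne "Deleted Objects"' `
    -Properties isDeleted, isRecycled, whenChanged, lastKnownParent, msDS-LastKnownRDN

$deleted | ForEach-Object {
    if ($_.isRecycled) {
        # Stage 2: attributes stripped, not restorable; garbage collection removes it after tombstoneLifetime.
        $stage = 'recycled (not restorable)'
        $next  = 'garbage collection'
    } else {
        # Stage 1: restorable with all attributes until deletedLifetime days have passed since deletion.
        $stage = 'deleted (restorable)'
        $next  = 'recycled on ~' + $_.whenChanged.AddDays($deletedLifetime).ToString('yyyy-MM-dd')
    }
    [pscustomobject]@{
        OriginalName    = $_.'msDS-LastKnownRDN'   # the RDN the object had before deletion
        Class           = $_.ObjectClass
        Stage           = $stage
        LastKnownParent = $_.lastKnownParent        # where it lived, needed for a hierarchy restore
        NextStep        = $next
    }
} | Sort-Object Stage, OriginalName | Format-Table -AutoSize
```

Objects listed as "deleted (restorable)" are the only ones Restore-ADObject can bring back; anything already "recycled" is in the same state as a Windows Server 2003/2008 tombstone and can only be recovered from a backup.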

Enabling the Active Directory Recycle Bin
Currently, the Recycle Bin is not enabled by default in any Windows Server version. To use it you need to prepare the infrastructure: make sure that all domain controllers in the forest are running Windows Server 2008 R2 or later, and raise the forest functional level to Windows Server 2008 R2 or later.
Tip: Enabling the Active Directory Recycle Bin, like any other significant change to Active Directory settings (or to any other production system), should first be tested in a sandbox. For this you can use Veeam's virtual lab technology. Besides the domain controller, you can run other critical virtual machines in the virtual lab, which helps a lot when testing the compatibility of multi-tier applications after a change. Depending on the configuration, the virtual lab can be started from backups, replicas, or even storage snapshots. This avoids unpleasant surprises when changing the settings of the production environment.
Before you start using the Active Directory Recycle Bin, consider the following:
- When you enable the Active Directory Recycle Bin, all existing tombstone objects become recycled objects, and it will be impossible to restore them after that. The change is irreversible.
- Restoring several dependent objects can be tricky, because they must be restored in a strict order, starting from the top of the hierarchy: a parent OU before the objects it contained.
- In Windows Server 2008 R2, all Recycle Bin operations are performed with PowerShell cmdlets (the ActiveDirectory module). Starting with Windows Server 2012, they can also be performed through the GUI in the Active Directory Administrative Center (ADAC).
- The Recycle Bin has nothing to do with Active Directory backups and will not let you restore an entire domain controller if it is damaged.
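The prerequisite checks and the enable step above, as an added PowerShell example (not from the original article). It assumes the ActiveDirectory module and an account in Enterprise Admins; the forest name is read from Get-ADForest rather than hard-coded.

```powershell
# Added example, not from the original article. Run on a DC or RSAT host as Enterprise Admin.
Import-Module ActiveDirectory
$forest = Get-ADForest

# Prerequisite 1: every DC in every domain of the forest runs Windows Server 2008 R2 or later.
$oldDcs = foreach ($domain in $forest.Domains) {
    Get-ADDomainController -Filter * -Server $domain |
        Where-Object { $_.OperatingSystem -notmatch 'Server (2008 R2|201\d|202\d)' }
}
if ($oldDcs) {
    $oldDcs | Select-Object HostName, OperatingSystem | Format-Table -AutoSize
    throw 'Upgrade or demote the domain controllers listed above before enabling the Recycle Bin.'
}

# Prerequisite 2: forest functional level Windows Server 2008 R2 or later.
$minMode = [Microsoft.ActiveDirectory.Management.ADForestMode]::Windows2008R2Forest
if ($forest.ForestMode -lt $minMode) {
    throw "Forest functional level is $($forest.ForestMode); raise it (Set-ADForestMode) before continuing."
}

# Idempotence check: EnabledScopes is non-empty once the feature has been enabled.
$feature = Get-ADOptionalFeature -Identity 'Recycle Bin Feature'
if ($feature.EnabledScopes.Count -gt 0) {
    "Recycle Bin is already enabled for: $($feature.EnabledScopes -join ', ')"
    return
}

# Irreversible: existing tombstones become recycled objects and can no longer be restored.
Enable-ADOptionalFeature -Identity 'Recycle Bin Feature' `
    -Scope ForestOrConfigurationSet -Target $forest.Name -Confirm:$false

# Verify on the DC you are connected to; other DCs see it once the configuration partition replicates.
(Get-ADOptionalFeature -Identity 'Recycle Bin Feature').EnabledScopes
```

Because the change is forest-wide and cannot be undone, run the first three blocks on their own (stopping before Enable-ADOptionalFeature) in the sandbox first, and only then in production.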
Pros and cons of the Active Directory Recycle Bin
When you enable the Active Directory Recycle Bin, a new Deleted Objects container appears in the Active Directory Administrative Center. In it you will find all deleted objects, can view their properties, and can restore them to their original location or to any other location of your choice.

Although at first glance restoring individual objects with this feature is much easier than using the LDP utility or an authoritative restore of a domain controller, there are some pitfalls to keep in mind. Below are the pros and cons of using the Active Directory Recycle Bin.
Pros
- A universal method for forests at the Windows Server 2008 R2 functional level (and later).
- Long retention of deleted objects (the 180-day default is enough for most tasks).
- The object's attributes are preserved for the whole retention period.
- No restart of the domain controller is required.
- A graphical management interface (ADAC) on Windows Server 2012 and later.
Cons
- Does not work in forests at the Windows Server 2008 functional level or earlier.
- Not suitable for rolling back modified objects (an object can be restored only if it was deleted).
- Recovery is possible only during the deleted object lifetime.
- Provides no protection against failure of the domain controller itself (it is no substitute for a backup).
- Does not restore a hierarchy automatically.
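The last point, and the ordering requirement mentioned earlier (parents before children), can be handled with a short script. The following is an added example, not from the original article: it collects the restorable objects that belonged to a deleted OU and restores them parents-first by repeatedly restoring whatever already has a live parent. The OU name is a placeholder, and the ActiveDirectory module is assumed.

```powershell
# Added example, not from the original article. Restores a deleted OU and everything that was
# under it, parents first. The OU DN is a placeholder for the one you actually lost.
Import-Module ActiveDirectory
$deletedOuDn = 'OU=Sales,DC=corp,DC=example,DC=com'   # assumption: the OU that was deleted

function Get-OriginalDn($obj) {
    # Rebuild the DN the object had before deletion from its last known RDN and parent.
    $rdnAttr = if ($obj.ObjectClass -eq 'organizationalUnit') { 'OU' } else { 'CN' }
    "$rdnAttr=$($obj.'msDS-LastKnownRDN'),$($obj.lastKnownParent)"
}

function Test-LiveObject([string]$dn) {
    # True when the DN resolves to a live (not deleted) object.
    try { [bool](Get-ADObject -Identity $dn -ErrorAction Stop) } catch { $false }
}

# Restorable (deleted, not yet recycled) objects whose original DN is the OU itself or lies beneath it.
$subtree = Get-ADObject -IncludeDeletedObjects `
    -Filter 'isDeleted -eq $true -and isRecycled -ne $true -and name -ne "Deleted Objects"' `
    -Properties lastKnownParent, msDS-LastKnownRDN |
    Where-Object {
        $dn = Get-OriginalDn $_
        $dn -eq $deletedOuDn -or $dn -like "*,$deletedOuDn"
    }

# Restore whatever has a live parent, then repeat: the OU goes first, then its direct children,
# then their children, regardless of the order in which the container returned them.
$pending = @($subtree)
while ($pending.Count -gt 0) {
    $ready = @($pending | Where-Object { Test-LiveObject $_.lastKnownParent })
    if ($ready.Count -eq 0) {
        # A parent is missing or already recycled: those objects need Restore-ADObject -TargetPath by hand.
        $pending | ForEach-Object { Write-Warning "no live parent for $(Get-OriginalDn $_)" }
        throw 'Hierarchy cannot be restored automatically; see the warnings above.'
    }
    foreach ($obj in $ready) {
        # Linked attributes (group memberships etc.) come back with the object while it is still "deleted".
        Restore-ADObject -Identity $obj.ObjectGUID
        "restored $(Get-OriginalDn $obj)"
    }
    $readyIds = $ready | ForEach-Object { $_.ObjectGUID }
    $pending  = @($pending | Where-Object { $readyIds -notcontains $_.ObjectGUID })
}
```

If the original parent no longer exists and cannot be restored (for example because it has already been recycled), Restore-ADObject with -TargetPath places the object under a different container instead; the loop above stops and reports exactly those objects rather than guessing a new location for them.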
The second point deserves special attention. What if the object was not deleted but accidentally modified, and the error was discovered much later? Unfortunately, the Recycle Bin does not help here; this problem requires a different solution.
How Veeam works around the Recycle Bin limitations
Of course, for most of you the Recycle Bin's drawbacks will not be a reason to give it up. But those who want a universal solution for all tasks should think about overcoming them. This is where Veeam comes in with the previously discussed Veeam Explorer for Microsoft Active Directory. This tool removes the limitations of the Active Directory Recycle Bin:
- With it, all Active Directory objects are protected for the entire retention period of the backup.
- It can be used with forests at the Windows Server 2003 functional level and later.
Important! This tool is included in all editions of Veeam Backup & Replication, including its free edition.
Using Veeam Backup & Replication together with Veeam Explorer for Microsoft Active Directory, you can instantly restore an entire domain controller or restore individual Active Directory objects: organizational units (OUs), computer and user accounts (including passwords), group policy objects, DNS records and so on. In addition, in Explorer you can compare the objects in the backup with the current objects in the production environment, find the differences, and identify the changed attributes.
Below is an example of a situation where an administrator has detected a change in the attributes of a user account and needs to restore it to its original state.

In any case, if you prepare in advance for dealing with the consequences of possible Active Directory failures and test the various tools for the job, you will be able to sleep soundly.
Additional links
Articles on Habr:
- Recovering deleted AD objects from tombstone objects
- Restoring a domain controller from a backup using Veeam
- Backup of domain controllers using Veeam