1. You have a live object - a user account called SaraDavis that lives in the Sales OU in the Contoso.com domain.
2. An administrator deletes the SaraDavis object.
3. SaraDavis is moved into the container CN=Deleted Objects,DC=Contoso,DC=Com.
4. SaraDavis has its isDeleted attribute set to TRUE.
Note: At this point, SaraDavis is a logically deleted object that the administrator can recover, and it still contains all of its data. How long SaraDavis stays recoverable is controlled by the Deleted Object Lifetime (DOL), which is set on the msDS-deletedObjectLifetime attribute of the Directory Service object (CN=Directory Service,CN=Windows NT,CN=Services in the Configuration partition). By default, DOL is the same number of days as the Tombstone Lifetime (TSL), which lives on the tombstoneLifetime attribute of that same object. The TSL for a forest created on Windows Server 2003 SP1 or later has been 180 days*, and since DOL = TSL by default, the default window for restoring an object is 180 days. If tombstoneLifetime is NOT SET or NULL (typically a forest that was originally built before Windows Server 2003 SP1), the Windows default of 60 days applies, and so the DOL is 60 days too. All of this is configurable by the administrator. Stay with me here.
5. After the Deleted Object Lifetime has been exceeded - remember, 180 days by default - SaraDavis has its isRecycled attribute set to TRUE. Its isDeleted attribute stays set to TRUE. The SaraDavis object stays in the CN=Deleted Objects,DC=Contoso,DC=Com container.
Note: At this point, SaraDavis is a recycled object that an administrator cannot recover, and most of its attribute data has been stripped. Its only purpose now is to replicate the deletion to the other DCs; it is a normal, run of the mill tombstone.
6. After the SaraDavis recycled object has existed for the value of the Tombstone Lifetime, garbage collection physically deletes it from the database. The next online defrag makes that whitespace available for reuse inside the database; the ntds.dit file itself only shrinks after an offline defrag.
* The tombstone lifetime in a new forest is always 180 days.
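The lifecycle above, checked from the console. This is an added example, not code from the original post: it reads the TSL and DOL from the Directory Service object, finds the deleted SaraDavis with the Deleted Objects control, and reports whether she is still at step 4 (restorable) or already at step 5 (recycled). It assumes the ActiveDirectory module is installed and that you are running it in the contoso.com forest; whenChanged is used as an approximation of the deletion time, since deletion stamps it.

```powershell
# Added example: where is a deleted object in the Recycle Bin lifecycle, and
# how long can it still be restored? Assumes the ActiveDirectory module.
Import-Module ActiveDirectory

# Both lifetimes live on the Directory Service object in the Configuration partition.
$configNC = (Get-ADRootDSE).configurationNamingContext
$dsObject = Get-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$configNC" `
                         -Properties tombstoneLifetime, 'msDS-DeletedObjectLifetime'

# Unset tombstoneLifetime means the old 60-day default; unset DOL means DOL = TSL.
$tsl = if ($dsObject.tombstoneLifetime) { $dsObject.tombstoneLifetime } else { 60 }
$dol = if ($dsObject.'msDS-DeletedObjectLifetime') { $dsObject.'msDS-DeletedObjectLifetime' } else { $tsl }
"Tombstone lifetime: $tsl days; deleted object lifetime: $dol days"

# Deleted objects are hidden from normal searches; -IncludeDeletedObjects shows them.
# sAMAccountName is one of the attributes kept on deleted objects, so it is a usable handle.
$deleted = Get-ADObject -Filter { sAMAccountName -eq 'SaraDavis' -and isDeleted -eq $true } `
                        -IncludeDeletedObjects `
                        -Properties isDeleted, isRecycled, whenChanged, lastKnownParent

foreach ($obj in $deleted) {
    if ($obj.isRecycled) {
        # Step 5: past the DOL. It is a tombstone now and cannot be restored.
        "$($obj.DistinguishedName) is RECYCLED; garbage collection removes it after $tsl days"
    }
    else {
        # Step 4: still a complete, logically deleted object. whenChanged was stamped
        # at deletion, so it approximates when the DOL clock started.
        $elapsed  = ((Get-Date) - $obj.whenChanged).Days
        $daysLeft = $dol - $elapsed
        "$($obj.DistinguishedName) is DELETED; restorable under $($obj.lastKnownParent) for about $daysLeft more days"
    }
}
```

The deleted object's distinguished name will show the mangled form (SaraDavis\0ADEL:&lt;guid&gt; under CN=Deleted Objects), which is expected; lastKnownParent is what Restore-ADObject uses to put it back.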
# Set-ADDomainMode takes -domainmode, not -forestmode. The Recycle Bin itself needs the
# Windows2008R2Forest level, which in turn needs every domain at Windows2008R2Domain.
Set-AdForestMode -identity contoso.com -server dc1.contoso.com -forestmode Windows2008Forest
Set-AdDomainMode -identity contoso.com -server dc2.child.contoso.com -domainmode Windows2008Domain
1. Log on to your “Domain Naming Master” DC as an Enterprise Administrator and start PowerShell.exe - it’s that big blue icon on your taskbar.
2. Load the AD PowerShell module:
3. Run the following cmdlet to turn on the Recycle Bin:
Enable-ADOptionalFeature 'Recycle Bin Feature' -Scope ForestOrConfigurationSet -Target <your forest root domain name>
So for example, where my forest root domain is contoso.com:
4. The command will prompt you for a last chance, because enabling the Recycle Bin cannot be undone. Enter “Y” to turn the Recycle Bin on.
5. That’s it, you’re done.
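The five steps above as one script, with the checks you want before an irreversible change. This is an added example, not the post's own commands: it confirms the forest functional level, locates the Domain Naming Master rather than assuming you are logged on to it, skips the enable if the feature is already on, and verifies afterwards. It assumes the forest root domain is contoso.com.

```powershell
# Added example: enable the AD Recycle Bin with pre-checks and verification.
# Assumes the ActiveDirectory module and a forest root domain of contoso.com.
Import-Module ActiveDirectory

$forest = Get-ADForest -Identity contoso.com
# Enable-ADOptionalFeature has to be serviced by the Domain Naming Master.
$dnm = $forest.DomainNamingMaster

# The Recycle Bin requires the Windows Server 2008 R2 forest functional level.
$required = [Microsoft.ActiveDirectory.Management.ADForestMode]::Windows2008R2Forest
if ([int]$forest.ForestMode -lt [int]$required) {
    throw "Forest functional level is $($forest.ForestMode); raise it to $required first."
}

$feature = Get-ADOptionalFeature -Identity 'Recycle Bin Feature' -Server $dnm
if ($feature.EnabledScopes.Count -gt 0) {
    "Recycle Bin is already enabled in: $($feature.EnabledScopes -join ', ')"
}
else {
    # This cannot be undone. The cmdlet prompts for confirmation; answer Y.
    # (Add -Confirm:$false only in a script you have already reviewed.)
    Enable-ADOptionalFeature -Identity 'Recycle Bin Feature' `
        -Scope ForestOrConfigurationSet -Target $forest.RootDomain -Server $dnm
}

# Verify: EnabledScopes now lists the partitions the feature is active in.
(Get-ADOptionalFeature -Identity 'Recycle Bin Feature' -Server $dnm).EnabledScopes
```

Pointing every call at the Domain Naming Master with -Server avoids a referral to a DC that cannot service the operation, and the final Get-ADOptionalFeature is the same check you can run later to prove to an auditor that the feature is on.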
And since you are using Windows Server 2008 R2 at this point, you can even make use of the new group policies for granular auditing:
Yes, I know – woooo, scary, there’s no GUI! It’s just a little command-line work; I have faith in you.
Error: An attempt was made to add an object to the directory with a name that is already in use
Cause: Someone has created an object with the same distinguished name. This may be because someone jumped the gun and tried to ‘fix’ the deleted user by recreating it. Just move it elsewhere temporarily, make sure it has no other attribute duplications as well, finish the restore of the real object, then go figure out what happened.
Error: The operation could not be performed because the object's parent is either uninstantiated or deleted
Cause: The object’s parent was also deleted and hasn’t been restored. Usually it’s an OU. Restore that parent first.
Error: Illegal modify operation. Some aspect of the modification is not permitted
Cause: Often this is caused by trying to restore an object without having the Recycle Bin enabled. You may see this error in other scenarios though.
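The three errors above share one remedy pattern: check the state of the object and its surroundings before calling Restore-ADObject. The function below is an added example, not the post's code: it refuses to run without the Recycle Bin, refuses recycled objects, walks lastKnownParent and restores any deleted ancestors first (the uninstantiated-parent case), and checks for a live object already holding the original name (the name-in-use case) before restoring. It assumes a deleted user SaraDavis in contoso.com and the ActiveDirectory module.

```powershell
# Added example: restore a deleted object, handling the failure modes above.
# Assumes the ActiveDirectory module and an enabled Recycle Bin.
Import-Module ActiveDirectory

function Restore-ADObjectWithParents {
    param([Parameter(Mandatory = $true)][guid]$ObjectGuid)

    # Without the Recycle Bin the restore can fail with "Illegal modify operation".
    $rb = Get-ADOptionalFeature -Identity 'Recycle Bin Feature'
    if ($rb.EnabledScopes.Count -eq 0) {
        throw 'The Recycle Bin is not enabled; enable it before using Restore-ADObject.'
    }

    $obj = Get-ADObject -Identity $ObjectGuid -IncludeDeletedObjects `
                        -Properties isDeleted, isRecycled, lastKnownParent
    if (-not $obj.isDeleted) { return $obj }      # already live, nothing to do
    if ($obj.isRecycled) {
        throw "$($obj.DistinguishedName) is past the deleted object lifetime and cannot be restored."
    }

    # "parent is either uninstantiated or deleted": restore the ancestor chain first.
    # lastKnownParent is DN-valued, so once the parent is restored it reads as the live DN.
    $parent = Get-ADObject -Identity $obj.lastKnownParent -IncludeDeletedObjects -Properties isDeleted
    if ($parent.isDeleted) {
        $parent = Restore-ADObjectWithParents -ObjectGuid $parent.ObjectGUID
    }

    # "name that is already in use": something live already holds the original RDN.
    # A deleted object's name is "<original>\0ADEL:<guid>"; the 0A is a newline.
    $originalName = ($obj.Name -split "`n")[0]
    $clash = Get-ADObject -Filter "name -eq '$originalName'" `
                          -SearchBase $parent.DistinguishedName -SearchScope OneLevel
    if ($clash) {
        throw "Cannot restore: $($clash.DistinguishedName) already exists. Move or rename it, then retry."
    }

    Restore-ADObject -Identity $obj.ObjectGUID -TargetPath $parent.DistinguishedName
    return Get-ADObject -Identity $obj.ObjectGUID
}

# Usage: find the deleted SaraDavis and restore her (and OU=Sales, if it was deleted too).
$sara = Get-ADObject -Filter { sAMAccountName -eq 'SaraDavis' -and isDeleted -eq $true } `
                     -IncludeDeletedObjects
Restore-ADObjectWithParents -ObjectGuid $sara.ObjectGUID
```

The recursion restores the outermost deleted ancestor first and returns its live object, so each child is restored with an explicit -TargetPath under a parent that now exists; the name-clash check is done at that live parent, which is where the conflict would actually occur.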
- Ned ’10 cent deposit’ Pyle