Active Directory Recycle Bin

The most common Active Directory related disasters are due to accidentally deleted objects. When an object is deleted from Active Directory, it is not permanently deleted. As soon as an object is deleted, its isDeleted attribute is set to True and the object is moved under CN=Deleted Objects.

Then, it stays there until the system reaches the tombstone lifetime value. By default, it is 180 days, and this can be changed if required. As soon as the object passes the tombstone lifetime, it is available for permanent deletion. When I explained the Active Directory database in the previous section, I mentioned online defragmentation. It uses the garbage collector service to remove the deleted objects from the Active Directory database and release that space back to the database. This service runs every 12 hours. Once a deleted object exceeds the tombstone lifetime value, it will be permanently removed in the next garbage collector service cycle. The problem is that, during the tombstone process, most of the object's attribute values are stripped off. So even if you were able to recover a tombstoned object, those attribute values would need to be re-entered.

With Windows Server 2008 R2, Microsoft introduced the Active Directory Recycle Bin feature. When this feature is enabled, a deleted object still has its isDeleted attribute set to True and is moved under CN=Deleted Objects. But instead of the tombstone lifetime, this stage is now controlled by the deleted object lifetime (DOL). The object's attributes remain intact in this stage, and it is easily recoverable. By default, the DOL value is equal to the tombstone lifetime. This value can be changed by modifying the msDS-deletedObjectLifetime attribute. Once the object has exceeded the DOL, it is moved into the Recycled state and its isRecycled attribute is set to True. In this state, it can no longer be recovered, and it stays in that state until the tombstone lifetime value is exceeded. After it reaches that value, it is permanently deleted from AD.
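The lifecycle described above can be inspected directly. The following PowerShell script is an added example, not from the book: it reads the tombstone lifetime and the DOL from the Directory Service object in the configuration partition (where both values are stored), shows how the DOL would be changed, and then lists every deleted object with the state it is in (still recoverable, or already recycled) and how long it has been there. It assumes the ActiveDirectory module is installed and that you are running it as a Domain Admin.

```powershell
# Added example: inspect tombstone lifetime, DOL, and the state of deleted objects.
# Assumes the ActiveDirectory module and a Domain Admin account.
Import-Module ActiveDirectory

$configNC = (Get-ADRootDSE).configurationNamingContext

# Both lifetimes live on the Directory Service object in the configuration partition.
$dsObject = Get-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$configNC" `
    -Properties tombstoneLifetime, 'msDS-DeletedObjectLifetime'

$tsl = $dsObject.tombstoneLifetime
$dol = $dsObject.'msDS-DeletedObjectLifetime'
# An unset DOL means it follows the tombstone lifetime, as the text explains.
if (-not $dol) { $dol = $tsl }
"Tombstone lifetime            : $tsl days"
"Deleted object lifetime (DOL) : $dol days"

# To extend the recoverable window, for example to 365 days, uncomment the line below.
# The value is forest-wide, so change it only after review.
# Set-ADObject -Identity $dsObject.DistinguishedName -Replace @{'msDS-DeletedObjectLifetime' = 365}

# List every deleted object and classify it. -IncludeDeletedObjects returns both
# deleted and recycled objects; the Deleted Objects container itself also carries
# isDeleted=TRUE, so it is excluded by name.
Get-ADObject -Filter 'isDeleted -eq $true -and name -ne "Deleted Objects"' -IncludeDeletedObjects `
    -Properties isDeleted, isRecycled, lastKnownParent, whenChanged, objectClass |
    ForEach-Object {
        $state = if ($_.isRecycled) { 'Recycled (not recoverable)' } else { 'Deleted (recoverable)' }
        [PSCustomObject]@{
            Name            = $_.Name
            Class           = $_.objectClass
            State           = $state
            # whenChanged is updated when the object enters its current state,
            # so this approximates the days spent in that state.
            DaysInState     = [int]((Get-Date) - $_.whenChanged).TotalDays
            LastKnownParent = $_.lastKnownParent
        }
    } | Sort-Object State, DaysInState -Descending | Format-Table -AutoSize
```

Objects reported as "Deleted (recoverable)" with DaysInState close to the DOL are the ones about to become unrecoverable; that is the figure to watch when deciding whether the default DOL is long enough for your environment.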

The Active Directory Recycle Bin feature requires a minimum domain and forest functional level of Windows Server 2008 R2. Once this feature is enabled, it cannot be disabled.

This feature can be enabled using the following command:

Enable-ADOptionalFeature 'Recycle Bin Feature' -Scope ForestOrConfigurationSet -Target rebeladmin.com

In the preceding command, replace the -Target value with your own domain name.

Once it is enabled, we can find the deleted objects that can be revived using the following command:

Get-ADObject -filter 'isdeleted -eq $true' -includeDeletedObjects

It will search for the objects where the isDeleted attribute is set to true.

Now, we know the deleted object, and it can be restored using the following command:

Get-ADObject -Filter 'samaccountname -eq "dfrancis"' -IncludeDeletedObjects | Restore-ADObject

The preceding command will restore the user object dfrancis.
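The three commands above (enable, find, restore) work as a one-off, but a restore that has to be done under pressure benefits from the checks the chapter implies. The following PowerShell script is an added example, not from the book: it confirms the Recycle Bin is actually enabled before restoring (otherwise only a stripped tombstone would come back), finds the deleted object by sAMAccountName while skipping recycled copies, handles the case where more than one deleted copy exists, and handles the case where the original parent OU was deleted as well, which makes the default restore to lastKnownParent fail. It assumes the ActiveDirectory module, a Domain Admin account, and that dfrancis is the deleted account; the OU=Restored fallback container is an assumption you should replace with a real OU.

```powershell
# Added example: guarded restore of a deleted user with the AD Recycle Bin.
# Assumes the ActiveDirectory module and a Domain Admin account.
Import-Module ActiveDirectory

$samAccountName = 'dfrancis'   # the deleted account from the text

# 1. Restore-ADObject only brings attributes back if the Recycle Bin is enabled.
#    EnabledScopes is empty when the feature has never been turned on.
$feature = Get-ADOptionalFeature -Filter 'name -like "Recycle Bin Feature"'
if (-not $feature.EnabledScopes) {
    throw 'Active Directory Recycle Bin is not enabled; a restore would recover only a stripped tombstone.'
}

# 2. Find the deleted object. -IncludeDeletedObjects also returns recycled objects,
#    which cannot be restored, so they are filtered out.
$candidates = @(Get-ADObject -LDAPFilter "(&(sAMAccountName=$samAccountName)(isDeleted=TRUE))" `
    -IncludeDeletedObjects -Properties isRecycled, lastKnownParent, whenChanged |
    Where-Object { -not $_.isRecycled })

if ($candidates.Count -eq 0) {
    throw "No recoverable deleted object with sAMAccountName '$samAccountName' was found."
}
if ($candidates.Count -gt 1) {
    # The account may have been created and deleted more than once; show all copies
    # so the choice is visible, then take the most recently deleted one.
    Write-Warning "Several deleted copies of '$samAccountName' exist:"
    $candidates | Select-Object Name, whenChanged, lastKnownParent | Format-Table -AutoSize
}
$target = $candidates | Sort-Object whenChanged -Descending | Select-Object -First 1

# 3. By default the object goes back to lastKnownParent. If that OU was deleted too
#    (typical when a whole OU was removed), either restore the parent first or send
#    the object elsewhere with -TargetPath. Get-ADObject without -IncludeDeletedObjects
#    throws when the parent is no longer live, which is exactly the test needed here.
$parentExists = $true
try   { $null = Get-ADObject -Identity $target.lastKnownParent -ErrorAction Stop }
catch { $parentExists = $false }

if ($parentExists) {
    Restore-ADObject -Identity $target.ObjectGUID
} else {
    # Assumed fallback OU; replace with an OU that exists in your domain.
    $fallbackOU = "OU=Restored,$((Get-ADDomain).DistinguishedName)"
    Write-Warning "Parent '$($target.lastKnownParent)' no longer exists; restoring to $fallbackOU"
    Restore-ADObject -Identity $target.ObjectGUID -TargetPath $fallbackOU
}

# 4. Verify the account is back in the live directory with its attributes intact.
Get-ADUser -Identity $samAccountName -Properties MemberOf |
    Select-Object Name, DistinguishedName, Enabled, @{ n = 'GroupCount'; e = { $_.MemberOf.Count } }
```

Restoring by ObjectGUID rather than by name avoids ambiguity when several deleted copies of the same account exist, and the final Get-ADUser call is the check that matters: a non-zero group count confirms the membership that a tombstone-only recovery would have lost.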
