Active Directory Recycle Bin: Restoring Deleted Objects in Windows Server 2008 R2 and 2012, Lecture notes of Operating Systems

Windows Server, Network Security, Active Directory, System Administration

How to use the Active Directory Recycle Bin feature introduced in Windows Server 2008 R2 to restore accidentally deleted objects from Active Directory Domain Services. It covers enabling the Recycle Bin, setting the deleted object lifetime, and restoring deleted objects in both Active Directory Administrative Center and Windows PowerShell.

What you will learn

  • How do you enable Active Directory Recycle Bin in Windows PowerShell?
  • What is the default deleted object lifetime in Active Directory?
  • How do you restore a deleted object to a different container using Active Directory Administrative Center?

Typology: Lecture notes

2021/2022

Uploaded on 09/27/2022

electraxx

Windows Server 2008 R2 introduced Active Directory Recycle Bin, a Windows PowerShell-based feature that allowed you to restore objects deleted from the Active Directory Domain Services database. Windows Server 2012 brings this functionality of Active Directory Recycle Bin to Active Directory Administrative Center, the graphical tool for managing Active Directory Domain Services that also first appeared in Windows Server 2008 R2.

This section covers the following topics:

  • Enable Active Directory Recycle Bin
  • Set the deleted object lifetime in a domain

Restoring deleted objects in Active Directory

Before Windows Server 2008 R2, there were just two methods you could use to restore an object that had accidentally been deleted from Active Directory Domain Services: You could perform an authoritative restore with the Ntdsutil command-line utility, or you could use a procedure called tombstone reanimation. Both of these methods, however, had significant drawbacks.

With Ntdsutil, the drawbacks were that you first had to boot the domain controller into Directory Services Restore Mode (making the domain controller temporarily unavailable to clients on the network) and that you could only restore deleted objects that you had previously backed up. With tombstone reanimation, the drawbacks were that it was a complicated procedure and it couldn’t be relied on to restore an object’s group memberships.

For more information about performing an authoritative restore with Ntdsutil, visit http://technet.microsoft.com/en-us/library/cc755296(v=WS.10).aspx. For more information about reanimating tombstoned objects, visit http://technet.microsoft.com/en-us/magazine/2007.09.tombstones.aspx.

Active Directory Recycle Bin

Windows Server 2008 R2 and Windows Server 2012 have removed these drawbacks with Active Directory Recycle Bin. With Active Directory Recycle Bin, you don’t have to take the domain controller offline to restore a deleted object, and the original group memberships of the deleted objects are preserved when you restore them.

Windows Server 2008 R2 introduced Active Directory Recycle Bin in a Windows PowerShell-only mode. Windows Server 2012 makes this new feature more accessible by bringing its functionality to the graphical Active Directory Administrative Center tool. For the exam, you need to know how to enable and use Active Directory Recycle Bin in both Windows PowerShell and Active Directory Administrative Center.

ENABLING ACTIVE DIRECTORY RECYCLE BIN

For the exam and the real world, remember that the Active Directory Recycle Bin is not enabled by default. You can use Active Directory Recycle Bin to restore only those objects that have been deleted after the feature is enabled. Objects you deleted before then can be restored only through authoritative restore or tombstone reanimation.

To enable Active Directory Recycle Bin in Windows PowerShell, first make sure that all domain controllers in the domain are running Windows Server 2008 R2 or Windows Server 2012. In addition, the functional level of your forest must be set to Windows Server 2008 R2 or higher. You can use the Get-ADForest cmdlet to check the functional level of your forest:

To restore an object to a different container, select Restore To and select the new container in which you want the object to appear. The Locate Parent option opens the former parent container in the console.

One potential complication in restoring an object might occur if you have deleted both the container and the object. In this case, you need to restore the parent before the child object, or choose to restore the object to another container.
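
The prerequisites listed under ENABLING ACTIVE DIRECTORY RECYCLE BIN above can be checked in one read-only pass before the feature is turned on. The script below is an added example, not part of the original notes; the function name Get-RecycleBinReadiness is hypothetical, and it assumes the ActiveDirectory module and Windows PowerShell 3.0 or later.

```powershell
# Added example: read-only readiness report for Active Directory Recycle Bin.
# Assumes the ActiveDirectory module (RSAT) and rights to read the forest.
Import-Module ActiveDirectory

function Get-RecycleBinReadiness {
    $forest  = Get-ADForest
    $rootDse = Get-ADRootDSE

    # Forest functional level must be Windows Server 2008 R2 or higher.
    # A positive match fails closed on a mode name this script does not know.
    $modeOk = "$($forest.ForestMode)" -match '^Windows(2008R2|20[1-9]\d)'

    # Every domain controller must run Windows Server 2008 R2 (NT 6.1) or later.
    # OperatingSystemVersion looks like "6.1 (7601)"; keep the part before "(".
    $oldDcs = @(foreach ($domain in $forest.Domains) {
        Get-ADDomainController -Filter * -Server $domain | Where-Object {
            [version]($_.OperatingSystemVersion -replace '\s*\(.*$') -lt [version]'6.1'
        }
    })

    # The feature is on when its EnabledScopes list is non-empty.
    $feature = Get-ADOptionalFeature -Filter "Name -eq 'Recycle Bin Feature'"

    # Lifetimes are stored on the Directory Service object. An unset
    # msDS-DeletedObjectLifetime means the tombstoneLifetime value is used.
    $dsDn = "CN=Directory Service,CN=Windows NT,CN=Services,$($rootDse.configurationNamingContext)"
    $ds   = Get-ADObject -Identity $dsDn -Properties 'msDS-DeletedObjectLifetime', tombstoneLifetime

    [pscustomobject]@{
        Forest                = $forest.Name
        ForestMode            = $forest.ForestMode
        ForestModeOk          = $modeOk
        OldDomainControllers  = @($oldDcs | ForEach-Object HostName)
        RecycleBinEnabled     = $feature.EnabledScopes.Count -gt 0
        DeletedObjectLifetime = $ds.'msDS-DeletedObjectLifetime'
        TombstoneLifetime     = $ds.tombstoneLifetime
    }
}

$report = Get-RecycleBinReadiness
$report | Format-List

# Enabling cannot be undone, so preview it first; remove -WhatIf to apply.
if ($report.ForestModeOk -and $report.OldDomainControllers.Count -eq 0 -and
    -not $report.RecycleBinEnabled) {
    Enable-ADOptionalFeature -Identity 'Recycle Bin Feature' `
        -Scope ForestOrConfigurationSet -Target $report.Forest -WhatIf
}
```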

RESTORING DELETED OBJECTS IN WINDOWS POWERSHELL

To restore a deleted object in Windows PowerShell, first use the Get-ADObject cmdlet with the -Filter and -IncludeDeletedObjects switches, and then pipe the result to the Restore-ADObject cmdlet. For example, to restore a deleted user with the display name “Mary,” type the following command at an elevated Windows PowerShell prompt:

Objective review

Answer the following questions to test your knowledge of the information in this objective. You can find the answers to these questions and explanations of why each answer choice is correct or incorrect in the “Answers” section at the end of the chapter.

1. You are a network administrator for Contoso.com. You have learned that a user account was accidentally deleted from the Contoso.com Active Directory domain. The domain controllers in your network are all running Windows Server 2012. Active Directory Recycle Bin is not yet enabled. You want to restore the deleted user account without taking any domain controller offline. What should you do?

  A. Perform an authoritative restore of the deleted user account with the Ntdsutil utility.
  B. Reanimate the tombstone of the deleted object.
  C. Enable Active Directory Recycle Bin, and use Active Directory Administrative Center to restore the object.
  D. Enable Active Directory Recycle Bin, and use Windows PowerShell to restore the object.
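
The Get-ADObject to Restore-ADObject pipeline from RESTORING DELETED OBJECTS IN WINDOWS POWERSHELL, combined with the parent-before-child ordering noted earlier for a deleted container, looks like this as a script. It is an added example, not part of the original notes: the OU name Sales, the script parameters and both function names are assumptions, and it previews the tree unless -Apply is given.

```powershell
# Added example: restore a deleted OU, then what was under it, parent first.
# 'Sales' is an assumed OU name; pass -Apply only after reviewing the preview.
param([string]$OuName = 'Sales', [string]$TargetPath, [switch]$Apply)
Import-Module ActiveDirectory

$deletedContainer = (Get-ADDomain).DeletedObjectsContainer

function Get-DeletedChild([string]$ParentDn) {
    # lastKnownParent names the container an object was in when it was deleted.
    Get-ADObject -SearchBase $deletedContainer -IncludeDeletedObjects `
        -Filter 'isDeleted -eq $true' -Properties lastKnownParent, 'msDS-LastKnownRDN' |
        Where-Object { $_.lastKnownParent -eq $ParentDn }
}

function Show-DeletedTree($Deleted, [int]$Depth = 0) {
    # Preview only: indent each level to show the order a restore would follow.
    ('  ' * $Depth) + "$($Deleted.'msDS-LastKnownRDN') [$($Deleted.ObjectClass)]"
    Get-DeletedChild $Deleted.DistinguishedName |
        ForEach-Object { Show-DeletedTree $_ ($Depth + 1) }
}

function Restore-DeletedTree($Deleted, [string]$TargetPath) {
    # Restore this object first; -PassThru returns it with its live DN.
    $opt = @{ PassThru = $true }
    if ($TargetPath) { $opt.TargetPath = $TargetPath }   # restore to another container
    $live = $Deleted | Restore-ADObject @opt
    "Restored $($live.DistinguishedName)"
    # The children's lastKnownParent now resolves to the restored parent's DN.
    Get-DeletedChild $live.DistinguishedName | ForEach-Object { Restore-DeletedTree $_ }
}

# Locate the deleted OU by its last known name; refuse to guess between matches.
$roots = @(Get-ADObject -IncludeDeletedObjects -Properties lastKnownParent, 'msDS-LastKnownRDN' `
    -LDAPFilter "(&(isDeleted=TRUE)(objectClass=organizationalUnit)(msDS-LastKnownRDN=$OuName))")
if ($roots.Count -ne 1) {
    throw "Expected exactly one deleted OU named '$OuName', found $($roots.Count)."
}

if ($Apply) {
    Restore-DeletedTree $roots[0] $TargetPath
} else {
    "Preview (last known parent: $($roots[0].lastKnownParent)):"
    Show-DeletedTree $roots[0] 1
}
```

If the OU's own former parent is also deleted, the first restore fails unless -TargetPath names a live container.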