Active Directory (AD) is a set of Microsoft trademarked directory services that has been an integral part of the Windows architecture since Windows 2000. Like other directory services, AD is a centralized, standardized system that automates network management of user data, security and distributed resources, and that lets you interact with other directories. The Active Directory Recycle Bin is designed specifically for distributed network environments and is an important component in the operation of the operating system.
Basic concepts
Active Directory is a system database that tracks information about user accounts and passwords in an organization. It lets you keep this data in one secure place, which increases security and reduces exposure.
AD is divided into one or more domains, each identified by a domain name. A domain is a security boundary. Each domain is hosted on a server called a domain controller, which manages all the accounts and passwords for that domain.
Domains are named using the Domain Name System (DNS); the AD security domain is directly tied to DNS.
In large organizations, Active Directory is subdivided into child domains (for example, by geography). Each child domain requires its own server.
Active Directory plays a central role in the secure operation of Windows networks. The service lets administrators protect the directory against attackers and delegate tasks to other users. This is made possible by the AD security model, which associates access control levels with the attributes of containers and objects in the directory.
Active Directory Recycle Bin: Features
The main functionality of the AD service:
- X.500 standard support for global catalogs.
- The ability to extend network operations to the Internet securely.
- A hierarchical organization that provides a single access point for system administration (for example, managing accounts, clients, servers and applications), reducing redundancy and errors.
- An object-oriented storage organization that provides easier access to information.
- Lightweight Directory Access Protocol (LDAP) support for compatibility between directories.
Active Directory components store information about network components and let you locate objects in a namespace. The term namespace refers to the area in which a network component is located. A book illustrates this: its table of contents creates a namespace in which section names map to page numbers. DNS is a namespace that maps host names to IP addresses.
This article provides step-by-step recommendations and reference information for enabling and using the Active Directory Recycle Bin feature in Windows Server 2008 R2. It also lists many of the distinguishing features introduced in this version of the operating system.
Active Directory Recycle Bin in Windows Server 2008
The Active Directory Recycle Bin helps reduce directory service downtime by improving the ability to preserve and recover accidentally deleted objects without restoring data from backups, restarting Active Directory Domain Services, or rebooting domain controllers.
When the Active Directory Recycle Bin is enabled, deleting an object preserves all of its link-valued and non-link-valued attributes, so the object can be restored in its entirety to the logically consistent state it was in immediately before deletion. For example, a restored user account automatically regains its group memberships and the corresponding access rights it had before it was deleted.
Characteristics
The Active Directory Recycle Bin in Windows Server 2008 R2 is disabled by default. To enable it, you must first raise the forest functional level of your AD environment to Windows Server 2008 R2. Then follow the instructions below to enable the Active Directory Recycle Bin.
In Windows Server 2008 R2, enabling the Recycle Bin is irreversible: once the feature has been enabled in your environment, it cannot be disabled.
How to enable the AD Recycle Bin
Walkthrough:
- open Active Directory Administrative Center;
- select a domain;
- in the “Tasks” pane, click “Enable Recycle Bin”; alternatively, right-click the domain name and choose “Enable Recycle Bin” from the context menu.
When you choose to enable the Recycle Bin, a message asks you to confirm that you want to enable the feature. Once the Recycle Bin is enabled, it cannot be turned off.
After activation, depending on the size of the Active Directory infrastructure, some time may pass before the feature is ready for use.
Objects that were deleted before the Active Directory Recycle Bin was enabled cannot be restored with it. The only way to recover such objects is an authoritative restore from an AD DS backup taken before the Recycle Bin was enabled.
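The same procedure can be driven from the ActiveDirectory PowerShell module, which is the only option on a 2008 R2 forest that has no Windows Server 2012 Administrative Center available. The script below is an added example and is not part of the original article; it assumes the RSAT ActiveDirectory module is installed and that the account running it is an Enterprise Admin. It checks the forest functional level prerequisite named above, reports whether the feature is already on, and otherwise enables it forest-wide, keeping the confirmation prompt because the change cannot be undone.

```powershell
# Added example (not from the original article): enable the AD Recycle Bin with the
# ActiveDirectory module instead of the graphical console.
# Assumptions: RSAT ActiveDirectory module installed; caller is a member of Enterprise Admins;
# the forest root domain is whatever Get-ADForest reports (no names are hard-coded here).
Import-Module ActiveDirectory

function Test-RecycleBinPrerequisites {
    $forest = Get-ADForest
    # Prerequisite from the article: forest functional level Windows Server 2008 R2 or higher.
    $minimum = [Microsoft.ActiveDirectory.Management.ADForestMode]::Windows2008R2Forest
    if ([int]$forest.ForestMode -lt [int]$minimum) {
        throw "Forest functional level is $($forest.ForestMode); raise it to Windows2008R2Forest or higher first."
    }
    return $forest
}

function Get-RecycleBinState {
    # The Recycle Bin is an 'optional feature' object stored in the Configuration partition.
    $feature = Get-ADOptionalFeature -Filter 'Name -eq "Recycle Bin Feature"'
    [pscustomobject]@{
        Enabled       = ($feature.EnabledScopes.Count -gt 0)
        EnabledScopes = $feature.EnabledScopes
    }
}

function Enable-RecycleBin {
    $forest = Test-RecycleBinPrerequisites
    $state  = Get-RecycleBinState
    if ($state.Enabled) {
        Write-Host "Recycle Bin is already enabled for: $($state.EnabledScopes -join ', ')"
        return
    }
    # Enabling is irreversible, so the cmdlet prompts for confirmation just as the console does.
    # Do not add -Confirm:$false unless an unattended, irreversible change is really intended.
    Enable-ADOptionalFeature -Identity 'Recycle Bin Feature' `
                             -Scope ForestOrConfigurationSet `
                             -Target $forest.RootDomain
}

Enable-RecycleBin

# The change has to replicate to every domain controller; on a large forest, re-check later
# against individual DCs, e.g. Get-ADOptionalFeature -Identity 'Recycle Bin Feature' -Server <dc>
```

Because the Recycle Bin grows the database file, run the free-space check the article recommends on the volume holding the directory database on each domain controller before calling Enable-RecycleBin.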
Deleted state
A deleted object retains all the attributes, links and group memberships it had before deletion. The object remains in this state for a configurable period of time called the deleted object lifetime. When that lifetime expires, the object moves to the recycled state. While in the deleted state, an object can be restored with all its original attributes, links and group memberships.
Recycled state
When a deleted object moves to the recycled state, only the attributes needed to replicate its new status are retained. The object remains in the recycled state for a configurable period of time called the recycled object lifetime.
Deleted objects can also be restored by an authoritative restore from an AD DS backup.
To restore an object, open Active Directory Administrative Center in Windows Server 2012 and click the Deleted Objects container. Search the list of deleted objects for the item you want to recover, right-click it and choose "Restore" from the context menu.
Enabling the Active Directory Recycle Bin increases the size of the AD database file. Before enabling the feature, make sure there is enough disk space. The default limit for the Recycle Bin is 20,000 objects; this can be raised to 100,000 objects by selecting “Control list settings” in the “Management” menu.
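The two lifetimes and the restore step described above can be inspected and performed from PowerShell as well. The following script is an added example, not code from the original article. It assumes the RSAT ActiveDirectory module, an account permitted to read and restore deleted objects, and uses the placeholder account name jdoe. It reads the configured lifetimes, lists objects that are still in the restorable deleted state (excluding recycled ones), and restores one object by its last known name after checking that the parent container still exists.

```powershell
# Added example (not from the original article): lifetimes, restorable objects and a restore.
# Assumptions: RSAT ActiveDirectory module; caller may read/restore deleted objects;
# 'jdoe' below is a placeholder account name.
Import-Module ActiveDirectory

function Get-RecycleBinLifetimes {
    $rootDse  = Get-ADRootDSE
    $dsConfig = "CN=Directory Service,CN=Windows NT,CN=Services,$($rootDse.configurationNamingContext)"
    $settings = Get-ADObject -Identity $dsConfig -Properties 'msDS-DeletedObjectLifetime', 'tombstoneLifetime'
    # msDS-DeletedObjectLifetime: days an object stays in the Deleted (restorable) state.
    # tombstoneLifetime: days it then stays in the Recycled state. If the first attribute is
    # not set, AD uses the value of the second for both; both show as $null when at defaults.
    [pscustomobject]@{
        DeletedObjectLifetimeDays  = $settings.'msDS-DeletedObjectLifetime'
        RecycledObjectLifetimeDays = $settings.tombstoneLifetime
    }
}

function ConvertTo-LdapFilterValue {
    # Escape characters that have meaning inside an LDAP filter (RFC 4515); backslash first.
    param([Parameter(Mandatory)][string]$Value)
    $Value.Replace('\', '\5c').Replace('*', '\2a').Replace('(', '\28').Replace(')', '\29')
}

function Get-RestorableObjects {
    param([string]$ObjectClass = 'user')
    # isDeleted=TRUE but not isRecycled=TRUE: recycled objects can no longer be restored.
    Get-ADObject -LDAPFilter "(&(isDeleted=TRUE)(!(isRecycled=TRUE))(objectClass=$ObjectClass))" `
                 -IncludeDeletedObjects `
                 -Properties msDS-LastKnownRDN, lastKnownParent, whenChanged |
        Select-Object @{ n = 'LastKnownName'; e = { $_.'msDS-LastKnownRDN' } },
                      lastKnownParent, whenChanged, ObjectGUID
}

function Restore-DeletedUserByName {
    param([Parameter(Mandatory)][string]$LastKnownName)
    $name = ConvertTo-LdapFilterValue $LastKnownName
    $candidates = @(Get-ADObject -LDAPFilter "(&(isDeleted=TRUE)(!(isRecycled=TRUE))(objectClass=user)(msDS-LastKnownRDN=$name))" `
                                 -IncludeDeletedObjects -Properties lastKnownParent)
    if ($candidates.Count -ne 1) {
        throw "Expected exactly one restorable user named '$LastKnownName', found $($candidates.Count)."
    }
    $target = $candidates[0]
    # Restore-ADObject puts the object back under lastKnownParent. If that OU was deleted too,
    # restore the parent first (or pass -TargetPath to restore the object somewhere else).
    try   { $null = Get-ADObject -Identity $target.lastKnownParent -ErrorAction Stop }
    catch { throw "Parent container $($target.lastKnownParent) no longer exists; restore it first." }
    Restore-ADObject -Identity $target.ObjectGUID
    # Group memberships come back with the object, as the article states; show them for verification.
    Get-ADUser -Identity $target.ObjectGUID -Properties MemberOf |
        Select-Object SamAccountName, DistinguishedName, MemberOf
}

Get-RecycleBinLifetimes
Get-RestorableObjects | Format-Table -AutoSize
Restore-DeletedUserByName -LastKnownName 'jdoe'
```

The LDAP filter deliberately excludes objects with isRecycled=TRUE: they appear under Deleted Objects as well, but only the attributes needed for replication remain, so the only remaining recovery path for them is the authoritative restore from backup mentioned above.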
Data backup
The Active Directory Recycle Bin in Windows Server 2012 R2 should not replace the normal backup procedure. One important measure against accidental deletion: deny the default delete permissions on AD objects.
Backing up and restoring Active Directory is something you must plan for. One way to restore AD objects quickly is to enable the Recycle Bin.
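Denying the default delete permissions, as recommended above, is what the ActiveDirectory module exposes as the ProtectedFromAccidentalDeletion flag: setting it adds explicit Deny entries for Everyone on Delete and Delete Subtree, so an object cannot be removed until an administrator deliberately clears the flag. The script below is an added example and not code from the original article; it assumes the RSAT ActiveDirectory module and uses the placeholder OU OU=Staff,DC=contoso,DC=com. It first reports which OUs and user objects are still unprotected and then applies the protection to a chosen subtree.

```powershell
# Added example (not from the original article): find and protect objects that can still be
# deleted with default permissions.
# Assumptions: RSAT ActiveDirectory module; 'OU=Staff,DC=contoso,DC=com' is a placeholder.
Import-Module ActiveDirectory

function Get-UnprotectedObjects {
    param([string]$SearchBase = (Get-ADDomain).DistinguishedName)
    # ProtectedFromAccidentalDeletion is an extended property and must be requested explicitly.
    $ous   = @(Get-ADOrganizationalUnit -Filter * -SearchBase $SearchBase -Properties ProtectedFromAccidentalDeletion)
    $users = @(Get-ADUser -Filter * -SearchBase $SearchBase -Properties ProtectedFromAccidentalDeletion)
    ($ous + $users) |
        Where-Object { -not $_.ProtectedFromAccidentalDeletion } |
        Select-Object ObjectClass, DistinguishedName
}

function Protect-FromAccidentalDeletion {
    param(
        [Parameter(Mandatory)][string]$SearchBase,
        [switch]$IncludeUsers
    )
    # Protecting an OU writes Deny ACEs for Everyone on Delete and Delete Subtree, which also
    # blocks removing the OU together with everything inside it.
    Get-ADOrganizationalUnit -Filter * -SearchBase $SearchBase |
        Set-ADOrganizationalUnit -ProtectedFromAccidentalDeletion $true
    if ($IncludeUsers) {
        # Individual user objects can carry the same protection; Set-ADObject accepts them
        # from the pipeline. Leave this off for accounts that are created and removed routinely.
        Get-ADUser -Filter * -SearchBase $SearchBase |
            Set-ADObject -ProtectedFromAccidentalDeletion $true
    }
}

# Review first, then protect the chosen subtree.
Get-UnprotectedObjects | Format-Table -AutoSize
Protect-FromAccidentalDeletion -SearchBase 'OU=Staff,DC=contoso,DC=com' -IncludeUsers
Get-UnprotectedObjects -SearchBase 'OU=Staff,DC=contoso,DC=com'   # expected to return nothing
```

Run Get-UnprotectedObjects periodically: the flag is per object, so OUs and accounts created after the initial pass are unprotected until the script is run again.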
Pros and cons of service work
Benefits of the Active Directory Recycle Bin:
- reduced directory downtime;
- recovery of deleted objects without restoring data from backups, restarting AD DS in Directory Services Restore Mode (DSRM), or rebooting domain controllers;
- with the Recycle Bin enabled, all link-valued and non-link-valued attributes of deleted objects are preserved, so restored objects return to the same consistent logical state they were in before they were deleted.
The disadvantage of the traditional Active Directory recovery workflow is that the process must run in Directory Services Restore Mode (DSRM). While the server is booted into DSRM it remains offline, so it cannot serve client requests, which affects overall performance. In addition, changes to objects made between the backup and the restore cannot be recovered. For example, if you add a user account to a new group and then accidentally delete the account, an authoritative restore of that account from a backup taken 2 days earlier will restore the account but lose its membership in that last group.