Editor's note: This is the 3rd in a series of
The previous post in this series discussed the joys of Active Directory object recovery in an environment without the AD Recycle Bin. If you missed that post, I strongly encourage you to go back and read it, as it is arguably the single greatest blog post I have ever written about Active Directory object recovery in an environment without the AD Recycle Bin. To summarize, when an Active Directory object is deleted in a domain without the AD Recycle Bin it becomes a “tombstone”. This object, stripped of the majority of its attributes, then hangs out in the partition’s Deleted Objects container for the duration of the domain’s tombstoneLifetime. During this period the object is technically recoverable, but its lost attributes can generally be considered irrecoverable. After the tombstone exceeds the tombstoneLifetime value, the object is garbage-collected into non-existence. This summary is further simplified in the following illustration:
The Active Directory Recycle Bin was introduced in the Windows Server 2008 R2 release. The goal of this feature was to facilitate the recovery of deleted Active Directory objects without requiring restoration of backups, restarting Active Directory Domain Services, or rebooting domain controllers. To accomplish these goals, the AD Recycle Bin introduced changes to the behavior of the Active Directory object deletion lifecycle.
The fundamental change introduced by the Active Directory Recycle Bin relates to the management of a deleted object’s attributes. After enabling the AD Recycle Bin, the majority of a deleted object’s attributes, including its link-valued attributes, are preserved for a period of time. This change greatly simplifies the process of fully restoring deleted objects to the state they were in immediately prior to their deletion.
Objects in this new recoverable state are referred to as “deleted objects”, and the period of time during which they retain their attributes is defined in a new attribute, msDS-DeletedObjectLifetime. When the AD Recycle Bin is enabled, the value of the msDS-DeletedObjectLifetime attribute defaults to the value of the tombstoneLifetime attribute. If the value of the msDS-DeletedObjectLifetime attribute is null or the attribute itself simply doesn’t exist, its value is interpreted to be equivalent to the value of the tombstoneLifetime attribute. If there’s also no tombstoneLifetime value, both values default to 60 days.
After the object’s time in the deleted object state exceeds the period specified in msDS-DeletedObjectLifetime, the object is recycled. A “recycled object” looks suspiciously like a tombstone with an isRecycled attribute slapped on and set to TRUE. Like a tombstone, the majority of its attributes are removed and it persists in Active Directory for the duration of the tombstoneLifetime before being cleaned up by Active Directory’s garbage collection.
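As an added example (not from the original post), the following PowerShell applies the fallback rules described above to read the effective lifetimes from the Directory Service object in the configuration partition, then lists the domain's deleted objects and tells restorable deleted objects apart from recycled ones via isRecycled. It assumes the ActiveDirectory module, read access to the configuration partition and the Deleted Objects container, and it uses whenChanged only as an approximation of the deletion time.

```powershell
# Added example, not the post's own script. Requires the ActiveDirectory module.
Import-Module ActiveDirectory

function Get-EffectiveDeletionLifetime {
    # tombstoneLifetime and msDS-DeletedObjectLifetime live on the Directory Service
    # object in the configuration naming context.
    $rootDse = Get-ADRootDSE
    $dsPath  = "CN=Directory Service,CN=Windows NT,CN=Services,$($rootDse.configurationNamingContext)"
    $ds = Get-ADObject -Identity $dsPath -Properties tombstoneLifetime, 'msDS-DeletedObjectLifetime'

    # Absent/null tombstoneLifetime is interpreted as 60 days.
    $tsl = if ($null -ne $ds.tombstoneLifetime) { [int]$ds.tombstoneLifetime } else { 60 }
    # Absent/null msDS-DeletedObjectLifetime is interpreted as the tombstoneLifetime value.
    $dol = if ($null -ne $ds.'msDS-DeletedObjectLifetime') { [int]$ds.'msDS-DeletedObjectLifetime' } else { $tsl }

    $feature = Get-ADOptionalFeature -Filter 'name -like "Recycle Bin Feature"'
    [pscustomobject]@{
        TombstoneLifetimeDays     = $tsl
        DeletedObjectLifetimeDays = $dol
        RecycleBinEnabled         = ($feature.EnabledScopes.Count -gt 0)
    }
}

function Get-DeletedObjectState {
    param([string]$SearchBase = (Get-ADDomain).DistinguishedName)

    $lifetime = (Get-EffectiveDeletionLifetime).DeletedObjectLifetimeDays

    # -IncludeDeletedObjects is required to see the Deleted Objects container at all.
    Get-ADObject -Filter 'isDeleted -eq $true' -IncludeDeletedObjects -SearchBase $SearchBase `
        -Properties isDeleted, isRecycled, whenChanged, lastKnownParent, 'msDS-LastKnownRDN' |
    ForEach-Object {
        # isRecycled = TRUE marks the tombstone-like recycled state; attributes are already stripped.
        $recycled = [bool]$_.isRecycled
        [pscustomobject]@{
            Name            = $_.'msDS-LastKnownRDN'
            State           = if ($recycled) { 'Recycled (attributes gone)' } else { 'Deleted (Restore-ADObject candidate)' }
            LastKnownParent = $_.lastKnownParent
            # Assumption: whenChanged approximates the deletion time, so this is the
            # approximate date the deleted object will be recycled.
            ApproxRecycleOn = if ($recycled) { $null } else { $_.whenChanged.AddDays($lifetime) }
        }
    }
}

Get-EffectiveDeletionLifetime
Get-DeletedObjectState | Format-Table -AutoSize
```

The Deleted Objects container itself also carries isDeleted, so it shows up in the listing; filter it out by name if that is noise in your environment.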
A simplification of the Recycle Bin deleted object lifecycle looks like this:
Now that everyone has a basic understanding of the AD Recycle Bin’s deleted object behavior, let’s fire up the LDP utility and take a closer look with the help of my sacrificial user account.
As you can see, thanks to the wonders of the PowerShell script that both creates and resuscitates him, we have plenty of attributes populated.
After deleting the object, we can see that the behavior has definitely changed as the majority of its attributes persisted into the deleted object state.
Here is a summary of the changes which occurred as a result of the object’s deletion: