Shulou(Shulou.com)06/01 Report--

It is believed that many inexperienced people don't know what to do about how to use Directory to realize the recycle bin function in Active. Therefore, this paper summarizes the causes and solutions of the problem. Through this article, I hope you can solve this problem.

Upgrade the AD feature level to Windows Server 2008 R2

Before using the Recycle Bin, you must upgrade the functional level of AD. Basically, we must run ADPREP/FORESTPREP on the forest architecture host, then ADPREP/DOMAINPREP on the infrastructure host, and use the ADPREP version on the Windows Server 2008 R2 installation disk. It is recommended that you refer to this website article "how to raise the functional level of an Active Directory domain to Server 2008 R2".

Enable the AD Recycle Bin

Simply upgrading the AD feature level is not enough to enable the AD Recycle Bin. The function of the Recycle Bin must be explicitly enabled. Note: this process is irreversible. Once we have enabled the AD Recycle Bin, we cannot disable this feature. Since this step will affect our backup strategy, we need to fully understand how the Recycle Bin works before using this feature.

There are two ways to enable the Recycle Bin feature. We can use PowerShell or Ldp.exe, a GUI tool that manages lightweight Directory access Protocol (LDAP). The process of using Ldp.exe is a bit complicated, so it is recommended that you choose PowerShell:

Enable-ADOptionalFeature-Identity 'CN=Recycle Bin Feature,CN=Optional Features,CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration, DC=domain,DC=com'-Scope ForestOrConfigurationSet-Target' domain.com'

We can copy this command and replace the domain name as needed. To enter this command into the AD module for Windows PowerShell, you can find this module under the Administrative tools folder on the start menu of the Windows Server 2008 R2 domain controller. Remember to start Shell as an administrator.

Recover AD objects through the Recycle Bin

Microsoft also describes two ways to recover AD objects through the Recycle Bin (PowerShell and Ldp.exe). However, I personally feel that neither of these methods is convenient. If you want to quickly recover an AD object that has been accidentally deleted, you certainly don't want to enter a long list of PowerShell commands. And it's not very convenient to use Ldp.exe GUI. Because it takes seven steps to recover an object in this way, and a lot of information is entered. If users want to restore multiple objects, they will certainly find this method too troublesome.

Fortunately, there are easier ways to recover AD objects in the Recycle Bin than either of these methods. We can use free tools to restore AD objects, such as Quest Object Restore for Active Directory or ADRestore.NET. These two tools were used to recover Tombstone objects in the past, but they are also useful for deleted objects in the Windows Server 2008 R2 domain. If users use these two tools in Server 2008 R2 domains that do not have the Recycle Bin enabled, or in previous domains, they can only recover Tombstone objects, that is, objects that have lost most of their properties. However, in AD with the Recycle Bin enabled, they restore all properties of the deleted object. The functions of the two tools are similar.

PowerShell is more appropriate if the user wants to recover a large number of objects. Microsoft TechNet provides some demonstration scripts. However, if the user only needs to recover a few objects, it will be faster to use the two tools described above.

Change the useful life of deleted objects

Users can only restore deleted objects within their validity period, which is 180 days by default. In general, this period is sufficient for objects that have been accidentally deleted. But the validity period of the deleted object also determines how long we recover the AD object from the backup. In some circumstances, 180 days may be a little short.

Many backup strategies support one-year backups. If the user wants to restore a specific object and the deleted object is valid for only 180 days, then these backups are basically useless. Although, we can change the validity period of the object, although the process is a bit cumbersome, but considering that we only need to do this once, it doesn't matter.

After reading the above, have you mastered how to use Directory to achieve the Recycle Bin function in Active? If you want to learn more skills or want to know more about it, you are welcome to follow the industry information channel, thank you for reading!

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.