How to Enable the Active Directory Recycle Bin

Restoring Active Directory is a real pain. Any admin who accidentally deleted a user or an entire OU has learned this the hard way.

This is why you should always enable the AD recycle bin option when installing (or taking over) an Active Directory environment.

The option is straightforward to set up, and someday it can save you a lot of labor!

Pre-requisites for Enabling the AD Recycle Bin

To enable this feature, your forest functional level must be Windows Server 2008 R2 or later.

To check your current forest mode, run the following PowerShell command from a domain controller (or from a workstation with the RSAT Active Directory module installed):

PS C:\> Get-ADForest | fl ForestMode

ForestMode : Windows2016Forest

If you’re not at the required level, you need to raise it (every domain controller in the forest must already run at least that Windows Server version). This can be done using the following command:

Set-ADForestMode [-Identity] <ADForest> [-ForestMode] <ADForestMode>

Using PowerShell to Enable the AD Recycle Bin

With the proper forest mode level configured, you can move forward.

Use the following PowerShell command to enable the recycle bin in your Active Directory:

Enable-ADOptionalFeature -Identity <ADOptionalFeature> -Scope <ADOptionalFeatureScope> -Target <ADEntity>
  • The Identity parameter is the distinguished name of the Recycle Bin Feature object (under CN=Optional Features in the Configuration partition).
  • The Scope parameter indicates the scope of the recycle bin feature; you would typically set this to ‘ForestOrConfigurationSet’.
  • The Target parameter is the DNS name of your AD forest (its root domain).

The following command shows how to run this command using sample values for all parameters:

PS C:\> Enable-ADOptionalFeature -Identity 'CN=Recycle Bin Feature,CN=Optional Features,CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=easy365manager,DC=local' -Scope ForestOrConfigurationSet -Target 'easy365manager.local'
WARNING: Enabling 'Recycle Bin Feature' on 'CN=Partitions,CN=Configuration,DC=easy365manager,DC=local' is an irreversible action! You will not be able to disable 'Recycle Bin Feature' on 'CN=Partitions,CN=Configuration,DC=easy365manager,DC=local' if you proceed.

Confirm
Are you sure you want to perform this action?
Performing the operation "Enable" on target "Recycle Bin Feature".
[Y] Yes  [A] Yes to All  [N] No  [L] No to All  [S] Suspend  [?] Help (default is "Y"): Y

Confirm the action to enable the Active Directory recycle bin feature. That’s it!

How to Verify if the AD Recycle Bin Feature is Enabled

To confirm if the Active Directory recycle bin feature is enabled, run the following command:

PS C:\> Get-ADOptionalFeature -Filter 'Name -eq "Recycle Bin Feature"'


DistinguishedName  : CN=Recycle Bin Feature,CN=Optional Features,CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=easy365manager,DC=local
EnabledScopes      : {CN=Partitions,CN=Configuration,DC=easy365manager,DC=local, CN=NTDS Settings,CN=DC-01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=easy365manager,DC=local}
FeatureGUID        : 766ddcd8-acd0-445e-f3b9-a7f9b6744f2a
FeatureScope       : {ForestOrConfigurationSet}
IsDisableable      : False
Name               : Recycle Bin Feature
ObjectClass        : msDS-OptionalFeature
ObjectGUID         : ca33df70-7f72-48bd-8b63-24e5edbbbc0d
RequiredDomainMode :
RequiredForestMode : Windows2008R2Forest

The output may vary depending on the number and names of your domain controllers.

Any value in the EnabledScopes attribute means the AD recycle bin is enabled; if it is not, the attribute is empty.

The above PowerShell command should be one of the first commands you run when starting a new position as an IT admin. It takes very little effort, and the day the AD recycle bin is needed, it will save you a lot of trouble.
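The check, enable and verify steps above, combined into one idempotent script. This is an added example, not code from the original post; it assumes the ActiveDirectory module (RSAT) is loaded and the session runs as a member of Enterprise Admins.

```powershell
# Added example (not from the original post): check the prerequisite, enable the
# Recycle Bin only if it is not already on, then verify. Assumes the ActiveDirectory
# module (RSAT) and an account that is a member of Enterprise Admins.
Import-Module ActiveDirectory

$forest  = Get-ADForest
$feature = Get-ADOptionalFeature -Filter 'Name -eq "Recycle Bin Feature"'

# ADForestMode is an enum in release order, so an integer compare checks "2008 R2 or later".
$required = [Microsoft.ActiveDirectory.Management.ADForestMode]::Windows2008R2Forest
if ([int]$forest.ForestMode -lt [int]$required) {
    throw "Forest mode is $($forest.ForestMode); raise it to $required or later first."
}

if ($feature.EnabledScopes.Count -gt 0) {
    Write-Output "Recycle Bin Feature is already enabled; no action taken."
} else {
    # Irreversible: the cmdlet prompts for confirmation unless -Confirm:$false is given.
    # The feature's own DistinguishedName and the forest's DNS name are used rather
    # than hand-typed values, so the call is correct for whatever forest you run it in.
    Enable-ADOptionalFeature -Identity $feature.DistinguishedName `
        -Scope ForestOrConfigurationSet -Target $forest.Name
}

# Verify: EnabledScopes is populated once the feature is on (after replication).
$feature = Get-ADOptionalFeature -Filter 'Name -eq "Recycle Bin Feature"'
if ($feature.EnabledScopes.Count -eq 0) {
    throw "Recycle Bin still shows no EnabledScopes; check replication (repadmin /syncall)."
}
$feature | Select-Object Name, IsDisableable, EnabledScopes | Format-List

# Deleted objects stay restorable for msDS-DeletedObjectLifetime days. A blank value means
# it falls back to tombstoneLifetime (180 days on forests created with 2003 SP1 or later).
$dsCfg = "CN=Directory Service,CN=Windows NT,CN=Services,$((Get-ADRootDSE).configurationNamingContext)"
$lifetime = (Get-ADObject -Identity $dsCfg -Properties 'msDS-DeletedObjectLifetime').'msDS-DeletedObjectLifetime'
Write-Output "msDS-DeletedObjectLifetime: $(if ($lifetime) { $lifetime } else { '(not set, default applies)' })"
```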

How to Restore an Office 365 Mailbox with the AD Recycle Bin

If you’re managing a hybrid Office 365 setup, the accidental deletion of synchronized AD users with Office 365 mailboxes carries an additional penalty.

Deleting an AD user cascades to Office 365 on the next directory synchronization, where both the Azure AD user and the Exchange Online mailbox are deleted.

You can quickly save the day if you have enabled the AD recycle bin BEFORE deleting the AD user.

Restore the AD user using PowerShell:

Get-ADObject -Filter {String} -IncludeDeletedObjects | Restore-ADObject

The restored AD user replicates to Office 365, and both the Azure AD user and the Exchange Online mailbox are restored and reconnected to it (provided the deleted Azure AD user is still within its 30-day soft-delete retention window).
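A fuller version of the restore step above, as an added example that is not part of the original post: it locates the deleted user with a filter on isDeleted, refuses objects that are already recycled, handles a deleted parent OU, and verifies the result. The account name jdoe and the fallback OU are constructed placeholders.

```powershell
# Added example (not from the original post): find a user in the AD Recycle Bin and
# restore it. Assumes the ActiveDirectory module; 'jdoe' is a constructed sample
# sAMAccountName and $fallbackOu is a placeholder to replace with an OU that exists.
Import-Module ActiveDirectory

$sam        = 'jdoe'
$fallbackOu = 'OU=Users,DC=example,DC=local'   # placeholder; used only if the original OU is gone

# Deleted objects are hidden unless -IncludeDeletedObjects is given; filtering on isDeleted
# avoids matching a live account that has since reused the same name.
$deleted = Get-ADObject -Filter { sAMAccountName -eq $sam -and isDeleted -eq $true } `
    -IncludeDeletedObjects -Properties sAMAccountName, isRecycled, lastKnownParent, whenChanged

if (-not $deleted)           { throw "No deleted object with sAMAccountName '$sam'." }
if (@($deleted).Count -gt 1) { throw "Several deleted '$sam' objects; pick one by ObjectGUID." }
if ($deleted.isRecycled)     { throw "'$sam' is past msDS-DeletedObjectLifetime; only a backup can bring it back." }

# Children are restored after their parent: if lastKnownParent was deleted too, restore
# that OU first with the same procedure, otherwise Restore-ADObject fails. Here we fall
# back to another OU instead.
$parentExists = $false
try { Get-ADObject -Identity $deleted.lastKnownParent | Out-Null; $parentExists = $true } catch {}

if ($parentExists) {
    Restore-ADObject -Identity $deleted.ObjectGUID
} else {
    Restore-ADObject -Identity $deleted.ObjectGUID -TargetPath $fallbackOu
}

# Verify the account is back with its attributes (group memberships are preserved by
# the Recycle Bin, unlike a tombstone reanimation without it).
Get-ADUser -Identity $sam -Properties MemberOf, UserPrincipalName, Enabled |
    Select-Object SamAccountName, UserPrincipalName, Enabled, DistinguishedName, MemberOf

# In a hybrid setup, a delta sync on the Azure AD Connect server (ADSync module) pushes
# the restore to Office 365:  Start-ADSyncSyncCycle -PolicyType Delta
```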

Summary

It’s highly recommended to enable the AD recycle bin in your Active Directory. Manually restoring objects from backup can be a real pain.

If you’re a fan of working in the fastest and easiest way possible, have a look at Easy365Manager.

With Easy365Manager you can manage all email attributes, Office 365 licenses and Office 365 mailboxes directly from AD Users & Computers.

Easy365Manager will save you time and money and allows you to permanently remove your on-premises Exchange server.

Easy365Manager is the missing link between on-premises and Office 365.

Have a look at the feature list and download the fully functional 30-day trial.