Enable Active Directory Recycle Bin A referral was returned from the server

In this quick guide, we will explain how to enable Active Directory Recycle Bin to restore deleted AD objects along with their attributes. Let’s get started!

Using the AD Recycle bin to Restore Deleted Objects

Authoritative restore has long been the preferred method for administrators to restore accidentally deleted or corrupted AD objects (such as users, groups, computer accounts, and OUs). With Windows Server 2008 R2, administrators were introduced to the Active Directory Recycle Bin, which can be used to restore deleted objects from a hidden container called “deletedobjects”.

In previous versions of Active Directory, most deleted objects were stripped of their attributes and resided in the “deletedobjects” container in the “isrecycled” state. Therefore, if an object was not restored from the “isdeleted” state (logical deletion), all of its attributes were lost.

However, with the Active Directory Recycle Bin (ADRB) in Windows Server 2008 R2, the attributes of deleted objects are preserved, making AD restoration simpler and less time-consuming. Before you enable the AD Recycle Bin, some requirements must be met.

Requirements for Enabling the AD Recycle Bin

Firstly, the forest functional level of your environment must be set to Windows Server 2008 R2. The functional level can be raised in two ways, viz., with the Set-ADForestMode cmdlet from the Active Directory module, or with Ldp.exe. The Active Directory schema must also be updated with the adprep.exe utility, and any pre-R2 domain controllers retired, before the functional level is raised.

Once the forest functional level of your environment is set to Windows Server 2008 R2, the Active Directory Recycle Bin can be enabled using one of the two methods given below:

  1. Using Enable-ADOptionalFeature Cmdlet
  2. Using Ldp.exe

Enable Recycle Bin Using Enable-ADOptionalFeature Cmdlet

Below are the steps to enable the Recycle Bin using the Enable-ADOptionalFeature cmdlet:

  1. Click Start, click Administrative Tools, right-click Active Directory Module for Windows PowerShell, and then click Run as administrator.
  2. At the Active Directory module for Windows PowerShell command prompt, type the following command, and then press ENTER:

    Enable-ADOptionalFeature -Identity 'CN=Recycle Bin Feature,CN=Optional Features,CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=www,DC=domain,DC=com' -Scope ForestOrConfigurationSet -Target 'www.domain.com'

Enable Recycle Bin Using Ldp.exe

Below are the steps to enable the Recycle Bin using Ldp.exe:

  1. To open Ldp.exe, click Start, click Run, and then type ldp.exe.
  2. To connect and bind to the server that hosts the forest root domain of your AD DS environment, under Connection, click Connect, and then click Bind.
  3. Click View, click Tree, in BaseDN, select the configuration directory partition, and then click OK.
  4. In the console tree, double-click the distinguished name of the configuration directory partition, and then navigate to the CN=Partitions container.
  5. Right-click the CN=Partitions container’s distinguished name, and then click Modify.
  6. In the Modify dialog box, make sure that the DN box is empty.
  7. In the Modify dialog box, in Edit Entry Attribute, type enableOptionalFeature.
  8. In the Modify dialog box, in Values, type the following (with no trailing period):

    CN=Partitions,CN=Configuration,DC=mydomain,DC=com:766ddcd8-acd0-445e-f3b9-a7f9b6744f2a

    Replace mydomain and com with the appropriate forest root domain name of your AD DS environment.

Lepide Object Restore – An Easier Way to Restore Deleted Objects

If you are unable to raise the functional level of your environment to R2 and have to continue with your current Windows Server version, there may be an easier way to ensure you can restore AD objects. As part of our Lepide Data Security Platform, we created the Lepide Object Restore solution, which allows you to restore deleted objects from the local domain complete with their attributes. With it, you do not have to juggle different utilities to perform the restoration.

In this tutorial, you will learn how to enable the Active Directory Recycle bin on Windows Server 2016.

I’ll show you how to enable it through the GUI as well as with PowerShell.

The AD recycle bin comes in handy when you accidentally delete an AD object and need to restore it.

The AD Recycle bin allows you to quickly recover deleted objects without the need to restore an Active Directory backup.

The Recycle Bin feature preserves all link-valued and non-link-valued attributes. This means that a restored object retains all of its settings.

By default, a deleted object can be restored within 180 days. This period is controlled by the Deleted Object Lifetime (DOL), which is set on the msDS-deletedObjectLifetime attribute.

In addition, its default value is the same as the Tombstone Lifetime.

Confused?

Just remember the default setting to restore a deleted object is 180 days.

If you want a deeper dive into these settings then check the AD Recycle Bin guide from Microsoft.

Steps to Enable the AD Recycle Bin on Windows Server 2016

Note: Once you enable the Active Directory Recycle Bin you can’t turn it off.

Follow these simple 3 steps:

Step 1: Open Server Manager

Step 2: Open the Active Directory Administrative Center

From Server Manager, go to Tools and select Active Directory Administrative Center.

Step 3: Enable Recycle Bin

Within the Active Directory Administrative Center, click on your local domain, then click “Enable Recycle Bin”.

Click OK to confirm.

Click OK on the next pop-up.

All done, the AD Recycle Bin is now enabled.

Enable AD Recycle Bin with PowerShell

Follow these steps to enable the Recycle Bin with PowerShell:

Step 1: Log on to your Domain Controller

Step 2: Load the AD PowerShell module

Import-Module ActiveDirectory

Step 3: Run the following cmdlet to enable the Recycle Bin

Enable-ADOptionalFeature 'Recycle Bin Feature' -Scope ForestOrConfigurationSet -Target <your-forest-root-domain>

Here is an example using the ad.activedirectorypro.com domain.

Enable-ADOptionalFeature 'Recycle Bin Feature' -Scope ForestOrConfigurationSet -Target ad.activedirectorypro.com

How to Verify AD Recycle Bin is enabled

Use this PowerShell command to verify that it is enabled:

Get-ADOptionalFeature -filter *

Notice the EnabledScopes value; if the feature were not enabled, the scope would be empty.
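The following script, added here as an example and not taken from either original article, combines the verification step with the lifetime settings discussed earlier: it reports whether the Recycle Bin feature is enabled, resolves the effective Deleted Object Lifetime and tombstone lifetime from the Directory Service object, and lists the objects currently restorable from the Deleted Objects container. It assumes the ActiveDirectory module (RSAT) is installed and that the session runs as a user who can read the Configuration partition; the function names are my own.

```powershell
# Added example (not from the original articles). Requires the ActiveDirectory module.
Import-Module ActiveDirectory

function Get-RecycleBinStatus {
    $configNC = (Get-ADRootDSE).configurationNamingContext

    # Same feature name Enable-ADOptionalFeature accepts; EnabledScopes stays empty until enabled.
    $feature = Get-ADOptionalFeature -Identity 'Recycle Bin Feature'
    $enabled = $feature.EnabledScopes.Count -gt 0

    # Both lifetimes live on the Directory Service object in the Configuration partition.
    # DOL falls back to the tombstone lifetime when msDS-DeletedObjectLifetime is unset;
    # tombstoneLifetime falls back to a built-in 60 days when unset (forests created on
    # Windows Server 2003 SP1 or later set it to 180 explicitly, hence the 180-day default).
    $ds = Get-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$configNC" `
        -Properties 'msDS-DeletedObjectLifetime', 'tombstoneLifetime'
    $tsl = if ($ds.tombstoneLifetime) { $ds.tombstoneLifetime } else { 60 }
    $dol = if ($ds.'msDS-DeletedObjectLifetime') { $ds.'msDS-DeletedObjectLifetime' } else { $tsl }

    [pscustomobject]@{
        RecycleBinEnabled         = $enabled
        EnabledScopes             = ($feature.EnabledScopes -join ', ')
        TombstoneLifetimeDays     = $tsl
        DeletedObjectLifetimeDays = $dol
    }
}

function Get-RestorableObjects {
    # Deleted objects carry isDeleted = TRUE and keep their attributes for the DOL.
    # -IncludeDeletedObjects is required because the Deleted Objects container is hidden;
    # the container object itself is also flagged isDeleted, so it is filtered out.
    Get-ADObject -Filter { isDeleted -eq $true -and -not (Name -like 'Deleted Objects') } `
        -IncludeDeletedObjects -Properties whenChanged, lastKnownParent |
        Select-Object Name, ObjectClass, whenChanged, lastKnownParent
}

Get-RecycleBinStatus | Format-List
Get-RestorableObjects | Format-Table -AutoSize
# To bring one of the listed objects back, pass its objectGUID to Restore-ADObject.
```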

How do I enable the Active Directory Recycle Bin?

Start the AD Administrative Center (Start -> Run -> dsac.exe). Click on your domain name and, in the "Tasks" pane, click "Enable Recycle Bin...". Alternatively, right-click your domain in the overview and click “Enable Recycle Bin...”.

Which tool is used to enable Active Directory Recycle Bin?

Enable-ADOptionalFeature can be used to enable the Active Directory Recycle Bin.

Should I enable AD Recycle Bin?

The Active Directory Recycle Bin allows you to recover objects immediately, without the need to use your System State backups. Before you recover any deleted objects, you must first enable Active Directory Recycle Bin.

What is the Windows PowerShell command to enable Recycle Bin under Active Directory?

To do this, you need a domain admin user account. Start the AD Administrative Center (Start -> Run -> dsac.exe). Click on your domain name and, in the "Tasks" pane, click "Enable Recycle Bin...". Alternatively, right-click your domain in the overview and click “Enable Recycle Bin...”.