A. Windows Server 2008 R2 introduces a number of new AD features, and the AD Recycle Bin is one of those features getting the most attention.

Normally, when an AD object is deleted it's tombstoned—the object is marked as deleted, this tombstone status replicates to all domain controllers (DCs), and after the tombstone lifetime passes the object is actually deleted by the garbage collection process. As soon as you delete an object, most of its attributes are removed and all linked value attributes, including group memberships, are deleted. If you want to recover a deleted object, you can boot a DC into Directory Services Restore Mode (DSRM), restore a backup, and then mark an object (or objects) as authoritative, which will bring the object back. An alternative approach is to reanimate a tombstoned object, which removes the tombstone status and makes the object available again. However, the reanimated object will have lost all group memberships and most attributes (but it keeps the same SID).

You can enable the Recycle Bin in Windows Server 2008 R2. The Recycle Bin requires the forest functional level to be Windows Server 2008 R2, which in turn means every DC in the forest must be running Windows Server 2008 R2 before the level can be raised. Enabling it is a forest-wide, one-time operation performed by a member of Enterprise Admins, and once you enable the Recycle Bin, you can't disable it.
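As an added example (not code from the original FAQ), the prerequisite check and the enabling step done with the Active Directory PowerShell module on a 2008 R2 DC, run as a member of Enterprise Admins. Nothing about the environment is assumed: the forest root domain and the current forest functional level are read from Get-ADForest, and the feature's current state from Get-ADOptionalFeature.

```powershell
# Added example, not code from the original FAQ: check the prerequisites and
# enable the AD Recycle Bin from the Active Directory PowerShell module.
# Run as a member of Enterprise Admins; the forest name is read from AD.
Import-Module ActiveDirectory

$forest  = Get-ADForest
$feature = Get-ADOptionalFeature -Filter 'Name -eq "Recycle Bin Feature"'

# Prerequisite: forest functional level Windows Server 2008 R2 or higher,
# which in turn means every DC in the forest is 2008 R2 or later.
$required = [Microsoft.ActiveDirectory.Management.ADForestMode]::Windows2008R2Forest
if ([int]$forest.ForestMode -lt [int]$required) {
    throw "Forest functional level is $($forest.ForestMode); raise it to Windows2008R2Forest first (Set-ADForestMode)."
}

# EnabledScopes stays empty until the feature has been turned on somewhere.
if ($feature.EnabledScopes.Count -gt 0) {
    "Recycle Bin already enabled for: $($feature.EnabledScopes -join ', ')"
}
else {
    # Irreversible: Disable-ADOptionalFeature does not work for the Recycle Bin,
    # and every object already tombstoned becomes recycled (unrecoverable) now.
    Enable-ADOptionalFeature -Identity $feature -Scope ForestOrConfigurationSet `
        -Target $forest.RootDomain -Confirm:$false
    "Recycle Bin enabled for forest $($forest.RootDomain)"
}
```

The forest-level check is deliberately done before the enable call: Enable-ADOptionalFeature fails with a clear error on a lower functional level, but checking first lets you raise the level in the same maintenance window, and the -Confirm:$false is there because the cmdlet otherwise prompts, since the change cannot be undone.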

Once the Recycle Bin is enabled, the lifecycle of a deleted object changes. When an object is deleted, none of its attributes or linked value attributes are removed; its name is mangled slightly (the relative distinguished name gets a deleted-object marker and the object's GUID appended), the isDeleted attribute is set to TRUE, and the object is moved to the Deleted Objects container. The object stays in this state for the duration set in msDS-deletedObjectLifetime. By default that attribute is not set, in which case it takes the value of tombstoneLifetime, which is 180 days for forests created on Windows Server 2003 SP1 or later (60 days for forests created on older versions, and 60 days if the attribute itself is absent). Once the deleted object's lifetime has passed, the object moves into the recycled state: its isRecycled attribute is set to TRUE, its linked value attributes (group memberships and so on) are stripped, and most of its other attributes are removed, just as with a tombstone in a forest without the Recycle Bin. The object can't be restored through any means once it enters this state, and it is physically deleted by garbage collection once tombstoneLifetime passes.

While the object is in the Deleted state, it can be undeleted with no loss of attributes or group memberships, using the Restore-ADObject PowerShell cmdlet or the Ldp.exe tool. The Recycle Bin cycle is shown here.

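As an added example (not code from the original FAQ) covering the two paragraphs above: read the two lifetimes that drive the Recycle Bin from the Directory Service configuration object, list the objects that are still in the Deleted state (restorable) as opposed to Recycled (gone), and restore one user with Restore-ADObject. The only assumption is the placeholder sAMAccountName jsmith; everything else is read from the directory.

```powershell
# Added example, not code from the original FAQ: read the two lifetimes that
# drive the Recycle Bin, list what is still restorable, and restore one user.
# 'jsmith' is a placeholder sAMAccountName; everything else is read from AD.
Import-Module ActiveDirectory

# Both lifetimes live on the Directory Service object in the configuration NC.
$configNc = (Get-ADRootDSE).configurationNamingContext
$dsObject = Get-ADObject "CN=Directory Service,CN=Windows NT,CN=Services,$configNc" `
    -Properties tombstoneLifetime, msDS-DeletedObjectLifetime
# tombstoneLifetime defaults to 60 days when the attribute is absent;
# msDS-DeletedObjectLifetime is absent by default and then inherits tombstoneLifetime.
$tsl = if ($dsObject.tombstoneLifetime) { $dsObject.tombstoneLifetime } else { 60 }
$dol = if ($dsObject.'msDS-DeletedObjectLifetime') { $dsObject.'msDS-DeletedObjectLifetime' } else { $tsl }
"Deleted state lasts $dol days, then recycled for $tsl more days before garbage collection"

# Restorable objects: isDeleted is TRUE and isRecycled is not yet set.
# The Deleted Objects container itself also carries isDeleted=TRUE, so skip it.
$restorable = Get-ADObject -Filter 'isDeleted -eq $true -and name -ne "Deleted Objects"' `
    -IncludeDeletedObjects -Properties isDeleted, isRecycled, lastKnownParent, whenChanged |
    Where-Object { -not $_.isRecycled }
$restorable | Select-Object Name, ObjectClass, lastKnownParent, whenChanged | Format-Table -AutoSize

# Restore a specific user. sAMAccountName survives deletion once the Recycle Bin is on.
$target = Get-ADObject -Filter 'sAMAccountName -eq "jsmith" -and isDeleted -eq $true' `
    -IncludeDeletedObjects -Properties isRecycled, lastKnownParent
if (-not $target)       { throw 'No deleted object named jsmith was found.' }
if ($target.isRecycled) { throw 'jsmith is already recycled and cannot be restored.' }

# Restore-ADObject puts the object back under lastKnownParent, which must itself
# be live. If the parent OU was deleted too, restore it first with the same cmdlet.
try   { Get-ADObject -Identity $target.lastKnownParent -ErrorAction Stop | Out-Null }
catch { throw "Parent $($target.lastKnownParent) is missing; restore it before jsmith." }

Restore-ADObject -Identity $target.ObjectGUID

# Verify: the group memberships came back with the object, unlike a reanimated tombstone.
Get-ADUser -Identity jsmith -Properties memberOf |
    Select-Object -ExpandProperty memberOf
```

The parent check matters in practice: deleting an OU deletes its children with it, and Restore-ADObject on a child whose lastKnownParent is still in the Deleted Objects container fails, so restore the container hierarchy top-down (or pass -TargetPath to restore the child somewhere else).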
Note that when you enable the Recycle Bin, any object that was tombstoned before becomes recycled and can't be restored.

Related Reading:

Check out hundreds more useful Q&As like this in John Savill's FAQ for Windows. Also, watch instructional videos made by John at ITTV.net.