Enabling the Active Directory Recycle Bin using PowerShell

Hi All,

The accidental deletion of one or more Active Directory objects can cause downtime for end users and a great deal of work for the IT department. A really useful feature added to Active Directory in Windows Server 2008 R2 is the Active Directory Recycle Bin. It lets you restore deleted objects such as users and computers quickly, and the recovered objects keep all of their attributes and backlinks (group memberships, for example) without an authoritative restore. Without the Recycle Bin a deleted object becomes a tombstone that has been stripped of most of its attributes, which is why an authoritative restore from backup was previously the only clean recovery path.

The requirement for enabling the Active Directory Recycle Bin is a Windows Server 2008 R2 Forest Functional Level. This means every Domain Controller in the forest runs Windows Server 2008 R2 or later, every domain is at the Windows Server 2008 R2 Domain Functional Level, and you have raised the Forest Functional Level to Windows Server 2008 R2. Windows Server 2008 R2 does allow you to roll the Forest Functional Level back to Windows Server 2008, but only while the AD Recycle Bin has NOT yet been enabled. Enabling the AD Recycle Bin is an irreversible change: once it is enabled, you cannot lower the Forest Functional Level back to Windows Server 2008. Follow the steps below to enable the Recycle Bin.

1. Log on to the Domain Controller in your forest that hosts the Domain Naming Master FSMO role with an account that has Enterprise Admin rights.

2. Open PowerShell as administrator and import the Active Directory module by typing the following command:

Import-Module ActiveDirectory

3. After the module is loaded, type the following command, replacing the pipe2text.com information in both the identity (DC=pipe2text,DC=com) and the target (pipe2text.com) with the forest root information from your environment:

Enable-ADOptionalFeature -Identity 'CN=Recycle Bin Feature,CN=Optional Features,CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=pipe2text,DC=com' -Scope ForestOrConfigurationSet -Target 'pipe2text.com'

After you run the above command you will receive a warning that the change is irreversible, and you will need to type "Y" to confirm it.

4. After you have run the above command with your environment's information, you can verify that it ran properly by typing the following command:

Get-ADOptionalFeature -Filter *

You will notice that the EnabledScopes property of the Recycle Bin Feature entry is now populated.
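The four steps above as one script, added here as a worked example that is not part of the original post. It reads the forest name and the FSMO role holders from Get-ADForest instead of hard-coding pipe2text.com, refuses to run below the Windows Server 2008 R2 forest level, skips the (irreversible) enable if it has already been done, and verifies EnabledScopes afterwards. The Restore-DeletedADUser function at the end is an assumed helper showing what the feature buys you once enabled; the warning about the Schema Master location reflects only the author's lab observation later in this post, not a documented requirement.

```powershell
# Added example (not the original post's code). Requires the ActiveDirectory
# module (RSAT or a Domain Controller) and Enterprise Admin rights.
Import-Module ActiveDirectory

$forest     = Get-ADForest
$forestName = $forest.Name                 # e.g. pipe2text.com (read, not hard-coded)
$dnm        = $forest.DomainNamingMaster   # DC to target, per step 1 above
$configNC   = (Get-ADRootDSE -Server $dnm).configurationNamingContext
$featureDN  = "CN=Recycle Bin Feature,CN=Optional Features,CN=Directory Service," +
              "CN=Windows NT,CN=Services,$configNC"

# Pre-check 1: forest functional level must be Windows Server 2008 R2 or higher.
# ForestMode is an ADForestMode enum, so a numeric comparison is valid.
$minLevel = [Microsoft.ActiveDirectory.Management.ADForestMode]::Windows2008R2Forest
if ($forest.ForestMode -lt $minLevel) {
    throw "Forest functional level is $($forest.ForestMode); raise it to Windows2008R2Forest first."
}

# Pre-check 2 (assumption based on the author's lab note, not a documented rule):
# warn when the Schema Master is on a different DC than the Domain Naming Master.
if ($forest.SchemaMaster -ne $forest.DomainNamingMaster) {
    Write-Warning "Schema Master ($($forest.SchemaMaster)) and Domain Naming Master ($dnm) differ; " +
                  "if you get 'A referral was returned from the server', see the note below."
}

# Pre-check 3: the change cannot be undone, so do nothing if it is already enabled.
$feature = Get-ADOptionalFeature -Identity $featureDN -Server $dnm
if ($feature.EnabledScopes.Count -gt 0) {
    Write-Output "Recycle Bin already enabled. Scopes: $($feature.EnabledScopes -join '; ')"
    return
}

# Step 3: enable. -Confirm:$false suppresses the interactive "irreversible" prompt;
# drop it if you want the Y/N confirmation shown in the manual steps.
Enable-ADOptionalFeature -Identity $featureDN -Scope ForestOrConfigurationSet `
    -Target $forestName -Server $dnm -Confirm:$false

# Step 4: verify. EnabledScopes is empty before enabling and populated afterwards.
$feature = Get-ADOptionalFeature -Identity $featureDN -Server $dnm
if ($feature.EnabledScopes.Count -eq 0) {
    throw "Recycle Bin Feature still reports no enabled scopes; check the command output."
}
Write-Output "Recycle Bin enabled. Scopes: $($feature.EnabledScopes -join '; ')"

# Assumed helper: restore a deleted user by sAMAccountName. Deleted (not yet
# recycled) objects keep their attributes, so they can be found under the
# Deleted Objects container with -IncludeDeletedObjects. If the original parent
# OU was deleted too, restore the OU first or pass -TargetPath to Restore-ADObject.
function Restore-DeletedADUser {
    param([Parameter(Mandatory = $true)][string]$SamAccountName)

    $deleted = Get-ADObject -LDAPFilter "(&(isDeleted=TRUE)(sAMAccountName=$SamAccountName))" `
        -IncludeDeletedObjects -Properties lastKnownParent
    if (-not $deleted) {
        throw "No deleted object with sAMAccountName '$SamAccountName' was found."
    }
    Restore-ADObject -Identity $deleted.ObjectGUID
    Write-Output "Restored $SamAccountName to $($deleted.lastKnownParent)"
}
```

Run the script once per forest; a second run exits at the "already enabled" check. The restore helper is only useful for objects deleted after the feature was enabled, since objects tombstoned before that point have already lost their attributes.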

Note: When I was testing this command in my lab, I initially received the following error:

Enable-ADOptionalFeature : A referral was returned from the server
At line:1 char:25
+ Enable-ADOptionalFeature <<<<  -Identity 'CN=Recycle Bin Feature,CN=Optional Features,CN=Directory Service,CN=Window NT,CN=Services,CN=Configuration,DC=pipe2text,DC=com' -Scope ForestOrConfigurationSet -Target 'pipe2text.com'
    + CategoryInfo          : NotSpecified: (CN=Recycle Bin ...pipe2text,DC=com:ADOptionalFeature) [Enable-ADOptionalFeature], ADException
    + FullyQualifiedErrorId : A referral was returned from the server,Microsoft.ActiveDirectory.Management.Commands.EnableADOptionalFeature

In my lab I had the Schema Master FSMO role running on a Domain Controller in a child domain. After transferring the Schema Master role to the same Domain Controller that hosted the Domain Naming Master I was able to run the command again without any issues.

As always, test this change in your lab first. For more information about enabling the AD Recycle Bin you can visit Microsoft's TechNet library. If you have any questions or feedback please leave a comment. I hope this helps!

Related Links:

Using the Windows Server 2012 Active Directory Administrative Center to Recover Deleted Objects in the Active Directory Recycle Bin
