Enabling AD Recycle Bin on Server 2008R2

Caution: Seasoned Domain Admins Only this is Active Directory and Irreversible

“you break it you bought it…”

All domain controllers must be Server 2008R2 (2K8-R2) And Forest Functional level must be 2008R2

If you already have a 2K8-R2 forest installation you can skip the ADprep steps below

First you need your 2K8-R2 media

Copy the folder \support\Adprep to a path on your schema master domain controller

Open a command prompt as Administrator and change your operating path to the local Adprep folder

Then run the adprep /forestprep

You will then be prompted with the following warning. READ IT and if you agree press ”C”

clip_image001

I am going to assume the same server is your schema Infrastructure operations master, if not repeat the steps above to copy the adprep directory from the server installation media.

From the command prompt as Administrator

Then run the adprep /domainprep /gpprep

If you have a RODC Read Only Domain Controller from the command prompt as Administrator

Then run the adprep /rodcprep

If you have AD LDS running those also must be running 2K8-R2

Now to actually enable the Active Directory Recycle Bin

Open Powershell as an Administrator:

(I found it easier to type the initial command and be prompted rather than one long string)

Enable-AdOptionalFeature ‘Recycle Bin Feature’

You will be prompted for the Scope: ForestOrConfigurationSet

You will be prompted for the Target:forest_name.com IN my example Target:ko.internal

You will then be prompted with the following IRREVERSABLE Warning

clip_image003

Select “Y” to perform the operation.

After you type “Y” and hit enter you are returned to the command prompt there is no indication it ran

If in doubt and you run it again it will tell you it is already exists.

Now you can use Powershell to restore items from your AD recycle bin using the following cmds

Get-ADObject to locate the desired object

Restore-ADObject to perform the actual restoration

For Example I delete Kim A from users in AD to restore it I use the command:

Get-ADObject –Filter ‘displayname –eq “Kim A”’ –IncludedDeletedObjects |Restore-ADObject

Using the AD Recycle bin avoids the hassle of tombstones, authoritative restores and also it restores the AD object in a more thorough manner with groups and other information still intact.

Comments

Post a Comment

Popular posts from this blog

FRS to DFSR Post Cleanup “File Replication NtFrs Stopped”

Image
After successfully migrating from FRS to DFSR you get the File Replication NtFrs service is Stopped error on the local servers AD DS Services list. In the Event logs you may see Event id 13575 13577. You can confirm your migration completed by opening a cmd prompt as administrator and typing in: dfsrmig /getmigrationstate After your migration to DFSR is completed and you have given your servers ample time to propagate this service is no longer required. Since it is set to “Automatic”, as shown below” it shows in logs as a false positive error. Edit the File Replication Service and change it to “Disabled”, as shown below: Once it is listed as “Disabled” it will no longer show in the Console as an “error” Note : it may take some time to clear from the active view
Read more

Domain Migration SubinACL /Migratetodomain How To:

Caution : DO NOT run this on Domain Controller C:\ and only run on roaming profiles folders, or my docs shares day of migration to avoid ownership change issues. Confirm Domain trust is in place and users and groups have been migrated Test ping of olddomain.org from new domain Test ping of newdomain.org from olddomain Add newdomain.org domain controller host records to olddomain.org including reverse DNS records Confirm the user running the app is a domain admin in BOTH domains Download SubinACL here: http://www.microsoft.com/en-us/download/details.aspx?id=23510 /Migratetodomain- command will add the permissions of the new user to the old files and folders for example if jimbob@olddomain.org was migrated to the new domain jimbob@newdomain.org and you run the command below any file or folder in that path that has jimbob@olddomain.org will add Jimbob@newdomain.org with the exact same permissions. This is a safer way to migrate by keeping the old and new permissions intact while a...
Read more

How to configure HP LaserJet Printer IPsec Encryption

Image
  I always recommend using a static IP for network printers. Once you have that configured use the printers web interface by going to that IP address using internet explorer. Select the” Networking” Tab > “IPsec/Firewall” as shown below: First we will add a rule to allow unencrypted traffic from all connections we will later define IPsec rules specific to the print server. You can set encrypted for all but keep in mind if it fails you will have a harder time remotely repairing it. Select “Add Rules” > “All IP Addresses” as shown below: Select “All Services” >”Next” as shown below: Select “Allow traffic…” >”Next” as shown below: Select “Finish” >”Next” as shown below: Select “OK” as shown below: It should take you back to the ” Networking” Tab > “IPsec/Firewall” as shown below: Note: “Enable IPsec/Firewall” is unchecked Now we will add an Encrypted Rule: Select “Add Rules” > “New” as shown below: Name the Rule, Specify the local and remote IP Addresses ...
Read more