
Set up Active Directory Recycle Bin for AD LDS

You can extend the functionality of the AD Recycle Bin to your Active Directory Lightweight Directory Services (AD LDS) deployments.  This example assumes that we have an AD LDS instance called ‘App1’. It is hosted on a server called ‘MCT-1’ in a domain called ‘MCTNET.com’, and we can connect to it on port 53414.  The application partition is ‘CN=App1,DC=MCTNET,DC=COM’.

On the server hosting the AD LDS instance, open PowerShell.

First verify that your Forest functional level is Windows Server 2008 R2.

Type Get-ADForest and press Enter.  You can see from the results that we are at the correct forest functional level.

Open a command prompt with administrative credentials.
Change your directory to c:\Windows\Adam.

Type Ldifde.exe -i -f MS-ADAM-Upgrade-2.ldf -s MCT-1:53414 -b administrator MCTNET Pa$$w0rd -j . -$ adamschema.cat

For your environment, replace:
MCT-1 with the name of your server.
53414 with the port number of the AD LDS instance on which you are enabling the AD Recycle Bin.
MCTNET with your domain name.
Pa$$w0rd with the password of the account being used.

This will upgrade the schema of your AD LDS instance.

We will now be able to recover objects that are deleted from AD LDS from this point forward.  Any objects that were deleted before the AD Recycle Bin was applied to your AD LDS instance will not be recoverable.  Also, you will not be able to recover objects from other AD LDS instances until you run the above procedure on them.

In my AD LDS instance, I deleted two user objects, Barney and Bert. We now need to bind to the AD LDS instance to find our deleted objects.

From a command prompt with elevated privileges, type LDP and press Enter.

In the LDP window, click Options \ Controls.

From the Load Predefined drop-down box, select Return deleted objects.

Click OK to close the Controls window.

In the LDP window, click Connection \ Connect…

Provide the server name and the port to connect to the AD LDS instance.

Click OK


Click View \ Tree.

In the Tree View window, enter the BaseDN of the AD LDS instance.  In our case it is CN=App1,DC=MCTNET,DC=COM.

Click OK


In the LDP window, click Connection \ Bind

Click OK to close the BIND window.

In the LDP Window, expand your AD LDS instance.


Double click CN=Deleted Objects,CN=App1,DC=MCTNET,DC=COM

You will now see the objects that are being held in the Active Directory Recycle Bin.


Right click the object that you want to recover and select Modify.


In the Attribute: field, click isDeleted

In the Operation section, select Delete

Click Enter.


In the Attribute field, type distinguishedName.

In the Values field, type the Distinguished Name of the object that you want to recover.  In our case, it is CN=Barney,CN=App1,DC=MCTNET,DC=COM.

In the Operation area, select Replace.

At the bottom left of the Modify window, check Extended.

Click Run.

Click Close

If you look in the LDP window, you will see something similar to this:


If you open your AD LDS instance in the ADSI Editor, you will see that your object, Barney, has been restored.
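The same restore can be scripted instead of clicked through in LDP. The following is an added example, not from the original post: it sends the Show Deleted control that LDP's "Return deleted objects" option loads, finds the tombstone under CN=Deleted Objects, and issues the same modify (delete isDeleted, replace distinguishedName, with the control attached as the Extended checkbox does). The server, port, partition and the object name Barney are taken from the post; the function name is mine.

```powershell
# Added example (not the original post's code). Assumes the App1 instance on MCT-1:53414
# and the partition CN=App1,DC=MCTNET,DC=COM used throughout the post.
Add-Type -AssemblyName System.DirectoryServices.Protocols

function Restore-AdLdsDeletedObject {
    param(
        [string]$Server    = 'MCT-1:53414',
        [string]$Partition = 'CN=App1,DC=MCTNET,DC=COM',
        [string]$Name      = 'Barney'
    )

    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($Server)
    $conn.SessionOptions.ProtocolVersion = 3
    $conn.Bind()   # current credentials, as with LDP's Connection \ Bind defaults

    # Tombstones live under CN=Deleted Objects and are only returned when the
    # Show Deleted control (OID 1.2.840.113556.1.4.417) is present on the request.
    $search = New-Object System.DirectoryServices.Protocols.SearchRequest(
        "CN=Deleted Objects,$Partition",
        "(&(isDeleted=TRUE)(cn=$Name*))",
        [System.DirectoryServices.Protocols.SearchScope]::OneLevel,
        @('lastKnownParent'))
    $search.Controls.Add((New-Object System.DirectoryServices.Protocols.ShowDeletedControl)) | Out-Null
    $entries = $conn.SendRequest($search).Entries

    foreach ($entry in $entries) {
        # lastKnownParent records where the object lived before deletion; the
        # restored DN is rebuilt from it rather than typed in by hand.
        $parent   = [string]$entry.Attributes['lastKnownParent'][0]
        $targetDn = "CN=$Name,$parent"

        $clearIsDeleted = New-Object System.DirectoryServices.Protocols.DirectoryAttributeModification
        $clearIsDeleted.Name      = 'isDeleted'
        $clearIsDeleted.Operation = [System.DirectoryServices.Protocols.DirectoryAttributeOperation]::Delete

        $moveBack = New-Object System.DirectoryServices.Protocols.DirectoryAttributeModification
        $moveBack.Name      = 'distinguishedName'
        $moveBack.Operation = [System.DirectoryServices.Protocols.DirectoryAttributeOperation]::Replace
        $moveBack.Add($targetDn) | Out-Null

        $modify = New-Object System.DirectoryServices.Protocols.ModifyRequest
        $modify.DistinguishedName = $entry.DistinguishedName
        $modify.Modifications.Add($clearIsDeleted) | Out-Null
        $modify.Modifications.Add($moveBack) | Out-Null
        # Same effect as checking Extended in LDP: the control rides along with the modify.
        $modify.Controls.Add((New-Object System.DirectoryServices.Protocols.ShowDeletedControl)) | Out-Null

        $result = $conn.SendRequest($modify)
        "Restored $($entry.DistinguishedName) as $targetDn ($($result.ResultCode))"
    }
}

Restore-AdLdsDeletedObject
```

Run it from a session whose account has write rights on the partition; a ResultCode other than Success means the tombstone was not modified and ADSI Edit will still show the object missing.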


Comments

Anonymous said…
Thanks for the information. It works well !

But when we restore a OU, its children are not restored. We must restore them one by one.

Do you know how we could make the restore recursive, somewhat using the lastKnownParent attribute?
I see no reason as to why we cannot do this with PowerShell. I'm on a project right now, but I'll get back to this when I can and see what I can come up with.
