Azure AD Connect: on-premises Active Directory Recycle Bin

If you are using Azure AD Connect to sync accounts to Azure AD, it is highly recommended that you enable the AD Recycle Bin feature in the on-premises Active Directory.

If it isn’t enabled when you configure Azure AD Connect, it’ll warn you about it:

The Active Directory Recycle Bin is not enabled for your forest (x500.co.uk) and is strongly recommended.

[Screenshot: ADRecycle05]

Why?

If a user object is accidentally deleted from the on-premises Active Directory, the deletion is exported to Azure AD on the next Azure AD Connect sync cycle (every 30 minutes by default) and the cloud user object is deleted as well.

Azure AD keeps the user in a soft-deleted state for 30 days (again by default), but re-linking it to a newly created on-premises user object is not a pleasant job: the new object has a new objectGUID, so its Source Anchor (the ImmutableId in Azure AD) no longer matches and the two have to be hard-matched by hand.  Nor is restoring access to on-premises resources (file share permissions, group membership, application access, etc.), since a recreated user also gets a new SID and empty group membership.

When the AD Recycle Bin feature is enabled, the deleted on-premises object can be restored intact, with its original objectGUID, SID, group memberships and other attributes, so the Source Anchor value does not change.  When the restored object is synced, Azure AD Connect matches it to the soft-deleted cloud object and Azure AD restores that object.
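To make that restore path concrete, here is an added PowerShell example (not from the original post) that walks a throwaway test user through deletion and Recycle Bin restore, then checks that the value Azure AD cares about, the ImmutableId derived from objectGUID, is unchanged afterwards. It assumes the RSAT ActiveDirectory module, a hypothetical lab account jsmith, and, for the optional last step only, the ADSync module on the Azure AD Connect server.

```powershell
# Added example, not part of the original post. Lab demonstration of why the
# Recycle Bin matters for Azure AD Connect: a restored object keeps its objectGUID,
# so the sourceAnchor/ImmutableId Azure AD already knows is unchanged, whereas a
# recreated object gets a new one. Assumes the RSAT ActiveDirectory module, rights
# to delete and restore users, a throwaway test user (hypothetical name: jsmith) and,
# for the last step only, that it runs on the Azure AD Connect server (ADSync module).
# Do not run this against a production account.
Import-Module ActiveDirectory

$sam = 'jsmith'   # hypothetical lab user

# Azure AD Connect's default sourceAnchor (ms-DS-ConsistencyGuid, seeded from objectGUID)
# reaches Azure AD as ImmutableId: the base64 encoding of the GUID's 16 bytes.
function Get-ImmutableId {
    param([Parameter(Mandatory)][guid]$ObjectGuid)
    [Convert]::ToBase64String($ObjectGuid.ToByteArray())
}

$before   = Get-ADUser -Identity $sam -Properties objectGUID, memberOf
$idBefore = Get-ImmutableId $before.ObjectGUID
"Before deletion: ImmutableId=$idBefore SID=$($before.SID.Value) groups=$($before.MemberOf.Count)"

# Simulate the accidental deletion.
Remove-ADUser -Identity $sam -Confirm:$false

# Locate the deleted object. With the Recycle Bin enabled it is a full copy of the
# original (all attributes, including memberOf, are preserved); without it you only
# get a tombstone with most attributes stripped.
$deleted = Get-ADObject -LDAPFilter "(&(isDeleted=TRUE)(sAMAccountName=$sam))" `
    -IncludeDeletedObjects -Properties objectGUID, lastKnownParent
if (-not $deleted) { throw "No deleted object found for $sam" }
"Deleted object found, last known parent: $($deleted.lastKnownParent)"

# Restore it. This only gives back an intact object when the Recycle Bin is enabled;
# restoring a plain tombstone succeeds but attributes such as memberOf are gone.
Restore-ADObject -Identity $deleted.ObjectGUID

$after   = Get-ADUser -Identity $sam -Properties objectGUID, memberOf
$idAfter = Get-ImmutableId $after.ObjectGUID

# The check that matters for Azure AD: same ImmutableId means Azure AD Connect matches
# the soft-deleted cloud object on the next sync and Azure AD restores it. Same SID and
# memberOf means on-premises access comes back too.
if ($idAfter -ne $idBefore) { throw "sourceAnchor changed: $idBefore -> $idAfter" }
if ($after.SID.Value -ne $before.SID.Value) { throw "SID changed, on-prem ACLs no longer apply" }
"Restored: ImmutableId=$idAfter SID=$($after.SID.Value) groups=$($after.MemberOf.Count)"

# For contrast: a user recreated by hand gets a new objectGUID, so its ImmutableId would
# differ and the soft-deleted cloud object would have to be hard-matched manually.
"A recreated object would get ImmutableId $(Get-ImmutableId ([guid]::NewGuid())) instead"

# Optional, on the Azure AD Connect server: do not wait up to 30 minutes for the scheduler.
if (Get-Module -ListAvailable -Name ADSync) {
    Import-Module ADSync
    Start-ADSyncSyncCycle -PolicyType Delta
}
```

The Get-ADObject call uses an LDAP filter with -IncludeDeletedObjects because deleted objects live under the Deleted Objects container and are hidden from ordinary searches; the restore is keyed on objectGUID rather than the distinguished name, which changes when an object is deleted.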

Enabling the AD Recycle Bin

Windows Server 2012 R2

The Recycle Bin requires a forest functional level of Windows Server 2008 R2 or higher; the steps below are the same on later versions of Windows Server.

In Server Manager, click Tools, then click Active Directory Administrative Center.

[Screenshot: ADRecycle01]

In the left hand pane, click on the (local) domain.

Then in the right hand pane, click on Enable Recycle Bin …

[Screenshot: ADRecycle02]

Enable Recycle Bin Confirmation

Are you sure you want to perform this action?  Once Recycle Bin has been enabled, it cannot be disabled.

Click OK.

[Screenshot: ADRecycle03]

AD DS has begun enabling Recycle Bin for this forest.  The Recycle Bin will not function reliably until all domain controllers in the forest have replicated the Recycle Bin configuration change.

Please refresh AD Administrative Center now.

Click OK.

[Screenshot: ADRecycle04]

Verification

In Event Viewer, under Applications and Services Logs, the Directory Service log on the domain controller where you enabled the feature shows the following three entries.

First: Event ID 2136


Log Name: Directory Service
Source: Microsoft-Windows-ActiveDirectory_DomainService
Event ID: 2136
Task Category: Internal Configuration
Level: Information
Keywords: Classic

Description:

Internal event: An optional feature has been enabled.

Optional feature name:
Recycle Bin Feature

Optional feature guid:
766ddcd8-acd0-445e-f3b9-a7f9b6744f2a

Scope of optional feature:
CN=Partitions,CN=Configuration,DC=x500,DC=co,DC=uk

Second: Event ID 2119


Log Name: Directory Service
Source: Microsoft-Windows-ActiveDirectory_DomainService
Event ID: 2119
Task Category: Internal Configuration
Level: Information
Keywords: Classic

Description:

This Active Directory Domain Services server now supports the Recycle Bin optional feature. When all servers support the optional feature, objects may be undeleted without loss of data.

Third: Event ID 2404


Log Name: Directory Service
Source: Microsoft-Windows-ActiveDirectory_DomainService
Event ID: 2404
Task Category: Internal Configuration
Level: Information
Keywords: Classic

Description:

This Active Directory Domain Services server now supports the “Recycle Bin Feature” optional feature.
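The same enable and verify steps done from PowerShell, as an added example that is not part of the original post: it checks the forest functional level, enables the feature, confirms that every domain controller in the forest reports it enabled (the replication caveat from the AD Administrative Center dialog), and pulls the three event IDs above from the Directory Service log. It assumes the RSAT ActiveDirectory module, Enterprise Admin rights, and that it runs on a domain controller (for Get-WinEvent); the forest name is taken from Get-ADForest rather than hard-coded.

```powershell
# Added example, not part of the original post: enable and verify the AD Recycle Bin from
# PowerShell instead of AD Administrative Center. Assumes the RSAT ActiveDirectory module,
# Enterprise Admin rights, and that it runs on a domain controller so Get-WinEvent can
# read the local Directory Service log.
Import-Module ActiveDirectory

$forest = Get-ADForest

# Prerequisite: forest functional level Windows Server 2008 R2 or higher.
$minMode = [Microsoft.ActiveDirectory.Management.ADForestMode]::Windows2008R2Forest
if ([int]$forest.ForestMode -lt [int]$minMode) {
    throw "Forest mode is $($forest.ForestMode); the Recycle Bin needs $minMode or higher"
}

# The optional feature object; its GUID is the one event 2136 reports.
$feature = Get-ADOptionalFeature -Filter 'Name -eq "Recycle Bin Feature"'

if ($feature.EnabledScopes.Count -gt 0) {
    "Already enabled at: $($feature.EnabledScopes -join ', ')"
} else {
    # Irreversible: once enabled it cannot be disabled (same warning as the ADAC dialog).
    Enable-ADOptionalFeature -Identity $feature -Scope ForestOrConfigurationSet `
        -Target $forest.Name -Confirm:$false
}

# Verify on every DC rather than trusting the one you enabled it on: the change lives in
# CN=Partitions,CN=Configuration and has to replicate to all DCs in the forest before the
# Recycle Bin works reliably.
$report = foreach ($domain in $forest.Domains) {
    foreach ($dc in Get-ADDomainController -Filter * -Server $domain) {
        $f = Get-ADOptionalFeature -Filter 'Name -eq "Recycle Bin Feature"' -Server $dc.HostName
        [pscustomobject]@{
            Domain  = $domain
            DC      = $dc.HostName
            Enabled = ($f.EnabledScopes.Count -gt 0)
        }
    }
}
$report | Format-Table -AutoSize
if ($report | Where-Object { -not $_.Enabled }) {
    Write-Warning "Not all domain controllers have replicated the change yet; check again later."
}

# The three events from the post (2136, 2119, 2404), read from the local Directory Service
# log. Add -ComputerName to query a different DC.
Get-WinEvent -FilterHashtable @{
    LogName      = 'Directory Service'
    ProviderName = 'Microsoft-Windows-ActiveDirectory_DomainService'
    Id           = 2136, 2119, 2404
} -MaxEvents 10 |
    Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { ($_.Message -split "`n")[0] } }
```

Querying each domain controller with -Server is the point of the loop: Get-ADOptionalFeature against a single DC only tells you what that DC has replicated, which is exactly the gap the "will not function reliably until all domain controllers have replicated" message is warning about.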
