
Built-in Active Directory backup feature falls short

Windows Server 2008 R2's Active Directory Recycle Bin feature is limited, so IT pros who need full features might be better off using third-party backup tools.

IT pros excited about the Recycle Bin feature for Active Directory should prepare for disappointment; what Microsoft delivered is a watered-down version of existing third-party backup tools.

Microsoft's new "Recycle Bin" feature in Windows Server 2008 R2 Active Directory lets IT pros recover deleted objects, but third-party software companies have been offering tools that do that and so much more for many years, said Don Jones, a Microsoft MVP, IT consultant and co-founder of Concentrated Technology.

"Microsoft has been providing less in the way of native backup, but they stuck this feature in there to check off something on a list of what people were asking for," Jones said. "Unfortunately, Microsoft didn't actually give people what they wanted."

How Active Directory Recycle Bin works

With the Recycle Bin in Windows Server 2008 R2, a deleted object is put into a new state called a logically deleted object, and all of its links and attributes are preserved.

The deleted object is then moved to the Deleted Objects container, where it remains for the deleted object's lifetime and can be recovered by administrators. At the end of the deleted object's lifetime (180 days by default), Windows Server strips down the object, and "it sits on a system taking up space," said Michael Cherry, who authored a report on AD enhancements.

But getting the feature to work is a cumbersome task, and it doesn't do everything administrators would like.

The Recycle Bin feature in Windows Server 2008 R2 is inactive until every domain controller has been upgraded to that version of Windows, and every domain and forest in your environment has to be at the Windows Server 2008 R2 functional level, according to information on Microsoft TechNet.

Once the domain controllers, domains, and forests are upgraded, the Active Directory Recycle Bin functionality has to be manually enabled. And when the Active Directory Recycle Bin is turned on, it can't be disabled.

"Prior to turning it on, you have to be sure your company can use it," Jones said. "It could cause you to violate information security rules, because the data doesn't get deleted."

For example, it is illegal in many European countries to retain personally identifiable information in certain circumstances, so the Active Directory Recycle Bin may unacceptably retain data without you realizing it, Jones reported.

What is lacking in the AD Recycle Bin

There are a number of quirks with the feature that make it less intuitive than one would expect, starting with the fact that the Deleted Objects container is not displayed via the familiar Recycle Bin desktop icon, or in any other way for that matter, without some scripting work.

"Because there isn't a way to find the container, deleted objects are inaccessible from most native Active Directory management tools," Jones said. Instead, "you'll need to use low-level directory editors, scripting, or other complex means to reanimate objects from their 'deleted' state."
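The prerequisite checks, the one-way enablement and the "scripting work" needed to reach the hidden Deleted Objects container, as an added PowerShell example using the ActiveDirectory module that ships with Windows Server 2008 R2 (this is not the article's or Microsoft's code; the forest name `example.com`, the account `jdoe` and the OU `OU=Sales,DC=example,DC=com` are placeholders):

```powershell
# Added example: pre-flight checks, enabling the AD Recycle Bin, and
# restoring one logically deleted user. Forest 'example.com', user 'jdoe'
# and OU 'OU=Sales,DC=example,DC=com' are assumed placeholders.
Import-Module ActiveDirectory

$forestName = 'example.com'   # assumed forest root
$forest = Get-ADForest -Identity $forestName

# 1. Every domain controller in every domain must run Windows Server 2008 R2
#    before the feature can be enabled; list anything older and stop.
$oldDcs = foreach ($domain in $forest.Domains) {
    Get-ADDomainController -Filter * -Server $domain |
        Where-Object { $_.OperatingSystem -notlike '*2008 R2*' }
}
if ($oldDcs) {
    $oldDcs | Select-Object HostName, Domain, OperatingSystem | Format-Table -AutoSize
    throw 'Upgrade the domain controllers listed above before enabling the Recycle Bin.'
}

# 2. The forest functional level must be Windows Server 2008 R2 or higher.
$required = [Microsoft.ActiveDirectory.Management.ADForestMode]::Windows2008R2Forest
if ([int]$forest.ForestMode -lt [int]$required) {
    throw "Forest functional level is $($forest.ForestMode); raise it to Windows2008R2Forest first."
}

# 3. Know the retention window before enabling. Deleted objects keep all
#    attributes for msDS-DeletedObjectLifetime days; when that is unset the
#    value of tombstoneLifetime applies, and when both are unset Windows uses 60.
$dsConfigDn = 'CN=Directory Service,CN=Windows NT,CN=Services,' +
              (Get-ADRootDSE).configurationNamingContext
$dsConfig = Get-ADObject -Identity $dsConfigDn -Properties msDS-DeletedObjectLifetime, tombstoneLifetime
$lifetime = $dsConfig.'msDS-DeletedObjectLifetime'
if (-not $lifetime) { $lifetime = $dsConfig.tombstoneLifetime }
if (-not $lifetime) { $lifetime = 60 }
Write-Host "Deleted objects will be retained with their attributes for $lifetime days."

# 4. Enable the feature. There is no cmdlet to disable it afterwards, so this
#    is the last point at which a data-retention review can stop it.
$feature = Get-ADOptionalFeature -Filter 'Name -eq "Recycle Bin Feature"'
if ($feature.EnabledScopes.Count -eq 0) {
    Enable-ADOptionalFeature -Identity $feature -Scope ForestOrConfigurationSet `
        -Target $forestName -Confirm:$false
} else {
    Write-Host 'Recycle Bin is already enabled.'
}

# 5. The Deleted Objects container is not shown by the GUI tools; query it
#    directly. With the Recycle Bin on, attributes such as sAMAccountName
#    survive deletion, so the object can be found by its original name.
$deleted = Get-ADObject -Filter 'isDeleted -eq $true -and sAMAccountName -eq "jdoe"' `
    -IncludeDeletedObjects -Properties lastKnownParent, whenChanged, memberOf
if (-not $deleted) { throw 'No logically deleted object named jdoe was found.' }

# 6. Restore-ADObject puts the object back under lastKnownParent. If that OU
#    was deleted as well, restore the OU first or supply -TargetPath.
try {
    $null = Get-ADObject -Identity $deleted.lastKnownParent -ErrorAction Stop
    Restore-ADObject -Identity $deleted.ObjectGUID
} catch {
    Write-Warning "Parent $($deleted.lastKnownParent) no longer exists; restore it first, or use -TargetPath."
    # Alternative into an existing OU (assumed DN):
    # Restore-ADObject -Identity $deleted.ObjectGUID -TargetPath 'OU=Sales,DC=example,DC=com'
}
```

Run it as an Enterprise Admin on a 2008 R2 domain controller. Steps 1 to 3 are read-only and can be run alone to answer the retention question Jones raises before anyone commits to step 4; step 5 is the same query the hidden container requires whether or not the Recycle Bin is enabled, but only with it enabled does the returned object still carry attributes such as group membership.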

And not all states can be restored using the Recycle Bin feature, Cherry said.

"Restoration comes into play in two ways: you would either restore because you deleted something, or because something has been changed so badly that you want to go to a previous state," Cherry said. "I'm not sure you can do the latter."

In fact, you can't. The Recycle Bin feature doesn't allow you to roll back changes the way most third-party recovery tools can.

Plus, the new Active Directory Recycle Bin only works on objects that actually live in Active Directory, so, for instance, it doesn't work for mission-critical Group Policy Objects that reside on disk, Jones said.

Active Directory also has to be fully operational. "If something goes wrong with your entire forest, you may not even have a functional directory to work with – and even if you do, manually recovering an entire forest is a tricky task," Jones reported.

It seems the new Recycle Bin feature won't eliminate the need for expensive third-party backup tools, as IT pros hoped it would. In fact, Microsoft's Recycle Bin capabilities are so minimal that channel partners aren't concerned about losing sales.

"Given what people are used to using, [Microsoft's Recycle Bin] doesn't offer a whole lot," Jones said. "It's really a surprise that Microsoft is even pushing Recycle Bin as an added feature."

There are many Active Directory backup offerings on the market today from Microsoft partners, such as Quest Software's Recovery Manager, Symantec's Backup Exec product family, ScriptLogic's Active Administrator, SonicWall's backup and recovery products and NetWrix's Active Directory Object Restore Wizard.

Let us know what you think about the story; email Bridget Botelho, News Writer
