Any reason not to enable AD Recycle Bin?

  • Question

  • I am running a Domain Functional level of 2008r2.  Is there any reason why I would not want to enable the AD recycle bin?

    thanks

    Thursday, January 4, 2018 5:39 PM

All replies

  • Hi,

    No

    Your database might increase a bit, depending on your environment, and it cannot be reverted. But besides that, it is a nice feature which lets you recover objects easily.


    Best Regards,

    Jesper Vindum, Denmark

    Systems Administrator

    Help the forum: Monitor(alert) your threads and vote helpful replies or mark them as answer, if it helps solving your problem.

    • Proposed as answer by Wendy Jiang Monday, January 8, 2018 7:44 AM
    Thursday, January 4, 2018 5:59 PM
  • I am running a Domain Functional level of 2008r2.  Is there any reason why I would not want to enable the AD recycle bin?

    thanks


    Nothing :)) It's even a useful feature.

    This posting is provided AS IS with no warranties or guarantees, and confers no rights. Best regards Burak Uğur

    • Proposed as answer by Wendy Jiang Monday, January 8, 2018 7:44 AM
    Thursday, January 4, 2018 6:01 PM
  • Thanks for the quick replies. 
    Can you tell me the best way to enable the AD recycle bin?  Should I use the following command from the Active Directory Module for Windows PowerShell?

    Enable-ADOptionalFeature -Identity 'CN=Recycle Bin Feature,CN=Optional Features,CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=mydomain,DC=com' -Scope ForestOrConfigurationSet -Target 'mydomain.com'

    Thursday, January 4, 2018 7:07 PM
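    The one-liner above does the job, but the thread also raises three things worth checking before running it: the forest (not just domain) functional level, the deleted-object and tombstone lifetimes that decide how long recycled objects are kept, and a DIT size baseline so growth can be measured afterwards. The following script is an added example written for this page, not code from the thread or from Microsoft's documentation; it assumes the ActiveDirectory module, an Enterprise Admins session, and uses the thread's placeholder forest `mydomain.com` via the forest root domain.

```powershell
# Added example (not from the thread): pre-flight checks and a guarded enablement of the
# AD Recycle Bin. Assumes the ActiveDirectory module and an Enterprise Admins session.
Import-Module ActiveDirectory

$forest  = Get-ADForest
$rootDse = Get-ADRootDSE

# 1. The feature is forest-wide: the *forest* functional level must be 2008 R2 or higher.
#    A 2008 R2 *domain* functional level on its own is not sufficient.
$minimumMode = [Microsoft.ActiveDirectory.Management.ADForestMode]::Windows2008R2Forest
if ($forest.ForestMode -lt $minimumMode) {
    throw "Forest functional level is $($forest.ForestMode); raise it to Windows2008R2Forest or higher first."
}

# 2. Is it already enabled? EnabledScopes stays empty until the feature is switched on.
$feature = Get-ADOptionalFeature -Filter 'Name -eq "Recycle Bin Feature"'
if ($feature.EnabledScopes.Count -gt 0) {
    Write-Host "Recycle Bin already enabled for: $($feature.EnabledScopes -join ', ')"
}

# 3. Read the two lifetimes discussed in the thread: how long a deleted object stays
#    restorable (msDS-DeletedObjectLifetime, which falls back to tombstoneLifetime when unset)
#    and how long a recycled object is kept before garbage collection (tombstoneLifetime).
$dsDn = "CN=Directory Service,CN=Windows NT,CN=Services,$($rootDse.configurationNamingContext)"
$ds   = Get-ADObject -Identity $dsDn -Properties tombstoneLifetime, 'msDS-DeletedObjectLifetime'
[pscustomobject]@{
    TombstoneLifetimeDays     = $ds.tombstoneLifetime
    DeletedObjectLifetimeDays = $ds.'msDS-DeletedObjectLifetime'   # $null means "same as tombstoneLifetime"
}

# 4. Baseline the DIT size on every DC so growth after enablement can be measured.
#    The path is read from the NTDS service parameters instead of assuming C:\Windows\NTDS.
$baseline = Get-ADDomainController -Filter * | ForEach-Object {
    Invoke-Command -ComputerName $_.HostName -ScriptBlock {
        $dit = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters').'DSA Database file'
        [pscustomobject]@{
            DC     = $env:COMPUTERNAME
            Path   = $dit
            SizeMB = [math]::Round((Get-Item $dit).Length / 1MB, 1)
        }
    }
}
$baseline | Format-Table -AutoSize

# 5. Enable. The change is irreversible and replicates forest-wide, so dry-run first.
$params = @{
    Identity = $feature.DistinguishedName
    Scope    = 'ForestOrConfigurationSet'
    Target   = $forest.RootDomain          # 'mydomain.com' in the thread's example
}
Enable-ADOptionalFeature @params -WhatIf
# Enable-ADOptionalFeature @params -Confirm:$false   # uncomment once the dry run looks right
```

    Re-run step 4 a few weeks after enabling and compare against the saved baseline; that is the "monitor your DIT growth" check suggested later in the thread, and the lifetimes from step 3 tell you how long the deleted DNS objects it discusses will actually be retained.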
  • Hi,

    Yes, you can use the said command. Enabling it using PowerShell is a faster and safer method.

    Thanks

    Syed


    Don't forget to mark as Answered if you found this post helpful.

    Thursday, January 4, 2018 7:23 PM
  • Yes, you can do that.

    The process is very well explained here -> https://technet.microsoft.com/en-us/library/dd379481(v=ws.10).aspx


    Best Regards,

    Jesper Vindum, Denmark

    Systems Administrator

    Help the forum: Monitor(alert) your threads and vote helpful replies or mark them as answer, if it helps solving your problem.

    • Proposed as answer by Wendy Jiang Monday, January 8, 2018 7:45 AM
    • Marked as answer by Poly Admin Wednesday, January 10, 2018 2:43 PM
    Thursday, January 4, 2018 7:28 PM
  • ok, I will use the powershell command.  I will run it later today.  Please hang with me for a little longer in case I have errors running the command.
    Thursday, January 4, 2018 7:32 PM
  • A potential negative implication of enabling Recycle Bin is DIT size - in particular when using AD-integrated DNS zones (more at http://support.microsoft.com/kb/2548145 )

    Another one is the limitation in terms of reverting the AD functional level - more at https://blog.workinghardinit.work/2014/01/22/reverting-the-forest-domain-functional-levels-in-window-server-2008-r2-2012/

    hth
    Marcin

    • Edited by Marcin PolichtMVP Thursday, January 4, 2018 8:32 PM
    • Proposed as answer by Wendy Jiang Monday, January 8, 2018 7:45 AM
    • Marked as answer by Poly Admin Wednesday, January 10, 2018 2:43 PM
    Thursday, January 4, 2018 8:28 PM
  • I don't really like the sound of that.  I am not sure what to do.  I do use AD integrated zones.
    Thursday, January 4, 2018 8:36 PM
  • Assuming that you are running Windows Server 2008 R2 DCs, verify whether the hotfix referenced at https://support.microsoft.com/en-us/help/2548145/active-directory-size-increases-rapidly-on-a-windows-server-2003-or-wi is applicable - and if so, consider installing it on your DCs.

    Take into account the current size of your AD database and the rate of deletions - on average, you might expect the growth in the range of 10-20%, but of course YMMV.

    My comment didn't mean to function as a deterrent, but simply as a factor to take into account. The overwhelming majority of AD implementations I'm aware of have the Recycle Bin enabled.

    hth
    Marcin

    • Proposed as answer by Wendy Jiang Monday, January 8, 2018 7:45 AM
    • Marked as answer by Poly Admin Wednesday, January 10, 2018 2:43 PM
    Thursday, January 4, 2018 10:06 PM
    There is one potential legal reason for not having it enabled: compliance. Depending on your company's business you might be subject to some potential e-discovery requests and other kinds of investigations that may force you at some point to go back to a certain point in time to reveal the actions done in the past to the investigators (such as fraud investigators).

    By keeping the entire history of deletions of all AD objects in your AD Recycle Bin for more years than required, you are essentially exposing yourself to potentially deeper investigations, which may cause more pain to you (such as your auditor or investigator asking what permissions were assigned to some user account deleted 10 years ago).

    It sounds a bit paranoid, but I have seen some companies disabling this really nice feature for this very reason or using alternate 3rd party solutions or scripts that purge the history of deletions done more than some specific number of years ago.

    Friday, January 5, 2018 1:45 AM
  • You can follow this informative guide containing step by step details to enable recycle bin in your ad environment - https://www.lepide.com/whitepaper/reanimating-the-deleted-objects-of-active-directory.pdf
    Friday, January 5, 2018 5:04 AM
    There is one potential legal reason for not having it enabled: compliance. Depending on your company's business you might be subject to some potential e-discovery requests and other kinds of investigations that may force you at some point to go back to a certain point in time to reveal the actions done in the past to the investigators (such as fraud investigators).

    By keeping the entire history of deletions of all AD objects in your AD Recycle Bin for more years than required, you are essentially exposing yourself to potentially deeper investigations, which may cause more pain to you (such as your auditor or investigator asking what permissions were assigned to some user account deleted 10 years ago).

    It sounds a bit paranoid, but I have seen some companies disabling this really nice feature for this very reason or using alternate 3rd party solutions or scripts that purge the history of deletions done more than some specific number of years ago.

    If I am not mistaken the default TSL is 180 days (Server 2003 SP1), and as such an object will be kept 180 days in the recycle bin (when enabled), and after that garbage collected for another 180 days before it gets tombstoned?


    Best Regards,

    Jesper Vindum, Denmark

    Systems Administrator

    Help the forum: Monitor(alert) your threads and vote helpful replies or mark them as answer, if it helps solving your problem.

    Friday, January 5, 2018 6:03 AM
  • I don't really like the sound of that.  I am not sure what to do.  I do use AD integrated zones.

    If your ntds.dit starts to grow beyond what's expected, I believe you have a design flaw or a misconfiguration somewhere.

    An Active Directory database with 15000 users, 10000 computer accounts and 5000 OUs is no more than 500 MB.


    Best Regards,

    Jesper Vindum, Denmark

    Systems Administrator

    Help the forum: Monitor(alert) your threads and vote helpful replies or mark them as answer, if it helps solving your problem.

    Friday, January 5, 2018 6:59 AM
  • My NTDS.dit file is 72MB

    I have 4 domain controllers.  One Windows Server 2016 DC and three Windows Server 2008r2 DC's.  I do use AD integrated zones.  I do have the DNS server role installed on all DC's. 

    According to the article referenced (https://support.microsoft.com/en-us/help/2548145/active-directory-size-increases-rapidly-on-a-windows-server-2003-or-wi), I assume I would need to install the hotfix on all three 2008 R2 servers.

    I have always been leery of hotfixes.  I am unsure.

    Friday, January 5, 2018 4:57 PM
    The issue needs to exist before you apply a hotfix.

    Do you even have clients registering hundreds of times each day?

    If the issue does occur, those DNS objects won't stay forever. Eventually they will get deleted, after 360 days.

    However, I doubt that with 72 MB it will become a problem. You can always monitor the situation and react accordingly if needed, but I'm pretty sure you won't face any issue in your case :)


    Best Regards,

    Jesper Vindum, Denmark

    Systems Administrator

    Help the forum: Monitor(alert) your threads and vote helpful replies or mark them as answer, if it helps solving your problem.

    Friday, January 5, 2018 5:35 PM
  • I agree.

    No, I don't really have clients registering 100's of times each day.  We only have about 50 clients.

    How long will the DNS objects stay once the hotfix is installed?

    I will sleep on it over the weekend and plan on enabling AD recycle bin early next week unless more information is discovered.  Then like you said I will monitor the situation and see how it affects the growth of my AD database.

    I appreciate your help with this.
    Friday, January 5, 2018 5:44 PM
  • I'd agree with Jasper - especially given the size of DIT.

    Simply monitor your DIT growth once you enable Recycle Bin. If necessary, apply the hotfix

    hth
    Marcin

    • Proposed as answer by Wendy Jiang Monday, January 8, 2018 7:44 AM
    • Marked as answer by Poly Admin Wednesday, January 10, 2018 2:44 PM
    Friday, January 5, 2018 5:46 PM
  • I agree.

    No, I don't really have clients registering 100's of times each day.  We only have about 50 clients.

    How long will the DNS objects stay once the hotfix is installed?

    I will sleep on it over the weekend and plan on enabling AD recycle bin early next week unless more information is discovered.  Then like you said I will monitor the situation and see how it affects the growth of my AD database.

    I appreciate your help with this.
    If DNS client re-registration works as it is supposed to (with or without the hotfix), the DNS record will stay as a 'live object'. It will only be moved to the recycle bin if it is deleted, manually or automatically. A deleted object will stay in the bin, when enabled, for 180 days (default), and then be garbage collected for another 180 days (default). After that, it will be permanently deleted.

    Best Regards,

    Jesper Vindum, Denmark

    Systems Administrator

    Help the forum: Monitor(alert) your threads and vote helpful replies or mark them as answer, if it helps solving your problem.


    • Edited by Jesper Vindum Friday, January 5, 2018 6:03 PM
    • Proposed as answer by Wendy Jiang Monday, January 8, 2018 7:44 AM
    • Marked as answer by Poly Admin Wednesday, January 10, 2018 2:44 PM
    Friday, January 5, 2018 6:01 PM

  • How can I tell if DNS client re-registration is working like it is supposed to be where records stay as live objects?  I would like to know if possible.

    I will mark the post as answered later today.

    thanks
    • Edited by Poly Admin Monday, January 8, 2018 4:15 PM
    Monday, January 8, 2018 4:14 PM
  • Hi,

    I am checking how the issue is going, if you still have any questions, please feel free to contact us.

    And if the replies above are helpful, we would appreciate it if you marked them as answers, and if you resolved it using your own solution, please share your experience and solution here. It will be greatly helpful to others who have the same question.

    We appreciate your feedback.

    Best regards,

    Wendy


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Wednesday, January 10, 2018 1:43 AM
  • I was hoping to get an answer to my question from Jan 8 if possible.  Anyone?
    Wednesday, January 10, 2018 2:41 PM
    I would try to do a search and see if there are unusually many entries of the same DNS object, using this article

    https://support.microsoft.com/da-dk/help/284928/how-to-search-for-deleted-objects-in-active-directory


    Best Regards,

    Jesper Vindum, Denmark

    Systems Administrator

    Help the forum: Monitor(alert) your threads and vote helpful replies or mark them as answer, if it helps solving your problem.


    Sunday, January 21, 2018 9:52 PM
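    The KB article Jesper points to shows the ldp.exe search for deleted objects; the same search scripted in the AD PowerShell module answers the question asked on January 8 (are DNS records being deleted and re-created repeatedly, or do they stay live?) directly. This is an added example written for this page, not code from the thread or from the linked article; it assumes the ActiveDirectory module, that the account can read deleted objects (Domain Admins can by default), and that zones may sit in any of the three usual DNS partitions.

```powershell
# Added example (not from the thread): count repeatedly deleted DNS node objects, the growth
# pattern KB2548145 describes, by searching tombstoned/recycled objects in each DNS partition.
# Works with or without the Recycle Bin enabled; -IncludeDeletedObjects is what exposes them.
Import-Module ActiveDirectory

$domain     = Get-ADDomain
$forestRoot = Get-ADDomain -Identity (Get-ADForest).RootDomain

# Zones can live in the domain partition (legacy), DomainDnsZones, or ForestDnsZones.
$searchBases = @(
    "CN=MicrosoftDNS,CN=System,$($domain.DistinguishedName)"
    "DC=DomainDnsZones,$($domain.DistinguishedName)"
    "DC=ForestDnsZones,$($forestRoot.DistinguishedName)"
)

$deletedNodes = foreach ($base in $searchBases) {
    try {
        Get-ADObject -SearchBase $base -IncludeDeletedObjects `
            -Filter 'objectClass -eq "dnsNode" -and isDeleted -eq $true' `
            -Properties whenChanged, lastKnownParent
    } catch {
        Write-Verbose "Skipping $base : $_"   # partition or container does not exist here
    }
}

# A deleted object's Name is "<original name>" + LF + "DEL:<guid>" (shown as \0ADEL in ldp.exe).
# Strip that suffix so repeated deletions of the same host record group together; the zone
# comes from the first RDN of lastKnownParent, which is the zone's DC= container.
$report = $deletedNodes |
    Select-Object @{ n = 'Record'; e = { ($_.Name -split "`n")[0] } },
                  @{ n = 'Zone';   e = { ($_.lastKnownParent -split ',')[0] -replace '^DC=' } },
                  whenChanged |
    Group-Object Record, Zone |
    ForEach-Object {
        [pscustomobject]@{
            Record      = $_.Group[0].Record
            Zone        = $_.Group[0].Zone
            Deletions   = $_.Count
            LastDeleted = ($_.Group.whenChanged | Measure-Object -Maximum).Maximum
        }
    } |
    Sort-Object Deletions -Descending

"Deleted dnsNode objects found: $($deletedNodes.Count)"
# A record deleted many times points at re-registration churn on that host; a handful of
# records with one or two deletions each is the normal background of a healthy zone.
$report | Select-Object -First 20 | Format-Table -AutoSize
```

    If the top of the report shows the same few hostnames deleted dozens of times within the deleted-object lifetime, that is the behaviour the hotfix addresses and the DIT will grow with it; if the list is short and counts are low, re-registration is keeping the records live and there is nothing to fix.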
  • Will do.  Thanks
    Monday, January 22, 2018 3:32 PM