Friday, January 30, 2009

Using the Windows Server 2008 R2 Active Directory Recycle Bin

So let's see how that Recycle Bin works. First we need to enable it. It is worth noting again: you cannot enable this unless all your DCs are running Windows Server 2008 R2 and you have raised your forest functional level to Windows Server 2008 R2. For me in the lab this is simple; in a real environment, getting to this step takes days and weeks of planning and effort!

Some generic information about this feature:

  • Deleted items are retained for up to 180 days by default. I imagine that this can be edited to be shorter or longer somehow, but I was not able to find this.
  • You can view and restore items using either LDP or PowerShell, but I was NOT able to get PowerShell to work. More on that below.


From this article:
http://technet.microsoft.com/en-us/library/dd379481.aspx

There are two ways to enable the Recycle Bin, PowerShell or LDP, as specified in that article. I like PowerShell a LOT, so I will go with that. Keep in mind that a "regular" PowerShell window will not recognize these cmdlets; you need to use the Active Directory Module for Windows PowerShell shortcut under Administrative Tools (it opens PowerShell with the ActiveDirectory module already imported).
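Here is the PowerShell route written out end to end, with the checks I would run around it. This is an added example, not code from the original post or from the TechNet article; it uses the ActiveDirectory module cmdlets as they shipped in Windows Server 2008 R2, assumes you run it on a 2008 R2 DC as an Enterprise Admin, and picks a 365-day lifetime purely for illustration. It also answers the retention question from the list above: the lifetime lives in msDS-deletedObjectLifetime on the Directory Service object in the configuration partition, and when that attribute is unset it falls back to tombstoneLifetime.

```powershell
# Added example (not from the original post): enable the AD Recycle Bin and check
# the deleted-object lifetime from the Active Directory module for Windows PowerShell.
Import-Module ActiveDirectory   # what the "Active Directory Module" shortcut does for you

$forest   = Get-ADForest
$configNC = (Get-ADRootDSE).configurationNamingContext

# Precondition: every DC must run 2008 R2 and the forest functional level must be 2008 R2.
if ($forest.ForestMode -ne 'Windows2008R2Forest') {
    throw "Forest functional level is $($forest.ForestMode); raise it to Windows2008R2Forest first."
}

# Enabling is one-way: the optional feature cannot be disabled once turned on, so keep the prompt.
$feature = "CN=Recycle Bin Feature,CN=Optional Features,CN=Directory Service,CN=Windows NT,CN=Services,$configNC"
Enable-ADOptionalFeature -Identity $feature -Scope ForestOrConfigurationSet `
    -Target $forest.RootDomain -Confirm:$true

# Verify: EnabledScopes should now list the partitions the feature applies to.
Get-ADOptionalFeature -Filter { name -eq "Recycle Bin Feature" } |
    Select-Object Name, EnabledScopes

# How long recycled objects stay restorable before they become plain tombstones and are purged.
# msDS-deletedObjectLifetime is unset on a new forest and falls back to tombstoneLifetime,
# which is 180 days on forests created with Windows Server 2003 SP1 or later.
$dsPath = "CN=Directory Service,CN=Windows NT,CN=Services,$configNC"
Get-ADObject -Identity $dsPath -Properties msDS-deletedObjectLifetime, tombstoneLifetime |
    Select-Object msDS-deletedObjectLifetime, tombstoneLifetime

# Illustration only: keep recycled objects for 365 days (value is in days).
# Note: a longer lifetime means more recoverable data (including attributes) sitting in the directory.
Set-ADObject -Identity $dsPath -Replace @{ 'msDS-deletedObjectLifetime' = 365 }
```

The -Confirm:$true is deliberate: there is no Disable-ADOptionalFeature for the Recycle Bin, so this is one of the few AD changes you truly cannot back out of short of a forest recovery.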


So I guess it's time to put on my silly admin hat.

Create a new user:

Much more information on a single screen here now:

Do note the "Protect object from accidental deletion" check box. If you Google this, you will see it actually has NOTHING to do with the AD Recycle Bin; it is a pre-existing Windows Server 2008 feature that simply adds a Deny ACE (Delete and Delete Subtree) to the object, so a delete fails with access denied until someone clears it.

So first, we need to use LDP to view the Recycle Bin, as per this article: http://technet.microsoft.com/en-us/library/dd379509.aspx

Here, I have connected and bound and am opening tree view:

And then I can see the deleted objects:

So let's delete an unfortunate soul:

After doing this, I can refresh the LDP window and see this:

So we right click the user and choose Modify:

We are presented with the Modify dialog. I entered "isDeleted" as the attribute and selected Delete as the operation:


Then hit Enter:

Then enter distinguishedName as the attribute, put the original DN of the object as the value, and choose Replace.

Then hit Enter. Clearly, you are building a list of changes to be performed to undelete the object: drop the isDeleted flag and move it back to where it used to live.

Most importantly, check the "Extended" check box, so the modify is sent with the controls you loaded under Options > Controls (the Return deleted objects control that let you see the object in the first place; without it the server will not let you touch anything under Deleted Objects). Then you can hit Run.


The screen will stay up, but you can view the main LDP window to see the status of this change:



Then refresh your Active Directory Administrative Center, and our "Test User" object is there again!

Now, let's nuke him again and restore him from PowerShell!

This is where I seemed to hit a glitch of some sort:


From the Microsoft Help page:



Obviously, the command should be "Get-ADObject -filter", but hey, they missed a space there. This code will not work for me. Actually, even if I do "Get-ADObject" with no parameters, I should get back a long list of objects. Instead I get this. Granted, this is beta code, and I might be missing something, but I couldn't get this working as cleanly as the LDP instructions above. I guess it's a good thing there is more than one way to recover these!
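For completeness, here is the whole delete-and-restore cycle in PowerShell, doing the same thing the LDP steps above did by hand: find the deleted object, drop the isDeleted flag and put it back under its last known parent. This is an added example, not the original post's code or Microsoft's sample; it uses the ActiveDirectory module cmdlets as shipped in Windows Server 2008 R2 (the beta behaviour described above is not reproduced here), and the account name "testuser" with display name "Test User" is an assumption.

```powershell
# Added example (not from the original post): delete a test user and bring it back with
# the ActiveDirectory module. 'testuser' / 'Test User' are assumed names.
Import-Module ActiveDirectory

$testUser = Get-ADUser -Identity 'testuser'

# "Protect object from accidental deletion" is only a Deny ACE; clear it first or the
# delete fails with access denied. (Remove-ADUser still prompts; -Confirm:$false skips that.)
Set-ADObject -Identity $testUser -ProtectedFromAccidentalDeletion $false
Remove-ADUser -Identity $testUser -Confirm:$false

# Deleted objects are hidden from normal searches. -IncludeDeletedObjects adds the
# "Return deleted objects" LDAP control, which is what the Extended box in LDP sends.
# The Deleted Objects container itself is flagged isDeleted, so exclude it by name.
$deleted = Get-ADObject -Filter { isDeleted -eq $true -and name -ne "Deleted Objects" } `
    -IncludeDeletedObjects -Properties lastKnownParent, msDS-LastKnownRDN, whenChanged

# What the Recycle Bin currently holds (msDS-LastKnownRDN is the pre-deletion name).
$deleted | Format-Table msDS-LastKnownRDN, lastKnownParent, whenChanged, ObjectGUID -AutoSize

# Restore only our user. Restore-ADObject puts it back under lastKnownParent; if that OU
# was deleted as well, the OU has to come back first or the restore of the child fails.
$victims = $deleted | Where-Object { $_.'msDS-LastKnownRDN' -eq 'Test User' }
foreach ($obj in $victims) {
    $parent = Get-ADObject -Identity $obj.lastKnownParent -IncludeDeletedObjects -Properties isDeleted
    if ($parent.isDeleted) {
        Restore-ADObject -Identity $parent.ObjectGUID
    }
    Restore-ADObject -Identity $obj.ObjectGUID
}

# Verify: same object (same GUID and SID), back at its original DN, and re-protect it.
$restored = Get-ADUser -Identity 'testuser'
Set-ADObject -Identity $restored -ProtectedFromAccidentalDeletion $true
$restored | Select-Object Name, DistinguishedName, ObjectGUID, SID
```

The point worth checking at the end is that ObjectGUID and SID are unchanged: that is what makes the Recycle Bin different from an authoritative restore or a re-created account, since group memberships and ACLs that reference the SID keep working.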



Implementing a Windows 2008 R2 domain controller

Since I already have a home 2008 domain with some production work in it, I opted to install a new forest and domain for the beta code, so that if I break anything or need to rip R2 beta out, it won't affect other services. Once this OS releases, I will definitely be migrating to it at home and will review the 2008 to 2008 R2 upgrade process some more.


Run Dcpromo from Start > Run. This ran for a short while, but that might be because I allocated hardly any RAM to this box :)


Advanced Mode… I like the sound of that!

And we get this glorious warning about security.

After reading up at http://go.microsoft.com/fwlink/?linkId=104751 (the new default for "Allow cryptography algorithms compatible with Windows NT 4.0", which stops older clients from negotiating NT 4.0-style secure channel cryptography), there is a workaround if you do experience any of the symptoms of this. So I will press on:


I went with a simple and easy to remember name, that I likely will never use again on this blog, unless I do additional 2008 R2 features on this domain.


This then checks DNS and NetBIOS for existing names that would conflict, then prompts you for the NetBIOS name (yes, still NetBIOS, but a fair number of things still rely on it!)


Now, the Forest Functional Level (FFL)

I of course chose the R2!

Time to delve into the reviewer's guide for what features are unlocked with the 2008 R2 Forest Functional Level: everything 2008 did, plus the AD Recycle Bin, which when enabled provides the ability to restore objects without taking a DC offline for an authoritative restore from backup.

For more on the AD Recycle bin, check out: http://blogs.technet.com/activedirectoryua/archive/2009/01/30/introducing-active-directory-recycle-bin.aspx

Of course, choosing the R2 Forest Functional Level means I would also be doing the 2008 R2 Domain Functional Level. This includes all previous DFL features, plus Authentication Mechanism Assurance (and automatic SPN management for managed service accounts). You can read more about this feature here:
http://blogs.technet.com/activedirectoryua/archive/2008/11/21/authentication-mechanism-assurance-in-windows-server-2008-r2.aspx

Once past the FFL screen, we are asked which other DC options to install. Being the first DC in a new forest, I cannot choose much here: it has to be a global catalog, and there is nothing for it to be a read-only DC of yet. I do wonder why I would even be given the option to not install DNS.

I had set a static IPv4 address, but left IPv6 using dynamic addressing, so I got a warning:

I chose to ignore this for now, and chose YES.

Accepted the default storage locations, and then set my DSRM password:

I was *really* hoping that "advanced" let me choose a different site name than "Default-First-Site-Name" this time around. Oh well. I think if it was an option here, far fewer installations would be scared to change this.

A quick review of my settings, and we are OFF:



I really like the reboot checkbox, so I checked the box. This is really nice to have, especially if you were bringing up new DCs en masse for a larger existing domain and didn't want to have to keep checking on it.
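If you are bringing up DCs en masse, the wizard is the wrong tool anyway: the same promotion can be driven by an answer file. Added example, not part of the original post: a PowerShell wrapper that writes a [DCInstall] answer file matching the choices made above (new forest, 2008 R2 forest and domain levels, DNS, default paths) and runs dcpromo /unattend against it. The domain name lab.local, the NetBIOS name LAB and the temp path are assumptions. The review screen of the wizard has an "Export settings" button that produces the same kind of file, which is a good way to check the key names against your own environment.

```powershell
# Added example (not from the original post): unattended version of the new-forest
# promotion walked through above. Names and paths are assumptions.
$domain  = 'lab.local'   # assumed forest root DNS name
$netbios = 'LAB'         # assumed NetBIOS name

# Prompt for the DSRM password rather than hard-coding it. The answer file must still
# carry it in clear text, so the file is deleted as soon as dcpromo has consumed it.
$dsrm  = Read-Host -AsSecureString 'DSRM (Directory Services Restore Mode) password'
$plain = [Runtime.InteropServices.Marshal]::PtrToStringAuto(
            [Runtime.InteropServices.Marshal]::SecureStringToBSTR($dsrm))

$answer = @"
[DCInstall]
; First DC of a new forest
ReplicaOrNewDomain=Domain
NewDomain=Forest
NewDomainDNSName=$domain
DomainNetbiosName=$netbios
; Functional levels: 0 = 2000, 2 = 2003, 3 = 2008, 4 = 2008 R2
ForestLevel=4
DomainLevel=4
InstallDNS=Yes
ConfirmGc=Yes
CreateDNSDelegation=No
DatabasePath="C:\Windows\NTDS"
LogPath="C:\Windows\NTDS"
SYSVOLPath="C:\Windows\SYSVOL"
SafeModeAdminPassword=$plain
; Reboot ourselves after the answer file is cleaned up
RebootOnCompletion=No
"@

$file = Join-Path $env:SystemRoot 'Temp\dcpromo-answer.txt'
Set-Content -Path $file -Value $answer -Encoding ASCII
try {
    & dcpromo.exe /unattend:"$file"
    $rc = $LASTEXITCODE
} finally {
    # The file holds the DSRM password in clear text: remove it no matter what happened.
    Remove-Item $file -Force -ErrorAction SilentlyContinue
}

# dcpromo exit codes 1 through 4 are the documented success range (differing only in
# whether/how a restart is pending); anything else is a failure.
if ($rc -ge 1 -and $rc -le 4) {
    Restart-Computer -Force
} else {
    throw "dcpromo failed with exit code $rc; see $env:SystemRoot\debug\dcpromo.log"
}
```

Two things to keep from this when you do it for real: the DSRM password is the one credential that works when AD is down, so treat the answer file like a password file, and the site will still be Default-First-Site-Name for the first DC regardless of how you run this.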

Once rebooted, I see a new MSC, the "Active Directory Administrative Center"

My stars, this looks very different!

Oh wait, there's what looks more familiar..


Next post will cover USING the recycle bin!


Tuesday, January 27, 2009

OCS 2007 R2 Teaser videos

These cover new features in OCS R2 and some are pretty funny.

For all videos:
http://www.youtube.com/profile?user=OCSR2Launch&view=videos

My favorites embedded:




Windows Fundamentals for Legacy PCs

WFLP is a product offering available to Microsoft Software Assurance (SA) licensees. It is a very overlooked benefit, but it is a GREAT answer to the "what do we do with all those old machines" question. WFLP is made to run on less than optimal hardware and can even be used to turn an old PC into a simple thin client.


More information on Wikipedia here: http://en.wikipedia.org/wiki/Windows_Fundamentals_for_Legacy_PCs

Or at Microsoft.com here: http://www.microsoft.com/licensing/sa/benefits/fundamentals.mspx


Software Assurance has a LOT of benefits, this is only one of them.








That failed, because my pesky Windows 2008 server wanted authentication. I am guessing that WFLP will connect fine to a 2000/2003-based Terminal Server but does not have the new RDP client built in, so I will do the full install.





Product Key, and then Date/Time Settings, and then…




Slightly different GUI for disk allocation





Interesting to note: unlike most XP installs, it will not let you proceed with a blank admin password.





Doubly interesting, it even didn't like my first attempt:




Another different looking screen:




One last dialog asking if you want to do domain or workgroup. I typically choose workgroup and do domain later, but I took a chance on it.




Following this screen, there is a review your settings, and then you can proceed installing.






After a reboot, I got a lovely BSOD. I was running this in ESX at first, but I think there was an issue with the SCSI driver as the first boot would BSOD there. I reinstalled on Hyper-V because it supports IDE drives (more commonly seen for a desktop OS) and it worked flawlessly.


Seems some background tasks occur under this, a lot of text went by as it registered classes, devices, etc. There was no user interaction required during this step.




Once completed, another reboot occurs, and we are up and running WFLP. waiting for more things to install:







Looks like the domain join did not work. It's the lack of a NIC. Notice here, the RAM disk controller.




So, I installed the Hyper-V integration disk and crossed my fingers.







Now, I am able to join the domain:




Of course, a limited OS is not without its downfalls:




After spending some time using WFLP to do Windows Updates and browse the web, I realized - this is not too bad. But then again, I have 512MB of RAM and it is reporting a Xeon 3220 processor (that's what the Hyper-V server has) so I decided it was time to downscale the VM to see how it ran.




So I shut it down after patching and made the above screen look more grim:




Odd, I was hoping selecting this would put a different processor in here. Kind of wishing I had ESX's processor options now.




Another thing to note: regular Windows Update cannot get you SP3. You need to download this version:

http://www.microsoft.com/downloads/details.aspx?FamilyID=B0AACB27-707D-4ED1-8BD9-25A821096281&displaylang=en


Final notes on WFLP. Where is this a good fit? Where would you use this?

  • Organizations going through a hardware migration that might also be able to use a few old PCs for kiosks or terminal consoles (not using Windows 2008 Remote Desktop Services).
  • Anyone needing simple email/IE-only type access without any additional heavy applications.
  • Fully patched, this install is only using 2GB of the 8GB I allocated it. That means it might be feasible to have these thin clients booting off a USB device as well, even further reducing the footprint (and moving parts) on an aging desktop machine.





Monday, January 26, 2009

Creating a Virtual iSCSI SAN under ESX!







Important step here: ADD a hard drive to this VM's config with the needed storage space and map it to SCSI 1:0, or the rest will not work!


Launch the CMC (LeftHand Centralized Management Console) and choose Configure RAID. Choose RAID (virtual) and it will configure your disk.


Create a management group:






Set a NTP server:




I chose a standard cluster for now.





Name your cluster:





Configure VIP:




Creating a test 30GB Volume:




If you end up waiting here and re-seeing this screen, launch the VSAN console and log in using your new creds.




And we are DONE:




Now, it's time to add a server that will attach to this.


On the Servers Tab, click New Servers:




Now, I am using a Windows 2008 host for this. If you use anything pre-Vista/2008, you need to install the iSCSI initiator from:
http://www.microsoft.com/downloads/details.aspx?familyid=12cb3c1a-15d6-4585-b385-befd1319f825


In 2008 and Vista, it is included in the Control Panel:




Makes good sense:





An invaluable resource for decoding this:




Since this is for LAB only, I went with a secret-less (no CHAP) config:





After adding the server, we can assign the volume:









Once added, you can go to targets:




Choose log on:




Launch Disk Management, and you will see:




From here, it's simple: format the disk, and you can use it!
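Outside the lab, the "secret-less" server definition above is the one step I would not repeat: without CHAP, anything on that network segment that can reach the VIP and guess (or sniff) the initiator IQN can log in to the volume and read the disk. Added example, not from the original post or from HP/LeftHand: the same initiator setup done from the command line on the Windows Server 2008 host with the built-in iscsicli tool, with a CHAP secret, so the whole thing can be scripted for the next server. The VIP address, target IQN and CHAP user name are assumptions; the matching CHAP user and secret still have to be entered in the server definition in the CMC.

```powershell
# Added example (not from the original post): connect the Windows 2008 iSCSI initiator
# to the VSA with one-way CHAP. VIP, IQN and user name below are assumptions.
$vip    = '192.168.10.50'                                 # cluster VIP configured in the CMC
$target = 'iqn.2003-10.com.lefthandnetworks:lab:1:test'   # volume IQN shown in the CMC
$user   = 'vsa-lab'                                       # CHAP user name on the server entry

# The Microsoft initiator insists on CHAP secrets of 12 to 16 characters. Generate 16 at
# random from a 32-character alphabet (256 % 32 == 0, so the byte-to-char mapping has no bias).
$alphabet = [char[]]'abcdefghijkmnpqrstuvwxyz23456789'
$rng   = New-Object System.Security.Cryptography.RNGCryptoServiceProvider
$bytes = New-Object byte[] 16
$rng.GetBytes($bytes)
$secret = -join ($bytes | ForEach-Object { $alphabet[$_ % $alphabet.Length] })
Write-Host "CHAP secret to enter for server '$user' in the CMC: $secret"

# The initiator service is off by default on 2008 until you open the control panel applet.
Set-Service MSiSCSI -StartupType Automatic
Start-Service MSiSCSI

# The initiator's own IQN is what the CMC "Servers" entry has to match (the
# Control Panel applet shows it on the General tab; this prints the same thing).
iscsicli ListInitiators

# Discover the portal and log in, both authenticating with the CHAP user/secret.
iscsicli QAddTargetPortal $vip $user $secret
iscsicli ListTargets
iscsicli QLoginTarget $target $user $secret

# Confirm the session exists and see which disk the target was mapped to,
# then Disk Management (or diskpart) shows the new raw disk as in the screenshot above.
iscsicli SessionList
iscsicli ReportTargetMappings
```

QLoginTarget is a one-off session; it will not survive a reboot. Once you are happy with it, make the login persistent (the "Automatically restore this connection" box in the applet, or iscsicli PersistentLoginTarget) so the volume comes back before anything that depends on it starts.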


I should note at this point that 2008UTILITY is actually on Hyper-V, so this traffic is traversing multiple physical machines!

One thing to add: for any issues with the VSA, check here first: http://vsaforum.lefthandnetworks.com/
