
Directory Services

You are currently browsing the articles from MS Windows Vista Compatible Software matching the category Directory Services.

Sync DSRM and Domain Admin Passwords

Setting a password for Directory Services Restore Mode is something that is done during the setup of Active Directory.  As a best practice it has always been recommended to change that password on a regular basis, as you would with any other password.  The challenge was that the process for doing this was complicated and required you to use NTDS in Windows 2003.

This has been addressed in Windows Server 2008 where we can now sync the DSRM password with a Domain Administrator account.  There is a hotfix that needs to be installed which you can download here.  (Note: You do need to request the hotfix and it should be included in SP2)  After it is installed and the server is rebooted, you can run the following command to sync the passwords.

ntdsutil "set dsrm password" "sync from domain account <DomainAdminAccountName>" q q

Written by rodney.buike on February 27th, 2009 with no comments.

Recovering Deleted AD Objects in Server 2008 R2

In a previous entry, guest blogger Sean Kearney shared a new feature in Windows Server 2008 R2 directory services called the Active Directory Recycle Bin.  Sean is back to show us how to recover those deleted objects.

-------------------------

So you’ve done it.  We all have.  Deleted a user, group, or OU by accident, but thankfully you have 2008 R2 in place and the AD Recycle Bin enabled.  To recover now is a breeze!  Start by launching PowerShell V2 on Server 2008 R2 and run the following command:

Get-ADObject -Filter {name -like "missingitem*"} -IncludeDeletedObjects | Restore-ADObject

That’s it.  Nothing harder than that.  Was that so hard?  The great thing is that as long as it’s an object in Active Directory, it’s protected by this new feature for 180 days.  Also, this doesn’t just restore the object.  It restores the object, its security, its trusts!

If you’d like to learn more about the Active Directory Recycle Bin, check out these great resources on TechNet:

Active Directory Recycle Bin - Instructional Video on Technet Edge

...

Written by rodney.buike on February 24th, 2009 with no comments.

What’s New in 2008 R2 - Active Directory Recycle Bin

I’ve done it, I know people who have done it, and I bet you have done it before as well.  Right-click an object in Active Directory Users and Computers and instead of clicking the properties link you accidentally hit delete.  Boom, gone, and the only way to get it back is via a restore from backup.  Restart the DC, boot into Directory Services Restore Mode (DSRM), restore the system state backup and apply either an authoritative or non-authoritative restore.

Guest author, Sean Kearney, covers this new feature in Windows Server 2008 R2.

-------------------------

One of the fantastic features provided in Server 2008 R2 is the new Recycle Bin for Active Directory.

I recognize that nobody here is going to intentionally mess up their own Active Directory.  But problems can happen.  A junior technician misheard the phrase “Disable” with “Delete”, a malicious Administrator leaving the company, dumb luck.  Any number of problems can occur and this feature will save the day.

There are a few caveats to using this:

  • You must have the Domain functional level in Server 2008 R2 mode.
  • You must enable the feature by using LDP.EXE
...

Written by rodney.buike on February 23rd, 2009 with no comments.

What’s New in 2008 R2 - Offline Domain Join

For as long as we have had Active Directory domains, we have been required to join clients to the domain while they were online and connected to AD.  Without that, the join would fail.  You have always had the ability to join with a script using the NETDOM command, but with Windows Server 2008 R2 we can now join a client to our AD domain while it is offline.  The real benefit here is that there is no need to supply or enter domain admin credentials.  As you’ll see below, a TXT file is created, but just for fun open it up with Notepad and see what you can make out :)

It is a simple three-step process that requires you to run a new utility called DJOIN from an already joined Server 2008 R2 computer.

  1. Create a text file with DJOIN that contains the required information for a computer to join AD
  2. Import the text file using DJOIN on the target computer you wish to join AD
  3. Once connected to the domain, reboot the computer and it will join AD

For joining a computer to the domain using DJOIN there are some switches you need to know about first.

  • /provision - Used when there is
...

Written by rodney.buike on February 9th, 2009 with no comments.

Removing a Windows Server 2008 DC

Hardware dies; it always has and it always will eventually.  And if you ever had a Windows 2000/2003 domain controller die on you, you’ve no doubt gone through the painless but time-consuming process of removing a failed DC.  I wrote an article on it a few years ago, and while you might be planning to migrate your DCs to 2008, or already have, one thing you’ll like is the automated metadata cleanup when removing a failed Windows Server 2008 based DC from your AD domain!

Now a DC can be removed in three simple steps!  First right-click the computer account in Active Directory Users and Computers and select delete.  You will be prompted with a warning asking you to confirm.


Ensure you have selected the proper DC and then click Yes.  You will then be presented with another box telling you to perform a DCPromo to demote the server.  Since the server is dead and we can’t do such a thing, check the box about the DC being offline permanently and then click Delete.

...

Written by rodney.buike on November 22nd, 2008 with no comments.

Server 2008 Domain and Forest Functional Levels

As with each edition of Windows Server, the 2008 release also includes some new additions.  In order to take advantage of some of these new features you need to upgrade your Active Directory Forest and Domain functional levels.  You can read about the Windows 2000/2003 domain and forest functional levels as a refresher if you like, but here we'll cover the 2008 versions.

Windows 2008 Forest Functional Level

The Windows 2008 Forest functional level does not provide any additional features to your Active Directory forest.  It does require that all Domain Controllers in the forest are running Server 2008.  You should only change this once you have upgraded all DCs in the forest to Server 2008.

Windows 2008 Domain Functional Level

The Windows 2008 Domain functional level does provide quite a few useful new features to your Active Directory forest.  Some of these you've probably been asking for!  All Domain Controllers in the domain (but not forest) will need to be running Windows Server 2008.

  • Fine-grained password policies.  Finally you can have separate password policies for different OUs aside from the domain level policy.
  • Last Interactive Login information.  You can use this information to get details on the last time an
...

Written by rodney.buike on October 5th, 2008 with no comments.
