Enable Recycle Bin Feature In Active Directory

The Active Directory Recycle Bin feature is disabled by default in Windows Server 2012 R2. To enable it, the forest functional level must be Windows Server 2008 R2 or higher. Enable the Active Directory Recycle Bin feature on Windows Server 2012 R2 by logging in with a user account that is a member of the "Enterprise Admins" or "Schema Admins" group.

From Server Manager, click Tools and then Active Directory Administrative Center. Right-click the target domain in the left navigation pane and click Raise the forest functional level.



In my domain, the Active Directory forest functional level is already Windows Server 2012 R2. To enable the Active Directory Recycle Bin feature, the forest functional level should be Windows Server 2008 R2 or higher.


To check the current forest functional level of your organization using a PowerShell command:

Get-ADForest -Identity sysghosta.local


To raise the forest functional level using PowerShell, launch the Active Directory Module for Windows PowerShell and execute:

Set-ADForestMode 6 -Identity SYSGHOSTA.LOCAL


6 – Raise the forest functional level to Windows Server 2012 R2

5 – Raise the forest functional level to Windows Server 2012

4 – Raise the forest functional level to Windows Server 2008 R2


Now open the Active Directory Administrative Center, right-click the target domain and click Enable Recycle Bin.




Click OK



Refresh the console now




To enable the Active Directory Recycle Bin feature using a PowerShell command:

Enable-ADOptionalFeature -Identity "CN=Recycle Bin Feature,CN=Optional Features,CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=sysghosta,DC=local" -Scope ForestOrConfigurationSet -Target "sysghosta.local"

And the command to verify the result:

Get-ADOptionalFeature -filter *


Now go back to the Active Directory Administrative Center and you will see a container called Deleted Objects.


Now, to test whether it is working, I will delete a test user account and restore it using the Recycle Bin:



The user Temp is deleted, and you can see this user in the AD Recycle Bin with the following command:

Get-ADObject -SearchBase "CN=Deleted Objects,DC=sysghosta,DC=local" -ldapFilter:"(msDs-lastKnownRDN=*)" -IncludeDeletedObjects -Properties lastKnownParent




Now we will restore this account:



After this you will be able to see this user again in the same location:


To restore the deleted object back to its original location using a PowerShell command (the filter names the deleted user's last known RDN, Temp; a plain (msDS-LastKnownRDN=*) filter piped to Restore-ADObject would restore every object in the Recycle Bin):

Get-ADObject -LDAPFilter "(&(isDeleted=TRUE)(msDS-LastKnownRDN=Temp))" -IncludeDeletedObjects | Restore-ADObject
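The steps above (check the forest functional level, enable the optional feature, find the deleted object, restore it) put together as one script. This is an added example, not code from the original post; the forest name sysghosta.local and the user name Temp are the post's placeholders, and the function names are my own. It also covers one case the post does not show: when the user's OU was deleted together with the user, Restore-ADObject fails until the parent is restored first, so the helper walks the lastKnownParent chain.

```powershell
# Added example (not part of the original post). Assumes the ActiveDirectory module,
# a forest named sysghosta.local and a deleted user whose last known RDN is "Temp".
Import-Module ActiveDirectory

function Assert-RecycleBinPrerequisite {
    param([string]$Forest = 'sysghosta.local')
    $f = Get-ADForest -Identity $Forest
    # ForestMode is an ADForestMode enum; Windows2008R2Forest (4) is the minimum for the Recycle Bin
    $min = [Microsoft.ActiveDirectory.Management.ADForestMode]::Windows2008R2Forest
    if ([int]$f.ForestMode -lt [int]$min) {
        throw "Forest mode is $($f.ForestMode); raise it to at least $min before enabling the Recycle Bin."
    }
    return $f
}

function Enable-RecycleBinIfNeeded {
    param([string]$Forest = 'sysghosta.local')
    $null = Assert-RecycleBinPrerequisite -Forest $Forest
    $feature = Get-ADOptionalFeature -Filter 'Name -eq "Recycle Bin Feature"'
    # EnabledScopes lists the partitions the feature is enabled on; empty means it is not enabled yet
    if ($feature.EnabledScopes.Count -gt 0) {
        Write-Verbose 'Recycle Bin is already enabled'
        return $feature
    }
    # Enabling is one-way: the feature cannot be disabled again afterwards
    Enable-ADOptionalFeature -Identity $feature -Scope ForestOrConfigurationSet -Target $Forest -Confirm:$false
    return Get-ADOptionalFeature -Identity $feature
}

function Restore-WithParents {
    param([Parameter(Mandatory)]$Object)
    # Restore-ADObject fails when the last known parent is itself in the Recycle Bin
    # (an OU deleted together with its users), so restore the parent chain first.
    $parent = Get-ADObject -Identity $Object.lastKnownParent -IncludeDeletedObjects -Properties isDeleted, lastKnownParent
    if ($parent.isDeleted) { Restore-WithParents -Object $parent }
    Restore-ADObject -Identity $Object.ObjectGUID
}

function Restore-DeletedADObjectByRdn {
    param([Parameter(Mandatory)][string]$Rdn)   # plain RDN such as "Temp"; escape LDAP metacharacters if present
    $deletedBase = "CN=Deleted Objects,$((Get-ADDomain).DistinguishedName)"
    # Search only the Deleted Objects container and match the exact last known RDN,
    # so nothing but the intended object is piped into Restore-ADObject.
    $hits = @(Get-ADObject -SearchBase $deletedBase `
        -LDAPFilter "(&(isDeleted=TRUE)(msDS-LastKnownRDN=$Rdn))" `
        -IncludeDeletedObjects -Properties lastKnownParent)
    if ($hits.Count -eq 0) { throw "No deleted object with RDN '$Rdn' was found." }
    if ($hits.Count -gt 1) { throw "Several deleted objects are named '$Rdn'; restore by ObjectGUID instead." }
    Restore-WithParents -Object $hits[0]
    # Return the live object so the caller can confirm it is back at its original location
    return Get-ADObject -Identity $hits[0].ObjectGUID -Properties DistinguishedName
}

# Usage (run as an Enterprise Admin on a domain controller):
# Enable-RecycleBinIfNeeded -Forest 'sysghosta.local'
# Restore-DeletedADObjectByRdn -Rdn 'Temp'
```

The exact-match filter plus the SearchBase is the part worth copying even if you use none of the rest: with `-IncludeDeletedObjects`, a wildcard filter against the whole domain matches every object in the Recycle Bin, and Restore-ADObject will happily restore all of them.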


Migrate WSUS from server 2003 to Server 2012/2012 R2 including approved updates and settings

Also, you can follow this video, which explains each step of the WSUS migration including all approved updates.

Step-by-step procedure for migrating WSUS from a W2K3 server to W2K12:

Migrate WSUS updates

  1. Stop the WSUS service and the synchronization schedule on the W2K3 server.
  2. Install the WSUS role on the W2K12 server. Leave the configuration wizard at the end of the role installation.
  3. Create an NT Backup task for the entire WSUS content folder.
  4. Copy the NT Backup binaries from a W2K3 server to the W2K12 server.

Migrate WSUS security groups

Nothing specific needs to be done in this step if all the users, groups and security permissions are exactly the same in the new setup. To double-check, you can refer to the article described here.

Back up the WSUS database

This is the most important step. You can also see how to do it here. Remember that you need to install SQL Server 2012 Management Studio on your W2K12 server, as the 2005 version is not supported on 2012. This is required for the WSUS database import.

Final steps

  1. After completing the WSUS database migration, open the WSUS console on the W2K12 server. You should see that the approved updates, along with the rest of the updates, are there.
  2. Configure the new WSUS server with exactly the same configuration (products, classifications, automatic approvals, sync schedule, etc.).
  3. In the WSUS Group Policy, change the server host name to the new one.
  4. Start a manual synchronization on the new server. Once it has finished, make sure that the sync status is Succeeded.
  5. As you have changed the WSUS server in the domain Group Policy, you may need to log off and log in on the client computers, or run gpupdate /force. Alternatively, follow the steps in the TechNet article to manually trigger detection on a client computer.
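Two checks for the final steps above, written as an added example (not from the original post or from Microsoft): the first runs on the new W2K12 server with the UpdateServices module and confirms steps 1 and 4 (approved updates present, last sync Succeeded) through the WSUS API; the second runs on a client and confirms step 5 (the WUServer policy value points at the new server, refreshing Group Policy if it does not). The server name wsus2012.sysghosta.local and port 8530 are assumed placeholders.

```powershell
# Added example (not part of the original post). Server-side function needs the
# UpdateServices module on the W2K12 WSUS server; the client-side function needs
# only the Windows Update policy registry key.

function Test-WsusServerMigration {
    param([string]$Server = 'wsus2012.sysghosta.local', [int]$Port = 8530)   # assumed names
    $wsus = Get-WsusServer -Name $Server -PortNumber $Port
    # Final step 4: the last synchronization must report Succeeded
    $sync = $wsus.GetSubscription().GetLastSynchronizationInfo()
    # Final step 1: approvals survived the database import only if approved updates exist
    $approved = @($wsus.GetUpdates() | Where-Object { $_.IsApproved }).Count
    return [pscustomobject]@{
        LastSyncResult = $sync.Result
        LastSyncEnd    = $sync.EndTime
        ApprovedCount  = $approved
        Ok             = ($sync.Result -eq 'Succeeded' -and $approved -gt 0)
    }
}

function Test-WsusClientTarget {
    param([Parameter(Mandatory)][string]$ExpectedServerUrl)   # e.g. http://wsus2012.sysghosta.local:8530
    # Final step 5: the Group Policy value WUServer must name the new server
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $current = (Get-ItemProperty -Path $key -Name WUServer -ErrorAction SilentlyContinue).WUServer
    if ($current -ne $ExpectedServerUrl) {
        # Policy not applied yet: refresh it and read the value again
        & gpupdate /force | Out-Null
        $current = (Get-ItemProperty -Path $key -Name WUServer -ErrorAction SilentlyContinue).WUServer
    }
    $matches = ($current -eq $ExpectedServerUrl)
    if ($matches) {
        # Ask the Windows Update agent (on the client generations this post targets) to check in now
        & wuauclt /detectnow
    }
    return [pscustomobject]@{ WUServer = $current; Matches = $matches }
}

# Usage:
# Test-WsusServerMigration                      # on the new WSUS server
# Test-WsusClientTarget -ExpectedServerUrl 'http://wsus2012.sysghosta.local:8530'   # on a client
```

If `Matches` stays false after gpupdate, the client is still reading the old policy or a local override, which is the usual reason clients keep reporting to the decommissioned W2K3 server after a migration.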

Active Directory Authoritative and Non-Authoritative Restore Server 2008

Take a system state backup.

After installing the Windows Server Backup feature with the command-line tools option selected, run wbadmin from an elevated command prompt. (To open an elevated command prompt, click Start, right-click Command Prompt, and then click Run as administrator.)

Syntax: wbadmin start systemstatebackup -backupTarget:<VolumeName> [-quiet]
Example: wbadmin start systemstatebackup -backupTarget:D:

Restore Server 2008 Active Directory (non-authoritative)

1. On the Server 2008 DC, open a command prompt.

2. Run the commands below to enter Directory Services Restore Mode (DSRM).

bcdedit /set safeboot dsrepair
shutdown -t 0 -r

Note: To manually boot in Directory Services Restore Mode, press the F8 key repeatedly. Use the up/down arrow keys to select Directory Services Restore Mode or DS Restore Mode. Then press the Enter key.

3. Log in using the administrator account and the DSRM password.

4. Run the command below (note that D: is the drive letter of your backup); this will show you the version identifier of the backup.

wbadmin get versions -backuptarget:D:

5. Run the command below to start the restore, using the version identifier from the previous step.

wbadmin start systemstaterecovery -version:18/09/2013-16:57 -backuptarget:D:

6. After the restore process is completed, run the following commands to reboot.

bcdedit /deletevalue safeboot
shutdown -t 0 -r

Restore Server 2008 Active Directory if someone accidentally deletes an object (authoritative restore)

1. Restore Server 2008 Active Directory (non-authoritative) as above, but do not reboot the server.

2. Open a command prompt and run the following commands, where CN=Sumit,OU=IT,DC=SYSGHOST,DC=LOCAL is the object you wish to restore.

ntdsutil: activate instance ntds

Active instance set to “ntds”.

ntdsutil: authoritative restore

authoritative restore: restore object CN=Sumit,OU=IT,DC=SYSGHOST,DC=LOCAL

3. Once it has completed, type quit.

4. After the restore process is completed, run the following commands to reboot.

bcdedit /deletevalue safeboot
shutdown -t 0 -r
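The DSRM restore flow above, wrapped in PowerShell helpers as an added example (not from the original post): pick the newest version identifier from wbadmin output instead of copying it by hand, refuse to run the authoritative restore unless the machine is actually booted into DSRM, and drive ntdsutil non-interactively by passing it the same commands the post types at its prompt. The backup drive D: and the object CN=Sumit,OU=IT,DC=SYSGHOST,DC=LOCAL are the post's placeholders; the function names are mine.

```powershell
# Added example (not part of the original post). Run on the Server 2008 DC from an
# elevated PowerShell prompt; the authoritative-restore step only works inside DSRM.

function Get-LatestSystemStateVersion {
    param([string]$BackupTarget = 'D:')
    # wbadmin prints one "Version identifier: MM/DD/YYYY-HH:MM" line per backup, oldest first
    $out = & wbadmin get versions -backuptarget:$BackupTarget 2>&1
    $ids = $out | ForEach-Object { if ($_ -match 'Version identifier:\s*(\S+)') { $Matches[1] } }
    if (-not $ids) { throw "No system state backups found on $BackupTarget" }
    return @($ids)[-1]
}

function Test-DsrmBoot {
    # True when the {current} boot entry carries "safeboot DsRepair", i.e. we booted into DSRM
    $cfg = & bcdedit /enum '{current}' 2>&1
    return [bool]($cfg -match '^\s*safeboot\s+DsRepair')
}

function Start-SystemStateRecovery {
    param([string]$BackupTarget = 'D:', [string]$Version)
    if (-not (Test-DsrmBoot)) { throw 'Boot into Directory Services Restore Mode first (bcdedit /set safeboot dsrepair).' }
    if (-not $Version) { $Version = Get-LatestSystemStateVersion -BackupTarget $BackupTarget }
    # Step 5 of the non-authoritative restore; -quiet suppresses the interactive prompts
    & wbadmin start systemstaterecovery -version:$Version -backuptarget:$BackupTarget -quiet
    if ($LASTEXITCODE -ne 0) { throw "wbadmin exited with code $LASTEXITCODE" }
}

function Invoke-AuthoritativeRestore {
    param([Parameter(Mandatory)][string]$ObjectDN)   # e.g. CN=Sumit,OU=IT,DC=SYSGHOST,DC=LOCAL
    if (-not (Test-DsrmBoot)) { throw 'Authoritative restore must run from DSRM, before the post-restore reboot.' }
    # ntdsutil accepts its interactive commands as quoted arguments, so the session from the
    # post (activate instance / authoritative restore / restore object / quit) can be scripted.
    # ntdsutil still shows its own confirmation dialog before marking the object authoritative.
    # A DN containing spaces needs the inner quotes the interactive prompt would need.
    $ntdsArgs = @('activate instance ntds', 'authoritative restore', "restore object $ObjectDN", 'quit', 'quit')
    & ntdsutil @ntdsArgs
    if ($LASTEXITCODE -ne 0) { throw "ntdsutil exited with code $LASTEXITCODE" }
}

function Exit-Dsrm {
    # Step 6 / step 4: clear the safeboot flag and reboot normally
    & bcdedit /deletevalue safeboot | Out-Null
    & shutdown -t 0 -r
}

# Usage, in order, from DSRM:
# Start-SystemStateRecovery -BackupTarget 'D:'
# Invoke-AuthoritativeRestore -ObjectDN 'CN=Sumit,OU=IT,DC=SYSGHOST,DC=LOCAL'
# Exit-Dsrm
```

The Test-DsrmBoot guard is the practical addition: an authoritative restore run after the DC has rebooted into normal mode has already replicated in the deletion, and marking the object authoritative at that point no longer brings it back.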