Wednesday, March 25, 2009

Active Directory Recycle Bin can save a Windows Server

The Recycle Bin feature allows deleted objects to be restored from the Active Directory PowerShell environment. It is an optional, forest-wide feature that is turned off by default, requires the Windows Server 2008 R2 forest functional level, and cannot be turned off again once it has been enabled, so the first step is to enable the feature with Enable-ADOptionalFeature. Figure A shows this step.

[Figure A: Active Directory Recycle Bin]

Once this is complete, you can view the contents of the Active Directory Recycle Bin. It is not a new location: deleted objects are moved to the hidden CN=Deleted Objects container of their domain partition (hidden because normal LDAP searches do not return it unless the "show deleted objects" control is sent, which is what -IncludeDeletedObjects does). With the feature enabled, a deleted object keeps all of its attributes, including its SID and group memberships, for the deleted object lifetime (msDS-DeletedObjectLifetime, 180 days by default). After that it becomes a recycled object and can no longer be restored with Restore-ADObject.

In my first looks at Windows Server 2008 R2 beta, I set up a test domain running at that functional level. The domain, dev.tld, had nothing in the Recycle Bin after it was created. I deleted two objects: one user and one group. Figure B shows the query of what is in the Recycle Bin before the two objects were deleted, then another query after they were deleted.

[Figure B: Windows Server Active Directory]

Notice that some fields were cut off in the display, notably the full ObjectGUID. The GUID is the identifier to use for the restore: a deleted object's name and distinguished name are mangled (the RDN gets a \0ADEL:<guid> suffix and the object moves under CN=Deleted Objects), whereas the ObjectGUID never changes. To display the entire GUID and object name, you would run this query:

Get-ADObject -SearchBase "CN=Deleted Objects,DC=dev,DC=tld" -ldapFilter "(objectClass=*)" -includeDeletedObjects | FT ObjectGUID,Name -A

Then the full GUID is displayed, so a copy and paste operation will allow an easy restore. Because the search base is the Deleted Objects container itself and the filter matches every object class, the container appears in the list too; ignore it. From the list above, to restore the single user named test, the following command will perform the restore:

Restore-ADObject -Identity 6ff46162-15c2-4d42-8e15-2fcac5c8422e

The object is instantly returned to full existence in Active Directory, with its original SID, password and group memberships intact, so nothing has to be re-permissioned. Restore-ADObject puts the object back under its last known parent (the lastKnownParent attribute). If a whole OU was deleted, restore the OU first and then its children, or pass -TargetPath to restore the object into a different container.
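The steps above gathered into a few PowerShell functions, as an added example that is not code from the original post: enabling the feature, reading the deleted object lifetime, listing the Recycle Bin without the container itself, and a restore that brings back a deleted parent container before its child. The function names are my own, the ActiveDirectory module (RSAT) and a forest at the Windows Server 2008 R2 functional level are assumed, and the GUID in the usage comment is a placeholder.

```powershell
# Added example, not from the original post. Assumes the ActiveDirectory
# module (RSAT) and a forest at the Windows Server 2008 R2 functional level.
Import-Module ActiveDirectory

# Step 1: enable the optional feature for the whole forest. This is a one-way
# operation; there is no cmdlet that turns it off again.
function Enable-ADRecycleBin {
    param([string]$Forest = (Get-ADForest).RootDomain)
    Enable-ADOptionalFeature -Identity 'Recycle Bin Feature' `
        -Scope ForestOrConfigurationSet -Target $Forest -Confirm:$false
}

# How long a deleted object stays restorable. An empty msDS-DeletedObjectLifetime
# means the value falls back to tombstoneLifetime (180 days on a current forest).
function Get-ADDeletedObjectLifetime {
    $cfg = (Get-ADRootDSE).configurationNamingContext
    Get-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$cfg" `
        -Properties 'msDS-DeletedObjectLifetime', tombstoneLifetime |
      Select-Object 'msDS-DeletedObjectLifetime', tombstoneLifetime
}

# Step 2: list the Recycle Bin with the fields a restore needs.
# -IncludeDeletedObjects sends the LDAP "show deleted" control; the filter
# skips the Deleted Objects container, which is itself flagged isDeleted.
function Get-ADRecycleBinContents {
    param([string]$Domain = (Get-ADDomain).DistinguishedName)
    Get-ADObject -SearchBase "CN=Deleted Objects,$Domain" -IncludeDeletedObjects `
        -Filter 'isDeleted -eq $true -and name -ne "Deleted Objects"' `
        -Properties 'msDS-LastKnownRDN', lastKnownParent, whenChanged |
      Select-Object ObjectGUID, ObjectClass, 'msDS-LastKnownRDN', lastKnownParent,
                    @{ n = 'Deleted'; e = { $_.whenChanged } }
}

# Step 3: restore by ObjectGUID. If the parent container was deleted too, the
# child's lastKnownParent points into CN=Deleted Objects and Restore-ADObject
# fails until the parent is back, so walk up and restore parents first.
function Restore-ADRecycleBinObject {
    param([Parameter(Mandatory)][guid]$ObjectGuid)
    $obj = Get-ADObject -Identity $ObjectGuid -IncludeDeletedObjects `
        -Properties lastKnownParent, 'msDS-LastKnownRDN'
    if ($obj.lastKnownParent -like '*CN=Deleted Objects,*') {
        $parent = Get-ADObject -Identity $obj.lastKnownParent -IncludeDeletedObjects
        Restore-ADRecycleBinObject -ObjectGuid $parent.ObjectGUID
    }
    Restore-ADObject -Identity $ObjectGuid
    # Read it back as a live object; the SID and memberOf come back with it.
    Get-ADObject -Identity $ObjectGuid -Properties objectSid, memberOf
}

# Usage (the GUID is a placeholder; take a real one from Get-ADRecycleBinContents):
# Enable-ADRecycleBin
# Get-ADRecycleBinContents | Format-Table -AutoSize
# Restore-ADRecycleBinObject -ObjectGuid '6ff46162-15c2-4d42-8e15-2fcac5c8422e'
```

Restore-ADObject also accepts -NewName and -TargetPath, which you need when a live object with the same name was created in the meantime or when the original parent is gone for good and you would rather not restore it.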

Source: http://blogs.techrepublic.com.com/datacenter/?p=675

Sunday, March 8, 2009

Recovering Bitlocker Keys from Active Directory

BitLocker is a great tool for ensuring that the data on your organization's computers is protected when laptop computers are misplaced or hard disk drives are stolen. Volumes encrypted using BitLocker can be recovered with the BitLocker recovery tools if you have the appropriate recovery password (or, for a damaged volume, the key package). As each BitLocker recovery password is unique to its volume, the big problem with BitLocker recovery has been keeping track of every computer's BitLocker keys.

The easiest way to keep track of all keys is to archive them to Active Directory. It saves a lot of effort over setting up an Excel spreadsheet, and it is a great deal safer than one. The Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption node of a Windows Server 2008 GPO contains a policy named Turn on BitLocker backup to Active Directory Domain Services. Windows Server 2008 domain controllers already carry the msFVE-RecoveryInformation schema the backup writes to; a Windows Server 2003 domain needs the BitLocker schema extension applied first.

You can configure this policy so that BitLocker cannot be turned on unless the computer is connected to the domain and the backup of the BitLocker recovery information to AD succeeds (BitLocker remains on after that, even when the machine is off the network). To ensure BitLocker keys are backed up, enable the policy and select the Require BitLocker backup to AD DS option before deploying BitLocker. The check happens only when BitLocker is first enabled: a volume that was encrypted before the policy reached the machine has nothing in AD, and you have to push its existing numerical password protector yourself with manage-bde -protectors -adbackup. You can choose to back up recovery passwords and key packages or just recovery passwords. You should back up both items, because the key package is what the BitLocker Repair Tool needs to recover a volume whose own BitLocker metadata has been damaged; the recovery password alone is enough only for an intact volume.

Retrieving a BitLocker key from Active Directory involves using the BitLocker Recovery Password Viewer for Active Directory Users and Computers tool. This tool allows you to locate and view BitLocker recovery passwords, assuming that the passwords are archived in AD and that you can read them: by default that means Domain Administrator privileges in the domain in which the password is stored, although read access to the msFVE-RecoveryInformation objects can be delegated to a help desk group without making its members domain admins. You can obtain this tool from Microsoft's website here: http://support.microsoft.com/kb/928202.

You should note that the tool is not included with Windows Server 2008 or Windows Vista by default. So although you can archive BitLocker keys to AD, the only built-in way to read them back is to dig out the msFVE-RecoveryInformation objects under the computer account with a generic tool such as ADSI Edit or ldifde; the viewer is far more convenient. After you have installed it, but before you run it on a DC for the first time, it is necessary to run the command regsvr32.exe bdeaducext.dll. The tool modifies Active Directory Users and Computers so that when you view a computer account's properties there is a BitLocker Recovery tab that lists the recovery passwords associated with the computer account, and it adds a Find BitLocker Recovery Password action on the domain that locates a password from the Password ID shown on the recovery screen. You can remove the tool using Add or Remove Programs in the Control Panel. Keep in mind that a recovery password is worth exactly as much as the data on the disk, so restrict and audit reads of these objects as you would a credential store. Once you've recovered the appropriate passwords, you can get on with recovering encrypted data!
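As an added example that is not code from the original article, the same lookups the Recovery Password Viewer performs, done directly against the msFVE-RecoveryInformation objects with the Active Directory PowerShell module, plus the manage-bde step for volumes that were encrypted before the policy was applied. The function names are my own; the ActiveDirectory module (RSAT), read access to the recovery objects and, for the last function, local administrator rights on a BitLocker-enabled machine are assumed.

```powershell
# Added example, not from the original article. Assumes the ActiveDirectory
# module (RSAT), read access to the msFVE-RecoveryInformation objects and,
# for Backup-BitLockerProtectorToAD, local admin on a BitLocker machine.
Import-Module ActiveDirectory

# Each archived recovery password is an msFVE-RecoveryInformation object that
# sits directly under the computer account. Its name is "<backup time>{<Password ID>}";
# the Password ID is what the pre-boot recovery screen shows the user.
function Get-BitLockerRecoveryInfo {
    param([Parameter(Mandatory)][string]$ComputerName)
    $computer = Get-ADComputer -Identity $ComputerName
    Get-ADObject -SearchBase $computer.DistinguishedName -SearchScope OneLevel `
        -Filter 'objectClass -eq "msFVE-RecoveryInformation"' `
        -Properties 'msFVE-RecoveryPassword', 'msFVE-RecoveryGuid', 'msFVE-VolumeGuid', whenCreated |
      ForEach-Object {
        [pscustomobject]@{
            Computer   = $computer.Name
            BackedUp   = $_.whenCreated
            # Both GUIDs are stored as 16-byte octet strings.
            PasswordId = [guid]::new([byte[]]$_.'msFVE-RecoveryGuid')
            VolumeId   = [guid]::new([byte[]]$_.'msFVE-VolumeGuid')
            Password   = $_.'msFVE-RecoveryPassword'   # the 48-digit recovery password
        }
      }
}

# The recovery screen shows only the first eight characters of the Password ID,
# which is enough to find the object by name anywhere in the domain (this is
# what the viewer's Find BitLocker Recovery Password action does).
function Find-BitLockerRecoveryPassword {
    param([Parameter(Mandatory)][string]$PasswordIdPrefix)
    Get-ADObject -Filter "objectClass -eq 'msFVE-RecoveryInformation' -and name -like '*{$PasswordIdPrefix*'" `
        -Properties 'msFVE-RecoveryPassword' |
      Select-Object @{ n = 'Computer'; e = { ($_.DistinguishedName -split ',', 2)[1] } },
                    Name, 'msFVE-RecoveryPassword'
}

# The GPO only forces a backup when BitLocker is first turned on. For volumes
# that were already encrypted, push their numerical password protector(s) to
# AD with manage-bde; this parses the "Numerical Password" entries of
# "manage-bde -protectors -get" to find the protector IDs to back up.
function Backup-BitLockerProtectorToAD {
    param([string]$Drive = 'C:')
    $inNumerical = $false
    $ids = foreach ($line in (manage-bde -protectors -get $Drive)) {
        if ($line -match 'Numerical Password') { $inNumerical = $true; continue }
        if ($inNumerical -and $line -match 'ID:\s*(\{[0-9A-Fa-f-]+\})') {
            $inNumerical = $false
            $Matches[1]
        }
    }
    foreach ($id in $ids) { manage-bde -protectors -adbackup $Drive -id $id }
}

# Usage (computer name and ID prefix are placeholders):
# Get-BitLockerRecoveryInfo -ComputerName 'LAPTOP01' | Format-Table -AutoSize
# Find-BitLockerRecoveryPassword -PasswordIdPrefix '7C4A2E5B'
# Backup-BitLockerProtectorToAD -Drive 'C:'
```

Running Get-BitLockerRecoveryInfo across every computer account is a cheap way to audit the policy: a machine that reports BitLocker on but has no msFVE-RecoveryInformation child is one you cannot recover, and the third function is the fix for it.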

Source: http://windowsitpro.com/article/articleid/101582/recovering-bitlocker-keys-from-active-directory.html