Daniel Ramawidjaja Blog

June 22, 2009

Restore Deleted Objects in Active Directory Database Using Tombstone Reanimation (LDP.EXE)

This tip has been tested and works on Windows Server 2003 and on Windows Server 2008 or later.
For Windows Server 2008 R2, using the Active Directory Recycle Bin feature is recommended instead. It is a more efficient method and performs a complete restore of previously deleted objects.

What Is a Tombstone?
When Active Directory deletes an object from the directory, it does not physically remove the object from the database. Instead, Active Directory marks the object as deleted by setting the object’s isDeleted attribute to TRUE, stripping most of the attributes from the object, renaming the object, and then moving the object to a special container in the object’s naming context (NC) named CN=Deleted Objects. The object, now called a tombstone, is invisible to normal directory operations.

Obviously, objects don’t remain in the CN=Deleted Objects container forever. The default tombstone lifetime is 60 days for forests initially built using Windows® 2000 and Windows Server 2003, and 180 days for forests that were initially built with Windows Server 2003 SP1. You can change the tombstone lifetime by setting the tombstoneLifetime attribute of the CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC= object.

Every 12 hours, each domain controller starts a garbage collection process. (This can be changed by setting a new value for the garbageCollPeriod attribute of the CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC= object.) This garbage collection scans all of the tombstones on the DC and physically deletes any that are older than the tombstone lifetime.

The Deleted Objects container is hidden and cannot be viewed with Active Directory Users and Computers or ADSIEDIT.MSC, but you can view it with LDP.EXE.
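The following script is an added example, not code from the original post. It reads the tombstoneLifetime and garbageCollPeriod values described above from the Directory Service object, then lists the tombstoned user accounts in the hidden Deleted Objects container together with how many days each one remains recoverable. It uses the System.DirectoryServices.Protocols assembly that ships with Windows; the domain controller name dc01.microship.com, the domain DN DC=Microship,DC=com, PowerShell 5 or later (for the ::new() syntax) and a bind as the current user are assumptions.

```powershell
# Added example (not from the original post): tombstone lifetime and recoverable tombstones.
# Assumptions: DC reachable as dc01.microship.com, domain DC=Microship,DC=com, PowerShell 5+.
Add-Type -AssemblyName System.DirectoryServices.Protocols

$server   = 'dc01.microship.com'          # assumed domain controller
$domainDn = 'DC=Microship,DC=com'
$dsDn     = "CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,$domainDn"

$conn = [System.DirectoryServices.Protocols.LdapConnection]::new($server)
$conn.SessionOptions.ProtocolVersion = 3
$conn.Bind()                              # bind with the current user's credentials

# tombstoneLifetime is in days, garbageCollPeriod in hours. When an attribute is not set,
# AD uses the defaults from the post: 60 days (pre-2003 SP1 forests) and 12 hours.
$cfgReq = [System.DirectoryServices.Protocols.SearchRequest]::new(
    $dsDn, '(objectClass=*)', 'Base', [string[]]@('tombstoneLifetime', 'garbageCollPeriod'))
$cfg = $conn.SendRequest($cfgReq).Entries[0]
$lifetimeDays = 60
if ($cfg.Attributes.Contains('tombstoneLifetime')) { $lifetimeDays = [int]$cfg.Attributes['tombstoneLifetime'][0] }
$gcHours = 12
if ($cfg.Attributes.Contains('garbageCollPeriod')) { $gcHours = [int]$cfg.Attributes['garbageCollPeriod'][0] }
"Tombstone lifetime: $lifetimeDays days; garbage collection runs every $gcHours hours"

# Search the hidden container. ShowDeletedControl is LDP's "Return deleted objects" option
# (OID 1.2.840.113556.1.4.417); paging avoids the default 1000-entry result limit.
# computer is a subclass of user, so it is excluded explicitly.
$search = [System.DirectoryServices.Protocols.SearchRequest]::new(
    "CN=Deleted Objects,$domainDn", '(&(isDeleted=TRUE)(objectClass=user)(!(objectClass=computer)))',
    'OneLevel', [string[]]@('lastKnownParent', 'whenChanged', 'objectSid'))
$search.Controls.Add([System.DirectoryServices.Protocols.ShowDeletedControl]::new()) | Out-Null
$page = [System.DirectoryServices.Protocols.PageResultRequestControl]::new(500)
$search.Controls.Add($page) | Out-Null

do {
    $resp = $conn.SendRequest($search)
    foreach ($e in $resp.Entries) {
        # whenChanged is generalized time such as 20090620103000.0Z. A tombstone is not
        # normally modified after deletion, so it is used here as an approximation of the
        # deletion time (assumption of this example).
        $deleted = [datetime]::ParseExact($e.Attributes['whenChanged'][0], "yyyyMMddHHmmss.0'Z'",
            [cultureinfo]::InvariantCulture, [System.Globalization.DateTimeStyles]::AssumeUniversal)
        $expires = $deleted.AddDays($lifetimeDays)
        $sidBytes = $e.Attributes['objectSid'].GetValues([byte[]])[0]
        $sid = [System.Security.Principal.SecurityIdentifier]::new($sidBytes, 0)
        [pscustomobject]@{
            Tombstone     = $e.DistinguishedName          # CN=<name>\0ADEL:<objectGUID>,CN=Deleted Objects,...
            LastParent    = $e.Attributes['lastKnownParent'][0]
            Sid           = $sid.Value
            DeletedUtc    = $deleted.ToUniversalTime()
            DaysRemaining = [math]::Floor(($expires - (Get-Date)).TotalDays)
        }
    }
    $pageResp = $resp.Controls | Where-Object { $_ -is [System.DirectoryServices.Protocols.PageResultResponseControl] }
    $page.Cookie = $pageResp.Cookie
} while ($page.Cookie.Length -gt 0)
```

Run it as an account that is allowed to list the Deleted Objects container (by default only Domain Admins). A DaysRemaining value at or below zero means the next garbage collection pass can remove the tombstone, after which only an authoritative restore from backup can bring the object back.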

For example, in this documentation I delete an account with the distinguishedName CN=Jenny Gates,OU=Marketing,DC=Microship,DC=com.
That account is then stored in the Deleted Objects container in the form:
CN=Jenny Gates\0ADEL:c7f41f06-7f02-42c9-8701-d5ad5ee3a7d0,CN=Deleted Objects,DC=Microship,DC=com
(\0A is the escaped line-feed character that Active Directory inserts between the old name and DEL:<objectGUID>), with the attribute isDeleted set to TRUE.

To restore the user account, you use LDP.EXE to modify the attributes of the deleted object.
Here are the screenshots.


The previous condition
Jenny Gates (username: JennyG) has the following attributes:

Tombstone Reanimation - Before Deletion

Tombstone Reanimation - Before Deletion

Jenny has permissions on the C:\Data\Marketing folder.

Tombstone Reanimation - Before Deletion

Delete the user account Jenny

Tombstone Reanimation - Deletion

As the Result of Deletion
After the deletion, Jenny’s entry in the folder permissions shows only her old SID. If you create a new user with the same name, it is a new object with a new SID, so the old permissions do not apply to it. That is why you have to use the tombstone reanimation method to restore the old object.

Tombstone Reanimation - Impact of Deletion


To prepare for restoring the deleted object on Windows Server 2003, install the Windows Server 2003 Support Tools; the installer is on the Windows Server 2003 installation CD at \SUPPORT\TOOLS\SUPTOOLS.MSI.
You can skip this step on Windows Server 2008, where LDP.EXE is included.

Tombstone Reanimation - Support Tools


Process to Restore the Deleted Object
Run LDP.exe.
In the LDP window, click the Connection menu, click Connect, and type the appropriate server name and port.
Click the Connection menu, click Bind, and type the Administrator account and password.

Click the Options menu, then click Controls.
Under Load Predefined, select Return deleted objects.
This option makes the Deleted Objects container, which is hidden by default, visible.

Tombstone Reanimation

Click the View menu, click Tree, and then enter the distinguished name of the domain.
On the left, select DC=Microship,DC=com.
Then expand the Deleted Objects container and find Jenny Gates.

Right-click the Jenny Gates account, and then click Modify.

Tombstone Reanimation

In the Attribute box, type isDeleted. Under Operation, click Delete, and then click Enter.
In the Attribute box, type distinguishedName; in the Values box, type CN=Jenny Gates,OU=Marketing,DC=Microship,DC=com. Under Operation, click Replace, and then click Enter.
Select the Extended check box, and then click Run.
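The three Modify steps above, as an added example rather than code from the original post: the same LDAP modify (delete isDeleted, replace distinguishedName, sent with the Return deleted objects control that the Extended check box enables) issued from PowerShell through System.DirectoryServices.Protocols, followed by a read of the restored object to confirm that it kept its original SID and came back disabled. The tombstone DN is the one from the post; the domain controller name dc01.microship.com, PowerShell 5 or later and a bind as the current user are assumptions.

```powershell
# Added example (not from the original post): tombstone reanimation as an LDAP modify.
# Assumptions: DC reachable as dc01.microship.com, PowerShell 5+, bind as the current user.
Add-Type -AssemblyName System.DirectoryServices.Protocols

$server      = 'dc01.microship.com'      # assumed domain controller
# \0A is the escaped line feed inside the tombstone's RDN (the post shows the DN with it stripped).
$tombstoneDn = 'CN=Jenny Gates\0ADEL:c7f41f06-7f02-42c9-8701-d5ad5ee3a7d0,CN=Deleted Objects,DC=Microship,DC=com'
$restoredDn  = 'CN=Jenny Gates,OU=Marketing,DC=Microship,DC=com'

$conn = [System.DirectoryServices.Protocols.LdapConnection]::new($server)
$conn.SessionOptions.ProtocolVersion = 3
$conn.Bind()

# LDP step 1: delete the isDeleted attribute.
$delIsDeleted = [System.DirectoryServices.Protocols.DirectoryAttributeModification]::new()
$delIsDeleted.Name = 'isDeleted'
$delIsDeleted.Operation = [System.DirectoryServices.Protocols.DirectoryAttributeOperation]::Delete

# LDP step 2: replace distinguishedName with the object's original DN.
$replaceDn = [System.DirectoryServices.Protocols.DirectoryAttributeModification]::new()
$replaceDn.Name = 'distinguishedName'
$replaceDn.Operation = [System.DirectoryServices.Protocols.DirectoryAttributeOperation]::Replace
$replaceDn.Add($restoredDn) | Out-Null

$mod = [System.DirectoryServices.Protocols.ModifyRequest]::new()
$mod.DistinguishedName = $tombstoneDn
$mod.Modifications.Add($delIsDeleted) | Out-Null
$mod.Modifications.Add($replaceDn) | Out-Null
# LDP step 3 (Extended + Run): send the modify together with the Return deleted objects
# control (OID 1.2.840.113556.1.4.417); without it the DC cannot address the tombstone.
$mod.Controls.Add([System.DirectoryServices.Protocols.ShowDeletedControl]::new()) | Out-Null

try {
    $conn.SendRequest($mod) | Out-Null
} catch [System.DirectoryServices.Protocols.DirectoryOperationException] {
    throw "Reanimation failed: $($_.Exception.Response.ResultCode) - $($_.Exception.Message)"
}

# Verify: the object is live again at its old DN, still carries its original objectSid
# (which is why the folder permissions come back) and is disabled (userAccountControl bit 0x2).
$check = [System.DirectoryServices.Protocols.SearchRequest]::new(
    $restoredDn, '(objectClass=user)', 'Base', [string[]]@('objectSid', 'userAccountControl'))
$obj = $conn.SendRequest($check).Entries[0]
$sid = [System.Security.Principal.SecurityIdentifier]::new($obj.Attributes['objectSid'].GetValues([byte[]])[0], 0)
$uac = [int]$obj.Attributes['userAccountControl'][0]
"Restored $restoredDn with SID $($sid.Value); account disabled: $(($uac -band 0x2) -ne 0)"
```

As the post notes, the account comes back disabled and with its attributes stripped: set a password first and then enable the account, and re-add group memberships by hand.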

Tombstone Reanimation

The result of restoring deleted objects with the tombstone reanimation procedure is not perfect. What you get back is a disabled account whose attributes were stripped at deletion. You have to set a password and enable the account.

Tombstone Reanimation - The Result

But as you can see in the following picture, the permissions for Jenny have been restored.
Now Jenny can access the shared folder again.

Tombstone Reanimation - The Result

The next pictures show that, although you can restore the object, many attributes are gone, including the user’s group memberships.

Tombstone Reanimation - The Result

Tombstone Reanimation - The Result

If you want a complete restore including all attributes of the user, you should consider an authoritative restore, which requires restoring from backup; and you cannot restore the Active Directory database from backup without restarting the domain controller in Active Directory Restore Mode.


7 Comments

  1. […] Tombsone Reanimation Using AdRestore.exe and ADRestore.NET By using AdRestore.exe or ADRestore.NET, you can easily restore deleted objects from the Active Directory database by using the tombstone reanimation method. So it basically does the same as using LDP in my previous post, Restore Deleted Objects in Active Directory Database Using Tombstone Reanimation (LDP.EXE) […]

    Pingback by Tombsone Reanimation Using AdRestore.exe and ADRestore.NET « Daniel Ramawidjaja Blog — June 22, 2009 @ 5:39 pm

  2. Great help!!! Thanks for the information.

    Comment by Pravin — March 26, 2010 @ 1:39 pm

  3. I have noticed that using the Exchange Console and removing the mailbox will remove the AD object also, but it doesn’t show up in the garbage collection. Why is that?
    What can I do if I have a user that, instead of disabling a user mailbox, removes it and the NT account? I had an administrator look and it doesn’t show up in the garbage can process to restore. Anyone know what is the deal here?

    Comment by Dave keffer — July 13, 2010 @ 4:43 pm

    • It’s about Active Directory, not Exchange, but it’s OK. 🙂
      You didn’t say which Exchange version you used. Assuming it’s Exchange 2010, try this.
      On your Exchange server where you disabled the mailbox, open the Exchange Management Shell and run the cmdlet: Get-MailboxDatabase | Clean-MailboxDatabase. Then verify the result from the Exchange Management Console; it should be visible on the Disconnected Mailbox node.

      Comment by Daniel Ramawidjaja — July 14, 2010 @ 12:31 am

  4. Good article, helpful in understanding the deleted objects life cycle in Active Directory.

    Comment by Naveen Kumar B — July 25, 2011 @ 7:47 am

  5. Great article, thanks!

    Note: As a search result of an LDAP query, only 1000 objects are returned by default. For example, if more than 1000 objects exist in the Deleted Objects container, not all objects appear in this container. If your target object does not appear, use NTDSUTIL, and then set the maximum number by using maxpagesize to get the search results, as described in the following KB article: How to view and set LDAP policy in Active Directory by using Ntdsutil.exe (315071). Double-click the object that you want to undelete or to reanimate.

    Comment by Michael Chelsea — October 16, 2011 @ 4:04 pm

  6. Thank you!

    Comment by Ondrej — June 2, 2012 @ 2:58 am
