1
00:00:01,140 --> 00:00:04,610
In this demonstration, we'll start with the Active Directory Recycle Bin,

2
00:00:04,610 --> 00:00:08,200
and then we'll take a look at Directory Services Restore Mode,

3
00:00:08,200 --> 00:00:11,940
Restartable AD DS, and troubleshooting replication.

4
00:00:11,940 --> 00:00:15,060
To begin with, let me open up dsa.msc.

5
00:00:15,060 --> 00:00:19,540
That's a shortcut to Active Directory Users and Computers.

6
00:00:19,540 --> 00:00:19,980
Why?

7
00:00:19,980 --> 00:00:23,980
Because I wanted to verify that we do indeed have 2

8
00:00:23,980 --> 00:00:27,180
domain controllers in my domain timw.info,

9
00:00:27,180 --> 00:00:29,120
DC1 and MEM.

10
00:00:29,120 --> 00:00:31,680
Now, notice, they're in the same Active Directory site,

11
00:00:31,680 --> 00:00:36,650
so this assumes that our TCP/IP topology is such that these machines

12
00:00:36,650 --> 00:00:40,140
have persistent high-speed interconnectivity.

13
00:00:40,140 --> 00:00:42,240
Now that's another whole architectural question,

14
00:00:42,240 --> 00:00:44,970
but it overlaps with replication troubleshooting,

15
00:00:44,970 --> 00:00:45,940
doesn't it?

16
00:00:45,940 --> 00:00:48,240
Because when you're within a single domain,

17
00:00:48,240 --> 00:00:50,490
those domain controllers assume that they can

18
00:00:50,490 --> 00:00:52,410
communicate with each other at will,

19
00:00:52,410 --> 00:00:57,540
and the way that you can put controls on that is to align the physical TCP/IP

20
00:00:57,540 --> 00:01:00,940
topology of your environment to these Active Directory sites.

21
00:01:00,940 --> 00:01:02,920
And then if you have more than one site,

22
00:01:02,920 --> 00:01:07,040
you can configure bridgehead servers and schedule replication

23
00:01:07,040 --> 00:01:09,730
rather than just let it happen when it needs to.

24
00:01:09,730 --> 00:01:13,090
Again, that's less of a problem nowadays given the ubiquity,

25
00:01:13,090 --> 00:01:16,920
or near ubiquity, of high-speed LAN connectivity.

26
00:01:16,920 --> 00:01:18,640
Now, as I promised,

27
00:01:18,640 --> 00:01:22,310
I'm going to demo the Active Directory Recycle Bin using the

28
00:01:22,310 --> 00:01:24,780
Active Directory Administrative Center console.

29
00:01:24,780 --> 00:01:26,640
And what I've done, simply opened the tool,

30
00:01:26,640 --> 00:01:29,730
navigated to my Domain node, and then over here,

31
00:01:29,730 --> 00:01:33,180
we've got the one‑time operation to enable the Recycle Bin,

32
00:01:33,180 --> 00:01:34,580
so let me click that.

33
00:01:34,580 --> 00:01:36,420
We sure we want to do that?

34
00:01:36,420 --> 00:01:37,240
Yes.

35
00:01:37,240 --> 00:01:39,740
Please refresh AD Administrative Center.

36
00:01:39,740 --> 00:01:44,940
Now, AD DS has begun enabling Recycle Bin for the forest.

37
00:01:44,940 --> 00:01:48,000
It's not going to function reliably until all of our

38
00:01:48,000 --> 00:01:50,450
DCs have successfully replicated.

39
00:01:50,450 --> 00:01:51,950
That's a good point to consider.

40
00:01:51,950 --> 00:01:53,940
So let's refresh our view.

41
00:01:53,940 --> 00:01:55,600
And I don't know if you saw that happen,

42
00:01:55,600 --> 00:01:58,910
but we now have a new container in ADAC.

43
00:01:58,910 --> 00:02:00,080
Now, the reason,

44
00:02:00,080 --> 00:02:04,210
another reason, actually, why I opened Active Directory Users and Computers

45
00:02:04,210 --> 00:02:07,840
is that even when you're in the Advanced Features view,

46
00:02:07,840 --> 00:02:11,240
you don't see that Deleted Items container.
So it's really

47
00:02:11,240 --> 00:02:15,440
important, not only for your AZ‑801 exam success,

48
00:02:15,440 --> 00:02:18,640
but just in life and industry to know that this is one of those

49
00:02:18,640 --> 00:02:21,940
cases where there is a specific tool for the job.

50
00:02:21,940 --> 00:02:24,430
Now, at this point, there should be nothing in Deleted

51
00:02:24,430 --> 00:02:27,250
Objects because I haven't deleted anything yet.

52
00:02:27,250 --> 00:02:29,440
But I'm going to change that right now.

53
00:02:29,440 --> 00:02:32,860
Let's take a look here at my Users list and see if I can find one.

54
00:02:32,860 --> 00:02:34,900
I've got this Taylor Admin person.

55
00:02:34,900 --> 00:02:37,830
I'm going to right‑click. I'm going to delete that user.

56
00:02:37,830 --> 00:02:40,670
Boom. Potentially catastrophic, right? Well,

57
00:02:40,670 --> 00:02:41,780
not so fast.

58
00:02:41,780 --> 00:02:45,300
We can, as long as we're within our tombstone lifetime,

59
00:02:45,300 --> 00:02:49,300
we can see that account show up under Deleted Objects, and we

60
00:02:49,300 --> 00:02:53,860
can restore to the object's original location, or we can restore

61
00:02:53,860 --> 00:02:56,540
to a custom location here instead.

62
00:02:56,540 --> 00:03:00,350
Maybe I want to restore Taylor to the Staff organizational

63
00:03:00,350 --> 00:03:03,250
unit rather than the Users container.

64
00:03:03,250 --> 00:03:06,820
Now that may very well have implications with Group Policy.

65
00:03:06,820 --> 00:03:08,880
We want to consider that as well.

66
00:03:08,880 --> 00:03:10,830
Nice. Pretty easy, huh?

67
00:03:10,830 --> 00:03:15,860
Now, let's take a look at things like Restartable AD DS and

68
00:03:15,860 --> 00:03:17,660
the question of authoritative restore.

69
00:03:17,660 --> 00:03:20,790
I'm not actually going to demo an authoritative restore because it's

70
00:03:20,790 --> 00:03:25,320
not necessary now that we have the Recycle Bin, and even offline

71
00:03:25,320 --> 00:03:29,750
compaction of the AD database isn't particularly relevant anymore

72
00:03:29,750 --> 00:03:35,170
given that we have Restartable AD DS. So let me open up MSConfig.

73
00:03:35,170 --> 00:03:39,360
Actually, let's do the restartable first. I want to do things in

74
00:03:39,360 --> 00:03:41,110
ascending order of impact.

75
00:03:41,110 --> 00:03:44,650
I'm hoping not to have to reboot this DC, but you know I'm going to

76
00:03:44,650 --> 00:03:49,320
have to. Let me open up an elevated PowerShell console, and let me

77
00:03:49,320 --> 00:03:52,840
quickly go into properties and adjust the font so we can see what

78
00:03:52,840 --> 00:03:55,040
we're doing a little bit better here.

79
00:03:55,040 --> 00:04:00,030
Now, as I showed you, you can use the old net command to stop,

80
00:04:00,030 --> 00:04:02,750
not only Active Directory Domain Services,

81
00:04:02,750 --> 00:04:07,850
but those other dependent services that I mentioned before. Now notice

82
00:04:07,850 --> 00:04:14,000
that the default answer to the confirmation prompt is No, but I'm going to override that with Yes.