Step 1: Enable Active Directory Recycle Bin

Updated: February 28, 2011

Applies To: Windows Server 2008 R2

This step provides instructions for the following tasks:

Raising the forest functional level

You can enable Active Directory Recycle Bin only if the forest functional level of your environment is set to Windows Server 2008 R2. You can raise the forest functional level by using the following methods:

  • Set-ADForestMode Active Directory module cmdlet

    Note
    The Active Directory module for Windows PowerShell in Windows Server 2008 R2 is a Windows PowerShell™ module (named Active Directory) that consolidates a group of cmdlets. You can use these cmdlets to manage your Active Directory domains, Active Directory Lightweight Directory Services (AD LDS) configuration sets, and Active Directory Database Mounting Tool instances in a single, self-contained package. For more information, see What's New in AD DS: Active Directory Module for Windows PowerShell (http://go.microsoft.com/fwlink/?LinkID=140056).

  • Ldp.exe

Membership in Enterprise Admins, or equivalent, is the minimum required to complete these procedures. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (http://go.microsoft.com/fwlink/?LinkId=83477).

To raise the forest functional level to Windows Server 2008 R2 using the Set-ADForestMode cmdlet

  1. Click Start, click Administrative Tools, right-click Active Directory Module for Windows PowerShell, and then click Run as administrator.

  2. At the Active Directory module for Windows PowerShell command prompt, type the following command, and then press ENTER:

    Set-ADForestMode [-Identity] <ADForest> [-ForestMode] <ADForestMode>

    To set the forest functional level to Windows Server 2008 R2, type Windows2008R2Forest for <ADForestMode>.

    For example, to set the forest functional level of contoso.com to Windows Server 2008 R2, type the following command, and then press ENTER:

    Set-ADForestMode -Identity contoso.com -ForestMode Windows2008R2Forest

For more information about the Set-ADForestMode cmdlet, at the Active Directory module for Windows PowerShell command prompt, type Get-Help Set-ADForestMode, and then press ENTER.

Note
You can use the Set-ADObject cmdlet to raise the functional level of an AD LDS configuration set. For example, to raise the functional level of an AD LDS configuration set on a local AD LDS server, where the distinguished name of the AD LDS configuration directory partition is CN=Configuration,CN={32E430E4-42D3-4663-BCA7-5F5DFDC898}, use the following cmdlet:

Set-ADObject -Identity 'CN=Partitions,CN=Configuration,CN={32E430E4-42D3-4663-BCA7-5F5DFDC898}' -Replace @{'msds-Behavior-Version'=4} -Server localhost:50000

To raise the forest functional level to Windows Server 2008 R2 using Ldp.exe

  1. To open Ldp.exe, click Start, click Run, and then type ldp.exe.

  2. To connect and bind to the server that hosts the forest root domain of your AD DS environment, under Connection, click Connect, and then click Bind.

  3. Click View, and then click Tree. In BaseDN, select the configuration directory partition, and then click OK.

  4. In the console tree, double-click the distinguished name (also known as DN) of the configuration directory partition, and then navigate to the CN=Partitions container.

  5. Right-click the CN=Partitions container’s distinguished name, and then click Modify.

  6. In the Modify dialog box, in Edit Entry Attribute, type msDS-Behavior-Version.

  7. In the Modify dialog box, in Values, type 4 (the value of the Windows Server 2008 R2 forest functional level).

  8. In the Modify dialog box, under Operation click Replace, click Enter, and then click Run.

Enabling Active Directory Recycle Bin

After the forest functional level of your environment is set to Windows Server 2008 R2, you can enable Active Directory Recycle Bin by using the following methods:

Note
In this release of Windows Server 2008 R2, the process of enabling Active Directory Recycle Bin is irreversible. After you enable Active Directory Recycle Bin in your environment, it cannot be disabled.

Membership in Enterprise Admins, or equivalent, is the minimum required to complete these procedures. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (http://go.microsoft.com/fwlink/?LinkId=83477).

To enable Active Directory Recycle Bin using the Enable-ADOptionalFeature cmdlet

  1. Click Start, click Administrative Tools, right-click Active Directory Module for Windows PowerShell, and then click Run as administrator.

    Warning
    If you do not use the Active Directory Module for Windows PowerShell to run the following commands, you will see errors. If you prefer to run the following commands from Windows PowerShell directly, first import the Active Directory module by running the following command: import-module activedirectory

  2. At the Active Directory module for Windows PowerShell command prompt, type the following command, and then press ENTER:

    Enable-ADOptionalFeature -Identity <ADOptionalFeature> -Scope <ADOptionalFeatureScope> -Target <ADEntity>

    Note
    The distinguished name (also known as DN) of Active Directory Recycle Bin is CN=Recycle Bin Feature,CN=Optional Features,CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=<mydomain>,DC=<com>, where <mydomain> and <com> represent the appropriate forest root domain name of your Active Directory Domain Services (AD DS) environment.

    For example, to enable Active Directory Recycle Bin for contoso.com, type the following command, and then press ENTER:

    Enable-ADOptionalFeature -Identity 'CN=Recycle Bin Feature,CN=Optional Features,CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=contoso,DC=com' -Scope ForestOrConfigurationSet -Target 'contoso.com'

Note
You can also use the Enable-ADOptionalFeature cmdlet to enable Active Directory Recycle Bin in an AD LDS environment. For example, to enable Active Directory Recycle Bin on a local AD LDS server, where the distinguished name of the AD LDS configuration directory partition is CN=Configuration,CN={372A5A3F-6ABE-4AFD-82DE-4A84D2A10E81}, use the following cmdlet:

Enable-ADOptionalFeature 'recycle bin feature' -Scope ForestOrConfigurationSet -Server localhost:50000 -Target 'CN=Configuration,CN={372A5A3F-6ABE-4AFD-82DE-4A84D2A10E81}'

For more information about the Enable-ADOptionalFeature cmdlet, at the Active Directory module for Windows PowerShell command prompt, type Get-Help Enable-ADOptionalFeature, and then press ENTER.

To enable Active Directory Recycle Bin using Ldp.exe

  1. To open Ldp.exe, click Start, click Run, and then type ldp.exe.

  2. To connect and bind to the server that hosts the forest root domain of your AD DS environment, under Connection, click Connect, and then click Bind.

  3. Click View, and then click Tree. In BaseDN, select the configuration directory partition, and then click OK.

  4. In the console tree, double-click the distinguished name of the configuration directory partition, and then navigate to the CN=Partitions container.

  5. Right-click the CN=Partitions container’s distinguished name, and then click Modify.

  6. In the Modify dialog box, make sure that the DN box is empty.

  7. In the Modify dialog box, in Edit Entry Attribute, type enableOptionalFeature.

  8. In the Modify dialog box, in Values, type CN=Partitions,CN=Configuration,DC=mydomain,DC=com:766ddcd8-acd0-445e-f3b9-a7f9b6744f2a. Replace mydomain and com with the appropriate forest root domain name of your AD DS environment.

    Note
    766ddcd8-acd0-445e-f3b9-a7f9b6744f2a is the Active Directory Recycle Bin globally unique identifier (GUID).

    To verify the Active Directory Recycle Bin GUID, navigate to the CN=Recycle Bin Feature,CN=Optional Features,CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=mydomain,DC=com container (replace mydomain and com with the appropriate forest root domain name of your AD DS environment), and in the details pane, locate the value of the msDS-OptionalFeatureGUID attribute.

  9. In the Modify dialog box, under Operation click Add, click Enter, and then click Run.

  10. To verify that Active Directory Recycle Bin is enabled, navigate to the CN=Partitions container. In the details pane, locate the msDS-EnabledFeature attribute, and confirm that its value is set to CN=Recycle Bin Feature,CN=Optional Features,CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=mydomain,DC=com, where mydomain and com represent the appropriate forest root domain name of your AD DS environment.
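The preconditions, the change and the verification from the two procedures above, combined into one script as an added example (not code from the original article). The function name, the -Apply switch and the choice to send the request to the Domain Naming Master (taken from the reader comments on this page) are assumptions.

```powershell
# Added example; not the article's own code. Requires the ActiveDirectory module
# and, per the article, Enterprise Admins membership in an elevated session.
Import-Module ActiveDirectory

function Enable-RecycleBinChecked {
    param(
        [Parameter(Mandatory = $true)][string]$ForestName,  # e.g. contoso.com
        [switch]$Apply  # hypothetical switch: without it the change is only simulated
    )
    # Recycle Bin feature GUID as given in the article.
    $recycleBinGuid = [guid]'766ddcd8-acd0-445e-f3b9-a7f9b6744f2a'

    $forest = Get-ADForest -Identity $ForestName
    # Assumption drawn from the comments on this page: target the Domain Naming
    # Master so the request is not answered with a referral.
    $dc = $forest.DomainNamingMaster

    # Precondition 1: CN=Partitions must carry msDS-Behavior-Version 4
    # (the article's value for the Windows Server 2008 R2 forest level).
    $partitions = Get-ADObject -Identity $forest.PartitionsContainer -Server $dc `
        -Properties 'msDS-Behavior-Version', 'msDS-EnabledFeature'
    $level = $partitions.'msDS-Behavior-Version'
    if ($level -lt 4) {
        throw "Forest functional level is '$level'; raise it to Windows2008R2Forest (4) first."
    }

    # Precondition 2: the feature object must be the one the article identifies.
    $feature = Get-ADOptionalFeature -Identity 'Recycle Bin Feature' -Server $dc
    if ($feature.FeatureGUID -ne $recycleBinGuid) {
        throw "Unexpected feature GUID $($feature.FeatureGUID) on $($feature.DistinguishedName)."
    }

    # Enabling is irreversible, so do nothing when the feature is already on.
    $already = $partitions.'msDS-EnabledFeature' -contains $feature.DistinguishedName
    if (-not $already) {
        # Without -Apply this runs with -WhatIf and changes nothing.
        Enable-ADOptionalFeature -Identity $feature -Scope ForestOrConfigurationSet `
            -Target $forest.Name -Server $dc -WhatIf:(-not $Apply)
    }

    # Verification, as in step 10 of the Ldp.exe procedure: re-read CN=Partitions.
    $after = Get-ADObject -Identity $forest.PartitionsContainer -Server $dc `
        -Properties 'msDS-EnabledFeature'
    New-Object PSObject -Property @{
        Forest             = $forest.Name
        DomainNamingMaster = $dc
        BehaviorVersion    = $level
        WasAlreadyEnabled  = $already
        EnabledNow         = ($after.'msDS-EnabledFeature' -contains $feature.DistinguishedName)
    }
}

# Dry run against the article's sample forest name; add -Apply to make the change.
Enable-RecycleBinChecked -ForestName 'contoso.com'
```

With -Apply, Enable-ADOptionalFeature still asks for confirmation before it makes the change.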

Community Content
do it on the Schema Master or with -server { DC that has Schema Master}      Zaid Takieddine
do it on the Schema Master or with -server { your server name DC that has Schema Master} or you will get this error
Error      Moyenda ... Stanley Roark

My error comes up saying:

The term 'Enable-ADOptionalFeatures' is not recognized as a cmdlet, function, o
perable program, or script file. Verify the term and try again.
At line:1 char:26
+ Enable-ADOptionalFeatures <<<< -Identity `CN=Recycle Bin Feature,CN=Optional
Feature,CN=Directory Service,CN=Windows NT,CN-Services,CN=Configuration, DC=bl
akesel,DC=com' -scope ForestOrConfiguration -Target 'blakesel.com
+ CategoryInfo : ObjectNotFound: (Enable-ADOptionalFeatures:Strin
g) [], CommandNotFoundException
+ FullyQualifiedErrorId : CommandNotFoundException

I wonder if anyone experiences the same,

Edit: Kristofer Ohman
Change your -scope record to Forest

Error      Marc Medina ... Stanley Roark
Trying to use ldp.exe as described, I get this response:


***Call Modify...
ldap_modify_s(ld, '(null)',[1] attrs);
Error: Modify: Unwilling To Perform. <53>
Server error: 00000057: LdapErr: DSID-0C0420F1, comment: Error in attribute conversion operation, data 0, v1db0
Error 0x57 The parameter is incorrect.

The value I used was: CN=Partitions,CN=Configuration,DC=earth,DC=biz:766ddcd8-acd0-445e-f3b9-a7f9b6744f2a

Mark, I got the same error - until I cleared the DN.
Hope that helps.
enable recycle bin for sub-domain      Eyal Saadon ... Stanley Roark

I have a root domain and a sub domain

I enable the Recycle Bin in the root domain, but I don't know how to enable it in the sub domain

It seems that the "–Scope ForestOrConfigurationSet" parameter isn't suitable here

Any idea?

FullyQualifiedErrorID : The functional level of the domain or forest-      helstar ... Stanley Roark
FullyQualifiedErrorID : The functional level of the domain or forest- cannot be raised to the requested value, because there exist one or more domain controllers in the domain or forest that are at a lower incompatible functional level, Microsoft.ActiveDirectory.Management.Commands.SetADForestMode.

Above is the error I received. My query is: can I functionally raise the domain or forest within the one controller? I have 4 domain controllers, but only one of them is fully HW capable of Windows R2. All other controllers are Windows 2008 servers = (3) W2K8 + (1) W2K8-R2 --- Any help on this issue is greatly appreciated. Thank you.
Referral Error      master5hake
I had the schema master and domain naming master roles in different domains. After transferring the schema master role back to the same DC as the Domain Naming Master the command completed successfully. I am not sure if it was because they were on different DC's or different domains. If you are getting this error you may want to try putting all of the roles on the same DC.
Give some error      sudhera
Enable-ADOptionalFeature : The specified method is not supported
At line:1 char:25
+ Enable-ADOptionalFeature <<<<  -Identity `CN=Recycle Bin Feature,CN=Optional
Features,CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=cel
lad,DC=int' -Scope ForestOrConfigurationSet -Target `cellad.int'
    + CategoryInfo          : NotSpecified: (CN=Recycle Bin ...C=cellad,DC=int
   :ADOptionalFeature) [Enable-ADOptionalFeature], ADException
    + FullyQualifiedErrorId : The specified method is not supported,Microsoft.
   ActiveDirectory.Management.Commands.EnableADOptionalFeature





i run in to domain admin
Response to error      test person
Make sure you're running the AD PowerShell module on the DC holding the FSMO roles, otherwise you get a referral error.
Response to error      test person

If you're getting the referral error, make sure you are running the PowerShell module using (or on) the DC that holds the FSMO roles (I am not sure which role it requires).




@MySouthernAccent      btenney
Ran into same problem as you. Ran the command on the domain naming master and it fixed the problem.
Solution to access Denied error      bohlenb

Got the same error as others:

Enable-ADOptionalFeature : Insufficient access rights to perform the operation
At line:1 char:25
+ Enable-ADOptionalFeature <<<< -Identity 'CN=Recycle Bin Feature,CN=Optional
Features,CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration, DC=in
tranet,DC=mydomain,DC=ru' -Scope ForestOrConfigurationSet -Target 'intranet.mydomain.ru
'
+ CategoryInfo : NotSpecified: (CN=Recycle Bin ...t,DC=mydomain,DC=ru
:ADOptionalFeature) [Enable-ADOptionalFeature], ADException
+ FullyQualifiedErrorId : Insufficient access rights to perform the operat
ion,Microsoft.ActiveDirectory.Management.Commands.EnableADOptionalFeature


Confirmed that you need to run AD Powershell Module as Administrator, you also need to make sure you are in Enterprise Admins and Schema Admins. Use double-quotes " instead of single quotes '.


AD Recycle Bin Enable....Help needed pls.      mywindows
Hi there,
I am trying to enable AD RB through Powershell (by running as Admin). I was trying to run the commands

PS C:\> Set-ADForestMode -Identity MyDomain.com -ForestMode Windows2008R2Forest
The term 'Set-ADForestMode' is not recognized as a cmdlet, function, operable program, or script file. Verify the term
and try again.
At line:1 char:17
+ Set-ADForestMode <<<< -Identity MyDomain.com -ForestMode Windows2008R2Forest

PS C:\> Import-Module ActiveDirectory
The term 'Import-Module' is not recognized as a cmdlet, function, operable program, or script file. Verify the term and
try again.
At line:1 char:14
+ Import-Module <<<< ActiveDirectory

It just throws an error. I tried to uninstall & reinstall. Please advise me if I need to install any scripts before running these commands. Hoping to see your messages.
VT.
RE: Error: Insufficient access rights to perform the operation      Mark_Allen_
When you launch the AD Powershell module, you need to right-click and select 'Run as administrator'.
Must be run on the Domain Naming Master Role.      deckard2
Must be run on the Domain Naming Master Role.

Check this from a cmd
netdom query fsmo

Re: Problem adding Recycle Bin Feature      libi_at
Run it on the schema master, then it should work.
Problem adding Recycle Bin Feature      MySouthernAccent
Greetings,

When I run the powershell script to enable the Recycle Bin Feature, I get the following error message.

Enable-ADOptionalFeature : A referral was returned from the server
At line:1 char:25
+ Enable-ADOptionalFeature <<<< -Identity `CN=Recycle Bin Feature,CN=Optional Features,CN=Directory Service,CN=Windows
NT,CN=Services,CN=Configuration, DC=cec,DC=test,DC=edu' -Scope ForestOrConfigurationSet -Target `cec.test.edu'
+ CategoryInfo : NotSpecified: (CN=Recycle Bin ...DC=test,DC=edu:ADOptionalFeature) [Enable-ADOptionalFe
ature], ADException
+ FullyQualifiedErrorId : A referral was returned from the server,Microsoft.ActiveDirectory.Management.Commands.En
ableADOptionalFeature

Anyone have any ideas?

Thanks,
Brian

Error      guardian2000
When running the powershell command I get this error:

Enable-ADOptionalFeature : The specified method is not supported
At line:1 char:25
+ Enable-ADOptionalFeature <<<< -Identity 'CN=Recycle Bin Feature,CN=Optional
Features,CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=domain
,DC=local' -Scope ForestOrConfigurationSet -Target 'domain.local'
+ CategoryInfo : NotSpecified: (CN=Recycle Bin ..,DC=domain,DC=local
:ADOptionalFeature) [Enable-ADOptionalFeature], ADException
+ FullyQualifiedErrorId : The specified method is not supported,Microsoft.
ActiveDirectory.Management.Commands.EnableADOptionalFeature


When I try the ldap option I get this error:

***Call Modify...
ldap_modify_s(ld, '(null)',[1] attrs);
Error: Modify: Unwilling To Perform. <53>
Server error: 00002040: SvcErr: DSID-032109B9, problem 5003 (WILL_NOT_PERFORM), data 0

Error 0x2040 The specified method is not supported.


I am running at 2008 R2 functional level and I am running these steps as administrator. Any suggestions?


Update:
I did not run this command since I assumed it was already done via the GUI. I guess it is more than just raising the functional level?: Set-ADForestMode -Identity r2test.local -ForestMode Windows2008R2Forest

Active Directory Domains and Trusts      Ivan Osipov
For raising functional level of your forest you can use Active Directory Domains and Trusts console. You should click on the right button of your mouse, find Raise Forest Functional Level and click OK.
Thanks for understanding.
Response to Errors      BJax
I was getting a rather nebulous error myself (apologies, did not copy it before fixing it). I then realized that I hadn't activated my 2008 R2 OS yet. After successful Activation and a reboot, I was able to enable the Recycle Bin Feature using the cmdlet above without issue.

Hope that helps...
--BJ
Error: Insufficient access rights to perform the operation      Khrebin Dmitry
Run from "Active Directory Module for Windows PowerShell" with Admin rights.
User is a member of Domain Admins, Schema Admins, Enterprise Admins.
intranet.mydomain.ru is the root domain (one domain forest)

After confirmation that I'm sure to perform this action, I get the next error:

Enable-ADOptionalFeature : Insufficient access rights to perform the operation
At line:1 char:25
+ Enable-ADOptionalFeature <<<< -Identity 'CN=Recycle Bin Feature,CN=Optional
Features,CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration, DC=in
tranet,DC=mydomain,DC=ru' -Scope ForestOrConfigurationSet -Target 'intranet.mydomain.ru
'
+ CategoryInfo : NotSpecified: (CN=Recycle Bin ...t,DC=mydomain,DC=ru
:ADOptionalFeature) [Enable-ADOptionalFeature], ADException
+ FullyQualifiedErrorId : Insufficient access rights to perform the operat
ion,Microsoft.ActiveDirectory.Management.Commands.EnableADOptionalFeature



Gm...
Use " not '
All shall work Ok
or...      Weestro ... Thomas Lee
Just import the AD cmdlets into powershell first:
import-module activedirectory

Now run the cmd again.

Cheers,

Peter
weestro.blogspot.com
Response to error      RandyTu

You need to open the AD Powershell, not the PowerShell Icon on the Shortcut bar at the bottom:

To enable Active Directory Recycle Bin using the Enable-ADOptionalFeature cmdlet

  1. Click Start, click Administrative Tools, right-click Active Directory Module for Windows PowerShell, and then click Run as administrator.
