Things to consider when enabling the AD Recycle Bin

Recycle Bin

#1 Check whether any of your applications use the DirSync LDAP control and, if you are running Windows Server 2008 R2 domain controllers, make sure the NTDS hotfix from KB979214 is applied to them. Enabling the Recycle Bin changes what the DirSync control returns for objects that reference recycled (soft-deleted) objects, and without the hotfix a 2008 R2 DC does not return the deactivated linked attribute values of a modified object.

#2 Read the ASKDS article on best practices for implementing the AD Recycle Bin.

#3 Work out whether any critical applications use the DirSync control and cannot handle the isRecycled attribute state that objects take on after soft deletion.


ILM 2007 unfortunately cannot handle the AD Recycle Bin; FIM 2010 with Update 1 can. ILM 2007 has been out of support for several years now, which on its own should be reason enough to upgrade to at least FIM 2010 R2 or MIM 2016.

Applications likely to be impacted negatively by enabling the AD Recycle Bin are mostly older versions of products that do directory synchronization or monitoring through the DirSync control. Those need to be either retired or updated to a newer version (older GALSync and MIIS instances fall under the same unsupportable umbrella as ILM 2007).


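As an added illustration of checks #1 and #3 (example code written for this post, not taken from the original article or from any Microsoft sample), here is a PowerShell script that first reports whether the Recycle Bin is enabled and whether a DC carries the KB979214 hotfix, then runs a DirSync poll and classifies every returned object as live, deleted or recycled from its isDeleted/isRecycled attributes, which is exactly the state an affected application has to understand. The DC name, naming context and cookie file path are placeholders; the RSAT ActiveDirectory module and an account that can read the domain are assumed.

```powershell
# Added example for this post (not code from the original article).
# Assumes: RSAT ActiveDirectory module (Get-ADOptionalFeature), .NET System.DirectoryServices.Protocols,
# and an account that can read the domain. DC name, naming context and cookie path are placeholders.
Add-Type -AssemblyName System.DirectoryServices.Protocols
Import-Module ActiveDirectory

$dc         = 'dc01.corp.example'      # placeholder; keep polling the same DC, DirSync cookies are per-DC
$baseDn     = 'DC=corp,DC=example'     # placeholder naming context
$cookieFile = Join-Path $env:TEMP 'dirsync.cookie'

# Pre-checks: is the Recycle Bin enabled in this forest, and does the DC have the KB979214 NTDS hotfix?
$feature   = Get-ADOptionalFeature -Identity 'Recycle Bin Feature'
$rbEnabled = ($feature.EnabledScopes.Count -gt 0)
$hotfix    = Get-HotFix -Id 'KB979214' -ComputerName $dc -ErrorAction SilentlyContinue
Write-Host ('Recycle Bin enabled : {0}' -f $rbEnabled)
Write-Host ('KB979214 on {0}: {1}' -f $dc, [bool]$hotfix)

# DirSync search. Without ObjectSecurity the caller needs 'Replicating Directory Changes' on the NC;
# with it, only objects and attributes the caller can read are returned.
$conn = New-Object System.DirectoryServices.Protocols.LdapConnection($dc)
$conn.SessionOptions.ProtocolVersion = 3
$conn.Bind()    # current credentials

$ctrl = New-Object System.DirectoryServices.Protocols.DirSyncRequestControl
if (Test-Path $cookieFile) { $ctrl.Cookie = [IO.File]::ReadAllBytes($cookieFile) }   # no cookie = full sync
$ctrl.Option = [System.DirectoryServices.Protocols.DirectorySynchronizationOptions]::ObjectSecurity

$attrs   = [string[]]@('objectGUID', 'isDeleted', 'isRecycled', 'member')
$summary = [ordered]@{ Live = 0; Deleted = 0; Recycled = 0 }

do {
    $req = New-Object System.DirectoryServices.Protocols.SearchRequest($baseDn, '(objectClass=*)', 'Subtree', $null)
    $req.Attributes.AddRange($attrs)
    [void]$req.Controls.Add($ctrl)
    $resp = $conn.SendRequest($req)

    foreach ($e in $resp.Entries) {
        $a = $e.Attributes
        # Boolean-syntax attributes come back as the strings 'TRUE'/'FALSE'; absent means FALSE.
        $isDeleted  = ($a['isDeleted']  -ne $null) -and ($a['isDeleted'][0]  -eq 'TRUE')
        $isRecycled = ($a['isRecycled'] -ne $null) -and ($a['isRecycled'][0] -eq 'TRUE')
        $guid = New-Object Guid -ArgumentList (,$a['objectGUID'].GetValues([byte[]])[0])

        # The lifecycle an application must understand once the Recycle Bin is on:
        #   live -> deleted (isDeleted=TRUE, restorable) -> recycled (isRecycled=TRUE, not restorable) -> purged
        if     ($isRecycled) { $summary.Recycled++; $state = 'RECYCLED' }
        elseif ($isDeleted)  { $summary.Deleted++;  $state = 'DELETED'  }
        else                 { $summary.Live++;     $state = 'LIVE'     }

        # Link attributes are where KB979214 matters: a consumer has to parse whatever attribute
        # names the DC returns for them (member, member;range=..., ...), not just 'member'.
        $links = @($a.AttributeNames | Where-Object { $_ -like 'member*' } |
                   ForEach-Object { '{0}({1})' -f $_, $a[$_].Count })
        Write-Host ('{0,-8} {1} {2} {3}' -f $state, $guid, $e.DistinguishedName, ($links -join ' '))
    }

    $dsResp = $resp.Controls | Where-Object { $_ -is [System.DirectoryServices.Protocols.DirSyncResponseControl] }
    $ctrl.Cookie = $dsResp.Cookie      # carry the cookie into the next page and the next poll
} while ($dsResp.MoreData)

[IO.File]::WriteAllBytes($cookieFile, $ctrl.Cookie)
Write-Host ('Objects returned -> live: {0}, deleted: {1}, recycled: {2}' -f $summary.Live, $summary.Deleted, $summary.Recycled)
```

Run it once to get a full sync and a saved cookie, delete a test object, and run it again: the second poll returns only the delta and shows that object as DELETED. It moves to RECYCLED only after the deleted object lifetime has elapsed, so an application that never sees isRecycled in testing is not proven safe; the question in check #3 is what it does when that value eventually arrives.
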
Additional links:

Polling for AD Changes using the DirSync control
https://msdn.microsoft.com/en-us/library/windows/desktop/ms677626(v=vs.85).aspx

FIM 2010 Update 1
https://support.microsoft.com/en-us/kb/978864

The DirSync control search does not return the deactivated linked attributes from a modified object in a Windows Server 2008 R2-based domain
https://support.microsoft.com/en-us/kb/979214

Using the DirSync Control
http://blogs.technet.com/b/isrpfeplat/archive/2010/09/20/using-the-dirsync-control.aspx

PowerShell DirSync Sample
http://dloder.blogspot.is/2012/01/powershell-dirsync-sample.html
