Skip to content

Directory Object Deletion and the restore “domino effect + little bit about the concept of the Active Directory Recycle bin | Part 2#23

In the current article, we continue to review different concepts and components that relate and involved throughout the process of restoring Exchange Online mailbox.
We will start by describing a concept which I define as “Falling domino effect,” that relates to the chain of an event in an Office 365 based environment when a “deletion action” is executed, and when a “restore operation” is executed.

In the second part of the article, I would like to briefly review the concept of – “recycle bin” in On-Premises environment and Office 365 based environment.

“Falling domino effect” and the relationship between user account and Exchange mailbox

When we say that – a user has an Exchange mailbox (consider as the owner of the Exchange mailbox), we can say that there is a “binding” or “link” that connects the user to his Exchange mailbox and vice versa.

  • When the connection between a user and his Exchange mailbox is disconnected, the “detachment” is causing a chain or reactions.
  • In case that the connection between user and his Exchange mailbox reconnected (restore event) the “re-attachment,” is causing a chain or reactions.

I describe this phenomenon as – “Falling domino effect” because, when a specific action realized, the action will start a chain of events such as event A that lead to event B that lead to event C and so on.

Q1: What happened in the case that we “break” the connection which exists between a user and his Exchange Online mailbox by deleting the mailbox owner user account?

A1: in this case, the concept of the “Falling domino effect” will be realized in the following way:

  • A deletion of a user account that considers as the owner of an Exchange Online mailbox will lead to a deletion of the Exchange Online mailbox that was “owned” by the user.
  • A deletion of an Exchange Online mailbox that has an “owner,” will lead to a scenario in which the “owner” (the user account) will also be deleted.

Q2: What happened in a restore scenario in which we restore one spouse deleted?

A2: The concept of the “Falling domino effect” will also be realized in the event of “restoration.”

For example, when we restore the user account that was the owner of a particular Exchange Online mailbox, the Soft Deleted Exchange Online mailbox will be restored “together” with the user account and automatically “linked” back to a user account.

The reverse process in which we restore Exchange Online mailbox is more complicated. In most of the “Exchange Online mailbox restore” scenarios, the initialization of the restores processes will start by restoring the associated user account.

How does a “deletion event” is affecting user object and mailbox object

The term “deletion event”, relate to two optional object deletion scenarios:

  1. Active Directory user account deletion
  2. Exchange mailbox deletion

The relationship which exists between user object and mailbox object in a “deletion event,” are similar to the Shakespeare’s play – Romeo and Juliet, in which when one of the lovers dies, the other spouses committed suicide.

When one spouse dies (deleted), the death of the “spouse”, causing the death (deletion) of the other spouse

Scenario 1 – user account is deleted

In case that the Active Directory user account, consider as the owner of a particular Exchange mailbox, and the user account deleted, the consequence will be – a deletion of the Exchange mailbox.

I’m not sure regarding the exact logic of this “projection, ” but I assume that the logic was that – if we delete an Active Directory user account, we probably want to delete or remove, all the data that were related to this user such as – Exchange mailbox.

The relationship which exists between user object and mailbox object - Active Directory User account Deletion event -01

Scenario 2 – Exchange mailbox is deleted

In this case, an Exchange mailbox deleted, the consequence will be – a deletion of the Active Directory user account that considers as the mailbox owner.

Note: As mentioned, in Exchange on-Premises we can use the option of – “Disable mailbox” if we don’t want to delete the Active Directory user account that is associated with the Exchange mailbox.

And again, I’m not sure that I fully understand the logic of the “chain of events.”
My opinion is that – technically, there is no logic reason for the process of – deleting a user account when his Exchange Online mailbox is deleted.

Despite this strange behavior, it’s important to emphasize that this is “the way things happen” in Exchange Online and Active Directory environment.

The relationship which exists between user object and mailbox object - Exchange mailbox Deletion event -02

How does a “Restore event” is affecting user object and mailbox object

The exciting news is that – the phenomenon which I describe as – “Falling domino effect,” will be realized also in a “restore scenario.”

Scenario 1 – user account is restored

In case that the user account that considers as the owner of a particular Exchange mailbox restored, the consequence is that the Deleted Exchange Online that associated with the user account will also restore.

Directory User account restore event

Scenario 2 – Exchange mailbox is restored

I will not go into a detailed description of this scenario in which we restore Exchange Online mailbox. Generally speaking, in Office 365 and Exchange Online based environment in a scenario in which we start the restore process by restoring the deleted Exchange mailbox, the restore process implemented in one of the following methods

  1. Restore Exchange Online + create a new user account

In this method, the restored Exchange Online mailbox will be “attached” to a NEW user Office 365 user account that will be created as the result of the Exchange Online mailbox restore process.

  1. Restore the content of the Exchange Online deleted mailbox

In this method, we don’t restore the deleted Exchange Online mailbox, but instead, “fetch” the content of the deleted Exchange Online (the mail items) and copy the data to another “active Exchange Online mailbox.

The concept of Recycle bin in the Microsoft-based environment

Along the current article series, we will mention the term recycle bin dozens of times. So, I think it’s worth elaborating on this concept.

In the older days, when we say that we need to “restore” user account or restore an Exchange mailbox, the meaning was – restore information from a backup tape.

For those of us, who had the pleasure to experience restore data from backup tapes, and especially restore an Exchange mailbox, then we can say that the experience was not very pleasant!

To be able to provide a quick and efficient solution for the need for restoring data, the concept of “Recycle bin” was invented.

The “Recycle bin” can provide salvation for the scenario of – “Oops; I have a feeling I accidentally deleted something that I didn’t want to delete.”

For example, Office 365 environment and Directory synchronization environment are putting up a very complicated relationship between On-Premises Active Directory user objects, and Office 365 directory and Exchange Online infrastructure.

An innocent action of – deleting On-Premise Active Directory user account, can cause a chain of events, which will lead to the deletion of Office 365 user account and Exchange Online mailbox.

In this case, the “Recycle bin,” can enable us to “fix” the mistake that executed very easily.

The main concept of the “recycle bin mechanism” is, to provide a temporary store, for deleted objects.

In case that we need to restore one of this object, we can access this unique store, instead of dealing with a complex operation of restoring data from backup infrastructure.

What is the real meaning of deleted

When we use the term such as “deleted user account” or, “deleted Exchange mailbox,” in the first phase the object (mailbox, user account and so on) is not really “distorted” (deleted) and lost forever!

Instead, the “deleted object” sent to a temporary store that provides the administrator a “grace period,” period,” in which the object can retrieve (restored), and turn into “active object.”

Generally speaking, the concept of – “Recycle bin” is not unique only to Active Directory and Exchange infrastructure. For example, SharePoint infrastructure uses the concept of the recycle bin for storing files that were deleted by the users.

The concept of – “limited lifetime” of the deleted objects stored in the recycle bin

As mentioned, the “Recycle bin store,” serve as a temporary store for deleted objects.

We use the term “temporary storage” because by default, each object that is “sent” to the recycle bin, have limited “lifetime.”

The reason for the limited lifetime is – to prevent a scenario in which the recycle bin store will grow excessively.

In case that the “grace period” for a deleted object that’s stored in the recycle bin is expired, the object will be permanently deleted or in other words, will be removed from the store of the recycle bin.

The concept of tombstone

When Active Directory or Exchange object deleted, the formal definition for this
the object is – a tombstone object.

We can relate to the term “Tombstone”, as a method that Active Directory or Exchange uses for “stamping” an object that declares publicly as a “deleted object.”

The term “tombstone,” define the “lifetimes of the object.”
In other words, define the period in which the object will be kept in the recycle bin.

The deleted items “lifetime” policy

The time in which the deleted objects will keep in the recycle bin defined by a policy.
For example,

Active Directory recycle bin, uses the following value – tombstoneLifetime or msDS-deletedObjectLifetime in Windows Server 2008 R2 for defining the maximum age in which deleted objects will be stored in the recycle bin.

In Exchange based environment, the policy defends as – mailbox retention period.

The concept of Garbage collection

As mentioned in the previous section, by default, each object that sent to the recycle bin store, is stamped as a “tombstone object,” and have a limited lifetime.

The Recycle Bin includes a built-in mechanism that “scan” all the object stored in the recycle bin, looking upon an object that the lifetime period end.

The mechanism which implements this policy defined as – Garbage collection.

The Garbage collection process, “scan” the “Recycle bin store.” In case that it “notice” that a tombstone object reaches the age of his “grace time,” the Tombstone object will be permanently deleted.

Exchange recycle bin

Each Exchange server is configured to use the recycle bin store automatically.

Each time that we deleted Exchange mailbox, the mailbox is sent to the Exchange recycle bin.
We will be able to restore the deleted Exchange mailbox, as long as the deleted mailbox age didn’t reach the “grace period.”

  • In Exchange on-Premises environment, the Exchange administrator can set the length of time in which the mailbox will be saved in the Recycle Bin.
  • In Exchange Online environment, the period, which the mailbox kept in the Exchange Recycle bin, is the predefined value that cannot be “change.”
    In Exchange Online environment, a deleted mailbox will stay in the “Recycle bin store” for a period of 30 days.

Exchange Online and inactive mailbox

Exchange Online based environment, provide us a “detour” to the limitation of “30-day days retention policy” that applied on – deleted Exchange mailboxes, by using a feature named – inactive mailbox.

Inactive mailbox, provide us a detour to the limitation of 30 days retention policy

An inactive mailbox is a term that defines a particular Exchange Online mailbox; that was “stamped” or “flagged” as a mailbox that will not be deleted by a garbage collection process when the mailbox reaches the age of “30 days.”

The inactive mailbox considers as a “protected mailbox” because, before the mailbox deleted, the Exchange Online Administrator assign to the mailbox the option of –Litigation hold or In-Place hold.

In this case, the inactive mailbox will “live” for the period that defined by the Litigation hold or In-Place hold policy.

The term Soft deleted vs. Hard deleted

In the previous section, we describe the mechanism in which some deleted objects are not deleted immediately, but instead, sent to the temporary store which described as – Recycle bin.

Soft deleted

The technical term that we use for describing the operation in which an object sent to the Recycle bin is – Soft deletion.

We can describe the objects that resides in the recycle bin as “Soft deleted.”
The reason for using the term “Soft” is because, the object is not deleted and instead, just stored in a different location (Recycle bin) which enables us to restore the deleted object to his original location.

Hard deleted

The technical term that we use for describing an object that reaches the “time limitation” in which objects kept in the recycle bin + deleted from the recycle bin described as – Hard deleted.

The reason for using the term “Hard” is because, the object that removed from the recycle bin permanently deleted, and cannot be restored!

Soft deleted and Hard deleted in Office 365 and Exchange Online environment

In the following section, I would like to review the characters of Soft deleted briefly, and Hard deleted events, in Office 365 and Exchange Online environment.

Soft deleted Exchange Online mailbox

In case that Exchange Online mailbox deleted, the mailbox will be stored in the Exchange Online Recycle bin.

Exchange Online, enable us to view the content of the Exchange Online recycle bin, via Exchange Online admin center (by using a graphic interface). Other option is by using a PowerShell command, that displays a list of Soft deleted Exchange Online mailboxes (Get-Mailbox -SoftDeletedMailbox)

When the Exchange Online mailbox is “deleted” (Soft Deleted), the following mailbox properties are updated:

  • The value of the Exchange Online mailbox the propriety – IsSoftDeletedByRemove is set to True
  • The value of the Exchange mailbox propriety – WhenSoftDeleted is populated with the specific time, which the Exchange Online mailbox was deleted.

The Exchange Online Recycle bin retention policy is configured to store Soft deleted object over a period of 30 days.
Over the “30-day period,” day period,” the Soft Deleted mailbox, consider as “Fully recoverable” meaning – all the data stored in the Soft Deleted mailbox and all the Soft Deleted mailbox properties kept.

At the end of this period, the object (Exchange Online mailbox) will be permanently deleted.

An Exchange Online Soft deleted mailbox, considers as a mailbox without an owner.
When we restore the Soft deleted Exchange Online mailbox, we can associate the restored mailbox with the “original owner” or associated the restored mailbox with a new Windows Azure Active Directory user account.

The meaning of Soft Deleted Exchange mailbox -01

Soft deleted Windows Azure Active Directory user account

The concept of Soft Deleted Windows Azure Active Directory user account is similar to the concept of – Soft deleted Exchange Online mailbox.

When an Azure Active Directory user account deleted, the user account saved in the Azure Active Directory Recycle bin for a limited period of 30 days.

All the Soft Deleted Azure Active Directory user account properties saved, and in case that we restore the user account; the restored user will include all the user properties.

Azure Active Directory, enable us to view the content of the Azure Active Directory Recycle bin via the Azure Active Directory admin center (by using a graphic interface) or, by using a PowerShell command, that displays a list of Soft deleted Exchange Online mailboxes
(Get-MsolUser -ReturnDeletedUsers).

When the Active Directory user account is “deleted” (Soft Deleted), the following user account property is updated:

  • The value of the Exchange mailbox propriety – SoftDeletionTimestamp , is populated with the specific time, which the Windows Azure Active Directory user account was deleted.
The meaning of Soft Deleted Active Directory user account -02

Hard deleted Windows Azure Active Directory user account and Exchange Online mailbox

The term “Hard Deleted” define Azure Active Directory user account or an Exchange Online mailbox that was Soft deleted, and reaches the age of 30 days.

In this case, the Azure Active Directory user account or the Exchange Online mailbox considers as Hard deleted, the information about the user or the Exchange Online mailbox will be lost forever because the objects permanently deleted.

Note – at the current time, Office 365 and Exchange Online doesn’t offer any option for viewing the Hard-deleted object list.

The meaning of “Hard Deleted“ user account or Exchange mailbox -03

Life Cycle of a deleted mailbox | Exchange Online environment

In the following diagram, we can see a representation of the Exchange Online mailbox life cycle that end as – “Hard Deleted mailbox.”

Phase 1#3 – The Exchange Online mailbox begin as an “Active mailbox.”

Phase 2#3 – in case that the Exchange mailbox deleted, the activate Exchange Online mailbox status is considered as “Soft Deleted mailbox.” The “Soft Deleted mailbox” is sent to the Exchange Online Recycle bin, and stay there for 30 days.

Phase 3#3 – in case that after 30 days, nobody tries to recover the “Soft Deleted mailbox,” the status of the “Soft Deleted mailbox” changed to “Hard Deleted mailbox.”

Life Cycle of a deleted mailbox Exchange Online environment

The “visibility” of soft deleted and hard deleted objects

In this section, I would like to briefly review the subject of the “visibility” of Soft Deleted and Hard Deleted objects such as – Azure Active Directory user accounts and Exchange Online mailboxes.

When an active Exchange Online mailbox is Soft deleted, and the mailbox is sent to the Exchange Online Recycle bin, the Soft deleted is not accessible for standard Exchange Online user.

For example, a standard Exchange Online recipient cannot send E-mail to a recipient whom his mailbox was soft deleted or continue to have access to a mailbox that was Soft deleted.

The only “entity” that has access to the Exchange Online recycle bin is the Exchange Online administer. Exchange Online administrators can restore the Soft deleted Exchange Online mailbox or restore information from the Soft Deleted mailbox.

The visibility of Exchange mailbox

The multiple recycles bins in Directory synchronization environment

As we know, Active Directory uses the mechanism of “Recycle Bin,” Bin”, and Exchange also uses the mechanism of Recycle Bin.

In the next articles in our series of articles, we will review many aspects of the environment which described as “Directory synchronization environment.”
In a nutshell, a Directory synchronization environment describes a combination of Exchange on-Premises environment + Office 365 environment.

For example, Exchange Hybrid environment describes a scenario in which we use two separate environments – the On-Premise infrastructure + cloud infrastructure and combine these two separate environments, so they will operate as one logic unit.

In a scenario of Mixed + Directory synchronized environment, we have four different recycle bin infrastructures:

Exchange on-Premises environment

  1. On-Premise Active Directory recycle bin
  2. Exchange on-Premises recycle bin

Cloud environment

  1. Azure Active Directory recycle bin
  2. Exchange Online recycle bin

The reason for mentioning this “complicated recycle bin infrastructure” is because, later, when we review a “deletion scenario” in the Directory synchronized environment, it’s important that we will be aware of all the “components” that involved throughout the process.

For example, in case that an On-Premise Active Directory user account was configured to use an Exchange remote mailbox, and this user account deleted, the “deletion” of the On-Premise Active Directory user account, create a chain of events, in which the user account and the user Exchange mailbox will “appear” in four different Recycle bins.

In the following diagram, we can see the “recycle bin infrastructure” in the Mixed + Directory synchronized environment.

The relationship that exists between deleted objects - Hybrid and Synchronized environment

The next article in the current article series

What are the possible causes for an Exchange Online mailbox deletion? | Part 3#23

o365info Team

o365info Team

This article was written by our team of experienced IT architects, consultants, and engineers.

This Post Has 0 Comments

Leave a Reply

Your email address will not be published. Required fields are marked *