Sunday, May 11, 2008

WHAT IS THOMBSTONE PROCESS



What is Tombstone process and what happens to these objects is going to be the content of this little article. If you ever wonder what happens when an object gets , deleted in active directory, keep reading this article.

Tombstone Process in a basic way

  • Object got deleted
  • AD marks is as deleted object by setting the objects attribute called "isDeleted" to TRUE ,
  • At the same time, the AD strips most of the attributes from the object
  • Renames the object
  • Moves it to the object, to the special container in the object naming context
  • (NC) named CN= Deleted Objects
  • The object, now called a tombstone
  • Object is no longer visible from ADUC. ( administrators)

Here is the tricky part the Tombstone is visible to the Active Directory replication process. Why is that so? Remember multi-master replication model. In order to make sure the deletion is performed on all the DCs that host the object being deleted, Active Directory replicates the tombstone to the other DCs. Thus the tombstone is used to replicate the deletion throughout the Active Directory environment

I never did understand why it is so painful try to bring deleted object in AD, with build in tools. What I mean is, if we look at third party tools, Quest, Hyena etc, it is couple clicks to bring the deleted object from AD. Anyway, I would love to see the build in capabilities in AD as good as these third part tools or at least some close, but I know it won't happen for some reason (-:

The tombstone lifetime is determined by the value of the TombstoneLifetime attribute on the Directory Service object in the configuration directory partition.

  • Adsiedit
  • Configuration
  • DC name
  • CD=Configuration
  • DC=Forest domain
  • CN=Services
  • CN=Windows NT
  • Right click CN=Directory Service properties
  • The attribute name is TombstoneLifetime

On a domain controller in a forest that was created on a domain controller running Windows Server 2003 with Service Pack 1 (SP1), the default value is 180 days.

On a domain controller in a forest that was created on a domain controller running Windows 2000 Server or Windows Server 2003, the default value is 60 days.

Best Regards,

Oz Ozugurlu

Systems Engineer

MCITP (EMA), MCITP (SA)

MCSE 2003 (M+,S+) MCDST

Security+,Project+,Server+

http://smtp25.blogspot.com


1 comment:

Anonymous said...

its works fine thanks