Monday, October 6, 2008

What are lingered objects?

LingeringObjects are introduced by DCs/GCs that have been offline or failed to replicate for the tombstone lifetime.

Tombstone, when object is deleted in active directory it becomes tombstone, the tombstone is used to replicate the deletion throughout the Active Directory environment

Let's say we have DC1 and DC1 and they are replication partners. Because AD is multimaster replication model when any objects gets created in DC1 has to replicate DC2 and .DIT database on both DC become consistent (KCC is the process makes the replication among domain controllers)

On DC1 I created user account and KCC-----à replicated this information to the DC2. I have taken DC2 offline, let's say about 2 weeks and there were 50 users got deleted on DC1. The DC1 will mark these users as deleted users. The object attribute is "IsDeleted" set to "true". This indicated object has been marked for deletion and will be removed from Active directory database.

The DC2 is offline more than 180 Days; the server must not brought back to production network. At this point the server needs to be re-baseline and active directory needs to be uninstalled from the Domain controller.

The DC promo must be run with /forceRemoval switch and after uninstalling AD from the domain controllers, the NTFSUTIL must be used to clean up (meta data cleanup)the production domain and allow replication to occur the changes and DCPromo in the DC2 if you still need it, would be the process.

Why wouldn't AD delete them right away? Because if there is no information about deletion of the object how would the other domain controllers would know what to do with same object? How about recovery, be possible if there was a need for this object to be recovered and it is not there.


  • Object got deleted
  • The directory service moves tombstoned objects to the Deleted Objects container
  •  they remain until the garbage collection process removes the objects
  • The garbage collection process by default runs every 12 hours on a DC
  • Tombstone life time is set to 60 days windows 2000/2003
  • 180 days windows 2003 SP1
  • The tombstone lifetime must be significantly longer than the garbage collection frequency to ensure that deletion of objects is replicated to other DCs.

One of the nice futures with windows 2008 is to ability to turn the future on "Protect object from accidental deletion", you need to click on View and turn on the advance futures to see the option.

This is a great and smart option in my opinion, and will prevent mistakes if this attribute is turned on. If administrator is still deleting an object while this attribute is turned on (unselecting this prevention) this will be no more mistake and will be intentional afford in my opinion

Before this if we have to achieve same results we needs to go to top of the domain and add everyone into security permissions for this object and all child objects and deny delete and delete subtree as it is explained in the article below.



--Oz Ozugurlu

MVP (Exchange) MCITP (EMA),

MCITP (SA) MCSE 2003, M+, S+,

MCDST, Security+, Project +, Server +


No comments: