Solved

What is a tombstone in Active Directory

Posted on 2014-03-23
3
11,574 Views
Last Modified: 2014-03-27
Not really sure what the tombstone is and when it is important to know / set its value.
0
Comment
Question by:elchermans
  • 2
3 Comments
 
LVL 17

Assisted Solution

by:WORKS2011
WORKS2011 earned 150 total points
Comment Utility
What Is a Tombstone?
When Active Directory deletes an object from the directory, it does not physically remove the object from the database. Instead, Active Directory marks the object as deleted by setting the object's isDeleted attribute to TRUE, stripping most of the attributes from the object, renaming the object, and then moving the object to a special container in the object's naming context (NC) named CN=Deleted Objects. The object, now called a tombstone, is invisible to normal directory operations. It does not show up in any Microsoft® Management Console (MMC) snap-ins, and most Lightweight Directory Access Protocol (LDAP) utilities are blissfully unaware of the tombstone's existence. The tombstone is, for all intents and purposes, gone. The data, however, is still there—it's just invisible. So why does Active Directory keep tombstones, otherwise deleted objects, in the database?
While invisible to other processes, a tombstone is visible to the Active Directory replication process. In order to make sure the deletion is performed on all the DCs that host the object being deleted, Active Directory replicates the tombstone to the other DCs. Thus the tombstone is used to replicate the deletion throughout the Active Directory environment.

For more info click here.
0
 
LVL 17

Expert Comment

by:WORKS2011
Comment Utility
...and when it is important to know / set its value
if you're not looking for a deleted object from Active Directory I wouldn't worry about it.
0
 
LVL 35

Accepted Solution

by:
Mahesh earned 350 total points
Comment Utility
This tombstone lifetime value states that how many days deleted objects will remains in deleted object containers
The basic purpose of tombstone is to keep all domain controllers in sync
For Ex:
you have crashed one location DC today
Now tomorrow you have deleted 10 user objects from AD
The object deletion is replicated to all domain controllers and objects are deleted from all location DCs
Now you have non authoritatively restored old system state backup of last week on failed DC of location which contains those 10 objects
Now when after restoration you reboot the Dc and take it online, it will try to communicate to other DCs then other DC's will come to notice that 10 user objects are present on one DC which are not in AD database but they are tomb stoned, hence they will replicate those tomb stoned objects to location DC which tells that those 10 user objects are already deleted and hence he will delete those objects

Now you will wonder how other DCs will identify that objects are already deleted, well it can be discovered with USN (Update sequence number)
When AD object is created 1st time it is assigned one USN and upon any modification this number is gradually increased
When you backup AD system state where objects are not deleted has got one USN value for each object
When you delete those objects from AD, it's USN got updated and same is replicated to all DCs except DC that got crashed
After restoring DC from backup, it has got objects with old USN and there another DCs will come to know that tomb stoned objects they have got more updated USN than live objects presented on restored DC and then they tell to that DC that we have got more updated information than you, so update your self
Now in order to update itself it will delete those objects from its AD database and match USN

In contrast some time in order to recover deleted objects you need to do non authoritative restore of system state backup followed by authoritative restore of deleted objects only which increases USN of restored objects so that other DCs will notice the updated USN on restored DC and undone objects deletion (In short restore objects from tombstone to live database)

By default windows 2000 and 2003 domain controllers have tombstone value set to 60 days
If you upgraded 2003 server to sp1 still this limit remains same
When you install new active directory forest with 2003 SP1 integrated, this tombstone period will be 180 Days by default
This value is remains same for later OS as well straight away up to 2012 R2
You can change Tombstone life time of all objects by changing value to below attribute
After expiring tombstone period for object in deleted object container, those tombstone objects are permanently deleted from AD on all domain controllers during garbage collection period

To determine the tombstone lifetime for the forest using ADSIEdit
Note that tombstone life time is enforced on all domains in forest and can be set on configuration container
Click Start, point to Administrative Tools, and then click ADSI Edit.
In ADSI Edit, right-click ADSI Edit, and then click Connect to.
For Connection Point, click Select a well known Naming Context, and then click Configuration.
If you want to connect to a different domain controller, for Computer, click Select or type a domain or server: (Server | Domain [:port]). Provide the server name or the domain name and Lightweight Directory Access Protocol (LDAP) port (389), and then click OK.
Double-click Configuration, CN=Configuration,DC=ForestRootDomainName, CN=Services, and CN=Windows NT.
Right-click CN=Directory Service, and then click Properties.
In the Attribute column, click tombstoneLifetime.
Note the value in the Value column. If the value is <not set>, the value is 60 days.
Normally its equal to 180 days for 2003 SP1 and above and you can toggle that value
Minimum value is 2 days, even if you set it to 0, it will trigger event in event viewer that it can be set to 2 days at a minimum level.
There is no importance that how much this value should be, it depends upon your organization policy how many days you want to retain old AD system state backup
Most of the time default 180 days is enough
You need to deside this value based on your backup strategy
Because you can't use AD system state backup for restoration older than tombstone life time
Means if you have Tombstone lifetime period set to 180 days and if today you want to restore AD, your backup must not be older than 180 days from today, other wise it will create lingering objects
Lingering objects are those objects for which tombstone objects are not present in AD to track them
For Ex:
You have one server DC offline more than 6 months
Some body has mistakenly started it today
Now guess what will happens, on other DCs some objects are already deleted long back ago for which tombstone objects also get garbage collected from AD
Now if your old DC came online it will start replicating restored objects (lingering objects) in his database for which tombstone objects are already deleted from other DCs and hence they can't track those object status and hence simply assume that these are new objects and start creating those objects as normal replication process
Microsoft has found this behavior and they have developed mechanism to stop replication with DC containing lingering objects
read more on lingering objects
http://utools.com/help/LingeringObjects.asp
http://blogs.technet.com/b/glennl/archive/2007/07/26/clean-that-active-directory-forest-of-lingering-objects.aspx

The same thing is true incase you restored old system state backup beyond tombstone life time
In other cases where lingering objects are generated if any online DC did not get Ad replication beyond tombstone life period due to DNS lookup failures, GC latency etc, replication port issues and hence replication failure etc

Mahesh.
0

Featured Post

Zoho SalesIQ

Hassle-free live chat software re-imagined for business growth. 2 users, always free.

Join & Write a Comment

You might have come across a situation when you have Exchange 2013 server in two different sites (Production and DR). After adding the Database copy in ECP console it displays Database copy status unknown for the DR exchange server. Issue is strange…
New Windows 7 Installations take days for Windows-Updates to show up and install. This can easily be fixed. I have finally decided to write an article because this seems to get asked several times a day lately. This Article and the Links apply to…
To efficiently enable the rotation of USB drives for backups, storage pools need to be created. This way no matter which USB drive is installed, the backups will successfully write without any administrative intervention. Multiple USB devices need t…
This tutorial will walk an individual through setting the global and backup job media overwrite and protection periods in Backup Exec 2012. Log onto the Backup Exec Central Administration Server. Examine the services. If all or most of them are stop…

763 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

5 Experts available now in Live!

Get 1:1 Help Now