More Grace Period for Restoring Active Directory

Written on Wednesday, February 27, 2008 5:38

Watch those tombstones when restoring Active Directory from backup–but there’s less worry if you have Service Pack 1 installed.

It’s well-known that you should never restore a backup copy of Active Directory older than the tombstone lifetime, which by default is 60 days. That’s because after 60 days objects that have been deleted from AD are scavenged and permanently deleted. You see, when you delete something from AD it doesn’t really get deleted, it just gets tombstoned, i.e. marked as deleted. Such tombstones have a lifetime of 60 days and after that they’re cleaned out of the directory and gone forever.

Unless you try to restore a backup of AD that’s more than 60 days old. The problem with doing this, however, is that you’re likely to end up with objects that have been permanently deleted suddenly coming alive again, sort of like zombies in that Eddie Murphy movie. In fact, if you do have to restore AD you should use the most recent backup copy you have, i.e. a day old at most. Even that can cause a few hiccups on a large network, since computer accounts have their passwords changed automatically every 30 days for security reasons; if you have a lot of computers on your network then it’s very likely that even in the span of one day a few computer accounts will have changed their password, and those machines will need to have their computer accounts reset. The same goes for trust relationships, which also have their passwords changed every 30 days, so you may need to delete and re-create a trust or two in a multi-domain environment, though that’s less likely.

What most admins don’t know, however, is that this grace period for restores of 60 days (the tombstone lifetime) has been lengthened in W2K3 SP1 to 180 days, but only for domains where the first DC has been dcpromo-ed on a standalone W2K3 SP1 machine. In other words, if you already have a domain and you upgrade your DC with SP1, the grace period is still 60 days.
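Since the effective tombstone lifetime depends on how the forest was created rather than on what service pack the DCs run today, it is worth reading the actual value from the directory before deciding whether a backup is safe to restore. The script below is an added example and is not from the original post. It uses plain ADSI rather than the later ActiveDirectory module so it runs against a W2K3 domain too, reads the tombstoneLifetime attribute from the Directory Service object in the configuration partition (treating an unset attribute as the 60-day default), compares it to the age of the backup, and then lists the computer accounts in the current domain whose password rolled after the backup was taken, since those are the accounts that will need resetting after a restore. The $BackupDate parameter is an assumed input: the timestamp of the system-state backup you intend to restore.

```powershell
# Added example, not from the original post. Checks a backup's age against the
# forest's effective tombstone lifetime and lists computer accounts whose
# password has changed since the backup was taken.
param(
    # Assumed input: when the system-state backup being considered was taken.
    [Parameter(Mandatory = $true)]
    [datetime]$BackupDate
)

# Locate the Directory Service object that carries tombstoneLifetime.
$rootDse  = [ADSI]"LDAP://RootDSE"
$configNc = [string]$rootDse.configurationNamingContext
$dsObj    = [ADSI]"LDAP://CN=Directory Service,CN=Windows NT,CN=Services,$configNc"

# If the attribute was never set (forest created before W2K3 SP1), the
# directory uses the 60-day default. Forests created on SP1 set it to 180.
$tsl = 60
if ($dsObj.tombstoneLifetime.Value) { $tsl = [int]$dsObj.tombstoneLifetime.Value }

$ageDays = [int]((Get-Date) - $BackupDate).TotalDays
"Tombstone lifetime: $tsl days; backup age: $ageDays days"
if ($ageDays -ge $tsl) {
    Write-Warning "Backup is older than the tombstone lifetime; restoring it can resurrect permanently deleted objects."
}

# Computer accounts whose password changed after the backup was taken.
# pwdLastSet is stored as a FILETIME, so convert the backup timestamp to match.
$ft = $BackupDate.ToFileTime()
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.Filter   = "(&(objectCategory=computer)(pwdLastSet>=$ft))"
$searcher.PageSize = 1000
[void]$searcher.PropertiesToLoad.Add("name")
$changed = @($searcher.FindAll() | ForEach-Object { $_.Properties["name"][0] })

"$($changed.Count) computer account(s) rolled their password since the backup and would need a reset after a restore:"
$changed
```

Run it on a domain member as an account that can read the configuration partition, e.g. `.\Check-AdRestore.ps1 -BackupDate "2008-02-20"`. The DirectorySearcher defaults to the current domain, so in a multi-domain forest run it once per domain; trust account passwords are not covered by this query and still need to be checked separately as the post describes.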
