Lingering Objects in Active Directory

What are Lingering Objects?

Before we can understand Lingering Objects, we first need to know what a Tombstone Object and the Tombstone Lifetime are.


Tombstone Object

When an object in AD is deleted, it is not removed from the database straight away. It is first converted into a special object called a "Tombstone Object", and tombstones reside in a special container called Deleted Objects.

Like every other object in AD, Tombstone Objects replicate. This makes sure that the other Domain Controllers in the environment also mark that object as deleted in their copy of the database.
Tombstone Lifetime

The next question is: how long do these Tombstone objects remain in AD?

A tombstone object is preserved in AD for a fixed period, and that period is called the "Tombstone Lifetime". Once the tombstone lifetime expires, the tombstone object is discarded, i.e. deleted permanently from AD.


To check the Tombstone Lifetime -

Log in to any Domain Controller in the domain --> Run --> ADSIEDIT.MSC --> Connect --> select the Configuration naming context --> navigate to CN=Services --> CN=Windows NT --> CN=Directory Service (right-click) --> Properties, and look at the tombstoneLifetime attribute.

[Screenshot: ADSIEDIT Properties dialog for CN=Directory Service showing the tombstoneLifetime attribute]

From the above screenshot, it's clear that the Tombstone lifetime is 180 days. If required, we can edit it as well; the new value is then replicated to all the DCs in the domain.

So if we delete an object today, it will remain in AD for the next 180 days before it is permanently purged from the Active Directory database.


Lingering Object

Now, to understand Lingering Objects, consider the example below -

Suppose you have a total of 5 Domain Controllers [DC1, DC2, ... DC5] in your environment, today is 1st Jan, and the Tombstone lifetime is set to 10 days in the domain.

Now assume DC1 goes down due to an operating system issue on 2nd Jan. The other 4 DCs are working fine, and you carry out normal operations on them (creating, deleting, renaming objects, etc.). Suppose you delete 4 AD groups and 2 user accounts on 3rd Jan. DC1 is still down, and since AD is a multi-master database, all of these deletions are replicated to the other working DCs.

Since the Tombstone lifetime is set to 10 days, the objects deleted on 3rd Jan are preserved in AD until 13th Jan (a total of 10 days). Now assume you manage to bring DC1 back after 13th Jan. All 5 DCs are operational again, but because the tombstone lifetime for the objects deleted on 3rd Jan has already expired, DC2, DC3, DC4 and DC5 no longer have those objects in their database copies, whereas DC1 still has them (simply because those objects were present before DC1 went down, and DC1 never received the deletion).

These unwanted objects linger in the environment, and hence they are known as "Lingering Objects".
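As an added example (not part of the original post), the following PowerShell reads the same tombstoneLifetime attribute that the ADSIEDIT steps above expose, replays the DC1 date arithmetic from the scenario above, and lists replication partners whose last successful replication is older than the tombstone lifetime, which is exactly the condition that produces lingering objects. It assumes the ActiveDirectory module (RSAT) in a domain-joined session with rights to read the Configuration partition; the year 2024 in the worked dates is assumed, since the post gives only day and month.

```powershell
# Added example, not from the original post. Assumes the ActiveDirectory module
# (RSAT) and a domain-joined session that can read the Configuration partition.
Import-Module ActiveDirectory

function Get-TombstoneLifetimeDays {
    # Reads tombstoneLifetime from CN=Directory Service in the Configuration NC,
    # the same object the ADSIEDIT steps navigate to. When the attribute is not
    # set, AD uses the legacy default of 60 days.
    $rootDse = Get-ADRootDSE
    $dsPath  = "CN=Directory Service,CN=Windows NT,CN=Services,$($rootDse.configurationNamingContext)"
    $ds      = Get-ADObject -Identity $dsPath -Properties tombstoneLifetime
    if ($null -eq $ds.tombstoneLifetime) { return 60 }
    return [int]$ds.tombstoneLifetime
}

function Test-LingeringObjectRisk {
    # Pure date arithmetic for the DC1 scenario: a DC that missed a deletion
    # comes back only after the tombstone for that deletion has been purged.
    param(
        [datetime]$DeletionDate,
        [datetime]$DcReturnDate,
        [int]$TombstoneLifetimeDays
    )
    $purgeDate = $DeletionDate.AddDays($TombstoneLifetimeDays)
    return [pscustomobject]@{
        TombstonePurgedOn = $purgeDate
        LingeringObjects  = ($DcReturnDate -gt $purgeDate)
    }
}

function Get-StaleReplicationPartners {
    # Flags replication links whose last success is older than the tombstone
    # lifetime. A partner in this list is in DC1's position: when it replicates
    # again, deletions it missed have already been garbage-collected elsewhere.
    param([int]$TombstoneLifetimeDays = (Get-TombstoneLifetimeDays))
    $threshold = (Get-Date).AddDays(-$TombstoneLifetimeDays)
    Get-ADDomainController -Filter * | ForEach-Object {
        Get-ADReplicationPartnerMetadata -Target $_.HostName -PartnerType Both -ErrorAction SilentlyContinue
    } | Where-Object { $_.LastReplicationSuccess -lt $threshold } |
      Select-Object Server, Partner, Partition, LastReplicationSuccess
}

# Worked example from the post (year 2024 assumed): TSL = 10 days, deletions on
# 3 Jan, DC1 back on 14 Jan -> LingeringObjects = True. Returning on 12 Jan -> False.
Test-LingeringObjectRisk -DeletionDate '2024-01-03' -DcReturnDate '2024-01-14' -TombstoneLifetimeDays 10
Test-LingeringObjectRisk -DeletionDate '2024-01-03' -DcReturnDate '2024-01-12' -TombstoneLifetimeDays 10

"Tombstone lifetime: $(Get-TombstoneLifetimeDays) days"
Get-StaleReplicationPartners | Format-Table -AutoSize
```

If ADSIEDIT shows tombstoneLifetime as not set, the effective value is the legacy 60-day default, which is what Get-TombstoneLifetimeDays returns in that case. Any link reported by Get-StaleReplicationPartners deserves attention before the partner is allowed to replicate again; Microsoft's repadmin /removelingeringobjects run with /advisory_mode is the supported way to confirm whether such a DC actually holds lingering objects before removing them.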

