How to Kill Innovation in 5 Easy Steps


  • 8/6/2019 How to Kill Innovation in 5 Easy Steps

    Restore deleted objects in Active Directory

    By Scott Lowe MCSE, March 7, 2005, 8:00am PST

    In Active Directory, when someone flags an object for deletion, Windows marks it with an indicator called a tombstone. The process doesn't actually delete the object from the AD database; the object just lives on in this tombstoned state.

    But let's say someone accidentally deleted the wrong object. What do you do then? You can still restore the deleted object. Download Sysinternals' free AdRestore utility from its Web site.

    To view a list of objects available for restoration, execute AdRestore without any parameters. Here's an example:

    C:\>adrestore

    AdRestore v1.1

    by Mark Russinovich

    Sysinternals - www.sysinternals.com

    Enumerating domain deleted objects:

    cn: Chicken Little

    DEL:9c0bce9a-03e5-4037-966f-3d4735866371

    distinguishedName: CN=ChickenLittle\0ADEL:9c0bce9a-03e5-4037-966f-3d4735866371,

    CN=Deleted Objects,DC=example,DC=local

    lastKnownParent: CN=Users,DC=example,DC=local

    Found 1 item matching search criteria.

    To prompt to restore a found object, execute AdRestore with the -r parameter. Here's an example:

    C:\>adrestore -r

    AdRestore v1.1

    by Mark Russinovich

    Sysinternals - www.sysinternals.com

    Enumerating domain deleted objects:

    cn: Chicken Little

    DEL:9c0bce9a-03e5-4037-966f-3d4735866371

    distinguishedName: CN=ChickenLittle\0ADEL:9c0bce9a-03e5-4037-966f-3d4735866371,

    CN=Deleted Objects,DC=example,DC=local

    lastKnownParent: CN=Users,DC=example,DC=local

    Do you want to restore this object (y/n)? y

    Restore succeeded.

    Found 1 item matching search criteria.

    Afterward, you may need to start Active Directory Users And Computers and enable the user account that you restored.

    What is tombstone lifetime? How to reconfigure it?

    The tombstone lifetime in an Active Directory forest determines how long a deleted object - aka a tombstone - is retained in Active Directory. The tombstone lifetime is determined by the value of the tombstoneLifetime attribute on the Directory Service object in the configuration directory partition.

    Tombstone Lifetime assists in removing objects from replicated servers and preventing restores from reintroducing a deleted object. When an object is deleted from Active Directory, it is not physically removed from Active Directory for some days. Instead, Active Directory sets the isDeleted attribute of the deleted object to TRUE and moves it to a special container called Tombstone.

    • The default Tombstone Lifetime period is 60 days in Windows Server 2003.

    • But the default Tombstone Lifetime period has been changed in Windows Server 2003 SP1 and later to 180 days.

    The tombstone lifetime attribute remains the same on all the domain controllers, and a tombstone is deleted from all the servers at the same time. This is because the expiration of a tombstone lifetime is based on the time when an object was deleted logically from Active Directory, rather than the time when it is received as a tombstone on a server through replication.

    Reconfiguring Tombstone Lifetime:

    As I mentioned earlier, the default Tombstone Lifetime period is 180 days in Windows Server 2003 SP2 or later. This is because the value of tombstoneLifetime object is

    The default Tombstone Lifetime can be modified through the ADSIEDIT console, if necessary. But I would like to remind you that a longer tombstone lifetime decreases the chance that a deleted object remains in the local directory of a disconnected DC beyond the time when the object is permanently deleted from online DCs.

    This attribute is located in the path below:

    cn=Directory Service,cn=Windows NT,cn=Services,cn=Configuration,dc=

    To change the value:

    Run ADSIEDIT.msc

    Expand: Configuration > CN=Configuration > CN=Services > CN=Windows NT and right-click on CN=Directory Service

    You will get an attribute window. Drill down to tombstoneLifetime and double-click it. You will get a field to type the value; type the value you intend and click OK.

    The below picture will help you out to reach the correct object.
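
The same attribute can be read from PowerShell and combined with the Deleted Objects listing that AdRestore shows above, to see how long each tombstone has left before it can no longer be restored. This is an added example, not part of the original article or of AdRestore; it assumes the ActiveDirectory module is installed, and the `$WarnDays` threshold and the function names are hypothetical.

```powershell
# Added example. Requires the ActiveDirectory module (RSAT) and rights to read
# the Configuration partition and the Deleted Objects container.
Import-Module ActiveDirectory

function Get-TombstoneLifetime {
    # Build the DN from the forest's own configuration naming context so that
    # no domain name is hard-coded.
    $configNC = (Get-ADRootDSE).configurationNamingContext
    $dsDN     = "CN=Directory Service,CN=Windows NT,CN=Services,$configNC"
    $ds       = Get-ADObject -Identity $dsDN -Properties tombstoneLifetime
    [pscustomobject]@{ DistinguishedName = $dsDN; Days = $ds.tombstoneLifetime }
}

function Get-TombstoneReport {
    param([int]$WarnDays = 14)   # hypothetical "expiring soon" threshold

    $tsl = Get-TombstoneLifetime
    if ($null -eq $tsl.Days) {
        # Attribute not set: do not guess a value, report and stop.
        Write-Warning "tombstoneLifetime is not set on $($tsl.DistinguishedName)"
        return
    }

    $now = Get-Date
    Get-ADObject -Filter 'isDeleted -eq $true -and Name -like "*DEL:*"' `
                 -IncludeDeletedObjects -Properties lastKnownParent, whenChanged |
        ForEach-Object {
            # Assumption: whenChanged approximates the deletion time.
            $daysLeft = [math]::Floor(($_.whenChanged.AddDays($tsl.Days) - $now).TotalDays)
            [pscustomobject]@{
                Name            = ($_.Name -split "`n")[0]   # drop the DEL:<GUID> suffix
                ObjectGUID      = $_.ObjectGUID
                LastKnownParent = $_.lastKnownParent
                Deleted         = $_.whenChanged
                DaysLeft        = $daysLeft
                ExpiringSoon    = $daysLeft -le $WarnDays
            }
        } | Sort-Object DaysLeft
}

Get-TombstoneLifetime | Format-List
Get-TombstoneReport   | Format-Table -AutoSize
```

`Restore-ADObject` from the same module accepts the `ObjectGUID` reported here and is the cmdlet counterpart of `adrestore -r`.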

    For further reading on Tombstone Lifetime, I recommend the Microsoft links below:

    http://technet.microsoft.com/en-us/library/cc784932(WS.10).aspx

    http://support.microsoft.com/kb/924890

    When any object is deleted from Active Directory, the object is not actually removed from Active Directory. Instead, the object is marked as deleted, most of its attributes are removed, the object is renamed, and the deleted object is moved to the Deleted Objects container. This object is now referred to as a tombstone and is kept until the tombstone lifetime expires. Information about this tombstone object is replicated to all other domain controllers.

    Default Tombstone Lifetime for New Active Directory Forests

    Operating System                        Default Tombstone Lifetime
    Windows 2000 Server                     60 days
    Windows Server 2003 no service pack     60 days
    Windows Server 2003 SP1                 180 days
    Windows Server 2003 R2                  60 days
    Windows Server 2003 SP2                 180 days
    Windows Server 2008                     180 days

    You can modify the default value for tombstone lifetime by using ADSIEdit.msc.