More Grace Period for Restoring Active Directory

by Mitch Tulloch [Published on 14 Dec. 2005 / Last Updated on 14 Dec. 2005]

Watch those tombstones when restoring Active Directory from backup--but there's less worry if you have Service Pack 1 installed.

It's well known that you should never restore a backup copy of Active Directory that is older than the tombstone lifetime, which by default is 60 days. That's because after 60 days, objects that have been deleted from AD are scavenged and permanently removed. You see, when you delete something from AD it doesn't really get deleted; it just gets tombstoned, i.e. marked as deleted. Such tombstones have a lifetime of 60 days, and after that they're cleaned out of the directory and gone forever.

Unless, that is, you try to restore a backup of AD that's more than 60 days old. The problem with doing this, however, is that you're likely to end up with objects that had been permanently deleted suddenly coming alive again, sort of like zombies in that Eddie Murphy movie. In fact, if you do have to restore AD you should use as recent a backup copy as you possibly have, i.e. a day old at most. Even that can cause a few hiccups on a large network, since computer accounts have their passwords randomly changed every 30 days for security reasons; if you have a lot of computers on your network, it's very likely that even in the span of one day a few computer accounts will change, and those machines will need to have their computer accounts reset. The same goes for trust relationships, which also have their passwords changed every 30 days, so you may need to delete and re-create a trust or two in a multi-domain environment, though that's less likely.

What most admins don't know, however, is that this 60-day grace period for restores (the tombstone lifetime) has been lengthened in W2K3 SP1 to 180 days--but only for domains where the first DC was dcpromo-ed on a standalone W2K3 SP1 machine. In other words, if you already have a domain and you upgrade your DC with SP1, the grace period is still 60 days.
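Because the effective lifetime depends on how the forest was created, it pays to read the actual value rather than assume 60 or 180 days before restoring. The following PowerShell script is an added example, not part of the original article; it assumes it runs on a domain-joined machine with read access to the directory and takes the backup timestamp as a parameter. It reads the tombstoneLifetime attribute from the Configuration partition, compares it with the backup's age, and then lists the computer accounts whose password changed after the backup was taken, i.e. the machines that will need their accounts reset once the restore completes.

```powershell
param(
    [Parameter(Mandatory = $true)]
    [datetime]$BackupDate   # when the system state backup was taken (assumed input)
)

# 1. Read the effective tombstone lifetime from the Configuration partition.
#    Forests created before SP1 usually have no value set, so the 60-day default applies.
$rootDse   = [ADSI]"LDAP://RootDSE"
$configNc  = $rootDse.configurationNamingContext.Value
$dsService = [ADSI]"LDAP://CN=Directory Service,CN=Windows NT,CN=Services,$configNc"
$tsl       = $dsService.tombstoneLifetime.Value
if (-not $tsl) { $tsl = 60 }

$backupAge = (Get-Date) - $BackupDate
"Tombstone lifetime : $tsl days"
"Backup age         : {0:N1} days" -f $backupAge.TotalDays
if ($backupAge.TotalDays -ge $tsl) {
    Write-Warning "Backup is older than the tombstone lifetime; restoring it can bring deleted objects back."
} else {
    "Backup is within the tombstone lifetime."
}

# 2. Computer accounts whose password changed after the backup was taken.
#    Run this against a live DC before the restore: after the restore the DC holds the
#    old password for these machines, so their secure channel must be reset.
$fileTime = $BackupDate.ToFileTimeUtc()
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = [ADSI]"LDAP://$($rootDse.defaultNamingContext.Value)"
$searcher.Filter     = "(&(objectCategory=computer)(pwdLastSet>=$fileTime))"
$searcher.PageSize   = 1000
[void]$searcher.PropertiesToLoad.Add("sAMAccountName")
[void]$searcher.PropertiesToLoad.Add("pwdLastSet")
$changed = $searcher.FindAll()

"$($changed.Count) computer account(s) changed their password after the backup and will need a reset:"
foreach ($r in $changed) {
    $when = [datetime]::FromFileTimeUtc([int64]$r.Properties["pwdlastset"][0])
    "  {0,-30} {1:u}" -f $r.Properties["samaccountname"][0], $when
}
```

The same pwdLastSet comparison can be applied to trust accounts (objects of class trustedDomain carry no pwdLastSet; check the corresponding interdomain trust user accounts instead) if you need to know which trusts to re-create.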

Mitch Tulloch (MVP Windows Server) is a well-known industry expert in Windows administration and security and author of fourteen books including the Microsoft Encyclopedia of Networking, the Microsoft Encyclopedia of Security, Windows Server Hacks and IIS6 Administration. Mitch is based in Winnipeg, Canada and is President of MTIT Enterprises, an IT content development company. You can find more information about him on his website, www.mtit.com.
