RE: [ActiveDir] Tombstone Interval

[Almeida Pinto, Jorge de]

Title: Tombstone Interval

Scavenging and Aging are processes that age and cleanup (delete) unused DNS resource records. After a record is deleted it is tombstoned and kept in AD for the same time as the AD tombstone lifetime (60 days or 180 days in fresh AD SP1 installs). However there is something else "in between" for DNS records.

 

I got the second from the Windows 2003 Branch Office Guide.

Extending the DNS Tombstone Lifetime

You must extend the tombstone lifetime for DNS resource records stored in the directory. This prevents resource records from being removed from the directory while a new branch office domain controller is offline and being shipped to its new location.

 

First I did not understand it, but after testing it on a DC I found the following and it is clear now what it does

OK, here goes....

 

A DNS object is just like any other AD object... There is a slight difference though

When a DNS object is deleted it is NOT AD tombstoned right away like other objects and it is also not "moved" to the Deleted Objects container of the naming context it resides it. Unlike any other objects it is invisible in the DNS GUI and it remains in the location for the DNS Tombstone Lifetime (don't know what the default is). When it is DNS tombstoned the attribute dNSTombstoned is set to TRUE. After the DNS Tombstone Lifetime it is AD tombstoned and "moved" to the Deleted Objects container of the naming context it resides it.

If the DNS object is "recreated" within the DNS Tombstone Lifetime the old DNS tombstoned object is revived (same GUID) as the attribute dNSTombstoned is set to FALSE .

 

If someone knows the default, please let me know.

 

Cheers,

Jorge

---

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Wednesday, September 14, 2005 12:08
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Tombstone Interval

Would the latter refer to scavenged objects?

 

neil

 

---------------------------------------
Neil Ruston
Nomura International Plc
Tel: 020 7521 3481
[EMAIL PROTECTED]

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]On Behalf Of Almeida Pinto, Jorge de
Sent: 14 September 2005 10:58
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Tombstone Interval

Hi,

The first I understand but I do not understand the second. Does anyone know what the second does?

Thanks

Jorge

(1) configured per forest in AD
The tombstone lifetime value in an Active Directory forest defines the default number of days that a domain controller preserves knowledge of deleted objects. This value also defines the useful life of a system state backup that is used for disaster recovery or installation from backup media. Active Directory protects itself from restoring data that is older than the tombstone lifetime by disallowing the restore.

(2) configured per DNS server in the registry manually or through DNSCMD
/dstombstoneinterval[ 1-30]
Amount of time in seconds to keep tombstoned records in Active Directory alive.

Met vriendelijke groet / Kind regards,

Jorge de Almeida Pinto
Infrastructure Consultant
__________________________________________

LogicaCMG Nederland B.V. (BU SD/AT)
Division Industry, Distribution and Transport (ID&T)
Kennedyplein 248, 5611 ZT, Eindhoven
.       Postbus 7089
        5605 JB Eindhoven
(       Tel             : +31-(0)40-29.57.777
2       Fax     : +31-(0)40-29.57.709
(       Mobile  : +31-(0)6-26.26.62.80

*       E-mail  : [EMAIL PROTECTED]

"       <http://www.logicacmg.com/> - Solutions that matter -

This e-mail and any attachment is for authorised use by the intended recipient(s) only. It may contain proprietary material, confidential information and/or be subject to legal privilege. It should not be copied, disclosed to, retained or used by, any other party. If you are not an intended recipient then please promptly delete this e-mail and any attachment and all copies and inform the sender. Thank you.

PLEASE READ: The information contained in this email is confidential and

intended for the named recipient(s) only. If you are not an intended

recipient of this email please notify the sender immediately and delete your

copy from your system. You must not copy, distribute or take any further

action in reliance on it. Email is not a secure method of communication and

Nomura International plc ('NIplc') will not, to the extent permitted by law,

accept responsibility or liability for (a) the accuracy or completeness of,

or (b) the presence of any virus, worm or similar malicious or disabling

code in, this message or any attachment(s) to it. If verification of this

email is sought then please request a hard copy. Unless otherwise stated

this email: (1) is not, and should not be treated or relied upon as,

investment research; (2) contains views or opinions that are solely those of

the author and do not necessarily represent those of NIplc; (3) is intended

for informational purposes only and is not a recommendation, solicitation or

offer to buy or sell securities or related financial instruments. NIplc

does not provide investment services to private customers. Authorised and

regulated by the Financial Services Authority. Registered in England

no. 1550505 VAT No. 447 2492 35. Registered Office: 1 St Martin's-le-Grand,

London, EC1A 4NP. A member of the Nomura group of companies.