Keeping some form of a deleted object is necessary in multimaster systems such as Active Directory (AD), which must replicate deletions among domain controllers (DCs). When you delete an object in AD, that object doesn't disappear completely. Instead, the object becomes a deleted object, also known as a tombstone. Before the release of Windows Server 2003, no method existed for bringing tombstones back to life. With Windows 2003, however, this type of resurrection is possible, though the process isn't necessarily simple. Still, the ability can be beneficial in certain situations, such as when someone accidentally deletes a user object. Let me show you the basics of AD's deletion and tombstone cleanup processes as well as how to search for, recover, and restore deleted objects.
Death of an Object
When an object is deleted, AD performs a variety of housekeeping tasks behind the scenes to turn the object into a tombstone. AD sets the object's isDeleted attribute to TRUE, which simplifies the distinction between tombstone objects and normal objects during a search. AD also moves the deleted object to the Deleted Objects container in the partition that contained the object before the deletion. (Each directory partition, including Windows 2003's new application partitions, holds a Deleted Objects container. The only exception is the Schema partition, which doesn't contain a Deleted Objects container because you can't delete objects from the schema.) AD hides these Deleted Objects containers by default, so to view them you must enable the Return Deleted Objects Lightweight Directory Access Protocol (LDAP) control as part of a search operation. (For more information about such operations, see the sidebar "Searching for Tombstones.") . . .
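The search just described, as an added example that is not part of the original article: a raw LDAP query through System.DirectoryServices.Protocols that attaches the show-deleted-objects control (OID 1.2.840.113556.1.4.417) and filters on isDeleted=TRUE. The DC name and partition DN are assumed placeholders; the script must run as an account permitted to read the Deleted Objects container.

```powershell
# Added example, not from the original article. Lists tombstones in one domain
# partition. Without the control the DC silently omits tombstones, so the same
# filter returns nothing; that difference is a quick check that the control was
# honored. $Server and $PartitionDN are assumed values for illustration.
Add-Type -AssemblyName System.DirectoryServices.Protocols

$Server      = 'dc1.example.com'      # assumed DC name (placeholder)
$PartitionDN = 'DC=example,DC=com'    # assumed domain partition (placeholder)

$conn = New-Object System.DirectoryServices.Protocols.LdapConnection($Server)
$conn.SessionOptions.ProtocolVersion = 3
$conn.Bind()   # bind with the current user's credentials

# LDAP_SERVER_SHOW_DELETED_OID: makes the hidden Deleted Objects container and
# its tombstones visible to this search. Marked critical so the DC rejects the
# request outright instead of quietly dropping the control.
$showDeleted = New-Object System.DirectoryServices.Protocols.DirectoryControl(
    '1.2.840.113556.1.4.417', $null, $true, $true)

# Search one level under the Deleted Objects container of the partition, asking
# only for attributes that AD retains on a tombstone.
$req = New-Object System.DirectoryServices.Protocols.SearchRequest(
    "CN=Deleted Objects,$PartitionDN",
    '(isDeleted=TRUE)',
    [System.DirectoryServices.Protocols.SearchScope]::OneLevel,
    @('distinguishedName', 'objectClass', 'lastKnownParent', 'whenChanged'))
$req.Controls.Add($showDeleted) | Out-Null

$resp = $conn.SendRequest($req)
foreach ($entry in $resp.Entries) {
    # objectClass is multi-valued; the most specific class is listed last.
    $classes = $entry.Attributes['objectClass'].GetValues([string])
    [pscustomobject]@{
        DN              = $entry.DistinguishedName
        ObjectClass     = $classes[-1]
        LastKnownParent = $entry.Attributes['lastKnownParent'][0]
        LastChanged     = $entry.Attributes['whenChanged'][0]
    }
}
$conn.Dispose()
```

The lastKnownParent value is what a later restore needs in order to put the object back where it lived before the deletion, and whenChanged approximates the deletion time, which is useful when triaging an accidental or suspicious mass deletion.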