Default tombstone lifetime

Discussion in 'Active Directory' started by David Chadwick, Jul 21, 2006.

  1. Hi,

    This is a question out of curiosity rather than a desperate need to know.
    :)

    The following Technet link explains what the default tombstone lifetime for
    a domain is:
    http://technet2.microsoft.com/Windo...81ea-4a1d-9823-4e51fbd3422a1033.mspx?mfr=true

    The default value for "tombstoneLifetime" is "<not set>".

    The thing I find strange is that "<not set>" could either be 60 days or 180
    days, depending on whether your forest root was initially created on Windows
    2000/2003 RTM or Windows 2003 SP1.

    My question is where does AD ultimately pull this information from? What I
    am trying to ask is - imagine you create your forest root with Windows 2003
    RTM. It is now years later and all your DCs are Windows 2003 SP1. Your
    tombstoneLifetime is still "<not set>", and in this particular instance
    "<not set>" means 60 days.

    How does AD "know" that "<not set>" means 60 days rather than 180 days?
    There must be another attribute somewhere which defines this default,
    surely? How does AD determine whether it was "initially 2003 RTM" and
    therefore decide that the tombstone lifetime is 60 rather than 180 days.

    I'm really curious about this. :)

    Cheers,
    David
     
    David Chadwick, Jul 21, 2006
    #1

  2. David Chadwick

    Joe Heaton Guest

    I don't know the answer to your question, but I'd like to know myself. We
    have tombstoned records from about a year and a half ago, that are still
    hanging around. Anyone have any idea how I can make them go away?
     
    Joe Heaton, Jul 21, 2006
    #2

  3. Nope, "not set" should not occur if the forest was built initially with
    K3 SP1, it actually sets the value in the Directory Service object to
    180 during the forest build process. Ditto for SP1 and R2 ADAM. So any
    time you see "not set", the value being used is 60 days.

    I will contact Microsoft to see about getting the documentation corrected.

    joe


    --
    Joe Richards Microsoft MVP Windows Server Directory Services
    Author of O'Reilly Active Directory Third Edition
    www.joeware.net


    ---O'Reilly Active Directory Third Edition now available---

    http://www.joeware.net/win/ad3e.htm
     
    Joe Richards [MVP], Jul 21, 2006
    #3
  4. How do you know you have tombstoned records... How are you looking at
    them? We may be talking about something different. Tombstones for
    deleted AD objects are not normally visible, you need to enable a
    special LDAP control to see them.

    joe

    --
    Joe Richards Microsoft MVP Windows Server Directory Services
    Author of O'Reilly Active Directory Third Edition
    www.joeware.net


    ---O'Reilly Active Directory Third Edition now available---

    http://www.joeware.net/win/ad3e.htm
     
    Joe Richards [MVP], Jul 21, 2006
    #4
  5. Hi Joe,

    This isn't what I am seeing.

    I have built many Windows 2003 with SP1 integrated forests (from scratch)
    and the value is always "<not set>". I just built one 10 minutes ago using
    the VLK Windows 2003 R2 media and created a new forest, and the value is
    "<not set>".

    I have 6 or 7 other test forests (in virtual machines and test lab
    scenarios) and every single one of them says "<not set>", yet all of them
    were built from genuine SP1 integrated media.

    Cheers,
    David
     
    David Chadwick, Jul 22, 2006
    #5
  6. David Chadwick

    Jorge Silva Guest

    Hi

    In a forest where you installed the 1st DC on Windows Server 2003 SP1, the new
    default tombstone-lifetime is tripled to 180 days. If you don't dcpromo the
    forest's first DC with SP1 already installed you'll still have the default
    tombstone-lifetime of 60 days.


    --
    I hope that the information above helps you

    Good Luck
    Jorge Silva
    MCSA
    Systems Administrator
     
    Jorge Silva, Jul 22, 2006
    #6
  7. That is extremely odd because this is done via the schema.ini file that
    is used when building a new forest and it isn't like that is buggy. I
    have built I don't know how many AD SP1/R2 instances and ADAM SP1/R2
    instances and the TSL is always set.

    I would recommend dumping your schema.ini file and looking for the line

    tombstoneLifetime=180

    If that is there and it still doesn't look like the forest has a TSL of
    180 days triplecheck the object you are looking at for the value and
    make sure you don't have any word ACLs set.


    joe


    --
    Joe Richards Microsoft MVP Windows Server Directory Services
    Author of O'Reilly Active Directory Third Edition
    www.joeware.net


    ---O'Reilly Active Directory Third Edition now available---

    http://www.joeware.net/win/ad3e.htm
     
    Joe Richards [MVP], Jul 22, 2006
    #7
  8. Hi Jorge,

    Thanks for your reply.

    I realise that this is how it works. My question was actually about how AD
    determines whether the tombstone lifetime is 60 days or 180 days at a
    technical level. If you read the technet link that I have in my first post,
    you will see that it states that in BOTH situations (with or without SP1)
    the tombstoneLifetime attribute is set to "<not set>".

    My question or observation was that it must then mean that AD falls back to
    some other method of determining whether it is 60 or 180 days and I wanted
    to know what that method was.

    Joe says that the documentation is wrong and that it actually does set that
    particular attribute to 180 days (rather than "<not set>") if you create a
    forest on a SP1 machine, but that is not what I am seeing. I've tried it
    several times, all from clean genuine VLK media and that attribute is NEVER
    set for me.

    Cheers,
    David
     
    David Chadwick, Jul 23, 2006
    #8
  9. Hi Joe,

    I have looked into this further. Thanks for your help so far.

    What I have found is that the schema.ini file on the Windows 2003 SP1 disc
    has the tombstoneLifetime=180 line set.

    However, on the R2 disc (disc 2) there is also a schema.ini file with a
    LATER date. This file does NOT have the tombstoneLifetime=180 line in it.

    When installing R2, the schema.ini file that ends up in the
    C:\WINDOWS\System32 directory is the one from the R2 disc, which does not
    specify 180 days.

    This is the case with my genuine VLK R2 discs (x86 Standard and Enterprise,
    I checked them both).

    I believe all the forests I have tested this on were begun from an R2
    machine. I suspect if I didn't have R2 on there, but only had SP1 then the
    older schema.ini file would be present and this would set the TSL to 180
    days.

    Can you confirm this on your R2 discs?

    Cheers,
    David
     
    David Chadwick, Jul 23, 2006
    #9
  10. joe is correct on this... <not set> means 60 days and nothing else

    180 days is configured when the first DC in the forest is W2K3 SP1.
    everything lower than that or upgraded to SP1 is 60 days.

    ARE you sure the install media is slipstreamed WITH SP1 and it is not just
    W2K3 RTM?

    --

    Cheers,
    (HOPEFULLY THIS INFORMATION HELPS YOU!)

    # Jorge de Almeida Pinto # MVP Windows Server - Directory Services

    BLOG (WEB-BASED)--> http://blogs.dirteam.com/blogs/jorge/default.aspx
    BLOG (RSS-FEEDS)--> http://blogs.dirteam.com/blogs/jorge/rss.aspx
     
    Jorge de Almeida Pinto [MVP], Jul 23, 2006
    #10
  11. David Chadwick

    Jorge Silva Guest

    InLine

    Joe is correct!! I'm wrong???

    Funny, because I did some testing, and as David mentioned, even if you
    install W2k3 SP1 the tombstoneLifetime attribute is set to "<not set>".

    I also have the idea that when the tombstoneLifetime attribute is set to "<not
    set>" this means 60 days. But I never noticed that if we installed W2K3 SP1
    that the tombstoneLifetime attribute is set to "<not set>", I'm still
    looking for some explanation/article for this.




    --
    I hope that the information above helps you

    Good Luck
    Jorge Silva
    MCSA
    Systems Administrator

     
    Jorge Silva, Jul 23, 2006
    #11
  12. Absolutely certain Jorge. I'm using genuine VLK media, straight from
    Microsoft.

    I've since looked into this further, and I'm actually installing R2 (which
    is based off Windows 2003 SP1 obviously). I believe that R2 has regressed
    to the old 60 day behaviour even for a new forest.

    I haven't tested it with just SP1 and NOT R2 yet, but I suspect that will
    set it to 180 days. So, my theory is:

    Windows 2000 - <not set>
    Windows 2003 RTM - <not set>
    Windows 2003 SP1 - 180
    Windows 2003 R2 - <not set>

    I believe when Microsoft modified the schema.ini file for R2 (which replaces
    the one from SP1) they have forgotten to set the tombstone lifetime to 180
    days.

    Regards,
    David

     
    David Chadwick, Jul 23, 2006
    #12
  13. if you were wrong I would have said it...

    how did you install the first DC in the forest.....

    (1) install server with w2k3 and SP1 slipstreamed and promote to DC
    (2) install server with w2k3, apply SP1 and promote to DC
    (3) install server with w2k3, promote to DC and apply SP1

    as soon as you install the server or apply the SP open a command line and
    execute: WINVER
    that should tell you the version

    when talking about R2......

    CD1 = W2K3 with SP1 slipstreamed (which is the same when not having the R2
    distribution set)
    CD2 = R2 binaries

    the reason I still ask ARE YOU SURE is that it is not the first time someone
    says: yes I'm sure! and in the end: oops I made a poo poo. (and no I'm not
    trying to offend someone here!)

    --

    Cheers,
    (HOPEFULLY THIS INFORMATION HELPS YOU!)

    # Jorge de Almeida Pinto # MVP Windows Server - Directory Services

    BLOG (WEB-BASED)--> http://blogs.dirteam.com/blogs/jorge/default.aspx
    BLOG (RSS-FEEDS)--> http://blogs.dirteam.com/blogs/jorge/rss.aspx
     
    Jorge de Almeida Pinto [MVP], Jul 23, 2006
    #13
  14. Hi Jorge,
    that's right!
    I installed a new Server from a Volume License
    Windows Server 2003 R2 Media and the "tombstonelifetime" attribute is
    <not set>.
     
    Yusuf Dikmenoglu, Jul 23, 2006
    #14
  15. David Chadwick

    Jorge Silva Guest

    Ok, here's last


    - I did more testing and here are the results for your eyes only:

    - Srv01 - Windows 2003 R2

    - After running Dcpromo on it (New Forest and Domain of course), the
    TombstoneLifetime attribute = <Not Set>



    - Srv02- Windows 2003 SP1

    - After running Dcpromo on it (New Forest and Domain of course), the
    TombstoneLifetime attribute = 180



    - And it gets better:

    Then I upgraded Srv02 to R2 and guess what...

    After the upgrade the TombstoneLifetime attribute on this server stayed= 180



    In conclusion we can assume that R2 doesn't "touch" the TombstoneLifetime
    attribute, and that is why if we Dcpromo for the 1st time on a server that
    already has R2 the TombstoneLifetime attribute = <Not Set>, and if we upgrade
    from W2k3 SP1 to R2 the TombstoneLifetime attribute on this server stays = 180



    --
    I hope that the information above helps you

    Good Luck
    Jorge Silva
    MCSA
    Systems Administrator
     
    Jorge Silva, Jul 23, 2006
    #15
  16. David Chadwick

    Jorge Silva Guest

    I forgot to mention that the new thing here (at least for me) is that if we
    dcpromo on the first server for a forest that is already R2 the
    tombstonelifetime is =<Not Set> which by default is= 60

    --
    I hope that the information above helps you

    Good Luck
    Jorge Silva
    MCSA
    Systems Administrator
     
    Jorge Silva, Jul 23, 2006
    #16
  17. Yuck.

    You are absolutely correct. I just built some brand new R2 media and did
    the full install and prior to installing CD2 schema.ini is correct and
    then after installing CD2 schema.ini is regressed, I will bug this with
    Microsoft.

    joe

    --
    Joe Richards Microsoft MVP Windows Server Directory Services
    Author of O'Reilly Active Directory Third Edition
    www.joeware.net


    ---O'Reilly Active Directory Third Edition now available---

    http://www.joeware.net/win/ad3e.htm
     
    Joe Richards [MVP], Jul 23, 2006
    #17
  18. At a technical level there is a constant value (appropriately named
    DEFAULT_TOMBSTONE_LIFETIME) defined in a header file and if the
    directory entry doesn't exist, the constant value is used in its stead.

    This is the standard way of handling any config values (directory or
    registry) that have default values with no required directory or
    registry entry. It saves them from the inevitable crash if someone
    deleted a critical value and that value didn't have a default value to
    insert by default.

    I am absolutely positive the documentation is wrong and already have
    concurrence from one of the best AD troubleshooters inside of Microsoft
    who was going to chase up with the documentation owner.

    I have also alerted him of this regression issue with the second CD from
    R2. If you windiff the two involved versions of the file you will see
    that it appears that someone took a file from 11/23 and updated the
    object version of the schema object in the file and then 7 days later on
    11/30 someone updated the file from 11/23 with the new
    tombstonelifetime. There needed to be a schema object rev between the
    two but obviously the tombstonelifetime change should have been in both.
    Basically it is a source check-in mistake.


    If you have SP1 install media that has a schema.ini file without the
    updated tombstonelifetime value then we have yet another problem. Please
    verify that any Gold SP1 media you actually received from Microsoft or
    built directly from a Gold ISO has the proper schema.ini file. If it
    doesn't, please let me know what it is and how you got it and I will get
    that info into MSFT.


    joe

    --
    Joe Richards Microsoft MVP Windows Server Directory Services
    Author of O'Reilly Active Directory Third Edition
    www.joeware.net


    ---O'Reilly Active Directory Third Edition now available---

    http://www.joeware.net/win/ad3e.htm
     
    Joe Richards [MVP], Jul 23, 2006
    #18
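
The check discussed in posts #7 and #18, as an added example that is not code from any poster in this thread: it reads `tombstoneLifetime` from the forest's Directory Service object, applies the 60-day fallback the thread reports for "<not set>", and looks for the `tombstoneLifetime=` line in the installed schema.ini. The function names are hypothetical, and it assumes a domain-joined machine with read access to the configuration partition.

```powershell
# Added example. 60 is the value this thread reports for "<not set>".
$FallbackTombstoneLifetimeDays = 60

function Get-EffectiveTombstoneLifetime {
    # Locate the configuration naming context, then the Directory Service object.
    $rootDse  = [ADSI]'LDAP://RootDSE'
    $configNC = [string]$rootDse.Properties['configurationNamingContext'].Value
    $dn       = "CN=Directory Service,CN=Windows NT,CN=Services,$configNC"
    $dsObject = [ADSI]"LDAP://$dn"

    # $null here is what the GUI tools display as "<not set>".
    $raw = $dsObject.Properties['tombstoneLifetime'].Value

    if ($null -eq $raw) {
        $days   = $FallbackTombstoneLifetimeDays
        $source = 'attribute not set, fallback default applies'
    } else {
        $days   = [int]$raw
        $source = 'explicit value on the Directory Service object'
    }

    [pscustomobject]@{
        DistinguishedName = $dn
        RawValue          = $raw
        EffectiveDays     = $days
        Source            = $source
    }
}

function Get-SchemaIniTombstoneLifetime {
    # Path taken from the thread; schema.ini only seeds the value at forest creation.
    param([string]$Path = (Join-Path $env:SystemRoot 'System32\schema.ini'))

    if (-not (Test-Path $Path)) { return $null }

    $hit = Select-String -Path $Path -Pattern '^\s*tombstoneLifetime\s*=\s*(\d+)' |
        Select-Object -First 1

    # $null means the file has no tombstoneLifetime line (the R2 CD2 case in post #9).
    if ($hit) { [int]$hit.Matches[0].Groups[1].Value } else { $null }
}

Get-EffectiveTombstoneLifetime | Format-List
"schema.ini tombstoneLifetime: $(Get-SchemaIniTombstoneLifetime)"
```

The effective value matters operationally because backups older than the tombstone lifetime cannot safely be restored and a DC offline for longer than it can reintroduce lingering objects, so record the resolved number rather than the raw "<not set>".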
  19. Jorge de Almeida Pinto [MVP], Jul 23, 2006
    #19
  20. Is this SP1 or R2 Media? Please triple check and verify what it is,
    where it came from, and whether or not schema.ini has the
    tombstonelifetime value set.

    If it doesn't, please document the media (VLK, MSDN, whatever) where it
    came from, the date/time stamp on schema.ini.


    joe

    --
    Joe Richards Microsoft MVP Windows Server Directory Services
    Author of O'Reilly Active Directory Third Edition
    www.joeware.net


    ---O'Reilly Active Directory Third Edition now available---

    http://www.joeware.net/win/ad3e.htm
     
    Joe Richards [MVP], Jul 23, 2006
    #20
