Default tombstone lifetime

Discussion in 'Active Directory' started by David Chadwick, Jul 21, 2006.

  1. These are all expected.

    The TSL change only impacts the creation of new forests. It does not
    modify a forest that already exists.

    So

    Pre-K3SP1 should default to NOT SET and does.
    K3SP1 should default to 180 and does every time I have tested it.
    R2 should default to 180 but DOES NOT.

    See one of my other posts which explains how the 60 days is determined
    and also where I did the testing and found the regression and the
    probable reason for it and reported this all to MSFT.


    DO NOT COPY the schema.ini file from CD1 of R2 back over schema.ini that
    results on your machine because the schema base object version will then
    be wrong.

    joe

    --
    Joe Richards Microsoft MVP Windows Server Directory Services
    Author of O'Reilly Active Directory Third Edition
    www.joeware.net


    ---O'Reilly Active Directory Third Edition now available---

    http://www.joeware.net/win/ad3e.htm
     
    Joe Richards [MVP], Jul 23, 2006
    #21

  2. David Chadwick

    Jorge Silva Guest

    Yep, this was what I was referring to; everything else was expected as
    normal behavior.



    --
    I hope that the information above helps you

    Good Luck
    Jorge Silva
    MCSA
    Systems Administrator
     
    Jorge Silva, Jul 24, 2006
    #22

  3. Hi Joe,

    Thanks for persisting with this.

    Just to clarify, you mentioned in your blog post that "some people aren't
    seeing this", referring to the TSL being set to 180 if using Windows 2003
    SP1 (but NOT R2).

    I wanted to make sure I made it clear that I *am* seeing this. In all my
    posts about when I haven't seen it, it turns out that I was using R2. It is
    just that initially when making posts I wasn't specifying whether it was SP1
    or R2 as (in my head) these should be the same thing.

    So yes, SP1 only is 180 days, R2 is back to 60 days.

    I wonder which schema.ini file they have gone forward with in SP2. :)

    Cheers,
    David
     
    David Chadwick, Jul 24, 2006
    #23
  4. Hi Jorge,
    here is my latest news ;-)

    I installed a Volume License Windows Server 2003 _without_ Service Pack 1.
    Then I installed SP1.
    The "tombstonelifetime" is <not set>, but the entry
    "tombstoneLifetime=180" exists in the "schema.ini".

    What now, <not set> 60 days or the schema.ini entry with 180 days ... hmm..
     
    Yusuf Dikmenoglu, Jul 24, 2006
    #24
  5. I'll let myself jump into the thread.
    So you've installed Windows 2003 -> promoted DC -> then SP1?

    If so, as joe wrote in his blog, the schema is populated from schema.ini
    on new forest creation. So if you've created the forest with Windows 2003
    (no SP1) you will end up with 60 days of TSL.

    If you are only updating DCs with SP1, this will not make any change to
    the TSL value.

    KB216993 states:
    http://support.microsoft.com/kb/216993/en-us

    Windows Server 2003 Service Pack 1 (SP1) increases the attribute value
    from 60 to 180 days in the following scenarios:
    • You use Windows Server 2003 SP1 slipstreamed media to upgrade a
    Microsoft Windows NT 4.0 domain to a Windows Server 2003 domain. When
    you perform the upgrade, you create a new forest.
    • You promote a computer that is running Windows Server 2003 SP1 to a
    domain controller. When you promote the domain controller, you create a
    new forest.

    The original release version of Windows Server 2003 SP1 does not modify
    the value of the tombstone lifetime attribute when the following
    conditions are true:
    • You upgrade a Windows 2000 domain to a Windows Server 2003 domain by
    using Windows Server 2003 SP1 slipstreamed media.
    • You install Windows Server 2003 SP1 on domain controllers that are
    running the original release version of Windows Server 2003.

    Check also the summary in Jorge's post:
    http://blogs.dirteam.com/blogs/jorge/archive/2006/07/23/1233.aspx
     
    Tomasz Onyszko, Jul 24, 2006
    #25
  6. No. I checked this in my office and we migrated from NT-PDC to 2003
    (without SP1).
    Later we installed SP1.
    I checked this on our "first" DC (now 2003).

    The rest of what you've written is clear and I know that ;-)
     
    Yusuf Dikmenoglu, Jul 24, 2006
    #26
  7. David Chadwick

    Jorge Silva Guest

    InLine


    In my opinion "I think" this is expected: in order to have
    tombstoneLifetime=180, you must install W2K3 SP1 on the 1st DC in the
    forest. When we upgrade to SP1 after we have a forest, the tombstoneLifetime
    doesn't change by default; we must change it manually (if we want to, of
    course).

    this is described here:
    Useful shelf life of a system-state backup of Active Directory
    http://support.microsoft.com/?id=216993


    --
    I hope that the information above helps you

    Good Luck
    Jorge Silva
    MCSA
    Systems Administrator
     
    Jorge Silva, Jul 24, 2006
    #27
  8. OK - so if you migrated NT-PDC to Windows 2003 without SP1, you have the
    default 60 days TSL. Upgrading from NT is like creating a new forest.
     
    Tomasz Onyszko, Jul 24, 2006
    #28
  9. David Chadwick

    Jorge Silva Guest

    No. I check this in my office and we migrate from NT-PDC to 2003 (without

    You must use Windows Server 2003 SP1 slipstreamed media to upgrade a
    Microsoft Windows NT 4.0 domain to a Windows Server 2003 domain. When you
    perform the upgrade, you create a new forest.


    I hope that the information above helps you

    Good Luck
    Jorge Silva
    MCSA
    Systems Administrator
     
    Jorge Silva, Jul 24, 2006
    #29
  10. Yeah, that is my opinion too.
    But it's crazy, the attribute says <not set> and the schema.ini says "180".
    But I think that with the 60 days, that's right ;-)
     
    Yusuf Dikmenoglu, Jul 24, 2006
    #30
  11. Yeah ... that's my opinion too.
    Yes, I know this article and I dream of it :)
     
    Yusuf Dikmenoglu, Jul 24, 2006
    #31
  12. That's clear ;-)
     
    Yusuf Dikmenoglu, Jul 24, 2006
    #32
  13. David Chadwick

    Jorge Silva Guest

    :)


    --
    I hope that the information above helps you

    Good Luck
    Jorge Silva
    MCSA
    Systems Administrator
     
    Jorge Silva, Jul 24, 2006
    #33
  14. David Chadwick

    Joe Heaton Guest

    Sorry if this is a double post. We must be talking about different things.
    I'm talking about WINS records. When I show active registrations, I see
    records that I know I tombstoned over a year ago. Shouldn't they go away?
     
    Joe Heaton, Jul 24, 2006
    #34
  15. Ah yeah, completely different thing. We are talking about tombstones in
    Active Directory for deleted objects.

    For your WINS, it is something similar in concept but totally different
    implementation. I have seen tombstones hanging in WINS before and it
    doesn't mean that WINS is completely broken. Usually it means you need
    to jetpack the database to clean it up a little. Barring that, go around
    to every WINS server in the environment and delete the records directly.
    I would recommend using netsh to do it.


    --
    Joe Richards Microsoft MVP Windows Server Directory Services
    Author of O'Reilly Active Directory Third Edition
    www.joeware.net


    ---O'Reilly Active Directory Third Edition now available---

    http://www.joeware.net/win/ad3e.htm
     
    Joe Richards [MVP], Jul 24, 2006
    #35
  16. schema.ini is only looked at during the promotion of the new forest. So
    it doesn't matter what the schema.ini says after you have built your forest.

    If for instance you demoted that machine with that schema.ini file and
    then repromoted it into a new forest, you would now have a 180 day TSL.

    --
    Joe Richards Microsoft MVP Windows Server Directory Services
    Author of O'Reilly Active Directory Third Edition
    www.joeware.net


    ---O'Reilly Active Directory Third Edition now available---

    http://www.joeware.net/win/ad3e.htm
     
    Joe Richards [MVP], Jul 24, 2006
    #36
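
As the replies above conclude, what governs a running forest is the tombstoneLifetime attribute in the directory (with <not set> meaning 60 days), not whatever schema.ini says on disk. The following is an added example, not code from any poster in this thread: it resolves the effective TSL and checks a system-state backup's age against it, assuming the ActiveDirectory RSAT module for the live read; the function names and sample dates are hypothetical.

```powershell
# Added example, not from the thread. Function names and sample values are hypothetical.

function Get-EffectiveTombstoneLifetime {
    # $RawValue is tombstoneLifetime as read from the directory.
    # $null models the "<not set>" state, which the thread treats as 60 days.
    param([Nullable[int]]$RawValue)
    if ($null -eq $RawValue) {
        return [pscustomobject]@{ Days = 60; Source = 'default (attribute not set)' }
    }
    return [pscustomobject]@{ Days = [int]$RawValue; Source = 'tombstoneLifetime attribute' }
}

function Test-BackupWithinTsl {
    # A system-state backup is only useful while it is younger than the TSL (KB216993).
    param([datetime]$BackupDate, [int]$TslDays, [datetime]$Now = (Get-Date))
    return (($Now - $BackupDate).TotalDays -lt $TslDays)
}

# Constructed inputs: a forest left at <not set> and a forest built from SP1 media.
$now    = [datetime]'2006-07-24'
$backup = [datetime]'2006-04-01'   # constructed backup date, 114 days old
foreach ($raw in @($null, 180)) {
    $tsl = Get-EffectiveTombstoneLifetime -RawValue $raw
    $ok  = Test-BackupWithinTsl -BackupDate $backup -TslDays $tsl.Days -Now $now
    '{0,3} days ({1}): backup restorable = {2}' -f $tsl.Days, $tsl.Source, $ok
}

# Live read from the forest this machine is joined to, if the module is present.
# schema.ini is never consulted here; only the directory value counts.
if (Get-Module -ListAvailable -Name ActiveDirectory) {
    Import-Module ActiveDirectory
    $configNC = (Get-ADRootDSE).configurationNamingContext
    $dsObject = Get-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$configNC" `
                             -Properties tombstoneLifetime
    Get-EffectiveTombstoneLifetime -RawValue $dsObject.tombstoneLifetime
}
```

With the constructed dates, the same 114-day-old backup is still inside the window on the 180-day forest and already outside it on the forest left at <not set>.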
  17. Cool thanks David. I think SP1 is probably fine in all distributions, it
    is simply confusion on how this all works. :)

    R2 is definitely screwed up though.

    joe

    --
    Joe Richards Microsoft MVP Windows Server Directory Services
    Author of O'Reilly Active Directory Third Edition
    www.joeware.net


    ---O'Reilly Active Directory Third Edition now available---

    http://www.joeware.net/win/ad3e.htm
     
    Joe Richards [MVP], Jul 24, 2006
    #37
  18. BTW, thanks for floating this up. It obviously points out a process flaw
    that we need to help Microsoft acknowledge so they can address it so
    it doesn't happen again with say Longhorn R2.

    --
    Joe Richards Microsoft MVP Windows Server Directory Services
    Author of O'Reilly Active Directory Third Edition
    www.joeware.net


    ---O'Reilly Active Directory Third Edition now available---

    http://www.joeware.net/win/ad3e.htm
     
    Joe Richards [MVP], Jul 24, 2006
    #38
  19. David Chadwick

    Joe Heaton Guest

    Well, my coworkers took care of it themselves. They went into the system32
    directories of the WINS servers and deleted the databases. Barbaric, but it
    seems to have worked....
     
    Joe Heaton, Jul 25, 2006
    #39
  20. Wow. Yeah I wouldn't let them near AD or Exchange that is for sure...

    --
    Joe Richards Microsoft MVP Windows Server Directory Services
    Author of O'Reilly Active Directory Third Edition
    www.joeware.net


    ---O'Reilly Active Directory Third Edition now available---

    http://www.joeware.net/win/ad3e.htm
     
    Joe Richards [MVP], Jul 26, 2006
    #40