Can Active Directory tombstones cause problems with AD restoration?
To ensure proper replication between domain controllers, deleted objects are first converted into special objects...
As changes to Active Directory (AD) are replicated between domain controllers, the tombstones are also replicated -- effectively deleting the same objects on other domain controllers. However, tombstones take up space in storage, so they are given a finite lifetime and finally deleted from disk once their lifetime expires (60 days by default).
Active Directory tombstones can cause data consistency problems for AD restoration. If a domain controller is restored to a state before an object was deleted, and the tombstone for that deleted object is not replicated to the restored controller (e.g., because the tombstone had already expired), then the old object will remain on the restored domain controller and cause severe AD problems. In actual practice, AD may refuse the restoration if the backup is older than the tombstone lifetime.
This puts the onus on administrators to ensure domain controllers are backed up at least as frequently as tombstone lifetimes. As a rule, domain controllers should be backed up at least twice within the tombstone lifetime to help ensure all tombstones are available for proper replication to restored domain controllers.
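As an added example (not part of the original answer), the following PowerShell script reads the forest's tombstone lifetime and compares it with the age of this domain controller's last successful Windows Server Backup, flagging backups that are older than half the lifetime (the "twice within the lifetime" rule above) or older than the lifetime itself. It assumes the ActiveDirectory and WindowsServerBackup modules are available on the domain controller where it runs.

```powershell
# Added example: check a DC's last system state backup against the tombstone lifetime.
# Assumes the ActiveDirectory (RSAT) and WindowsServerBackup modules are installed.
Import-Module ActiveDirectory
Import-Module WindowsServerBackup

function Get-TombstoneLifetimeDays {
    # The lifetime lives on the Directory Service object in the configuration partition.
    $configNC = (Get-ADRootDSE).configurationNamingContext
    $dsa = Get-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$configNC" `
                        -Properties tombstoneLifetime
    # If the attribute was never set, the directory applies the 60-day default.
    if ($null -eq $dsa.tombstoneLifetime) { return 60 }
    return [int]$dsa.tombstoneLifetime
}

function Test-DcBackupAge {
    param(
        [int]$TombstoneLifetimeDays = (Get-TombstoneLifetimeDays),
        [datetime]$LastBackup = (Get-WBSummary).LastSuccessfulBackupTime
    )
    # Backups older than the lifetime cannot be restored safely; aim for at
    # least two backups per lifetime, i.e. a backup no older than half of it.
    $maxSafeDays = [math]::Floor($TombstoneLifetimeDays / 2)

    if ($LastBackup -eq [datetime]::MinValue) {
        $ageDays = $null; $status = 'NO BACKUP FOUND'
    } else {
        $ageDays = [math]::Round(((Get-Date) - $LastBackup).TotalDays, 1)
        if     ($ageDays -gt $TombstoneLifetimeDays) { $status = 'UNRESTORABLE' }
        elseif ($ageDays -gt $maxSafeDays)           { $status = 'WARNING' }
        else                                         { $status = 'OK' }
    }

    [pscustomobject]@{
        TombstoneLifetimeDays = $TombstoneLifetimeDays
        RecommendedMaxAgeDays = $maxSafeDays
        LastSuccessfulBackup  = $LastBackup
        BackupAgeDays         = $ageDays
        Status                = $status
    }
}

Test-DcBackupAge | Format-List
```

Run it as part of a scheduled health check on every domain controller; a WARNING or UNRESTORABLE status means the next system state backup is overdue.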
IT administrators must understand how Active Directory iterations are coordinated and maintained, and domain controllers require careful protection using tools designed to accommodate those unique behaviors. Improper backup and restoration can easily result in data consistency and rollback issues that spell catastrophe for the enterprise. It's important to select adequate backup tools for the job, test those tools thoroughly, use the tools frequently, and implement restoration processes that will ensure continued domain controller operation.