Some of the biggest annoyances for any Active Directory administrator are odd little things called lingering objects. These have existed since Windows 2000 Server and will probably never go away completely, although Microsoft has worked to give us some great tools to get rid of them and protect our domain controllers.
While there are already some good articles out there describing lingering objects, I'd like to put my own spin on the issue based on experiences I've had with them. I still find many Active Directory admins who either don't understand what lingering objects are or don't know what to do about them.
Put simply, a lingering object is any Active Directory object that has been deleted, but gets reanimated when a DC has not replicated the change during the domain's tombstone lifetime period.
In other words, when an Active Directory object is deleted, it still exists in the AD as a tombstone. This form of the object contains only the mandatory attributes and is moved into the Deleted Objects container. The contents of the Deleted Objects container can be seen using the LDP.exe tool from the Windows Server 2003 Support Tools. Once the object is tombstoned, it will remain in this condition until the tombstone lifetime period expires (which is 60 days by default). At that point, the garbage collection process will purge it from the Active Directory.
Now suppose you have a Global Catalog server in a remote office in Brazil that has not been available on the network for the 60-day tombstone lifetime period. This could be due to maintenance, a network outage, a hardware failures, etc. that prevents the Global Catalog from replicating with the other DCs.
So let's say you have a multiple domain forest and 100 users were deleted from the United Kingdom domain while the ...
To continue reading for free, register below or login
To read more you must become a member of SearchWindowsServer.com
