Have you ever deleted a user, a group or even an organizational unit (OU) from your Active Directory domain only...
to have it reappear days or weeks later? This is an all too common occurrence, but one which is usually easy to diagnose and resolve.
The culprit of this strange ghostly reappearance is simply a result of how AD replication functions. Given the right conditions, the normal operation of AD replication can be circumvented and deleted objects can seem to rise from the dead.
Whenever you change an object, its USN (Update Sequence Number) is incremented. When replication occurs, only the version of the object with the greatest USN is retained. All other older copies of the object are overwritten by the newest version of the object. When an object is deleted in AD, it is not removed everywhere instantaneously. Rather, it obtains a label known as a tombstone. The tombstone label, which itself has a USN, indicates that the object is no longer active. Sixty days after an object has been tombstoned, it is deleted from the entire AD database.
But problems can occur under a few unique circumstances. One common cause of resurrected objects is offline domain controllers. If a domain controller (DC) is offline for more than 60 days, it will have a copy of the deleted object, which no other DC has. Since no other DC will have a record of the deleted object, it will be re-distributed across the domain. This problem can also occur if a DC is restored from a backup that is more than 60 days old. The best way to prevent this is to make daily or weekly AD backups and never return a DC to the network before it has been updated.
Authoritative restores can also cause deleted objects to reappear. An authoritative restore returns objects to the AD database from a backup and increases their USN by several thousand. This ensures that the restored object remains in the domain. All too often, when an authoritative restore takes place, the admin performing the restore will choose too broad a selection of objects for the restore, rather than the individual or specific objects that actually needed to be restored. Make sure you limit what's being brought back in an authoritative restore.
It is also possible for the tombstone label to be altered, corrupted, or removed. This can cause deleted objects to re-appear or fail to be removed altogether. If you suspect AD database corruption or alteration, inspect your system for viruses or malicious code.
James Michael Stewart is a partner and researcher for ITinfopros, a technology-focused writing and training organization.