Stop a deleted object's reappearance in Active Directory

James Michael Stewart, Contributor

Have you ever deleted a user, a group or even an organizational unit (OU) from your Active Directory domain only to have it reappear days or weeks later? This is an all too common occurrence, but one which is usually easy to diagnose and resolve.

The cause of this ghostly reappearance is the way AD replication handles deletions. Under the right conditions the normal safeguards are bypassed and a deleted object can seem to rise from the dead.

Every attribute of an AD object carries replication metadata: a version number that is incremented each time the attribute is written, the time of the originating write, and the DC on which the write originated. Each DC also keeps its own Update Sequence Number (USN), a counter it increments on every local write; partners use USNs to work out which changes they have not yet received, not to decide conflicts. When two DCs hold different values for the same attribute, replication keeps the value with the highest version number, breaking ties by the later originating write. Deleting an object does not remove it everywhere at once. Instead the object becomes a tombstone: its isDeleted attribute is set to TRUE, most other attributes are stripped, and it is moved to the Deleted Objects container. Because isDeleted is itself a replicated attribute with a version stamp, the deletion replicates like any other change. Once a tombstone is older than the forest's tombstone lifetime, each DC's garbage-collection pass physically removes it from that DC's own database. The default lifetime was 60 days (forests created with Windows Server 2003 SP1 or later default to 180); the value in force is the tombstoneLifetime attribute of CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration in the forest root partition, and it is worth checking before you rely on the 60-day figure.

Problems arise when a DC misses the deletion for longer than the tombstone lifetime. The most common cause is a domain controller (DC) that has been offline for more than 60 days. By the time it comes back, every other DC has tombstoned and then garbage-collected the object, so nothing in the forest remembers that it was deleted; the stale DC still holds it as a live object. Such an object is called a lingering object. The next time it is modified on the stale DC, the change is replicated out and, to the other DCs, it looks like a brand-new object, so it is re-created across the domain. Windows 2000 SP3 and Windows Server 2003 add strict replication consistency (the Strict Replication Consistency value under HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters): a DC that receives an inbound update for an object it has already garbage-collected logs event 1988 and stops replicating from that partner instead of reanimating the object; with the setting off it logs event 1388 and the object comes back. The same failure occurs if a DC is restored from a backup that is more than 60 days old, which is why a backup older than the tombstone lifetime is no longer valid for restoring a DC.

The best prevention is to make daily or weekly system-state backups so a fresh one is always available, to monitor replication so that no DC silently drops out (repadmin /showrepl reports the last successful replication with each partner), and never to reconnect a DC that has been off the network longer than the tombstone lifetime. Forcibly demote such a DC, clean up its metadata, and promote it again from a healthy partner. If lingering objects have already appeared, repadmin /removelingeringobjects (Windows Server 2003 SP1 and later) compares the affected DC against a clean partner and removes them; run it with /advisory_mode first to see what would be deleted.
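To make the mechanics concrete, here is a small Python model of the replication rules described above, added as an illustration and not code from the original article or from Microsoft: per-attribute version stamps, tombstones that expire after the tombstone lifetime, an up-to-dateness vector per DC, and the lingering-object check. It replays the offline-DC scenario both with and without strict replication consistency. The DC names, the day-based clock and the object names are constructed for the example.

```python
"""Toy model of Active Directory replication, built to show how a deleted object
comes back: per-attribute version stamps, tombstones, garbage collection and the
lingering-object check of strict replication consistency. Constructed illustration,
not Microsoft code; DC names, the day clock and the objects are assumptions. Real AD
uses 64-bit USNs, DSA GUIDs and richer metadata, but the decision logic is the same."""
from dataclasses import dataclass, field

TOMBSTONE_LIFETIME_DAYS = 60   # default tombstoneLifetime for forests of this era


@dataclass(frozen=True, order=True)
class Stamp:
    """Highest version wins, then the later write, then the originating DC."""
    version: int
    time: int                            # originating write time, in days
    dsa: str                             # originating DC
    usn: int = field(compare=False)      # that DC's USN for the write (bookkeeping only)


@dataclass
class Obj:
    attrs: dict                          # attribute -> (value, Stamp)
    creator: str                         # DC the object was created on
    create_usn: int                      # creator's USN for the creation
    deleted_at: "int | None" = None      # day it became a tombstone


class LingeringObjectError(Exception):
    """Strict replication consistency refused the inbound update (event 1988)."""


class DC:
    def __init__(self, name, strict=False):
        self.name, self.strict, self.usn = name, strict, 0
        self.objects, self.events = {}, []
        self.utd = {name: 0}             # up-to-dateness vector: highest USN seen per DC

    def _next_usn(self):
        self.usn += 1
        self.utd[self.name] = self.usn
        return self.usn

    def create(self, dn, now, **attrs):
        usn = self._next_usn()
        self.objects[dn] = Obj({a: (v, Stamp(1, now, self.name, usn)) for a, v in attrs.items()}, self.name, usn)

    def write(self, dn, attr, value, now):
        usn, obj = self._next_usn(), self.objects[dn]
        ver = obj.attrs[attr][1].version + 1 if attr in obj.attrs else 1
        obj.attrs[attr] = (value, Stamp(ver, now, self.name, usn))

    def delete(self, dn, now):
        """A delete is a replicated write of isDeleted=TRUE: the tombstone."""
        self.write(dn, "isDeleted", True, now)
        self.objects[dn].deleted_at = now

    def garbage_collect(self, now):
        """Tombstones older than the lifetime are removed from this DC's database only."""
        for dn in [d for d, o in self.objects.items()
                   if o.deleted_at is not None and now - o.deleted_at > TOMBSTONE_LIFETIME_DAYS]:
            del self.objects[dn]

    def replicate_from(self, src):
        for dn, sobj in src.objects.items():
            # Only writes this DC has not yet seen from their originating DC are sent.
            changed = {a: (v, s) for a, (v, s) in sobj.attrs.items() if s.usn > self.utd.get(s.dsa, 0)}
            if not changed:
                continue
            mine = self.objects.get(dn)
            if mine is None:
                # Absent here although this DC already saw the creator's USN for the creation:
                # it was deleted and garbage-collected here, so the source holds a lingering object.
                if self.utd.get(sobj.creator, 0) >= sobj.create_usn:
                    if self.strict:
                        self.events.append(f"1988: lingering object {dn} on {src.name}, replication stopped")
                        raise LingeringObjectError(dn)
                    self.events.append(f"1388: lingering object {dn} reanimated from {src.name}")
                mine = self.objects[dn] = Obj({}, sobj.creator, sobj.create_usn)
                changed = dict(sobj.attrs)       # a new object is fetched whole
            for attr, (val, stamp) in changed.items():
                if attr not in mine.attrs or stamp > mine.attrs[attr][1]:
                    mine.attrs[attr] = (val, stamp)
            if mine.deleted_at is None and mine.attrs.get("isDeleted", (False, None))[0]:
                mine.deleted_at = sobj.deleted_at
        for dsa, u in src.utd.items():
            self.utd[dsa] = max(self.utd.get(dsa, 0), u)


def lingering_object(strict):
    """DC2 is offline past the tombstone lifetime while DC1 deletes alice.
    Returns (alice present on DC1 afterwards, DC1's event log)."""
    dc1, dc2 = DC("DC1", strict), DC("DC2", strict)
    dc1.create("CN=alice", now=0, description="staff")
    dc2.replicate_from(dc1)                          # both hold alice; DC2 now goes offline
    dc1.delete("CN=alice", now=1)                    # tombstone exists on DC1 only
    dc1.garbage_collect(now=62)                      # 61 days later: DC1 has forgotten alice
    dc2.write("CN=alice", "description", "contractor", now=75)   # DC2 back; alice still live there
    try:
        dc1.replicate_from(dc2)
    except LingeringObjectError:
        pass
    return "CN=alice" in dc1.objects, dc1.events


if __name__ == "__main__":
    print("loose consistency:", lingering_object(strict=False))
    print("strict consistency:", lingering_object(strict=True))
```

With loose consistency the stale DC's edit brings alice back onto DC1 and the model logs a 1388-style event; with strict consistency DC1 refuses the update, logs 1988 and stays without alice. Note that the model, like AD, sends only writes the destination has not seen, which is why the object reappears only once someone touches it on the stale DC; a tombstone that replicates before garbage collection (delete, replicate, then collect on both DCs) stays gone, which you can confirm with the same classes.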

Authoritative restores can also cause deleted objects to reappear. An authoritative restore (ntdsutil, run after a non-authoritative system-state restore) brings objects back from a backup and, so that they win replication against the copies held by every other DC, raises the version number of every attribute of each restored object, by default 100,000 for each day that has passed since the backup was taken. The restored objects therefore overwrite whatever the rest of the domain holds, including tombstones: anything that was deliberately deleted after the backup but falls inside the restored scope comes back, and legitimate changes made to those objects since the backup are reverted. All too often the admin restores a whole OU, or even the entire domain, when a single user or group was all that needed recovering. Limit what is brought back: use ntdsutil's restore object for the specific distinguished names rather than restore subtree whenever you can.
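The following added example, not the article's or Microsoft's code, models the version bump an authoritative restore applies and contrasts restoring a whole OU with restoring one object. The OU and user names, the day-based clock and the treatment of isDeleted as an ordinary stamped attribute are simplifying assumptions made for the illustration.

```python
"""Constructed illustration (not Microsoft code) of what ntdsutil's authoritative
restore does to attribute version numbers, and why a subtree restore brings back
objects that were deliberately deleted after the backup. The OU, the user names,
the day clock and treating isDeleted as an ordinary attribute are assumptions."""
from dataclasses import dataclass

VERSION_INCREMENT_PER_DAY = 100_000   # ntdsutil default: +100,000 per day since the backup


@dataclass(frozen=True, order=True)
class Stamp:
    """Attribute stamp: highest version wins on replication, ties go to the later write."""
    version: int
    time: int                         # originating write time, in days


# Backup of OU=Sales taken on day 0 (constructed data).
BACKUP = {
    "CN=alice,OU=Sales": {"description": ("staff", Stamp(1, 0))},
    "CN=bob,OU=Sales":   {"description": ("staff", Stamp(1, 0))},
    "CN=carol,OU=Sales": {"description": ("staff", Stamp(1, 0))},
}

# Live directory on day 10: bob was deliberately deleted on day 3, carol was
# legitimately updated on day 5, alice was deleted by mistake on day 9.
LIVE = {
    "CN=alice,OU=Sales": {"description": ("staff", Stamp(1, 0)), "isDeleted": (True, Stamp(1, 9))},
    "CN=bob,OU=Sales":   {"description": ("staff", Stamp(1, 0)), "isDeleted": (True, Stamp(1, 3))},
    "CN=carol,OU=Sales": {"description": ("manager", Stamp(2, 5))},
}


def in_scope(dn, scope):
    """True for the scope object itself and everything beneath it."""
    return dn == scope or dn.endswith("," + scope)


def authoritative_restore(live, backup, scope, restore_day, backup_day=0):
    """Return a copy of `live` after an authoritative restore of `scope` from `backup`.
    Every restored attribute has its version raised by 100,000 per day elapsed since
    the backup, so it outranks any live stamp; isDeleted is restored as FALSE likewise."""
    bump = VERSION_INCREMENT_PER_DAY * (restore_day - backup_day)
    merged = {dn: dict(attrs) for dn, attrs in live.items()}
    for dn, attrs in backup.items():
        if not in_scope(dn, scope):
            continue
        restored = {a: (v, Stamp(s.version + bump, restore_day)) for a, (v, s) in attrs.items()}
        restored["isDeleted"] = (False, Stamp(1 + bump, restore_day))
        target = merged.setdefault(dn, {})
        for attr, (val, stamp) in restored.items():    # same stamp comparison replication uses
            if attr not in target or stamp > target[attr][1]:
                target[attr] = (val, stamp)
    return merged


def live_objects(directory):
    """Sorted DNs that are not tombstones."""
    return sorted(dn for dn, attrs in directory.items()
                  if not attrs.get("isDeleted", (False, None))[0])


if __name__ == "__main__":
    whole_ou = authoritative_restore(LIVE, BACKUP, "OU=Sales", restore_day=10)
    just_alice = authoritative_restore(LIVE, BACKUP, "CN=alice,OU=Sales", restore_day=10)
    print("restore subtree OU=Sales :", live_objects(whole_ou),
          "carol =", whole_ou["CN=carol,OU=Sales"]["description"][0])
    print("restore object CN=alice  :", live_objects(just_alice),
          "carol =", just_alice["CN=carol,OU=Sales"]["description"][0])
```

Restoring the subtree resurrects bob, who was deliberately deleted, and rolls carol's description back to the day-0 value because the restored stamp (version 1,000,001) beats her day-5 write; restoring only alice's DN fixes the mistaken deletion and leaves the rest of the OU as it is.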

It is also possible, though far rarer, for the tombstone itself to be altered, corrupted, or removed, so that a deleted object reappears or is never garbage-collected. Before assuming corruption, look at the object's replication metadata with repadmin /showobjmeta, which shows for each attribute the version number and the DC and time of the originating write; a stray isDeleted write that no administrator or restore accounts for points at the DC that made it. If the metadata cannot be explained by an admin action or a restore, treat that DC as suspect and inspect it for viruses, malicious code, or unauthorized directory writes.

James Michael Stewart is a partner and researcher for ITinfopros, a technology-focused writing and training organization.

This was first published in October 2003
