Active Directory Authoritative Restore + Tombstone Lifetime

  • Question

  • My AD is 2003, all DCs are upgraded to SP1. I have a virtual cluster computer object that appears to have been deleted >60 days ago (I ran adrestore and it didn't find it) - I guess nobody noticed since the cluster hasn't been touched, except last night it appears that DNS purged the stale records and then a few problems occurred. I do have a system state backup from several months ago that would contain this object, but after doing some reading it sounds like you cannot use a system state backup that is older than the tombstone lifetime? Does this still apply even if you're only trying to authoritatively restore a single object?

    If I cannot use the system state to do this restore, are there any other suggestions?

    Thanks,
    Matt
    Thursday, May 28, 2009 6:13 PM

Answers

  • If your tombstone lifetime -at the time the object was deleted- was 60 days, then you can't use a backup older than 60 days to auth restore the object in a supported fashion. (In other words, you can't bump your TSL -today- to 240 days and then run an auth restore of an older backup, make sense?)

    If it's not creating an immediate issue for you, wait for your next scheduled outage window, re-create the object, drop and re-add to the domain.
    Laura Hunter - Directory Services MVP Identity Architect - Oxford Computer Group (http://www.oxfordcomputergroup.com)
    • Marked as answer by Matt Sl Friday, May 29, 2009 9:37 PM
    Thursday, May 28, 2009 6:32 PM
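The check Laura describes (backup age against the tombstone lifetime that was in force) can be scripted. The following is an added example, not code from the thread; it assumes the ActiveDirectory PowerShell module (RSAT / Windows Server 2008 R2 or later, so not the poster's 2003 DCs directly, but a newer admin workstation works), and the backup date and computer name are placeholders.

```powershell
# Added example: is a system state backup still usable for an authoritative
# restore of one object, and is the tombstone perhaps still around?
# Assumes the ActiveDirectory module; $BackupDate and $ComputerName are assumed values.
Import-Module ActiveDirectory

$BackupDate   = Get-Date '2009-01-15'   # assumed: date the system state backup was taken
$ComputerName = 'CLUSTER01'             # assumed: computer object name (sAMAccountName without the trailing $)

# The forest-wide tombstone lifetime lives on the Directory Service object in the
# configuration NC. If the attribute is not set (forest created on Windows 2000 or
# 2003 RTM) the effective value is 60 days; forests created on 2003 SP1+ stamp 180.
$rootDse  = Get-ADRootDSE
$dsObject = Get-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$($rootDse.configurationNamingContext)" -Properties tombstoneLifetime
$tsl = if ($dsObject.tombstoneLifetime) { [int]$dsObject.tombstoneLifetime } else { 60 }

# Note: this is the TSL as it is set today. Per the answer above, what matters is the
# TSL at the time of deletion; raising it now does not make an older backup supportable.
$backupAgeDays = [int]((Get-Date) - $BackupDate).TotalDays
$oldestUsable  = (Get-Date).AddDays(-$tsl)

Write-Host "Tombstone lifetime (current setting): $tsl days"
Write-Host "Backup age: $backupAgeDays days (oldest supportable backup date: $($oldestUsable.ToShortDateString()))"
if ($backupAgeDays -ge $tsl) {
    Write-Warning "Backup is older than the tombstone lifetime: not supported for authoritative restore, even for a single object."
} else {
    Write-Host "Backup is within the tombstone lifetime; an authoritative restore of the object is supportable."
}

# Second check: does a tombstone for the object still exist? sAMAccountName is one of
# the attributes preserved on tombstones, so it can be searched in Deleted Objects.
$sam = "$ComputerName`$"
$tombstone = Get-ADObject -Filter "sAMAccountName -eq '$sam' -and isDeleted -eq `$true" `
    -IncludeDeletedObjects -Properties whenChanged, lastKnownParent, isDeleted
if ($tombstone) {
    # whenChanged on a tombstone is close to the deletion time; add the TSL to
    # estimate when garbage collection will remove it for good.
    Write-Host "Tombstone found: $($tombstone.DistinguishedName)"
    Write-Host "Deleted around $($tombstone.whenChanged), last parent $($tombstone.lastKnownParent)"
    Write-Host "Tombstone expires around $($tombstone.whenChanged.AddDays($tsl))"
    # Reanimation (what adrestore does) is possible while the tombstone exists:
    #   Restore-ADObject -Identity $tombstone.ObjectGUID
    # Only tombstone-preserved attributes come back; the rest must be re-populated.
} else {
    Write-Warning "No tombstone for $sam: it has been garbage-collected. Re-create the object (and re-join) as suggested."
}
```

Run it as a domain administrator. Two conditions must both hold before an authoritative restore is even considered: the backup is younger than the tombstone lifetime, and that lifetime was not raised after the deletion. If the tombstone is already gone, which is the poster's situation, re-creating the object is the remaining path.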

All replies

  • Hey Matt, if you restore this object AD will mark it as a lingering object. Basically, to my knowledge you can't recover this object. One of the MVPs might be able to add to that or may have a way to recover the object. What's the issue with recreating the object? It's just the computer account for the cluster object, correct?
    This posting is provided "AS IS" with no warranties, and confers no rights. Check out my blog at - http://chrisbeams.wordpress.com/
    Thursday, May 28, 2009 6:27 PM
  • Hello Matt,

    additional to what the others said see here about:
    http://support.microsoft.com/default.aspx/kb/216993
    Best regards Meinolf Weber Disclaimer: This posting is provided "AS IS" with no warranties, and confers no rights. ** Please do NOT email, only reply to the Forum
    Friday, May 29, 2009 8:05 AM
  • I'm not aware whether you are talking about a Windows 2003 MSCS or a Windows 2008 Failover Cluster. For the latter, the following is a blog post on how to prevent the issue and how to repair it in case you have a valid system state backup:

    http://blogs.technet.com/askcore/archive/2009/04/27/recovering-a-deleted-cluster-name-object-cno-in-a-windows-server-2008-failover-cluster.aspx
    Saturday, May 30, 2009 8:37 AM