Tuesday, October 3, 2006

Active Directory Backup? Don't rush ...

If you need to restore your domain controller, or you need to make an authoritative restore of Active Directory, you need a backup that is younger than 60 days (by default). The reason for this is that every object in Active Directory that gets deleted remains as a tombstone, to make sure that the information to delete this object is replicated to every DC before it is physically deleted from the store. The tombstone is the object stripped down to a limited set of attributes, such as the GUID, name and SID of the object, plus the mark that it is deleted. The garbage collection of Active Directory takes care of finally deleting tombstones that are older than the tombstone lifetime.
So that is the reason why you are not allowed to use a backup that is older than the tombstone lifetime: you would reintroduce objects that were already deleted and may run into unexpected behaviours. Read more here.
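The following PowerShell is an added example, not code from the original post. It reads the forest's tombstone lifetime from the Configuration partition (falling back to the 60-day default the post mentions when the attribute is not set), compares it with the age of the backup set you intend to restore, and then lists a few current tombstones so you can see the limited attribute set they retain. It assumes the ActiveDirectory module (RSAT) on a current Windows Server and a reachable DC; the backup date is a constructed sample value.

```powershell
# Added example (not from the original post): is this backup still inside the
# tombstone lifetime, and what does a tombstone actually keep?
Import-Module ActiveDirectory

# The forest-wide tombstone lifetime lives on the Directory Service object in
# the Configuration partition. If the attribute is absent, AD uses 60 days,
# which is the default the post refers to.
$configNC = (Get-ADRootDSE).configurationNamingContext
$dsObject = Get-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$configNC" `
                         -Properties tombstoneLifetime
$tombstoneLifetime = if ($dsObject.tombstoneLifetime) { [int]$dsObject.tombstoneLifetime } else { 60 }

# Constructed sample: replace with the date of the backup set you want to restore.
$backupDate = Get-Date '2006-08-01'
$ageInDays  = [int]((Get-Date) - $backupDate).TotalDays

if ($ageInDays -ge $tombstoneLifetime) {
    Write-Warning ("Backup is $ageInDays days old, tombstone lifetime is $tombstoneLifetime days: " +
                   "restoring it would reintroduce objects that were already deleted. Take a fresh backup.")
} else {
    Write-Output "Backup is $ageInDays days old; still inside the $tombstoneLifetime-day tombstone lifetime."
}

# Tombstones are only visible when deleted objects are explicitly included.
# The few attributes shown are what survives on a tombstone; everything else
# is stripped until garbage collection removes the object for good.
Get-ADObject -Filter 'isDeleted -eq $true' -IncludeDeletedObjects `
             -Properties objectGUID, objectSid, lastKnownParent, whenChanged |
    Select-Object Name, objectGUID, objectSid, lastKnownParent, whenChanged -First 10
```

Run it as a user with read access to the Configuration partition; listing deleted objects needs the same rights as reading the Deleted Objects container. If the first part warns, do not restore from that backup set; take a new system state backup and use that instead.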

1 comment:

  1. Thanks for the great article. Another useful suggestion is to perform Active Directory backup and restore with Active Administrator. This tool allows you to back up all objects in the domain, and when something happens you can select the object from the list and restore the object with all the attributes or only selected attributes. And in the case of a container object you can restore all objects it contains or only objects of a particular type.