Jorge's Quest For Knowledge!

All You Need To Know About Identity And Security On-Premises And In The Cloud. It's Just Like An Addiction, The More You Have, The More You Want To Have!

(2006-07-23) Tombstone Lifetime Within An AD Forest When Installing The FIRST DC

Posted by Jorge on 2006-07-23


For the past few days several folks were troubleshooting something very strange. Several people (David Chadwick, Yusuf Dikmenoglu and Jorge Silva) on the newsgroups mentioned that when installing a W2K3 R2 server (using CD1 and CD2!) and promoting it as the FIRST DC in the forest, the tombstone lifetime was set to <NOT SET> (which means 60 days). That was strange, because R2 is based upon W2K3 with SP1, and SP1 implements a tombstone lifetime of 180 days.

Those three people, Joe Richards and I looked into this.

The "tombstone lifetime" in AD determines how long a tombstone, after deletion, is kept in the AD database before it is completely removed from the database by the "Garbage Collection" process on each DC.

The information is stored in the attribute "tombstoneLifetime" on the object:

  • "CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=<domain>,DC=<tld>"

As we have all learned, the tombstoneLifetime value within a forest, as set when installing the FIRST DC, is by default (or at least should be):

  • Fresh install of AD with W2K DCs (all SPs)           : 60 days   (value = <not set>)
  • Upgrading AD with W2K DCs to W2K3 DCs                : 60 days   (value = <not set>)
  • Upgrading AD with W2K DCs to W2K3 SP1 DCs            : 60 days   (value = <not set>)
  • Upgrading AD with W2K DCs to W2K3 SP1/R2 DCs         : 60 days   (value = <not set>)
  • Fresh install of AD with W2K3 DCs                    : 60 days   (value = <not set>)
  • Upgrading AD with W2K3 DCs to W2K3 SP1 DCs           : 60 days   (value = <not set>)
  • Upgrading AD with W2K3 DCs to W2K3 SP1/R2 DCs        : 60 days   (value = <not set>)
  • Fresh install of AD with W2K3 SP1 DCs (all SPs)      : 180 days  (value = 180)
  • Fresh install of AD with W2K3 SP1/R2 DCs (all SPs)   : 180 days  (value = 180)

When you look at the attribute value and you see <not set>, that means 60 days!

REMARK: When installing Windows Server with SP1, it should NOT matter whether you:

  • First install W2K3 server and then update the installation by installing SP1
  • Install W2K3 server WITH SP1 slipstreamed
  • Install W2K3 server WITH SP1 slipstreamed from the first CD from the R2 distribution set.

After installing a server with the W2K3 media, the file called SCHEMA.INI does not have a definition for the tombstone lifetime. WHICH IS OK!

After installing a server with the W2K3 SP1 media (slipstreamed), the file called SCHEMA.INI has a definition for the tombstone lifetime in a line that specifies "tombstoneLifetime=180". WHICH IS OK!

After installing a server with the W2K3 R2 media (CD1, but before installing the R2 binaries from CD2), the file called SCHEMA.INI has a definition for the tombstone lifetime in a line that specifies "tombstoneLifetime=180". After installing the R2 binaries from CD2, the file called SCHEMA.INI DOES NOT HAVE the "tombstoneLifetime=180" line anymore. The line is gone. Looking at it further I saw that in the first case the timestamp of the SCHEMA.INI file is 30-11-2005 14.00 (176 kb) and in the second case the timestamp of the SCHEMA.INI file is 23-11-2005 14.00 (176 kb), i.e. the R2 binaries replace it with an older copy of the file. WHICH IS NOT OK!

"<CD-drive>:\CMPNENTS\R2\PACKAGES\COREBINS\I386\SCHEMA.INI" and "<CD-drive>:\CMPNENTS\R2\ADPREP\SCHEMA.INI" on the second CD of the R2 distribution set are missing the following lines under the [Directory Service] section:

; Explict TSL default set in W2K3 SP1 to increase shelf-life of backups and allow longer
; disconnection times.
tombstoneLifetime=180

Conclusion:

  • If you install a W2K3 server from the first CD from the W2K3 R2 distribution set, then promote it to a DC and then install the R2 binaries from the second CD, the tombstone lifetime is set to 180 days
  • If you install a W2K3 server from the first CD from the W2K3 R2 distribution set, then install the R2 binaries from the second CD and then promote it to a DC, the tombstone lifetime is set to <not set> which is 60 days!

or simply put… a BUG, triggered when the R2 binaries are installed before the first DC is promoted to create the AD forest.

The solution: manually (or through a script or a command line tool) change the value of the "tombstoneLifetime" attribute on the object mentioned earlier to 180 yourself.
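One way to check and apply that fix from a PowerShell session on a DC (an added example, not from the original post; it uses the built-in ADSI accessor rather than any particular tool, and the SCHEMA.INI path and the function names are assumptions):

```powershell
# Added example: read the forest tombstoneLifetime via ADSI and, if it is <not set>
# (the built-in 60-day default), set it to 180 as the post recommends.
# Assumes it runs on a domain-joined machine as an account allowed to write to the
# Configuration partition (typically Enterprise Admins). Function names are made up here.

function Get-DirectoryServiceObject {
    # CN=Directory Service,CN=Windows NT,CN=Services,<configuration NC> from the post
    $cfgNC = ([ADSI]"LDAP://RootDSE").configurationNamingContext
    [ADSI]"LDAP://CN=Directory Service,CN=Windows NT,CN=Services,$cfgNC"
}

function Get-TombstoneLifetime {
    $ds = Get-DirectoryServiceObject
    $value = $ds.Properties["tombstoneLifetime"].Value
    if ($null -eq $value) {
        # <not set> means the DS falls back to its built-in default of 60 days
        [pscustomobject]@{ Attribute = '<not set>'; EffectiveDays = 60 }
    } else {
        [pscustomobject]@{ Attribute = [int]$value; EffectiveDays = [int]$value }
    }
}

function Set-TombstoneLifetime {
    param([int]$Days = 180)
    $ds = Get-DirectoryServiceObject
    $ds.Put("tombstoneLifetime", $Days)
    $ds.SetInfo()   # commit on the bound DC; replication carries it to the rest of the forest
}

function Test-SchemaIniTsl {
    # True if the local SCHEMA.INI still carries the explicit line the R2 CD2 copy lacks.
    # Assumed location: %SystemRoot%\System32\schema.ini
    $path = Join-Path $env:SystemRoot 'System32\schema.ini'
    [bool](Select-String -Path $path -Pattern '^\s*tombstoneLifetime\s*=\s*180' -Quiet)
}

$current = Get-TombstoneLifetime
"Current tombstoneLifetime: {0} (effective {1} days)" -f $current.Attribute, $current.EffectiveDays
"Local SCHEMA.INI has tombstoneLifetime=180: {0}" -f (Test-SchemaIniTsl)
if ($current.Attribute -eq '<not set>') {
    Set-TombstoneLifetime -Days 180
    "tombstoneLifetime set to 180; re-run Get-TombstoneLifetime after replication to confirm."
}
```

Raising the value is the safe direction: it lengthens the window in which backups stay restorable and disconnected DCs can still replicate without lingering objects, so the script only writes when the attribute is <not set>.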

Cheers,
Jorge
———————————————————————————————
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always evaluate/test yourself before using/implementing this!
* DISCLAIMER:
https://jorgequestforknowledge.wordpress.com/disclaimer/
———————————————————————————————
############### Jorge's Quest For Knowledge ###############
http://JorgeQuestForKnowledge.wordpress.com/
———————————————————————————————
