Wednesday, November 17, 2010

What happens when an Active Directory object is deleted

Have you ever wondered what happens when an Active Directory object is deleted?


Well, in this blog entry, we'll take a look, so grab your coffee cups, and let's get started!

As you probably know, every object in Active Directory is an instance of a specific Active Directory Schema class (User, Computer, Organizational Unit and so on), and each object is essentially a collection of attributes defined in the Schema; the values those attributes take on together make up the object. For instance, a user's first and last names are attributes, and so are the common time-based values such as when-created and when-changed.

Now, when an Active Directory object is deleted, it is first logically deleted for a specific interval of time to allow replication of the deletion to occur, and after this time has elapsed it is physically deleted.

As part of the logical deletion, Active Directory strips off most of the attributes (i.e. clears their values) and moves the object into a special container known as the Deleted Objects container, which is hidden from ordinary searches and, incidentally, is itself a special-purpose deleted object.

When an object is deleted, Active Directory strips away most of its attributes, except for those required to keep the object uniquely identifiable until its deleted state has replicated to every domain controller in the domain: objectGUID, the security identifiers objectSid and sIDHistory, sAMAccountName, the object's (rewritten) distinguished name and lastKnownParent, which records where the object used to live, among a handful of others. The relative distinguished name is changed to the original name followed by a line-feed character, "DEL:" and the object's GUID (rendered in the DN as CN=jsmith\0ADEL:<guid>), so that tombstones of same-named objects never collide. Active Directory also keeps the time of deletion, so that its background cleanup knows when the object is old enough to remove, and marks the object as logically deleted by setting the internal attribute isDeleted to TRUE. Because the SIDs survive, a tombstone that is reanimated (a documented operation that requires the "Reanimate tombstones" control access right on the naming context) comes back with its original SIDs, and any ACL entries that still name them apply to it again; it is worth knowing who holds that right.

As mentioned above, the deletion is not immediate but is spread over time.

Now, you may have heard the term Tombstone. A tombstone is a logically deleted Active Directory object. All tombstones reside in the Deleted Objects container in Active Directory. A tombstoned object remains in that state for a specific (configurable) period, during which Active Directory replicates the tombstone to all domain controllers that host its partition. This period is referred to as the Tombstone Lifetime, and after it expires the tombstone is physically deleted from the directory. (In Windows Server 2008 R2 forests with the Active Directory Recycle Bin enabled, a deleted object first spends a deleted-object lifetime with all of its attributes intact and only then becomes a stripped tombstone, called a recycled object; the rest of this post describes the classic behaviour.)
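To see the stripping and the Deleted Objects container for yourself, here is an added example, not code from the original post: it creates a throw-away user, deletes it, and reads the tombstone back with the Active Directory PowerShell module. It assumes the ActiveDirectory module (Windows Server 2008 R2 or RSAT), a lab domain with an OU named Lab and a user name I made up, an account allowed to create and delete users there and to read the Deleted Objects container (members of Administrators by default), and that the Active Directory Recycle Bin is not enabled.

```powershell
# Added example, not from the original post. Assumes the ActiveDirectory module, a lab domain,
# an existing OU named "Lab" (assumption), an account that can create/delete users there and
# read CN=Deleted Objects, and that the AD Recycle Bin is disabled.
Import-Module ActiveDirectory

$domainDN = (Get-ADDomain).DistinguishedName
$labOU    = "OU=Lab,$domainDN"          # assumed to exist
$sam      = "tombstone.demo"            # made-up account name

# 1. Create a throw-away user and capture every attribute that currently has a value.
$live = New-ADUser -Name $sam -SamAccountName $sam -GivenName "Tomb" -Surname "Stone" `
                   -Path $labOU -PassThru | Get-ADObject -Properties *
$liveAttrs = $live.PropertyNames | Sort-Object
$guid      = $live.ObjectGUID

# 2. Delete it. Without the Recycle Bin this turns the object into a tombstone immediately.
Remove-ADObject -Identity $live.DistinguishedName -Confirm:$false

# 3. Read the tombstone back. -IncludeDeletedObjects attaches the LDAP "show deleted objects"
#    control (OID 1.2.840.113556.1.4.417). objectGUID is one of the attributes that survive
#    deletion, so it is the reliable handle for a deleted object.
$tomb      = Get-ADObject -Identity $guid -IncludeDeletedObjects -Properties *
$tombAttrs = $tomb.PropertyNames | Sort-Object

# 4. Show what deletion cleared and what it kept.
"Live object: {0} attributes. Tombstone: {1} attributes." -f $liveAttrs.Count, $tombAttrs.Count
"Cleared by deletion:"
Compare-Object -ReferenceObject $liveAttrs -DifferenceObject $tombAttrs |
    Where-Object { $_.SideIndicator -eq '<=' } |
    Select-Object -ExpandProperty InputObject

"Retained on the tombstone:"
$tomb | Format-List isDeleted, Name, DistinguishedName, lastKnownParent, `
                    objectGUID, objectSid, sAMAccountName, whenChanged

# What to look for: isDeleted = True; the DistinguishedName now sits under CN=Deleted Objects with
# the RDN rewritten to "<old name>\0ADEL:<objectGUID>" (the Name value contains a literal line
# feed); lastKnownParent points at the Lab OU; GivenName and Surname are gone; objectSid and
# sAMAccountName are still there.
```

Run it against a lab domain only: the user is really deleted, and without the Recycle Bin the only way back is tombstone reanimation or an authoritative restore.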

(The default value of the Tombstone Lifetime is 60 days in Windows 2000 and in forests created with Windows Server 2003 before Service Pack 1; forests created with Windows Server 2003 SP1 or later get 180 days. The value is a single forest-wide attribute, tombstoneLifetime, on the Directory Service object in the Configuration partition; when it is not set, domain controllers use the built-in 60 days, and upgrading the domain controllers does not change it, so an older forest stays at 60 days until an administrator raises it. The value matters for replication health: a domain controller that has not replicated for longer than the Tombstone Lifetime has missed deletions whose tombstones its peers have already removed, and it can reintroduce those objects as lingering objects.)

This physical deletion process is known as Garbage Collection and it is performed locally on every domain controller by a background process called the Garbage Collector, which removes only those tombstones whose deletion is older than the Tombstone Lifetime. The Garbage Collector runs on every domain controller every 12 hours by default; the interval is controlled, in hours, by the garbageCollPeriod attribute on the same Directory Service object that holds tombstoneLifetime.
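The two settings from the previous paragraphs, the forest-wide tombstone lifetime and the garbage collection interval, live on one object in the Configuration partition. The following added example (not from the original post) reads them, applies the documented defaults when they are unset, and turns the lifetime into the two dates an administrator actually cares about. It assumes the ActiveDirectory module; any authenticated user can read these attributes by default, while the commented write at the end needs Enterprise Admins rights.

```powershell
# Added example, not from the original post. Reads the forest-wide tombstone lifetime and the
# garbage collection interval. Assumes the ActiveDirectory module is available.
Import-Module ActiveDirectory

$configNC = (Get-ADRootDSE).configurationNamingContext
$dsObject = Get-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$configNC" `
                         -Properties tombstoneLifetime, garbageCollPeriod

# Either attribute may be absent. An unset tombstoneLifetime means every DC falls back to the
# built-in 60 days (the state of forests created before Windows Server 2003 SP1 unless someone
# raised it); forests created with SP1 or later have 180 written here explicitly. An unset
# garbageCollPeriod means the garbage collector runs every 12 hours.
$tsl = if ($dsObject.tombstoneLifetime) { [int]$dsObject.tombstoneLifetime } else { 60 }
$gcp = if ($dsObject.garbageCollPeriod) { [int]$dsObject.garbageCollPeriod } else { 12 }

$report = New-Object PSObject -Property @{
    Forest                    = (Get-ADForest).Name
    TombstoneLifetimeDays     = $tsl
    TombstoneLifetimeExplicit = [bool]$dsObject.tombstoneLifetime
    GarbageCollPeriodHours    = $gcp
    # A DC that has not replicated by this date is stale: its peers have garbage-collected
    # tombstones it never received, and it can reintroduce them as lingering objects.
    ReplicationDeadline       = (Get-Date).AddDays($tsl)
    # A backup older than this date cannot be restored safely for the same reason.
    OldestUsableBackup        = (Get-Date).AddDays(-$tsl)
}
$report | Format-List

# Raising the lifetime to the modern default is one forest-wide write; it replicates to every
# DC and only affects tombstones garbage-collected after it arrives. Uncomment to apply:
# Set-ADObject -Identity $dsObject -Replace @{ tombstoneLifetime = 180 }
```

TombstoneLifetimeExplicit = False together with TombstoneLifetimeDays = 60 is the tell-tale sign of a forest that was created before Windows Server 2003 SP1 and never had the value raised.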

So, in essence, the tombstone is replicated to all domain controllers, and each domain controller then physically deletes its own copy once the Tombstone Lifetime has expired, with no further coordination needed. In this manner, an Active Directory object is ultimately removed from the whole directory.

By the way, if you are trying to view the Deleted Objects container, note that its contents are hidden by default: an LDAP client must send the "show deleted objects" control (OID 1.2.840.113556.1.4.417; in ldp.exe this is the "Return deleted objects" option, and the Active Directory PowerShell cmdlets expose it as the -IncludeDeletedObjects switch). Special permissions are also required: by default only members of the Administrators group have List Contents and Read Property on the container, and any other account must be granted those rights on it explicitly (for example with dsacls) before it can see a single tombstone.

So there you have it, that's a brief overview of what happens when an Active Directory object is deleted.

1 comment:

  1. Hi Josh,

    I'm Marc. I run a blog on Active Directory Reporting Tools.

    I thought you would like to know that there is a tool called Gold Finger for AD that can help you view all deleted objects in Active Directory.

    I have reviewed it on my blog in case you would like to learn more about it.

    Thanks,
    March
