Re: Default tombstone lifetime

BTW, thanks for floating this up. It obviously points out a process flaw that we need to help Microsoft acknowledge so they can address it so it doesn't happen again with say Longhorn R2.

--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net


---O'Reilly Active Directory Third Edition now available---

http://www.joeware.net/win/ad3e.htm


David Chadwick wrote:
Hi Joe,

Thanks for persisting with this.

Just to clarify, you mentioned in your blog post that "some people aren't seeing this", referring to the TLS being set to 180 if using Windows 2003 SP1 (but NOT R2).

I wanted to make sure I made it clear that I *am* seeing this. In all my posts about when I haven't seen it, it turns out that I was using R2. It is just that initially when making posts I wasn't specifying whether it was SP1 or R2 as (in my head) these should be the same thing.

So yes, SP1 only is 180 days, R2 is back to 60 days.

I wonder which schema.ini file they have gone forward with in SP2. :)

Cheers,
David

"Joe Richards [MVP]" <humorexpress@xxxxxxxxxxx> wrote in message news:elfHzqqrGHA.1084@xxxxxxxxxxxxxxxxxxxxxxx
At a technical level there is a constant value (appropriately named DEFAULT_TOMBSTONE_LIFETIME) defined in a header file and if the directory entry doesn't exist, the constant value is used in its stead.

This is standard way of handling any config values (directory or registry) that have default values with no required directory or registry entry. It saves them from the inevitable crash if someone deleted a critical value and that value didn't have a default value to insert by default.

I am absolutely positive the documentation is wrong and already have concurrence from one of the best AD troubleshooters inside of Microsoft who was going to chase up with the documentation owner.

I have also alerted him of this regression issue with the second CD from R2. If you windiff the two involved version of the file you will see that it appears that someone took a file from 11/23 and updated the object version of the schema object in the file and then 7 days later on 11/30 someone updated the file from 11/23 with the new tombstonelifetime. There needed to be a schema object rev between the two but obviously the tombstonelifetime change should have been in both. Basically it is a source check-in mistake.


If you have SP1 install media that has a schema.ini file without the updated tombstonelifetime value then we have yet another problem. Please verify that any Gold SP1 media you actually received from Microsoft or built directly from a Gold ISO has the proper schema.ini file. If it doesn't, please let me know what it is and how you got it and I will get that info into MSFT.


joe

--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net


---O'Reilly Active Directory Third Edition now available---

http://www.joeware.net/win/ad3e.htm


David Chadwick wrote:
Hi Jorge,

Thanks for your reply.

I realise that this is how it works. My question was actually about how AD determines whether the tombstone lifetime is 60 days or 180 days at a technical level. If you read the technet link that I have in my first post, you will see that it states that in BOTH situations (with or without SP1) the tombstoneLifetime attribute is set to "<not set>".

My question or observation was that it must then mean that AD falls back to some other method of determining whether it is 60 or 180 days and I wanted to know what that method was.

Joe says that the documentation is wrong and that it actually does set that particular attribute to 180 days (rather than "<not set>") if you create a forest on a SP1 machine, but that is not what I am seeing. I've tried it several times, all from clean genuine VLK media and that attribute is NEVER set for me.

Cheers,
David


"Jorge Silva" <jorgesilva_pt@xxxxxxxxxxx> wrote in message news:evpYA7brGHA.4892@xxxxxxxxxxxxxxxxxxxxxxx
Hi

In an Forest were you installed the 1st DC a Windows Server 2003 SP1he new default tombstone-lifetime is tripled to 180 days. If you don't dcpromo the forests first DC with SP1 already installed you'll still have the default tombstone-lifetime of 60 days.


--
I hope that the information above helps you

Good Luck
Jorge Silva
MCSA
Systems Administrator

"David Chadwick" <david@xxxxxxxxxxxxxxx> wrote in message news:%23k4d04JrGHA.3680@xxxxxxxxxxxxxxxxxxxxxxx
Hi,

This is a question out of curiousity rather than a desperate need to know. :)

The following Technet link explains what the default tombstone lifetime for a domain is:
http://technet2.microsoft.com/WindowsServer/en/library/f3df8a52-81ea-4a1d-9823-4e51fbd3422a1033.mspx?mfr=true

The default value for "tombstoneLifetime" is "<not set>".

The thing I find strange is that "<not set>" could either be 60 days or 180 days, depending on whether your forest root was initially created on Windows 2000/2003 RTM or Windows 2003 SP1.

My question is where does AD ultimately pull this information from? What I am trying to ask is - imagine you create your forest root with Windows 2003 RTM. It is now years later and all your DCs are Windows 2003 SP1. Your tombstoneLifetime is still "<not set>", and in this particular instance "<not set>" means 60 days.

How does AD "know" that "<not set>" means 60 days rather than 180 days? There must be another attribute somewhere which defines this default, surely? How does AD determine whether it was "initially 2003 RTM" and therefore decide that the tombstone lifetime is 60 rather than 180 days.

I'm really curious about this. :)

Cheers,
David




.

Relevant Pages

  • Re: Vista SP1
    ... Unlimited installation and compatibility support for Vista SP1 is available ... Vista | select Windows Vista Service Pack 1 ... MS MVP-IE, Mail, Security, Windows Desktop Experience - since 2002 ... Microsoft using the link above that you have indeed checked those things ...
    (microsoft.public.windowsupdate)
  • RE: Remote Access Wizard Fails
    ... to re-apply the SBS 2003 SP1, then check if the issue can be reproduced: ... Installation Instructions for Service Pack 1 for Windows Small Business ... Microsoft CSS Online Newsgroup Support ...
    (microsoft.public.windows.server.sbs)
  • Re: Vista SP1
    ... Unlimited installation and compatibility support for Vista SP1 is available ... Vista | select Windows Vista Service Pack 1 ... MS MVP-IE, Mail, Security, Windows Desktop Experience - since 2002 ... Microsoft using the link above that you have indeed checked those things ...
    (microsoft.public.windowsupdate)
  • Re: Default tombstone lifetime
    ... SP1. ... someone updated the file from 11/23 with the new tombstonelifetime. ... Joe Richards Microsoft MVP Windows Server Directory Services ... depending on whether your forest root was initially created ...
    (microsoft.public.windows.server.active_directory)
  • Re: Default tombstone lifetime
    ... If you windiff the two involved version of the file you will see that it appears that someone took a file from 11/23 and updated the object version of the schema object in the file and then 7 days later on 11/30 someone updated the file from 11/23 with the new tombstonelifetime. ... Please verify that any Gold SP1 media you actually received from Microsoft or built directly from a Gold ISO has the proper schema.ini file. ... Joe says that the documentation is wrong and that it actually does set that particular attribute to 180 days if you create a forest on a SP1 machine, but that is not what I am seeing. ... In an Forest were you installed the 1st DC a Windows Server 2003 SP1he new default tombstone-lifetime is tripled to 180 days. ...
    (microsoft.public.windows.server.active_directory)
Loading