Useful shelf life of a system-state backup of Active Directory
Article ID: 216993
This article was previously published under Q216993
Windows Backup, the backup tool that is included with Microsoft Windows Server 2003 and with Microsoft Windows 2000, can back up and restore Active Directory on Windows Server 2003 or Windows 2000 domain controllers. These backups can be performed while the domain controller is online. You can restore these backups only when the domain controller is booted into Directory Services Restore mode by using the F8 key when the server is starting.
If a nonauthoritative restore is performed by using Backup, the domain controller will contain the settings and entries that existed in the Domain, Schema, Configuration, and optionally the Global Catalog Naming Contexts when the backup was performed. Partial synchronization (replication) from other replicas within the enterprise then updates all naming contexts hosted on the domain controller, overwriting the restored data. For more information about authoritative and nonauthoritative restores, click the following article number to view the article in the Microsoft Knowledge Base:
216243 (http://support.microsoft.com/kb/216243/) The effects on trusts and computer accounts when you authoritatively restore Active Directory
Windows Server 2003 and Windows 2000 do not allow the restoring of old backup images into a replicated enterprise. Specifically, the useful life of a backup is the same as the "tombstone lifetime" setting for the enterprise. The default value for the tombstone lifetime entry is 60 days. This value can be set on the Directory Service (NTDS) config object.
If your only backup of Active Directory is older than the tombstone lifetime setting, reinstall the server after confirming there is at least one surviving domain controller in the domain from which new replicas can be synchronized. You can lose all but one server in the domain and still recover without a loss of data, assuming that the remaining survivor holds current information.
If every server in the domain is destroyed when you use the server in a single domain controller forest or in a single domain that contains multiple domain controllers, restore one server from an arbitrarily outdated backup. Then, replicate all other servers from the restored one. However, you cannot restore the server when you use the server in a multi-domain forest. In this scenario, information that was written to Active Directory after the outdated backup was performed is not available.
The tombstone lifetime attribute is located on the enterprise-wide DS config object. The path for this attribute is:
CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=COMPANY,DC=COM
Use the Active Directory editing tool of your choice so that the "tombstoneLifetime" attribute is set to be older than the backup used to restore Active Directory. Supported tools include Adsiedit.msc, Ldp.exe, and Active Directory Service Interfaces (ADSI) scripts.
Note This information assumes that the backup is not older than the default "tombstoneLifetime" setting. Otherwise, the objects have already been deleted from the database. In this case, an authoritative restore may be the better alternative if there are multiple domain controllers.
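A read-only check of the attribute at the path above, as an added example that is not part of the original article: it reads "tombstoneLifetime" through ADSI and compares it with the age of a backup. The function names and the sample dates are constructed for this example, and treating a backup whose age equals the lifetime as expired is a conservative assumption made here.

```powershell
# Added example (not Microsoft's code). Reads tombstoneLifetime from the
# Directory Service object; makes no changes to the directory.
function Get-TombstoneLifetimeDays {
    $root     = [ADSI]'LDAP://RootDSE'
    $configNC = $root.Properties['configurationNamingContext'].Value
    $ds = [ADSI]"LDAP://CN=Directory Service,CN=Windows NT,CN=Services,$configNC"
    $value = $ds.Properties['tombstoneLifetime'].Value
    # Attribute not set: fall back to the default of 60 days stated in the article.
    if ($null -eq $value) { return 60 }
    return [int]$value
}

# Hypothetical helper: decides whether a backup is still inside the tombstone lifetime.
function Test-BackupWithinTombstoneLifetime {
    param(
        [Parameter(Mandatory = $true)] [datetime] $BackupDate,
        [Parameter(Mandatory = $true)] [int]      $TombstoneLifetimeDays,
        [datetime] $Now = (Get-Date)
    )
    if ($BackupDate -gt $Now) {
        throw "Backup date $BackupDate is in the future; check the backup catalog."
    }
    $ageDays = [int][math]::Floor(($Now - $BackupDate).TotalDays)
    New-Object psobject -Property @{
        BackupAgeDays         = $ageDays
        TombstoneLifetimeDays = $TombstoneLifetimeDays
        DaysRemaining         = $TombstoneLifetimeDays - $ageDays
        # Conservative choice for this example: age equal to the lifetime counts as expired.
        WithinLifetime        = ($ageDays -lt $TombstoneLifetimeDays)
    }
}

# Constructed sample: the same 75-day-old backup against a 60-day and a 180-day lifetime.
$now    = [datetime]'2007-10-26'
$backup = $now.AddDays(-75)
Test-BackupWithinTombstoneLifetime -BackupDate $backup -TombstoneLifetimeDays 60  -Now $now
Test-BackupWithinTombstoneLifetime -BackupDate $backup -TombstoneLifetimeDays 180 -Now $now

# On a domain-joined host, use the live value instead of a literal:
# Test-BackupWithinTombstoneLifetime -BackupDate $backup `
#     -TombstoneLifetimeDays (Get-TombstoneLifetimeDays)
```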
The "tombstoneLifetime" attribute represents the number of days a backup of Active Directory can be used in addition to the frequency with which Garbage Collection routines (removing items previously marked for deletion) are run. For more information about Garbage Collection, click the following article number to view the article in the Microsoft Knowledge Base:
198793 (http://support.microsoft.com/kb/198793/) The Active Directory database Garbage Collection process
Changes to the tombstone lifetime attribute in Windows Server 2003 Service Pack 1
The default tombstone lifetime value has sometimes proven to be too short. For example, pre-staged domain controllers are sometimes in transit to their final destination for longer than 60 days. Administrators regularly do not bring offline domain controllers into operation or resolve replication failures for longer than the number of days that is specified by the default tombstone lifetime attribute. Windows Server 2003 Service Pack 1 (SP1) increases the attribute value from 60 to 180 days in the following scenarios:
Technical support for Windows x64 editions
Your hardware manufacturer provides technical support and assistance for Microsoft Windows x64 editions. Your hardware manufacturer provides support because a Windows x64 edition was included with your hardware. Your hardware manufacturer might have customized the Windows x64 edition installation with unique components. Unique components might include specific device drivers or might include optional settings to maximize the performance of the hardware. Microsoft will provide reasonable-effort assistance if you need technical help with your Windows x64 edition. However, you might have to contact your manufacturer directly. Your manufacturer is best qualified to support the software that your manufacturer installed on the hardware.
For product information about Microsoft Windows XP Professional x64 Edition, visit the following Microsoft Web site:
http://www.microsoft.com/windowsxp/64bit/default.mspx
For product information about Microsoft Windows Server 2003 x64 editions, visit the following Microsoft Web site:
Article ID: 216993 - Last Review: October 26, 2007 - Revision: 7.4