Backup of the Active Directory Has 60-Day Useful Life

ID: Q216993


The information in this article applies to:
  • Microsoft Windows 2000 Advanced Server
  • Microsoft Windows 2000 Server
  • Microsoft Windows 2000 Datacenter Server


SUMMARY

Windows Backup, the backup tool included in the Administrative Tools folder on Windows 2000 servers, can back up and restore the Active Directory on Windows 2000 domain controllers. These backups can be performed while the domain controller is online. You can restore these backups only when the domain controller is booted into Directory Services Restore mode using the F8 key when the server is starting.

If a non-authoritative restore is performed using Backup, the domain controller will contain the settings and entries that existed in the Domain, Schema, Configuration, and optionally the Global Catalog Naming Contexts when the backup was performed. Partial synchronization (replication) from other replicas within the enterprise then updates all naming contexts hosted on the domain controller, overwriting the restored data.

For additional information about authoritative and non-authoritative restores, please see the following article in the Microsoft Knowledge Base:

Q216243 Impact of Authoritative Restore on Trusts and Computer Accounts

Windows 2000 prohibits the restoring of old backup images into a replicated enterprise. Specifically, the useful life of a backup is identical to the "tombstone lifetime" setting for the enterprise. The default value for the tombstone lifetime entry is 60 days. This value can be set on the Directory Service (NTDS) config object.


MORE INFORMATION

If your only backup of the Active Directory is older than the tombstone lifetime setting, reinstall the server after confirming there is at least one surviving domain controller in the domain from which new replicas can be synchronized. You can lose all but one server in the domain and still recover with no loss of data, assuming that the remaining survivor holds current information.

If every server in the domain is destroyed, restore one server from an arbitrarily outdated backup, and replicate all other servers from the restored one.

The tombstone lifetime attribute is located on the enterprise-wide DS config object. For a domain controller named \\Server1 in the Company.com domain, the path for this attribute is:

CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=SERVER1,DC=COMPANY,DC=COM

Use the Active Directory editing tool of your choice to set the "tombstoneLifetime" attribute to a number of days greater than the age of the backup used to restore the Active Directory. Supported tools include Adsiedit.msc, Ldp.exe, and ADSI scripts.

NOTE: This information assumes that the backup is not older than the default "tombstoneLifetime" setting. Otherwise, the objects have already been deleted from the database. In this case, an authoritative restore may be the better alternative if there are multiple domain controllers.
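The check an administrator would want to run before attempting the restore described above, written here as an added example rather than code from the Knowledge Base article: it reads "tombstoneLifetime" from the Directory Service object in the Configuration naming context, falls back to the 60-day default the article states when the attribute is not set, and reports whether a backup of a given age is still within its useful life. The example assumes the ActiveDirectory PowerShell module and a reachable domain controller; the backup file path is a placeholder.

```powershell
# Added example (not from the KB article): decide whether an Active Directory
# backup is still within the tombstone lifetime before booting into
# Directory Services Restore mode to restore it.
Import-Module ActiveDirectory

function Test-AdBackupUsable {
    param(
        # Time the backup was taken, e.g. the backup file's LastWriteTime
        [Parameter(Mandatory)] [datetime] $BackupTime,
        # Optional override, so the comparison can be run without a directory query
        [int] $TombstoneLifetimeDays
    )

    if (-not $PSBoundParameters.ContainsKey('TombstoneLifetimeDays')) {
        # The attribute lives on the enterprise-wide Directory Service object
        # under CN=Windows NT,CN=Services in the Configuration naming context.
        $configNC = (Get-ADRootDSE).configurationNamingContext
        $dsObject = Get-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$configNC" `
                                 -Properties tombstoneLifetime
        # When the attribute is not set, the 60-day default described in the article applies.
        $TombstoneLifetimeDays = if ($null -ne $dsObject.tombstoneLifetime) {
            [int]$dsObject.tombstoneLifetime
        } else {
            60
        }
    }

    $ageDays = ((Get-Date) - $BackupTime).TotalDays
    [pscustomobject]@{
        BackupTime            = $BackupTime
        BackupAgeDays         = [math]::Round($ageDays, 1)
        TombstoneLifetimeDays = $TombstoneLifetimeDays
        # A backup older than the tombstone lifetime must not be restored into
        # the replicated enterprise; its deleted objects have already been collected.
        Usable                = $ageDays -lt $TombstoneLifetimeDays
    }
}

# Usage: check the age of a system state backup on a file share (placeholder path)
$backup = Get-Item '\\BackupServer\ADBackups\dc1-systemstate.bkf'
Test-AdBackupUsable -BackupTime $backup.LastWriteTime
```

If the result shows the backup is not usable and there is no surviving domain controller, the article's guidance to raise "tombstoneLifetime" above the backup's age applies; Set-ADObject with -Replace on the same Directory Service object can make that change, but only do so after confirming the backup's age, since the value governs how long tombstones survive across the whole forest.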

The "tombstoneLifetime" attribute determines the number of days a backup of the Active Directory can be used, as well as how long items previously marked for deletion are retained before the garbage collection routines remove them. For more information about garbage collection, please see the following article in the Microsoft Knowledge Base:

Q198793 The Active Directory Database Garbage Collection Process


Additional query words:

Keywords : kbtool kbWinOS2000
Version : WINDOWS:2000
Platform : WINDOWS
Issue type : kbinfo


Last Reviewed: December 29, 1999
© 2000 Microsoft Corporation. All rights reserved.