Retrieving Deleted Objects

Synchronization programs that use the uSNChanged attribute must explicitly request that the search results include deleted object. You can do this through ADSI by using IDirectorySearch with the ADS_SEARCHPREF_TOMBSTONE search preference. Alternatively, you can use the LDAP_SERVER_SHOW_DELETED_OID control with the LDAP search functions such as ldap_search_ext.

When an object is deleted:

• Its isDeleted attribute is set to TRUE. Objects with isDeleted == TRUE are called tombstones.
• Most of its attribute values are removed. The RDN, objectGUID, and objectSID (for security principals) are always retained.
• It is moved to the Deleted Objects container for its naming context, and its RDN is changed to ensure uniqueness within the Deleted Objects container.
• Its security-descriptor is set to a fixed value.

The tombstone lives for a configurable period of time (60 days by default), after which it is completely removed. To avoid missing deletions, an application must perform incremental synchronizations more frequently than the tombstone lifetime.

For sample code that retrieves deleted objects, see Example Code to Retrieve Changes Using USNChanged.

Synchronization programs that use the DirSync search do not need to explicitly request deleted objects, which are automatically included in the search results.