hmm, can that Max value be increased in any way? Not sure that's enough ;-)

/Guido 

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: Monday, 28 November 2005 17:49
To: Send - AD mailing list
Subject: RE: [ActiveDir] Tombstone value

Coincidental timing, second time I've answered this in as many days -

Max: 999,999,999 days or 2,739,726 years (not including leap years)
Min: 2 days

AFAIK, these thresholds have remained unchanged since 2K RTM.

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com


-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Monday, November 28, 2005 6:10 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Tombstone value

I think it is a great idea to increase the TSL. Do you actually think it
would be easier to create a new user and re-ACL when all you have to do
is undelete and set a password instead?

Not only would I increase the TSL, I would also look at all of the
attributes and figure out which ones I would add to the tombstone set to
be kept. Probably just about every attribute that can be kept.

The biggest downside to increasing the TSL is how much space is taken up
by the tombstones. If you have the disk or the number of deletions is
small enough to manage, I would crank up the TSL. The max value is a good
question, I haven't seen that discussed previously. Possibly ~Eric will
swing through with an answer, I am sure he could find it in the source
before I could. Possibly if the question has been asked or answered
previously one of the PSS folks will be able to respond.

The other option, which we have discussed here previously, is to
manually (with code) implement a new staged deletion process where
nothing you care about is actually ever really deleted. It goes into a
special container of YOUR choosing and you initially move the full object
there (deleted), then at some point you scrub some of the attribs, then
at another point you scrub all of the attribs except the mandatories and
say sIDHistory and they stay there "forever". Of course you hit the
duplicate name possibilities but then I am not one for duplicating SAM
Names ever, I think they should stay unique, they shouldn't just be
unique for the moment. You wouldn't worry about duplicate cns as you
would rename the objects when they were deleted to something similar to
a deleted object with the GUID in the name. You would want to lock the
container down to some very small group to help prevent apps from
finding the IDs and displaying them.




-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ulf B. Simon-Weidner
Sent: Monday, November 28, 2005 1:17 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Tombstone value

Hi Susan,

I've seen issues with tombstones sitting around, such as badly written
software that still sees them. The main other reason for finally getting
rid of the tombstones is to free Active Directory space, but that
shouldn't be an issue in a SBS-Domain.
On the other hand I do not see the need in a small environment to even
increase the tombstone lifetime further than 60 days. Increasing it may
help in certain scenarios, such as DCs which are regularly offline for a
while (e.g. those who get to travel the ocean on ships) and in huge
enterprises with a lot of slow unreliable lines in countries where you
can't make sure that a broken line is replaced quickly.

I don't see the requirement to restore objects from backup which are
more than 60 days old. Users wouldn't remember their password anyways,
computers also. Groups may have been changed as well, ...
And the tombstone only helps you when performing a semi-authoritative
restore, such as the recovery manager from quest does. However I do not
believe many companies running SBS are running recovery manager. If you
want to manually restore tombstones you need to fill most of the
attributes manually as well, so it's quite a pain.

Wouldn't it be easier to just create a new account and use the sidwalk
migration suite / subinacl on those few boxes in your SBS domain after
the 60 days have expired?

Just my 0,02€

Ulf

|-----Original Message-----
|From: [EMAIL PROTECTED] [mailto:ActiveDir- 
|[EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA aka Ebitz - 
|SBS Rocks [MVP]
|Sent: Monday, November 28, 2005 3:42 AM
|To: ActiveDir@mail.activedir.org
|Subject: [ActiveDir] Tombstone value
|
|Stupid question from the SBS AD crowd.....
|
|Default tombstone value is 60 days on Win2k3
|Default tombstone for new forests on 2k3 sp1 is 180
|
|Translation for us SBS boxes... unless we change it it's 60 days if we
|were an RTM SBS box or 180 if we were a SP1 installed box.
|
|For our space down here.... is there any disadvantage to increasing
|that value to something even longer?  Is there a max value?
|
|We only have one PDC and possibly an additional domain controller.  If
|we have a pretty static-y network.... is there a disadvantage to
|increasing this value to aid in disaster recovery of the system state
|backup?
|List info   : http://www.activedir.org/List.aspx
|List FAQ    : http://www.activedir.org/ListFAQ.aspx
|List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
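
The values discussed in this thread, as an added PowerShell example that is not from any of the posters: it reads the forest's tombstoneLifetime, checks proposed values against the Min/Max Dean quotes, and flags system state backups older than the TSL, which should not be restored because they would bring back objects whose tombstones are already gone. It assumes the ActiveDirectory module is installed and that an unset attribute means 60 days; the function names and backup dates are constructed for illustration.

```powershell
# Added example (read-only). Requires the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

# Limits as quoted in the thread; 60 days is assumed when the attribute is unset.
$MinDays = 2
$MaxDays = 999999999
$UnsetDefaultDays = 60

function Get-EffectiveTombstoneLifetime {
    # tombstoneLifetime lives on the Directory Service object in the configuration NC.
    $configNC = (Get-ADRootDSE).configurationNamingContext
    $dn = "CN=Directory Service,CN=Windows NT,CN=Services,$configNC"
    $ds = Get-ADObject -Identity $dn -Properties tombstoneLifetime
    if ($null -eq $ds.tombstoneLifetime) { return $UnsetDefaultDays }
    return [int]$ds.tombstoneLifetime
}

function Test-ProposedTombstoneLifetime {
    param([Parameter(Mandatory)][long]$Days)
    return ($Days -ge $MinDays -and $Days -le $MaxDays)
}

function Test-BackupWithinTombstoneLifetime {
    param(
        [Parameter(Mandatory)][datetime]$BackupDate,
        [Parameter(Mandatory)][int]$TslDays,
        [datetime]$Now = (Get-Date)
    )
    $ageDays = [math]::Floor(($Now - $BackupDate).TotalDays)
    [pscustomobject]@{
        BackupDate = $BackupDate.ToString('yyyy-MM-dd')
        AgeDays    = $ageDays
        TslDays    = $TslDays
        Usable     = ($ageDays -lt $TslDays)   # older than the TSL: do not restore
    }
}

$tsl = Get-EffectiveTombstoneLifetime
"Effective tombstone lifetime: $tsl days"

foreach ($d in 60, 180, 1, 1000000000) {
    "Proposed {0,10} days: within limits = {1}" -f $d, (Test-ProposedTombstoneLifetime -Days $d)
}

# Constructed backup dates: 30, 90 and 200 days old.
$backups = 30, 90, 200 | ForEach-Object { (Get-Date).AddDays(-$_) }
$backups | ForEach-Object { Test-BackupWithinTombstoneLifetime -BackupDate $_ -TslDays $tsl } |
    Format-Table -AutoSize
```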
