Your network consists of a single Active Directory forest. The forest contains one Active Directory
domain. The domain contains eight domain controllers. The domain controllers run Windows Server
2003 Service Pack 2. You upgrade one of the domain controllers to Windows Server 2008 R2. You
need to recommend an Active Directory recovery strategy that supports the recovery of deleted
objects. The solution must allow deleted objects to be recovered for up to one year after the date of
deletion. What should you recommend?

A.
Increase the tombstone lifetime for the forest.

B.
Increase the interval of the garbage collection process for the forest.

C.
Configure daily backups of the Windows Server 2008 R2 domain controller.

D.
Enable shadow copies of the drive that contains the Ntds.dit file on the Windows Server 2008 R2
domain controller.

Explanation:

Answer: A. Increase the tombstone lifetime for the forest.

Only one of the eight domain controllers runs Windows Server 2008 R2, so the forest functional level cannot be raised to Windows Server 2008 R2 and the Active Directory Recycle Bin is not available. Deleted objects therefore have to be recovered by an authoritative restore from a System State backup, and a backup can only be used for that while it is younger than the tombstone lifetime. To recover objects deleted up to one year earlier, the tombstone lifetime must be raised to at least 365 days. Daily backups of the Windows Server 2008 R2 domain controller (option C) are still the source of the restore, but on their own they do not lengthen the recovery window; the garbage collection interval (option B) only controls how often expired tombstones are purged; and shadow copies of the volume that holds Ntds.dit (option D) are not a supported restore method, and copying the database file back by hand risks a USN rollback.

The tombstone lifetime must be substantially longer than the expected replication latency between the domain controllers. The interval between cycles of deleting tombstones must be at least as long as the maximum replication propagation delay across the forest. Because the expiration of a tombstone is based on the time when the object was logically deleted, rather than on the time when a particular server received that tombstone through replication, an object's tombstone is collected as garbage on all servers at approximately the same time. If the tombstone has not yet replicated to a particular domain controller, that DC never records the deletion. This is the reason why you cannot restore a domain controller from a backup that is older than the tombstone lifetime: the restored DC would reintroduce objects whose tombstones no other DC still holds (lingering objects).

The default tombstone lifetime depends on the version of Windows on which the forest was created: 60 days for forests created on Windows 2000 Server or Windows Server 2003 without a service pack, and 180 days for forests created with Windows Server 2003 SP1 or later. When the attribute is not set, the 60-day default applies. To change the value, modify the tombstoneLifetime attribute of the CN=Directory Service,CN=Windows NT,CN=Services object in the configuration partition (for example with ADSI Edit); because the configuration partition is replicated forest-wide, the change applies to every domain controller in the forest.

This article is written for Windows Server 2003 but is still relevant: http://www.petri.co.il/changing_the_tombstone_lifetime_windows_ad.htm
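The check and the change described above, as an added PowerShell example that is not part of the original page, run on the Windows Server 2008 R2 domain controller with the ActiveDirectory module. The 365-day target and the DC name DC03.contoso.com used for the verification are assumptions; the Directory Service object path and attribute names are the standard ones.

```powershell
# Added example, not from the original page. Run on the Windows Server 2008 R2 DC as an
# Enterprise Admin; needs the ActiveDirectory module (RSAT-AD-PowerShell feature).
Import-Module ActiveDirectory

# 1. Confirm why the Recycle Bin is not an option: it needs the Windows Server 2008 R2 forest level,
#    which cannot be reached while Windows Server 2003 domain controllers remain.
$forest = Get-ADForest
if ($forest.ForestMode -ne 'Windows2008R2Forest') {
    Write-Host "Forest mode is $($forest.ForestMode): AD Recycle Bin unavailable, relying on backups."
}

# 2. Read the current settings from CN=Directory Service in the configuration partition.
$dsPath = "CN=Directory Service,CN=Windows NT,CN=Services,$((Get-ADRootDSE).configurationNamingContext)"
$ds = Get-ADObject -Identity $dsPath -Properties tombstoneLifetime, garbageCollPeriod

# An absent tombstoneLifetime means the original 60-day default is in effect;
# an absent garbageCollPeriod means the 12-hour default.
$currentTsl = if ($ds.tombstoneLifetime) { [int]$ds.tombstoneLifetime } else { 60 }
$gcHours    = if ($ds.garbageCollPeriod) { [int]$ds.garbageCollPeriod } else { 12 }
Write-Host "Tombstone lifetime: $currentTsl day(s); garbage collection every $gcHours hour(s)"

# 3. Raise the lifetime so backups up to one year old stay usable for authoritative restore.
$targetDays = 365   # assumption: the one-year requirement from the question
if ($currentTsl -lt $targetDays) {
    # -Replace is an LDAP replace, so it writes the value whether or not the attribute exists yet.
    Set-ADObject -Identity $dsPath -Replace @{ tombstoneLifetime = $targetDays }
    Write-Host "tombstoneLifetime set to $targetDays; it replicates with the configuration partition."
}

# 4. Verify locally, then on one of the remaining Windows Server 2003 DCs once replication has converged.
(Get-ADObject -Identity $dsPath -Properties tombstoneLifetime).tombstoneLifetime
repadmin /showattr DC03.contoso.com "$dsPath" /atts:tombstoneLifetime   # DC name is a placeholder
```

Raising the value also lengthens how long tombstones are kept on every DC, so the database grows slightly; that is the accepted cost of a longer backup validity window. Once all eight DCs have been upgraded and the forest level raised, the Recycle Bin can be enabled and this attribute then also sets how long recycled objects stay recoverable.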
Authoritative Restore
When a nonauthoritative restore is performed, objects deleted after the backup was taken will be deleted again when the restored DC replicates with the other servers in the domain: on every other DC the object is marked as deleted, so when replication occurs the restored local copy is also marked as deleted, because the other DCs' deletion carries the higher version number. The authoritative restore process marks the restored objects in such a way that, when replication occurs, the object is restored to active status across the domain. It is important to remember that when an object is deleted it is not instantly removed from Active Directory; it gains an attribute that marks it as deleted (isDeleted) and is kept as a tombstone until the tombstone lifetime is reached and garbage collection removes it. The tombstone lifetime is the amount of time a deleted object remains in Active Directory, 60 or 180 days by default as described above.
To ensure that the Active Directory database is not updated before the authoritative restore takes place, you use Directory Services Restore Mode (DSRM) when performing the authoritative restore. In DSRM the directory service is offline, so the administrator can restore the System State and mark the objects as authoritative before rebooting the DC and allowing those changes to replicate out to the other DCs in the domain.
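The backup-and-DSRM procedure from the paragraph above, written out as an added PowerShell example for the Windows Server 2008 R2 domain controller (not part of the original page). The backup target drive, the OU being recovered, the domain DN and the backup version stamp are placeholders; the commands themselves are the standard bcdedit, wbadmin and ntdsutil syntax.

```powershell
# Added example, not from the original page. Run on the Windows Server 2008 R2 DC.
# Steps 1 and 2 run in normal mode; steps 3 and 4 run in Directory Services Restore Mode (DSRM).

# 1. The daily System State backup that the restore will later use (option C in the question).
#    Windows Server Backup must be installed; E: is a placeholder backup target.
wbadmin start systemstatebackup -backupTarget:E: -quiet

# 2. When an object has to be recovered: configure the next boot to enter DSRM, so the directory
#    database is offline and nothing replicates in before the restored objects are marked.
bcdedit /set safeboot dsrepair
Restart-Computer

# 3. In DSRM (log on as .\Administrator with the DSRM password): pick a backup taken before the
#    deletion and younger than the tombstone lifetime, then restore the System State from it.
wbadmin get versions
wbadmin start systemstaterecovery -version:03/01/2011-23:00 -quiet   # version stamp is a placeholder

# 4. Still in DSRM, mark the deleted subtree authoritative. ntdsutil raises the version numbers of
#    the attributes in the subtree (by default 100,000 per day since the backup) so the restored copy
#    wins replication against the tombstones on the other DCs. DNs containing spaces must be quoted.
ntdsutil "activate instance ntds" "authoritative restore" `
    "restore subtree OU=Finance,DC=contoso,DC=com" quit quit

# 5. Return to a normal boot; the DC replicates the restored objects out as live objects.
bcdedit /deletevalue safeboot
Restart-Computer
```

Use "restore object" instead of "restore subtree" to bring back a single object. Group memberships that point at the restored objects from other domains are not restored this way; the LDIF files that ntdsutil writes next to the restore log are used to rebuild them.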