Windows 2008 R2 Domain Controller Backup Lifetime advice

I was asked why we recommend not using backups older than the lesser of the Tombstone Lifetime (TSL) and the Deleted Object Lifetime; below is my interpretation of the answer I got from a reputable source.

There are two main reasons we advise against using backups older than the lesser of the Deleted Object Lifetime and the Tombstone Lifetime.

The first reason is very much the same as it has always been: we don’t want to risk introducing lingering objects. If you restore from a backup older than the TSL, the restored objects are what the replication engine perceives as lingering objects; Strict Replication Consistency kicks in and stops replication. Although the objects should disappear and not cause an issue in most circumstances, replication has still failed, and you will have to use non-recommended methods to get it going again (i.e. the “Allow Replication with Divergent or Corrupt Partner” registry hack).

The second reason has more to do with the way group memberships are stored in the Link Table for deleted objects in Windows 2008 R2 with the Recycle Bin feature enabled. When an object is removed from a group, the Link Table (in the database) is updated with a flag and a date stamp marking the removed object as “De-activated”. When an object is deleted, the groups it was a member of retain the object as a member, but another flag, “Deleted”, is added with a time stamp. Both the “Deleted” and “De-activated” flags effectively make the objects invisible as members of the group. In other words, the Link Table still retains some knowledge that an object was a member of a group (remember, group membership is stored on the group, not on the object that is a member of the group). This is what makes it possible to add an object back to every group it used to be a member of when it is undeleted.

The “De-activated” and “Deleted” flags are removed from the Link Table after the Deleted Object Lifetime (i.e. when an object becomes a Recycled object; Tombstoned in previous versions). If a backup older than the Deleted Object Lifetime is used, then at best we will not get the group memberships of restored objects back as expected; at worst we could end up with inconsistent Link Tables across DCs (although this is a slim chance and needs certain circumstances to occur, which I am not sure I totally understand).
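As an added example (not part of the original post), the following PowerShell reads the forest's Tombstone Lifetime and Deleted Object Lifetime from the Directory Service object in the Configuration partition, takes the lesser of the two, and reports whether a backup taken on a given date is still inside that window. It assumes the ActiveDirectory RSAT module is installed and that the account has read access to the Configuration partition; the `$BackupDate` parameter and the defaults applied when the attributes are unset (180 days for forests created on Windows Server 2003 SP1 or later, and Deleted Object Lifetime falling back to the Tombstone Lifetime) are assumptions stated in the comments.

```powershell
# Added example: report the maximum usable backup age for this forest as the
# lesser of Tombstone Lifetime (TSL) and Deleted Object Lifetime (DOL), and
# check a backup date against it. Not part of the original post.
# Assumptions: ActiveDirectory module available; $BackupDate is supplied by
# the operator (hypothetical input).
param(
    [Parameter(Mandatory = $true)]
    [datetime]$BackupDate
)

Import-Module ActiveDirectory

# TSL and DOL live on the Directory Service object in the Configuration NC.
$configNC = (Get-ADRootDSE).configurationNamingContext
$dsObject = Get-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$configNC" `
    -Properties tombstoneLifetime, 'msDS-DeletedObjectLifetime'

# When tombstoneLifetime is absent, the forest uses a built-in default.
# Assumption: 180 days (forests created on Windows Server 2003 SP1 or later);
# forests created on older versions default to 60 days.
$tsl = if ($dsObject.tombstoneLifetime) { [int]$dsObject.tombstoneLifetime } else { 180 }

# Assumption: when msDS-DeletedObjectLifetime is absent, DOL equals TSL.
$dol = if ($dsObject.'msDS-DeletedObjectLifetime') {
    [int]$dsObject.'msDS-DeletedObjectLifetime'
} else {
    $tsl
}

# Recycle Bin state matters because the Link Table behaviour described above
# only applies when the optional feature is enabled.
$recycleBin = Get-ADOptionalFeature -Filter 'name -like "Recycle Bin Feature"'
$recycleBinEnabled = ($recycleBin.EnabledScopes.Count -gt 0)

$limitDays = [Math]::Min($tsl, $dol)
$ageDays   = [int]((Get-Date) - $BackupDate).TotalDays

[pscustomobject]@{
    TombstoneLifetimeDays     = $tsl
    DeletedObjectLifetimeDays = $dol
    RecycleBinEnabled         = $recycleBinEnabled
    MaxUsableBackupAgeDays    = $limitDays
    BackupAgeDays             = $ageDays
    SafeToRestore             = ($ageDays -lt $limitDays)
}
```

Run it as `.\Check-BackupAge.ps1 -BackupDate '2012-01-15'` (hypothetical file name); `SafeToRestore` is false once the backup is as old as the smaller of the two lifetimes, which is exactly the point at which the lingering-object and Link Table problems described above start to apply. Because the default values differ between forest versions, the attribute values reported by the script should be confirmed against the forest's actual configuration rather than assumed.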