Purge of the Tombstone Objects in Active Directory and pure LDAP v3 access to CN=Deleted Objects ?

[mhe...@community.nospam]

Hi all,

I currently have the current problem: I try to create a user in AD with a
specific objectGUID as part of a more complex test scenario.

The problem is that if I delete the user in AD, it will be of course a
tombstone object created underneath CN=Deleted Object,DC=addom,DC=com etc.
and this object will hold the objectGUID such that a subsequent create
object with the same GUID will fail.

I discovered the tombstoneLifetime attribute that can be set for an
NTDS-Service object, but that gives the amount of time in days after a
tombstoned object will be purged from AD.

Is there any method to delete and then to purge an object from the
CN=Deleted Objects ?

With ldp I was able based on MSDN to get access to the CN=Deleted Objects,
but the dsacls even with GA for the Deleted Objects didn't allow to "delete"
an object from CN=Deleted Objects.

If it's about dsacls or whatever other command line tools, please give a
specific concrete example.

Another question: is there any free LDAP Browser supporting configuration of
the LDAP controls such that I can configure and use it for CN=Deleted
Objects ?

Many thanks in advance,
marius

Marius Herghelegiu
Novell Gmbh.
Zeil 79 - D-60313 Frankfurt
phone +49-69-2174-1678
fax +49-69-2174-1740
mobile +49-173-5876-921
"Pauca sed matura" - C.F.Gauss(1777-1855)

[Joe Kaplan]

I'd suggest looking at Joe Richards' joeware tools if you want powerful AD
CL stuff:

www.joeware.net

ADFind and ADMod will do what you want.

How on earth are you creating objects with specific objectGUID and why?
That is forbidden by the system and is extremely dangerous to do (you can
cause a complete replication meltdown if you have a duplicate).

Joe K.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
<mhe...@community.nospam> wrote in message
news:45096103.C...@community.nospam...

[mhe...@community.nospam]

Hi Joe,

I'll take a look there.

I didn't said that I'm creating them, I would like to create them :-).

I'm synchronizing AD with another LDAP server with a tool and to test the
implemented functionality I need a specific GUID so that this GUID will
match an object in AD. This is because the tests are based on ldif files and
if I don't know the GUID I have to re-read it every time I'm testing that
part.

The message that I've got from ldifde trying to create a user with that a
GUID was that the "object exists" and that was because of a previous create
(without a GUID), then a delete, then a create try with a GUID.

I don't have any duplicate and this has to work just for a development /
test environment, not in the productive one and I'm very well aware of the
possible consequences :-).

marius

Marius Herghelegiu
Novell Gmbh.
Zeil 79 - D-60313 Frankfurt
phone +49-69-2174-1678
fax +49-69-2174-1740
mobile +49-173-5876-921
"Pauca sed matura" - C.F.Gauss(1777-1855)

>>> On 14.09.2006 at 16:54, in message
<urJop2A2...@TK2MSFTNGP02.phx.gbl>,

[Joe Kaplan]

So, the thing to know about changing objectGUID is that I believe there is a
technically possible way to do this, but it is undocumented and unsupported
and no one will tell you how. You won't be doing this with LDIF. This is
more a hacking thing, like try to crack AD passwords.

I don't even know how this is done, so I can't tell you. I know Dmitri
Gavrilov from MS has discussed this in a little detail in the public
newsgroups in the past, so Google might know. :)

My guess is that you won't be doing this, but good luck! I do understand
why you would want to from a testing perspective. My guess is that you'll
be more productive looking for a creative workaround (such as some sort of
setup/teardown logic in your testing stack like you would do in a standard
unit testing framework).

Joe K.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
<mhe...@community.nospam> wrote in message

news:4509B2BC.C...@community.nospam...

[mhe...@community.nospam]

Many thanks Joe,

Google helped :-).

marius

Marius Herghelegiu
Novell Gmbh.
Zeil 79 - D-60313 Frankfurt
phone +49-69-2174-1678
fax +49-69-2174-1740
mobile +49-173-5876-921
"Pauca sed matura" - C.F.Gauss(1777-1855)

>>> On 14.09.2006 at 21:00, in message
<eLTBEAD2...@TK2MSFTNGP02.phx.gbl>,

[Joe Richards [MVP]]

Setting the GUID during an object create is not normally supported. As
JoeK has mentioned, there is an under the covers way but also as JoeK
mentioned, people aren't going to share that info because it is
extremely dangerous. AD doesn't look for duplicate GUIDs so it can cause
unexpected blowups.

As for forcing the delete of an object when in tombstone, no you can't
do that. Tombstones are there so that you are less likely to get
lingering objects. If you need something that will delete completely
then you need what is called a dynamic object. When you create it, you
give it a timer, when that timer expires, the object is removed without
a tombstone. Even if you could put a tombstone value of minutes it
wouldn't work because the scavenging to clean up tombstones isn't
constantly running.

LDP is an LDAP Browser that supported deleted objects control... I
suggest getting the one that is included with ADAM SP1/R2. If you have
an R2 Server CD you have it. If you don't, you can just download the
ADAM SP1 package from MSFT.

joe

--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net

---O'Reilly Active Directory Third Edition now available---

http://www.joeware.net/win/ad3e.htm