Deleting Items from Active Directory (230113)



The information in this article applies to:

  • Microsoft Windows 2000 Server

This article was previously published under Q230113

SUMMARY

Active Directory uses a replication model that is characterized as "multi-master loose consistency with convergence." Changes can be made on any domain controller in the enterprise, and the changes are then incrementally replicated throughout the enterprise. Object deletions in this environment cannot simply remove an object, because doing so would remove the unit of replication itself.

MORE INFORMATION

Active Directory resolves this issue by using the concept of "tombstones." A tombstone is an object whose IsDeleted property has been set to True. Therefore, a delete operation is essentially a special modify operation that:
  • Sets the IsDeleted value to True.
  • Sets the internal WhenDeleted column to the IsDeleted metadata's TimeChanged time stamp.
  • Sets the Windows NT security descriptor to a special value.
  • Changes the relative distinguished name (RDN) to a value that is otherwise impossible (that is, one that cannot be set by an LDAP program): the original RDN followed by a null character, the text "DEL:", and the object's GUID.
  • Strips all attributes not needed at this point by Active Directory. Key attributes such as the following are hard-coded to survive deletion:

    • Object-GUID
    • Object-SID
    • Object-Dist-Name
    • USN
Tombstones are invisible to normal Lightweight Directory Access Protocol (LDAP) queries; a search returns them only when it carries the Show Deleted Objects control (OID 1.2.840.113556.1.4.417). Object references that formerly referred to the deleted object refer instead to the tombstone. Reading these references returns the display name of the tombstone, not the display name of the deleted object.

Delete requests do not succeed under the following circumstances:
  • The object to be deleted does not exist.
  • The originating domain controller does not contain a master replica of the object's naming context.
  • The object to be deleted is not a leaf object (it still has child objects). A recursive delete, requested with the LDAP tree delete control (OID 1.2.840.113556.1.4.805), is required in this circumstance.
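The following is an added example, not code from this article or from Active Directory: an in-memory Python model of the tombstone steps and the failure cases listed above. It assumes a toy directory in which a DN is split at its first comma (no escaped commas in the sample data), treats the two real AD control OIDs as plain flags, and models the WhenDeleted time stamp as the update sequence number rather than a clock time. Real tombstones are also moved into the naming context's Deleted Objects container, which the article does not cover and the model leaves out. The sample objects (an OU, a user, and a group that references the user) are constructed for the demonstration.

```python
"""Model of an Active Directory delete as the special modify described above.

Not AD code: an in-memory toy that follows the article's list of tombstone steps.
"""
import uuid

# Attributes the article says are hard-coded to survive deletion (LDAP names).
SURVIVING_ATTRS = {"objectGUID", "objectSid", "distinguishedName", "uSNChanged"}

# Real AD LDAP control OIDs; the model treats them as plain flags.
SHOW_DELETED_OID = "1.2.840.113556.1.4.417"   # LDAP_SERVER_SHOW_DELETED_OID
TREE_DELETE_OID = "1.2.840.113556.1.4.805"    # LDAP_SERVER_TREE_DELETE_OID


class NoSuchObject(Exception):
    pass


class NotAllowedOnNonLeaf(Exception):
    pass


class Directory:
    """One naming context on one DC, holding both live objects and tombstones."""

    def __init__(self):
        self.objects = {}   # distinguishedName -> attribute dict
        self.usn = 0        # per-DC update sequence number

    def add(self, dn, **attrs):
        self.usn += 1
        attrs.setdefault("objectGUID", str(uuid.uuid4()))
        attrs.update(distinguishedName=dn, uSNChanged=self.usn, isDeleted=False)
        self.objects[dn] = attrs

    def _live_descendants(self, dn):
        suffix = "," + dn
        return [d for d, a in self.objects.items()
                if d.endswith(suffix) and not a["isDeleted"]]

    def delete(self, dn, controls=()):
        """Delete dn; fails on a missing object or a non-leaf without tree delete."""
        obj = self.objects.get(dn)
        if obj is None or obj["isDeleted"]:
            raise NoSuchObject(dn)            # article: object does not exist
        kids = self._live_descendants(dn)
        if kids and TREE_DELETE_OID not in controls:
            raise NotAllowedOnNonLeaf(dn)     # article: recursive delete required
        # Deepest objects first, so every object is a leaf when it is tombstoned.
        for child in sorted(kids, key=lambda d: d.count(","), reverse=True):
            self._tombstone(child)
        return self._tombstone(dn)

    def _tombstone(self, dn):
        obj = self.objects.pop(dn)
        self.usn += 1
        rdn, _, parent = dn.partition(",")   # toy split: no escaped commas in sample DNs
        # Tombstone RDN is "<old RDN>\0ADEL:<objectGUID>"; the NUL byte is what
        # makes it impossible to set through LDAP.
        new_dn = f"{rdn}\0ADEL:{obj['objectGUID']},{parent}"
        tomb = {k: v for k, v in obj.items() if k in SURVIVING_ATTRS}   # strip the rest
        tomb.update(distinguishedName=new_dn, isDeleted=True,
                    uSNChanged=self.usn, whenDeleted=self.usn)  # whenDeleted modelled as USN
        self.objects[new_dn] = tomb
        # Forward links that named the deleted object now name the tombstone.
        for other in self.objects.values():
            for attr, val in other.items():
                if val == dn:
                    other[attr] = new_dn
        return new_dn

    def search(self, predicate=lambda a: True, controls=()):
        """Normal searches never return tombstones; Show Deleted reveals them."""
        show = SHOW_DELETED_OID in controls
        return sorted(dn for dn, a in self.objects.items()
                      if (show or not a["isDeleted"]) and predicate(a))


def demo():
    """Walk through the article's scenario on constructed sample objects."""
    d = Directory()
    ou = "OU=Sales,DC=corp,DC=example"     # constructed sample data
    user = "CN=jdoe," + ou
    group = "CN=Staff," + ou
    d.add(ou, objectClass="organizationalUnit")
    d.add(user, objectClass="user", objectSid="S-1-5-21-1-2-3-1105", displayName="J. Doe")
    d.add(group, objectClass="group", member=user)

    out = {}
    try:
        d.delete(ou)                        # non-leaf: refused without tree delete
        out["ou_delete"] = "ok"
    except NotAllowedOnNonLeaf:
        out["ou_delete"] = "non-leaf"
    tomb = d.delete(user)
    out["tombstone_dn"] = tomb
    out["visible"] = user in d.search() or tomb in d.search()
    out["visible_with_control"] = tomb in d.search(controls=[SHOW_DELETED_OID])
    out["member_now"] = d.objects[group]["member"]   # link now names the tombstone
    out["kept_attrs"] = sorted(d.objects[tomb])
    out["sid"] = d.objects[tomb]["objectSid"]        # SID survives on the tombstone
    try:
        d.delete(user)                      # already a tombstone: does not exist
        out["second_delete"] = "ok"
    except NoSuchObject:
        out["second_delete"] = "no such object"
    d.delete(ou, controls=[TREE_DELETE_OID])
    out["live_after_tree_delete"] = d.search()
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, repr(value))
```

The point the model makes visible is that a delete never removes the replicated unit: the object keeps its GUID, SID, DN and USN, only its name and visibility change, and the group's member value silently starts naming the mangled tombstone DN. For forensics that also means the SID of a deleted principal is still readable from the tombstone with the Show Deleted control until garbage collection removes it.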
For additional information about tombstones and tombstone removal, please see the following article in the Microsoft Knowledge Base:

198793 The Active Directory Database Garbage Collection Process


Modification Type: Minor    Last Reviewed: 10/13/2004
Keywords:kbenv kbinfo KB230113