Searching for Deleted Objects

When an Active Directory object is deleted, it is stored in the Deleted Objects container for a configurable period of time to allow replication of the deletion to occur. By using the Show Deleted Objects control (controlType = 1.2.840.113556.1.4.417) in conjunction with search commands, you can view Active Directory objects that have been deleted but not yet garbage collected. These objects are called tombstones. After they are removed by garbage collection, they no longer exist in the directory database.

To retrieve tombstone objects, list the contents of the Deleted Objects container. You can use Ldp to find these objects by using an LDAP control.

To use Ldp to search the domain for deleted objects (tombstones)

  1. On the Start menu, click Run, and then type ldp.

  2. Connect and bind to a domain controller in the domain whose tombstones you want to retrieve.

    • To connect, on the Connection menu, click Connect, and then type a server name and a port number.

    • To bind, on the Connection menu, click Bind, and then type an account name, password, and domain if you want to connect to a domain other than the domain to which you are currently logged on.

  3. On the Browse menu, click Search.

  4. In the Search dialog box, for Base DN, type the distinguished name of the domain whose tombstones you want to retrieve.

  5. In the Filter box, use the filter (isDeleted=*).

  6. Under Scope, click Subtree.

  7. Click Options.

  8. In the Search Options dialog box, under Search Call Type, click Extended.

  9. Click Controls. Then in the Object Identifier box, type the following:
    1.2.840.113556.1.4.417

  10. Under Control Type, click Server.

  11. To add the control to the Active Controls list, click Check in. Then click OK.

  12. In the Search Options dialog box, click OK.

  13. In the Search dialog box, click Run.
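The same search can be scripted so that a tombstone listing can be collected repeatedly, for example when verifying which accounts or groups were deleted during an incident and where they lived before deletion (the lastKnownParent attribute is retained on tombstones). The following PowerShell function is an added example and is not part of the Resource Kit or of Ldp. It uses the System.DirectoryServices.Protocols (S.DS.P) classes from .NET, whose ShowDeletedControl class wraps the control OID 1.2.840.113556.1.4.417 used in steps 9 through 11 above, and mirrors the Ldp steps one for one: bind to a domain controller, search the domain base DN with subtree scope and the filter (isDeleted=*), and attach the control as a server control. The server name and base DN are placeholders supplied by the caller; the function assumes Windows PowerShell 5 or later on a host that can reach a domain controller with credentials allowed to read the Deleted Objects container.

```powershell
# Added example (not from the Resource Kit): run the tombstone search that the Ldp
# procedure above performs, using System.DirectoryServices.Protocols (S.DS.P).
# Assumptions: Windows PowerShell 5+, a reachable domain controller, and a caller
# permitted to read the Deleted Objects container. Server and base DN are placeholders.
Add-Type -AssemblyName System.DirectoryServices.Protocols

function Find-AdTombstone {
    [CmdletBinding()]
    param(
        # Host[:port] of a domain controller, e.g. 'dc1.example.test:389' (placeholder)
        [Parameter(Mandatory)] [string] $Server,
        # Distinguished name of the domain to search, e.g. 'DC=example,DC=test' (placeholder)
        [Parameter(Mandatory)] [string] $BaseDn,
        # Same filter as step 5 of the Ldp procedure
        [string] $Filter = '(isDeleted=*)'
    )

    # Step 2: connect and bind with the caller's current Windows credentials (Negotiate),
    # which is what Ldp's Bind dialog does when no account name is given.
    $conn = [System.DirectoryServices.Protocols.LdapConnection]::new($Server)
    $conn.SessionOptions.ProtocolVersion = 3
    $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Negotiate
    $conn.Bind()

    try {
        # Steps 4-6: base DN, filter, subtree scope. Only attributes that Active Directory
        # retains on a tombstone are requested; stripped attributes would come back empty.
        $attrs = @('isDeleted', 'lastKnownParent', 'objectClass', 'objectSid', 'whenChanged')
        $req = [System.DirectoryServices.Protocols.SearchRequest]::new(
            $BaseDn,
            $Filter,
            [System.DirectoryServices.Protocols.SearchScope]::Subtree,
            $attrs)

        # Steps 9-11: attach the Show Deleted Objects server control (OID 1.2.840.113556.1.4.417).
        # ShowDeletedControl sends it as a critical server control, so a server that does not
        # support the control rejects the search instead of silently omitting the tombstones.
        $null = $req.Controls.Add([System.DirectoryServices.Protocols.ShowDeletedControl]::new())

        # Step 13: run the search and flatten each tombstone into a row.
        $resp = $conn.SendRequest($req)
        foreach ($entry in $resp.Entries) {
            $a = $entry.Attributes

            # objectSid is binary; request it as byte[] and decode it into S-1-5-... form.
            $sid = $null
            if ($a.Contains('objectSid')) {
                $raw = $a['objectSid'].GetValues([byte[]])[0]
                $sid = ([System.Security.Principal.SecurityIdentifier]::new($raw, 0)).Value
            }

            [pscustomobject]@{
                # Tombstone DNs have the form CN=<name>\0ADEL:<guid>,CN=Deleted Objects,<domain>
                DistinguishedName = $entry.DistinguishedName
                ObjectClass       = ($a['objectClass'].GetValues([string]) -join ',')
                # Container the object lived in before deletion (retained on the tombstone)
                LastKnownParent   = if ($a.Contains('lastKnownParent')) { [string]$a['lastKnownParent'][0] } else { $null }
                ObjectSid         = $sid
                # Generalized-time string of the last change, i.e. the deletion itself
                WhenChanged       = if ($a.Contains('whenChanged')) { [string]$a['whenChanged'][0] } else { $null }
            }
        }
    }
    finally {
        $conn.Dispose()
    }
}

# Usage (placeholders): list the domain's tombstones, most recently deleted first.
# Find-AdTombstone -Server 'dc1.example.test:389' -BaseDn 'DC=example,DC=test' |
#     Sort-Object WhenChanged -Descending | Format-Table -AutoSize
```

Because each row keeps the objectSid, a tombstone can be matched against SIDs found in security event logs or access control entries, which is how a deleted account is tied back to activity recorded before the deletion. In a large domain the number of tombstones can exceed the server's page size limit; in that case add a PageResultRequestControl to the request as well, or narrow the filter (for example, `(&(isDeleted=*)(objectClass=user))`) so that the result fits in one page.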

For more information about how to use Ldp, see Microsoft Windows 2000 Resource Kit Tools Help. For more information about using Ldp for directory management and troubleshooting tasks, see "Active Directory Diagnostics, Troubleshooting, and Recovery" in this book.