Active Directory is a hierarchical database that holds information about the network's resources such as computers, servers, users, groups and more. The main purpose of Active Directory is to provide central authentication and authorization services.
The Active Directory database is stored on Domain Controllers in a file called NTDS.DIT in the SYSVOL folder.
When an object is deleted from Active Directory, it is not immediately erased, but is marked for future deletion. The marker used to designate that an AD object is scheduled to be destroyed is called a "tombstone". A tombstone is an object whose isDeleted attribute has been set to True; it indicates that the object has been deleted but not yet removed from the directory.
The directory service moves tombstoned objects to the Deleted Objects container, where they remain until the garbage collection process removes them. The garbage collection process runs every 12 hours on a DC by default. By default, the length of time tombstoned objects remain in the directory service before being deleted (the tombstone lifetime) is either 60 days for Windows 2000/2003 Active Directory, or 180 days for Windows Server 2003 SP1 Active Directory.
Restoring tombstoned objects from the Active Directory database is often known as "reanimation". There are several tools for reanimation, such as LDP.EXE, ADRestore.net and Quest software.
The restored object has the same primary SID as it had before the deletion, but it must be added again to the same security groups to regain the same level of access to resources. The RTM release of Windows Server 2003 does not preserve the sIDHistory attribute on reanimated user accounts, computer accounts, and security groups; however, Windows Server 2003 with SP1 does preserve the sIDHistory attribute on deleted objects. We need to reset the reanimated user account's password, and also need to remove the Microsoft Exchange attributes and reconnect the user to the Exchange mailbox.
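The workflow described above (find the tombstone, check how long it has before garbage collection, reanimate it, then re-add group memberships and reset the password), as an added PowerShell example that is not part of the original article. It assumes the ActiveDirectory module (RSAT) on a DC or admin host running Windows Server 2008 R2 or later; the group names and the account's GUID are placeholders supplied by the caller.

```powershell
# Added example, not from the original article. Requires the ActiveDirectory module
# and an account holding the "Reanimate Tombstones" control access right on the domain.
Import-Module ActiveDirectory

# Read the forest's tombstone lifetime (days). If the attribute is unset, the
# original 60-day default applies; forests created on 2003 SP1 or later set 180.
function Get-TombstoneLifetimeDays {
    $configNC = (Get-ADRootDSE).configurationNamingContext
    $dsCfg = Get-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$configNC" `
                          -Properties tombstoneLifetime
    if ($dsCfg.tombstoneLifetime) { return [int]$dsCfg.tombstoneLifetime }
    return 60
}

# List tombstoned user objects in the Deleted Objects container. whenChanged is used
# as an approximation of the deletion time (it is updated when isDeleted is set).
function Get-TombstonedUsers {
    $lifetime = Get-TombstoneLifetimeDays
    Get-ADObject -Filter 'isDeleted -eq $true -and objectClass -eq "user"' `
                 -IncludeDeletedObjects -Properties lastKnownParent, whenChanged, objectSid |
        Select-Object Name, ObjectGUID, objectSid, lastKnownParent, whenChanged,
            @{ n = 'DaysUntilGarbageCollected'
               e = { $lifetime - ((Get-Date) - $_.whenChanged).Days } }
}

# Reanimate one user by GUID into its original container, then repair what the
# tombstone did not preserve: group memberships, password, and enabled state.
function Restore-TombstonedUser {
    param(
        [Parameter(Mandatory)][string]$ObjectGuid,   # placeholder: GUID from Get-TombstonedUsers
        [string[]]$GroupNames = @()                  # placeholder: groups the user belonged to
    )
    $tomb = Get-ADObject -Identity $ObjectGuid -IncludeDeletedObjects -Properties lastKnownParent
    Restore-ADObject -Identity $ObjectGuid -TargetPath $tomb.lastKnownParent

    # objectSid is preserved, memberOf is not: re-add the user to its groups.
    foreach ($g in $GroupNames) { Add-ADGroupMember -Identity $g -Members $ObjectGuid }

    # The password is not recoverable: reset it, and enable the account if reanimation left it disabled.
    Set-ADAccountPassword -Identity $ObjectGuid -Reset `
        -NewPassword (Read-Host -AsSecureString 'New password for reanimated account')
    if (-not (Get-ADUser -Identity $ObjectGuid).Enabled) { Enable-ADAccount -Identity $ObjectGuid }
    # Exchange attribute cleanup and mailbox reconnection are done separately with Exchange tooling.
    Get-ADUser -Identity $ObjectGuid -Properties memberOf, whenChanged
}
```

Running `Get-TombstonedUsers` first gives the GUID and the remaining days before garbage collection; once the object is collected, no tool can reanimate it.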