

Active Directory Dynamic Objects

What is a dynamic object? A dynamic object is an auxiliary class introduced in Windows Server 2003 that can be linked to most other object classes in Active Directory (as a class extension). By listing objectClass dynamicObject alongside the object's normal structural class, the object gains a number of extra attributes that change how it behaves. This is detailed in RFC 2589 (https://www.faqs.org/rfcs/rfc2589.html). It is useful to note that existing objects cannot be converted to dynamic objects: the dynamicObject auxiliary class must be specified at object creation time. Dynamic objects were introduced primarily for application development and for use in Application Partitions (Naming Contexts).


When an application creates a dynamicObject, a time-to-live (TTL) value is attached to the object and it is the responsibility of the application (client side or server side) to refresh the TTL if the object is to remain in the partition. Once the TTL decrements to 0 (zero), the object is removed without being tombstoned. Each domain controller is therefore responsible for deleting local dynamic objects when the TTL expires. If the object is deleted before the TTL reaches 0 (zero), the object is tombstoned (but the object's TTL is retained and continues to decrement) and is treated like any other tombstone (i.e. it can be updated/changed) until the TTL reaches 0 (zero), at which point it is removed from the partition (after a short delay).

The TTL is specified in the constructed attribute entryTTL of a dynamicObject, and the value (in seconds) can range from 15 minutes (the default minimum in AD, held in CN=DynamicObjectMinTTL,CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=<ForestName>) to 365 days and 8 hours. If entryTTL is not specified for a newly created dynamicObject, it is assigned a default value of 24 hours (CN=DynamicObjectDefaultTTL,CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=<ForestName>). If an object is specified as dynamic at creation time and the requested entryTTL is less than the value of DynamicObjectMinTTL, the object is given the entryTTL specified by DynamicObjectMinTTL, i.e. the lower value is ignored. The actual value of entryTTL is calculated from the value stored in msDS-Entry-Time-To-Die, which contains the date and time at which the object will be deleted.

It is worth noting that the Dynamic Object auxiliary class, although seemingly perfect for objects stored in DNS Application Partitions, is not actually used in the DNS Application Partitions.

I carried out some rudimentary testing of the characteristics of dynamicObjects (containers and objects) and it was interesting to see that dynamic container objects that have an entryTTL lower than their descendant objects (i.e. child objects of a container have higher entryTTL values) will decrement to 0 (zero), but will then assume the calculated entryTTL of the object with the highest calculated entryTTL contained in it. So, a dynamic container object will not be automatically deleted before its child dynamic objects.

You can do some rudimentary testing of dynamicObjects (containers or objects) by just creating an object and specifying the objectClass of dynamicObject at creation time. You can then monitor what happens to the object (and its entryTTL) in certain scenarios using LDP. I found the easiest way to create dynamic container objects for testing was to use LDIFDE, supplying it with an ldf file named createdynamicobjectcontainer.ldf with the following entries:-

dn: cn=test,dc=domain,dc=local
changetype: add
objectClass: container
objectClass: dynamicObject
entryTTL: 900

The command line to create the container is “ldifde -v -i -f createdynamicobjectcontainer.ldf /j c:\”

You can then create a dynamic object under the dynamic container by using an ldf file named createdynamicobject.ldf with the following entries:-

dn: cn=jsmith,cn=test,dc=domain,dc=local
changetype: add
objectClass: user
objectClass: dynamicObject
entryTTL: 900
sAMAccountName: jsmith

The command line to create the object is “ldifde -v -i -f createdynamicobject.ldf /j c:\”
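The TTL rules described above (default when entryTTL is omitted, clamping to DynamicObjectMinTTL, entryTTL derived from msDS-Entry-Time-To-Die) and the two LDIF records, as an added Python example that is not part of the original post. It assumes the forest defaults quoted above (900 and 86400 seconds) and that msDS-Entry-Time-To-Die is stored as AD Generalized Time; the sample directory data is constructed.

```python
from datetime import datetime

# Forest defaults quoted in the post; in production read the live values from
# CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,<forest DN>.
MIN_TTL = 900                        # DynamicObjectMinTTL: 15 minutes
DEFAULT_TTL = 86400                  # DynamicObjectDefaultTTL: 24 hours
MAX_TTL = 365 * 86400 + 8 * 3600     # 365 days and 8 hours


def effective_ttl(requested=None):
    """entryTTL the DC assigns: the default when none is given, raised to
    DynamicObjectMinTTL when lower (the lower value is ignored)."""
    if requested is None:
        return DEFAULT_TTL
    if requested > MAX_TTL:
        raise ValueError(f"entryTTL {requested}s exceeds the {MAX_TTL}s ceiling")
    return max(requested, MIN_TTL)


def dynamic_object_ldif(dn, object_class, ttl=None, **attrs):
    """LDIF 'add' record; dynamicObject must be listed at creation time
    because an existing object cannot be converted later."""
    lines = [f"dn: {dn}", "changetype: add",
             f"objectClass: {object_class}", "objectClass: dynamicObject",
             f"entryTTL: {effective_ttl(ttl)}"]
    lines += [f"{name}: {value}" for name, value in attrs.items()]
    return "\n".join(lines) + "\n"


def _generalized_time(value):
    # Assumed AD Generalized-Time form, e.g. 20240301120000.0Z (UTC).
    return datetime.strptime(value, "%Y%m%d%H%M%S.0Z")


def remaining_ttl(time_to_die, now):
    """Reconstruct the constructed entryTTL from msDS-Entry-Time-To-Die;
    0 means the DC is due to remove the object (no tombstone is created)."""
    seconds = (_generalized_time(time_to_die) - _generalized_time(now)).total_seconds()
    return max(0, int(seconds))


def expiring_soon(entries, now, threshold=MIN_TTL):
    """Audit helper: DNs whose dynamic object will vanish within `threshold`
    seconds unless a refresh sets a new entryTTL. `entries` maps each DN to
    its msDS-Entry-Time-To-Die value."""
    return sorted(dn for dn, ttd in entries.items()
                  if remaining_ttl(ttd, now) < threshold)


SAMPLE = {  # constructed values, not taken from a real directory
    "cn=test,dc=domain,dc=local": "20240301120000.0Z",
    "cn=jsmith,cn=test,dc=domain,dc=local": "20240302120000.0Z",
}
```

Because expired dynamic objects leave no tombstone, a periodic run of expiring_soon over an LDAP export is the only way to notice before they silently disappear.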

This information was harvested from the following links and references:

https://www.faqs.org/rfcs/rfc2589.html

https://msdn.microsoft.com/en-us/library/cc223463(PROT.10).aspx

https://msdn.microsoft.com/en-us/library/cc223446(PROT.10).aspx

https://msdn.microsoft.com/en-us/library/cc200600(PROT.10).aspx

https://msdn.microsoft.com/en-us/library/cc201014.aspx

https://my.safaribooksonline.com/0596004648/activedckbk-CHP-4-SECT-14#X2ludGVybmFsX1NlY3Rpb25Db250ZW50P3htbGlkPTA1OTYwMDQ2NDgvYWN0aXZlZGNrYmstQ0hQLTQtU0VDVC0xNg==

Inside Active Directory (Second Edition): A System Administrator's Guide, ISBN-10: 0321228480