Why do objects sometimes appear in the Lost and Found folder in Active Directory Users and Computers?

Many administrators don't even notice the Lost and Found folder. It's easy to miss, especially because Active Directory Users and Computers only displays it when you configure the snap-in to display advanced options. Open up your copy of Active Directory Users and Computers, and make sure that Advanced is selected in the View menu. Ideally, your Lost and Found folder will look like the one in Figure 15.1—empty. That means that all is well.

Figure 15.1: An empty Lost and Found folder.

But if Lost and Found does contain objects, how did they get there? And what should you do about them?

A Home for Orphans

Essentially, the Lost and Found folder is a home for orphaned Active Directory (AD) objects. Objects usually become orphans when AD replication converges after conflicting changes. Every AD domain controller contains a complete read/write copy of the domain database, so it is possible for two administrators to make conflicting changes to AD at the same time on different domain controllers. Eventually, AD replication will converge and resolve the discrepancy. The time it takes to do so is referred to as replication latency.

Most of the time, AD doesn't actually need to deal with what appears to be a conflicting change. For example, suppose one administrator changes a user's password, while another changes the user's name. AD replicates each attribute individually, so there's no conflict, even though two administrators made changes to the same user.

However, some types of conflicts can't be handled so easily. For example, suppose that one administrator moved a user into the Sales organizational unit (OU) while, at the same time, another administrator deleted the Sales OU on a different domain controller. When convergence occurs, where does the user account wind up? In Lost and Found.

Handling Found Objects

When objects appear in Lost and Found, many administrators' first instinct is to delete them, thinking they're some kind of bogus object reference. Don't! They're real AD objects, and you simply need to move them into a regular container or OU.
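The inspect-then-move procedure above, as an added PowerShell example that is not part of the original article. It assumes the RSAT ActiveDirectory module is installed, and the target OU path is a placeholder you must replace with a real OU in your domain:

```powershell
# Added example: list the orphaned objects in the domain's Lost and Found
# container and move them into a regular OU instead of deleting them.
# Assumes the RSAT ActiveDirectory module; $targetOu is a placeholder.
Import-Module ActiveDirectory

$domain       = Get-ADDomain
$lostAndFound = $domain.LostAndFoundContainer     # e.g. CN=LostAndFound,DC=example,DC=com
$targetOu     = 'OU=Recovered,DC=example,DC=com'  # placeholder: choose a real OU

# Enumerate the direct children of the container, including any subfolder
# that a failed MoveTree run left behind.
$orphans = Get-ADObject -SearchBase $lostAndFound -SearchScope OneLevel -Filter * `
    -Properties objectClass, whenChanged, lastKnownParent

if (-not $orphans) {
    Write-Host 'Lost and Found is empty; all is well.'
}
else {
    # Report first. lastKnownParent holds the DN of the container the object
    # lived in before it was orphaned, which tells you which OU was deleted.
    $orphans |
        Select-Object Name, ObjectClass, whenChanged, lastKnownParent |
        Format-Table -AutoSize

    # Move each orphan into a regular OU. -WhatIf only previews the move;
    # remove it once the report above looks right.
    foreach ($obj in $orphans) {
        Move-ADObject -Identity $obj.DistinguishedName -TargetPath $targetOu -WhatIf
    }
}
```

Objects that MoveTree parked in a subfolder under Lost and Found show up here with their subfolder as the parent, so check the report before removing -WhatIf.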

Other Lost and Found Information

In some environments, administrators use copies of the Ntdsutil utility that they obtained from prerelease copies of Windows 2000 (Win2K). In the article "How to Troubleshoot an 'Internal Error' Error Message During the Replication Phase of Dcpromo," Microsoft documents a problem with prerelease copies of this utility in which using it to perform an authoritative restore would incorrectly increment the internal version number of the Lost and Found container, causing an internal Windows error. Obviously, stay away from prerelease utilities!

Lost and Found has one legitimate use that doesn't indicate a problem or a replication issue: moving objects between domains. When you use Microsoft's MoveTree utility to move objects between domains, the utility first moves the objects into the Lost and Found folder; they're then copied to the destination domain and removed from Lost and Found. If MoveTree fails to work correctly, you might find objects still lingering in Lost and Found. Further, if you try to use MoveTree to move objects it can't handle, such as computer accounts, they'll wind up in a subfolder under Lost and Found.