Directory Services

Dynamic Objects

In Windows Server 2003 family operating systems, Active Directory provides support for storing dynamic entries in the directory. A dynamic entry is an object in the directory which has an associated time-to-live (TTL) value. The TTL for an entry is set when the entry is created. The time-to-live is automatically decremented, and when it expires the dynamic entry disappears. The client can cause a dynamic entry to remain longer than its current remaining life by refreshing (modifying) its TTL value. Clients that store dynamic data in the directory must periodically refresh that data to prevent it from disappearing.

Many applications and services that use LDAP to store and access relatively static and globally interesting data from Active Directory would also prefer, for the sake of simplicity and uniformity, to continue using LDAP access for their dynamic data needs. Moreover, for some applications, it may be desirable to off-load the task of garbage-collecting objects in the DS that have a limited useful life to the directory service. Application directory partitions (with the ability for controlled placement of replicas) and per-object TTLs together will provide the capability of hosting dynamic data in Active Directory, thus allowing LDAP access to it.

A new auxiliary object class called dynamicObject with OID = 1.3.6.1.4.1.1466.101.119.2 will be defined in the base AD schema to be used by dynamic entries. This auxiliary class contains the attribute called entryTTL with OID = 1.3.6.1.4.1.1466.101.119.3 as a system-may-contain attribute. The value of this attribute is the "time in seconds" that the corresponding directory entry will continue to exist before disappearing from the directory. If the client does not supply a value for this attribute explicitly at object creation, then the DS provides a default value as specified later.

A new extended LDAP operation with OID = 1.3.6.1.4.1.1466.101.119.1 for client refresh of a dynamic entry in the directory will be defined and published in the supportedExtension attribute of the root DSE object.

In the actual implementation, entryTTL is a constructed attribute. The real object expiration time is stored as an absolute time when the object can be destroyed in a system-only attribute called ms-DS-Entry-Time-To-Live.