4.16. Modifying the Default TTL Settings for Dynamic Objects


This recipe requires the Windows Server 2003 forest functional level.


You want to modify the minimum and default TTLs for dynamic objects.


In each solution below, I’ll show how to set the DynamicObjectDefaultTTL setting to 172800. Modifying the DynamicObjectMinTTL can be done in the same manner.

Using a graphical user interface

  1. Open ADSI Edit.

  2. If an entry for the Configuration naming context is not already displayed, do the following:

    1. Right-click on ADSI Edit in the right pane and click Connect to . . .

    2. Fill in the information for the naming context for your forest. Click on the Advanced button if you need to enter alternate credentials.

  3. In the left pane, browse to the following path under the Configuration naming context: Services Windows NT Directory Service.

  4. Right-click cn=Directory Service and select Properties.

  5. Edit the msDS-Other-Settings attribute.

  6. Click on DynamicObjectDefaultTTL=< xxxxx> and click Remove.

  7. The attribute/value pair should have been populated in the “Value to add” field.

  8. Edit the number part of the value to be 172800.

  9. Click Add.

  10. Click OK twice.

Using a command-line interface

The following ntdsutil command connects to <DomainControllerName>, displays the current values for the dynamic object TTL settings, sets the DynamicObjectDefaultTTL to 172800, commits the change, and displays the results:

> ntdsutil "config settings" connections "connect to server <DomainControllerName>"[RETURN] 
q "show values" "set DynamicObjectDefaultTTL to 172800" "commit changes" "show[RETURN]
values" q q

Using VBScript

' This code modifies the default TTL setting for dynamic objects in a forest
strNewValue   = 172800

'Could be DynamicObjectMinTTL instead if you wanted to set that instead
strTTLSetting = "DynamicObjectDefaultTTL" 
' ------ END CONFIGURATION ---------


set objRootDSE = GetObject("LDAP://RootDSE")
set objDS = GetObject("LDAP://CN=Directory Service,CN=Windows NT," & _ 
                      "CN=Services,CN=Configuration," & _
for each strVal in objDS.Get("msDS-Other-Settings")
   Set objRegEx = New RegExp   
   objRegEx.Pattern = strTTLSetting & "="
   objRegEx.IgnoreCase = True
   Set colMatches = objRegEx.Execute(strVal)
   For Each objMatch in colMatches
      Wscript.Echo "Deleting " & strVal
      objDS.PutEx ADS_PROPERTY_DELETE, "msDS-Other-Settings", Array(strVal)

Wscript.Echo "Setting " & strTTLSetting & "=" & strNewValue
            "msDS-Other-Settings", _
            Array(strTTLSetting & "=" & strNewValue)


Two configuration settings apply to dynamic objects:


Defines the default TTL that is set for a dynamic object at creation time unless another one is set via entryTTL.


Defines the smallest TTL that can be configured for a dynamic object.

Unfortunately, these two settings are not stored as discrete attributes. Instead, they are stored as attribute-value-assertions (AVA) in the msDS-Other-Settings attribute on the cn=DirectoryServices,cn=WindowsNT,cn=Configuration,<ForestRootDN> object. AVAs are used occasionally in Active Directory on multivalued attributes, in which the values take the form of Setting1=Value1, Setting2=Value2, etc.

For this reason, you cannot simply manipulate AVA attributes as you would another attribute. You have to be sure to add or replace values with the same format, as they existed previously.

Using a command-line interface

You can use ntdsutil in interactive mode or in single-command mode. In this solution, I’ve included all the necessary commands on a single line. You can, of course, step through each command by simply running ntdsutil in interactive mode and entering each command one by one.

Using VBScript

Because we are dealing with AVAs, the VBScript solution is not very straightforward. Getting a pointer to the Directory Service object is easy, but then we must step through each value of the mSDS-Other-Settings attribute until we find the one we are looking for. The reason it is not straightforward is that we do not know the exact value of the setting we are looking for. All we know is that it begins with DynamicObjectDefaultTTL=. That is why it is necessary to resort to regular expressions. With a regular expression, we can compare each value against DefaultObjectDefaultTTL= and if we find a match, delete that value only. After we’ve iterated through all of the values and hopefully deleted the one we are looking for, we append the new setting using PutEx. Simple as that!

See Also

Recipe 4.11 for modifying an object and MSDN: Regular Expression (RegExp) Object

Get Active Directory Cookbook now with the O’Reilly learning platform.

O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.