
How can I check the tombstone lifetime of my Active Directory forest?

Understanding Active Directory Tombstones

A tombstone is the mechanism in Active Directory that determines how long a deleted object can be restored. When an object is deleted from Active Directory, it is not physically removed from the directory right away; for a number of days it is marked as a tombstone object instead of being fully removed. Active Directory sets the isDeleted attribute of the deleted object to TRUE and moves it to a special container for tombstones, CN=Deleted Objects.

Tombstones cannot be browsed with the usual Windows directory tools or MMC consoles. They are, however, visible to the directory replication process, so tombstones are replicated to all the domain controllers in the domain.

This tombstone process ensures that the deletion reaches every domain controller throughout Active Directory.

Default Tombstone Lifetime

The tombstone lifetime is determined by the value of the tombstoneLifetime attribute on the Directory Service object in the configuration directory partition. Its default value depends on the server OS version of the first DC in the forest and is either 60 or 180 days.

For domain controllers upgraded to Windows Server 2008 that use a tombstone lifetime of 60 days, Microsoft recommends manually setting the value to 180 days. One of the benefits this provides is an increase in the useful life of backups.

The tombstone lifetime is set when the first DC in a forest is installed, and it applies to all domains in that forest. The tombstone lifetime is not configurable per domain.

Operating system of the first domain controller    Tombstone lifetime (days)
-----------------------------------------------    -------------------------
Windows Server 2022                                180
Windows Server 2019                                180
Windows Server 2016                                180
Windows Server 2012                                180
Windows Server 2008 R2                             180
Windows Server 2008                                180
Windows Server 2003 R2 SP2                         180
Windows Server 2003 R2 SP1                          60
Windows Server 2003 R2                              60
Windows Server 2003 SP2                            180
Windows Server 2003 SP1                            180
Windows Server 2003 RTM                             60
Windows 2000 Server                                 60
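Because the attribute may be absent in forests that were first built on the older operating systems in the table, reading it with a one-liner can silently return nothing. The following PowerShell function is an added example (not code from the original post) that reads the value from the Configuration partition found via RootDSE, treats an unset attribute as the built-in 60-day default, and reports the oldest backup date that can still be restored. It assumes the RSAT ActiveDirectory module on a domain-joined machine; the function name and the output field names are my own.

```powershell
# Added example, not code from the original post. Assumes the RSAT ActiveDirectory
# module and a domain-joined machine that can reach a domain controller.
Import-Module ActiveDirectory

function Get-TombstoneLifetime {
    # The attribute lives on CN=Directory Service in the Configuration partition, which is
    # forest-wide. Reading the partition DN from RootDSE avoids hard-coding the domain name.
    $configNC = (Get-ADRootDSE).configurationNamingContext
    $dsDn     = "CN=Directory Service,CN=Windows NT,CN=Services,$configNC"
    $dsObject = Get-ADObject -Identity $dsDn -Properties tombstoneLifetime

    if ($null -eq $dsObject.tombstoneLifetime) {
        # Forests first built on Windows 2000 / 2003 RTM leave the attribute unset;
        # Active Directory then applies its built-in default of 60 days.
        $days   = 60
        $source = 'built-in default (attribute not set)'
    } else {
        $days   = [int]$dsObject.tombstoneLifetime
        $source = 'tombstoneLifetime attribute'
    }

    [pscustomobject]@{
        Forest             = (Get-ADForest).Name
        TombstoneLifetime  = $days
        Source             = $source
        # A backup older than the tombstone lifetime cannot safely be restored into the forest.
        OldestUsableBackup = (Get-Date).AddDays(-$days).ToString('yyyy-MM-dd')
    }
}

$tsl = Get-TombstoneLifetime
$tsl
if ($tsl.TombstoneLifetime -lt 180) {
    Write-Warning "Tombstone lifetime is $($tsl.TombstoneLifetime) days; Microsoft recommends raising it to 180."
}
```

Run it on any DC or RSAT workstation; the warning fires for the 60-day forests in the table above, which are exactly the ones Microsoft recommends raising to 180 days.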

Benefits of tombstones

There are three main situations in which a tombstone can help:

Accidental object deletion: If you accidentally delete an object that had specific attributes, you cannot simply create a new object with the same name and the same attribute values and expect it to work as before. Whenever we create an object, a unique security identifier (SID) gets associated with it. It is the SID that enables an object to get access to resources, be a member of groups, and so on. Even if you create a new object with the same name, the SID will be different. Luckily, you can restore a tombstoned object with its original SID if it is not beyond the tombstone time period.

Deletion action is captured during an AD restore: It’s always a good practice to take frequent backups of your DCs. If a DC crashes, you’ll need to rebuild it from the last available backup. Now, imagine if you deleted an object before an AD restore. In this scenario, the last available backup will still contain the deleted object. If not for tombstones, the deleted object would find its way back into AD. By marking the deleted object as a tombstone, you can ensure that the object does not become active after being replicated to the restored DC.

Replication of a deletion action: All the domain controllers (DCs) in a domain follow the multimaster replication model. This means that making changes on any DC replicates those changes to all the other DCs in the domain. If an object were deleted at a particular DC without being tombstoned, there would be no way for this information to be replicated to the other DCs. Tombstoning enables the deletion action to be replicated.

How do you view tombstoned objects?

To view and restore tombstoned objects, follow these steps:

  1. At the DC’s console, choose Run.
  2. Type LDP.EXE and then press Enter.
  3. Go into the Connection menu, and choose Bind. Ensure that Bind as currently logged on user is selected, and click OK. This confirms that you are authenticated as the administrator of the DC.
  4. Click on the Options menu, choose Controls, and then choose Return deleted objects under the Load Predefined drop-down. Click OK.
  5. Go into the View menu, select Tree, and then choose the fully qualified distinguished name of your domain. In our example, this would be DC=WindowsTechno,DC=Local.
  6. Expand the details of your domain on the left side, and then double-click on the relevant item with details on deleted objects. In our example, this would be CN=Deleted Objects,DC=WindowsTechno,DC=Local. This will show you all the objects that have been deleted in the domain.
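The same view can be produced from PowerShell, which is easier to audit or schedule than clicking through LDP. The script below is an added example (not code from the original post): Get-ADObject with -IncludeDeletedObjects sends the same "return deleted objects" LDAP control that step 4 enables in LDP, and the script adds, for each tombstone, the deadline after which it can no longer be restored, derived from the forest's tombstoneLifetime. It assumes the RSAT ActiveDirectory module and an account permitted to read the Deleted Objects container; the column names are my own.

```powershell
# Added example, not code from the original post. Lists tombstoned objects with the
# same "Return deleted objects" control LDP uses, and shows how long each can still be
# restored. Assumes the RSAT ActiveDirectory module and rights to read deleted objects.
Import-Module ActiveDirectory

$configNC = (Get-ADRootDSE).configurationNamingContext
$tsl = (Get-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$configNC" `
                     -Properties tombstoneLifetime).tombstoneLifetime
if ($null -eq $tsl) { $tsl = 60 }   # unset attribute means the 60-day default applies

# -IncludeDeletedObjects sends the LDAP "show deleted" control (the LDP option in step 4).
# The filter skips the CN=Deleted Objects container itself, which is also flagged isDeleted.
$deleted = Get-ADObject -Filter 'isDeleted -eq $true -and objectClass -ne "container"' `
                        -IncludeDeletedObjects `
                        -Properties isDeleted, whenChanged, lastKnownParent, objectSid |
    ForEach-Object {
        # whenChanged is the last write to the tombstone, normally the deletion itself,
        # so it is a good approximation of when the object was deleted.
        [pscustomobject]@{
            Name            = $_.Name
            ObjectClass     = $_.ObjectClass
            LastKnownParent = $_.lastKnownParent
            DeletedOn       = $_.whenChanged
            RestorableUntil = $_.whenChanged.AddDays($tsl)
            DaysLeft        = [math]::Floor(($_.whenChanged.AddDays($tsl) - (Get-Date)).TotalDays)
            ObjectSid       = $_.objectSid   # the original SID a restore would bring back
        }
    }

$deleted | Sort-Object DeletedOn -Descending | Format-Table -AutoSize
```

Deleted objects appear with their mangled tombstone names (the original name followed by a DEL: marker and the object GUID); LastKnownParent tells you where each one lived, and DaysLeft tells you how urgent a restore is.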

Changing Tombstone Lifetime Attribute

The tombstone lifetime attribute can be modified in three ways: using the ADSI Edit tool, using an LDIF file, or through VBScript. In this article we explain only the ADSI Edit method of changing the tombstone lifetime.

Using the ADSI Edit Tool

To perform this procedure, you will need the ADSI Edit utility. In Windows Server 2008 and above, this component is installed together with the AD DS role, or it can be downloaded and installed along with Remote Server Administration Tools. Refer to Install ADSI Edit for detailed instructions on how to install the ADSI Edit utility.

  • On any domain controller in the target domain, navigate to Start → Windows Administrative Tools (Windows Server 2016) or Administrative Tools (Windows Server 2012 R2 and below) → ADSI Edit.

  • Right-click the ADSI Edit node and select Connect To. In the Connection Settings dialog, enable Select a well-known Naming Context and select Configuration from the drop-down list.

  • Navigate to Configuration <Your_Root_Domain_Name> → CN=Configuration,DC=Windowstechno,DC=Local → CN=Services → CN=Windows NT → CN=Directory Service.

  • Right-click CN=Directory Service and select Properties from the pop-up menu.

  • In the CN=Directory Service Properties dialog, locate the tombstoneLifetime attribute in the Attribute Editor tab.

  • Edit the tombstoneLifetime value as required: in the Value field, set the number of days that tombstone objects should remain in Active Directory.

  • Click OK.

The tombstone lifetime has now been successfully changed.
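The ADSI Edit steps above can be scripted, which makes the change reviewable and repeatable across forests. The function below is an added example (not code from the original post) that writes tombstoneLifetime with Set-ADObject, shows the current value first, supports -WhatIf and -Confirm, and warns when the new value is below the 180 days Microsoft recommends. It assumes the RSAT ActiveDirectory module and an account allowed to write the Configuration partition (Enterprise Admins or equivalent); the function name and the upper bound of the range check are my own choices.

```powershell
# Added example, not code from the original post. Changes the forest-wide
# tombstoneLifetime with the ActiveDirectory module instead of ADSI Edit. Assumes the
# RSAT ActiveDirectory module and an account allowed to write the Configuration partition.
Import-Module ActiveDirectory

function Set-TombstoneLifetime {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param(
        # 2 days is the smallest value AD accepts; the upper bound is a guardrail chosen for this example.
        [Parameter(Mandatory)][ValidateRange(2, 3650)][int]$Days
    )

    $configNC = (Get-ADRootDSE).configurationNamingContext
    $dsDn     = "CN=Directory Service,CN=Windows NT,CN=Services,$configNC"
    $current  = (Get-ADObject -Identity $dsDn -Properties tombstoneLifetime).tombstoneLifetime
    if ($null -eq $current) { $current = '<not set, 60-day default>' }

    if ($Days -lt 180) {
        Write-Warning "Setting $Days days; Microsoft recommends 180. Lowering the value makes backups older than $Days days unusable and lets older tombstones be garbage-collected."
    }

    # ShouldProcess provides -WhatIf and -Confirm; the write is forest-wide and replicates to every DC.
    if ($PSCmdlet.ShouldProcess($dsDn, "Change tombstoneLifetime from $current to $Days days")) {
        Set-ADObject -Identity $dsDn -Replace @{ tombstoneLifetime = $Days }
        # Read it back so the caller sees what the directory actually stored.
        (Get-ADObject -Identity $dsDn -Properties tombstoneLifetime).tombstoneLifetime
    }
}

# Preview first; remove -WhatIf to apply (ConfirmImpact = High prompts before writing).
Set-TombstoneLifetime -Days 180 -WhatIf
```

Because the attribute is forest-wide, run this once against any DC and let replication carry it; the read-back at the end confirms the stored value before you rely on it for backup planning.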

Get Tombstone Lifetime via PowerShell

(get-adobject "cn=Directory Service,cn=Windows NT,cn=Services,cn=Configuration,dc=windowstechno,dc=local" -properties "tombstonelifetime").tombstonelifetime

The command returns the value of the attribute, which is the tombstone lifetime in days.


So, that’s all in this blog. I will meet you soon with some other stuff. Have a nice day!!!

Guys, please don’t forget to like and share the post. Also join our WindowsTechno Community, where you can post your queries and doubts and our experts will address them.

You can also share feedback at the WindowsTechno email address below.

If you have any questions, feel free to contact us at admin@windowstechno.com. Also follow us on facebook@windowstechno to get updates about new blog posts.


Vipan Kumar

He is an Active Directory Engineer. He has been working in the IT industry for more than 10 years. He is a dedicated and enthusiastic information technology expert who is always ready to resolve any technical problem. If you need any further help on these subjects, feel free to contact us at admin@windowstechno.com. Please subscribe to our Facebook page as well as the website for the latest articles: https://www.facebook.com/windowstechno
