Active Directory

Understanding and Modifying the Active Directory Tombstone Lifetime

Hello Guys

Hope you are doing well and enjoying all the posts.

Today we are going to explain what is Active Directory tombstones and how we can change it .

Understanding and Modifying the Active Directory Tombstone Lifetime

A tombstone is process in active directory that define how long deleted object can be restored. Actually when an object is deleted from Active Directory, it is not physically removed from the Active Directory for some days. it’s marked as a tombstone object instead of being fully removed. the Active Directory sets the ‘isDeleted’ attribute of the deleted object to TRUE and move it to a special container called Tombstone, previously known as CN=Deleted Objects.

We cannot access tombstone by windows directory or MMC console. However, tombstones are available to Directory Replication Process, so that the tombstones are replicated to all the domain controllers in the domain. This tombstone process ensures that the object deleted is deleted from all the computers throughout the Active Directory.

Default Tombstone Lifetime

The tombstone lifetime is determined by the value of the tombstoneLifetime attribute on the Directory Service object in the configuration directory partition. Its default value depends on the server OS version of the first DC in the forest and is either 60 or 180 days.

For domain controllers upgraded to Windows Server 2008 that use a tombstone lifetime of 60 days, Microsoft recommends manually setting the value to 180 days. One of the benefits this provides is an increase in the useful life of backups.

The tombstone lifetime is set with the install of the first DCs in a forest for all domains. The tombstone lifetime is not configurable per domain.

Operating System of the first Domain Controller Tombstone lifetime (days)
Windows Server 2022 180
Windows Server 2019 180
Windows Server 2016 180
Windows Server 2012 180
Windows Server 2008 R2 180
Windows Server 2008 180
Windows Server 2003 R2 SP2 180
Windows Server 2003 R2 SP1 60
Windows Server 2003 R2 60
Windows Server 2003 SP2 180
Windows Server 2003 SP1 180
Windows Server 2003 RTM 60
Windows 2000 Server 60

Benefits of tombstones

There are three main situations in which a tombstone can help:

Accidental object deletion: If you accidently delete an object which had specific attributes, you cannot create a new object with the same name and with all attributes value to work as before. Whenever we create an object, a unique security identifier (SID) gets associated with it. It’s the SID which enables an object to get access to resources, be a part of groups, etc. Even if you create a new object with the same name, the SID will be different. Luckily, you can restore a tombstoned object with its original SID if it’s not beyond tombstone time period.

Deletion action is captured during an AD restore: It’s always a good practice to take frequent backups of your DCs. If a DC crashes, you’ll need to rebuild it from the last available backup. Now, imagine if you deleted an object before an AD restore. In this scenario, the last available backup will still contain the deleted object. If not for tombstones, the deleted object would find its way back into AD. By marking the deleted object as a tombstone, you can ensure that the object does not become active after being replicated to the restored DC.

Replication of a deletion action: All the domain controllers (DC) in a domain follow the multimaster replication model. This means making changes to any DC will replicate those changes in all the other DCs in the domain. If an object is deleted at a particular DC without being tombstoned, there is no way this information can be replicated to the other DCs. Tombstoning enables the deletion action to be replicated.

Changing Tombstone Lifetime Attribute

The tombstone lifetime attribute can be modified in three ways: Using ADSIEdit tool, using LDIF file, and through VBScript.in this article we only explain the latest method to change the tombstone time.

USING ADSIEDIT TOOL

To perform this procedure, you will need the ADSI Edit utility. In Windows Server 2008 and above, this component is installed together with the AD DS role, or it can be downloaded and installed along with Remote Server Administration Tools. Refer to Install ADSI Edit for detailed instructions on how to install the ADSI Edit utility.

  • On any domain controller in the target domain, navigate to Start → Windows Administrative Tools (Windows Server 2016) or Administrative Tools (Windows 2012 R2 and below) → ADSI Edit.

  • Right-click the ADSI Edit node and select Connect To. In the Connection Settings dialog, enable Select a well-known Naming Context and select Configuration from the drop-down list.

  • Navigate to Configuration <Your_Root_Domain_Name →

  • Expand Configuration CN=Configuration,DC=Windowstechno,DC=Local →

  • Expand Services  CN=Services →

Services

  • Expand Windows NT  CN=Windows NT →

  • Expand Directory Service  CN=Directory Service.

  • Right-click it and select Properties from the pop-up menu.

  • In the CN=Directory Service Properties dialog, locate the tombstoneLifetime attribute in the Attribute Editor tab.

  • Edit the tombstone value as per your requirement.

Set the number of days that tombstone objects should remain in Active Directory in the Value field.

  • Click OK.

Tombstone value changed

The Tombstone Lifetime has now been successfully changed.

So, that’s all in this blog. I will meet you soon with next stuff. Have a nice day.

Recommended content

RODC Installation Guide- Step by step guide to install read only domain controller

RODC Filtered Attribute Set

Installing and configuring a RODC in Windows Server-2012

How to find the GUID of Domain Controller

Understanding Group Policy Preferences

Group Policy Verification Tool GPOTool Exe

Group Policy Health Check on Specific Domain Controller

Netlogon Folder in Active Directory

Custom Attributes in Active Directory

Tombstone Lifetime of My Active Directory Forest

Computers AD Site From the Command Line

Active Directory Database Integrity

Disabling and Enabling the Outbound Replication

DFS Replication Service Stopped Replication

Strict Replication Consistency

The replication operation failed because of a schema mismatch between the servers involved

Troubleshooting ad replication error 8418 the replication operation failed because of a schema mismatch between the servers

Replication information in txt file

Repadmin Replsummary

Guys please don’t forget to like and share the post. Also join our WindowsTechno Community and where you can post your queries/doubts and our experts will address them.

You can also share the feedback on below windows techno email id.

If you have any questions, feel free to contact us on admin@windowstechno.com also follow us on facebook@windowstechno to get updates about new blog posts.

How useful was this post?

Click on a star to rate it!

As you found this post useful...

Follow us on social media!

Was this article helpful?
YesNo

Vipan Kumar

He is an Active Directory Engineer. He has been working in IT industry for more than 10 years. He is dedicated and enthusiastic information technology expert who always ready to resolve any technical problem. If you guys need any further help on subject matters, feel free to contact us on admin@windowstechno.com Please subscribe our Facebook page as well website for latest article. https://www.facebook.com/windowstechno
Back to top button