Determine & Change Tombstone Lifetime in Active Directory

Hello Guys

Hope you are doing well and enjoying all the posts.

Today we are going to explain what Active Directory tombstones are and how the tombstone lifetime can be changed.

A tombstone is a mechanism in Active Directory that defines how long a deleted object can still be restored. When an object is deleted from Active Directory, it is not physically removed right away; instead it is marked as a tombstone object for a number of days. Active Directory sets the ‘isDeleted’ attribute of the deleted object to TRUE and moves it to a special container called Tombstone, previously known as CN=Deleted Objects.

Tombstones cannot be accessed through the normal Windows directory browsing tools or the MMC consoles. However, they are visible to the directory replication process, so tombstones are replicated to all the domain controllers in the domain. This ensures that an object deleted on one domain controller is deleted on every domain controller throughout the Active Directory forest.

Default Tombstone Lifetime

The tombstone lifetime is determined by the value of the tombstoneLifetime attribute on the Directory Service object in the configuration directory partition. Its default value depends on the server OS version of the first DC in the forest and is either 60 or 180 days.

For domain controllers upgraded to Windows Server 2008 that use a tombstone lifetime of 60 days, Microsoft recommends manually setting the value to 180 days. One of the benefits this provides is an increase in the useful life of backups.

The tombstone lifetime is set when the first DC in a forest is installed and applies to all domains in that forest. It is not configurable per domain.

Operating System of the first Domain Controller    Tombstone lifetime (days)
Windows Server 2012                                180
Windows Server 2008 R2                             180
Windows Server 2008                                180
Windows Server 2003 R2 SP2                         180
Windows Server 2003 R2 SP1                         60
Windows Server 2003 R2                             60
Windows Server 2003 SP2                            180
Windows Server 2003 SP1                            180
Windows Server 2003 RTM                            60
Windows 2000 Server                                60
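The default described above has a practical twist: on a forest whose first DC predates Windows Server 2003 SP1, the tombstoneLifetime attribute is usually not set at all, and an absent attribute means the 60-day default applies. The following PowerShell is an added example, not code from the original post; it reads the attribute from CN=Directory Service with the ActiveDirectory module (RSAT), reports whether the value is explicit or defaulted, and checks a backup date against the lifetime, since a backup older than the tombstone lifetime can no longer be used for a supported restore. The function names and the constructed 70-day-old backup date are assumptions for the example.

```powershell
# Added example: read tombstoneLifetime and relate it to backup age.
# Requires the ActiveDirectory module (RSAT / AD DS tools) on a domain-joined host.
Import-Module ActiveDirectory

function Get-TombstoneLifetime {
    [CmdletBinding()]
    param()

    # The attribute lives on CN=Directory Service in the configuration partition.
    $configNC = (Get-ADRootDSE).configurationNamingContext
    $dn       = "CN=Directory Service,CN=Windows NT,CN=Services,$configNC"
    $dsObject = Get-ADObject -Identity $dn -Properties tombstoneLifetime

    if ($null -eq $dsObject.tombstoneLifetime) {
        # No value stored: AD falls back to the 60-day default of older forests.
        [pscustomobject]@{ Days = 60; Source = 'Default (attribute not set)' }
    } else {
        [pscustomobject]@{ Days = [int]$dsObject.tombstoneLifetime; Source = 'Explicitly set' }
    }
}

function Test-BackupAgainstTombstone {
    param(
        [Parameter(Mandatory)][datetime]$BackupDate,
        [int]$TombstoneLifetimeDays = (Get-TombstoneLifetime).Days
    )
    $age = (Get-Date) - $BackupDate
    [pscustomobject]@{
        BackupAgeDays         = [math]::Floor($age.TotalDays)
        TombstoneLifetimeDays = $TombstoneLifetimeDays
        # A backup must be younger than the tombstone lifetime to be restorable.
        UsableForRestore      = $age.TotalDays -lt $TombstoneLifetimeDays
    }
}

Get-TombstoneLifetime
# Constructed sample: a backup taken 70 days ago fails on a 60-day forest,
# passes on a 180-day forest.
Test-BackupAgainstTombstone -BackupDate (Get-Date).AddDays(-70)
```

Run it as a domain user; reading the configuration partition needs no elevated rights, which makes it suitable for a scheduled health check that raises an alert when the newest system-state backup approaches the lifetime.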

Benefits of tombstones

There are three main situations in which a tombstone can help:

Accidental object deletion: If you accidentally delete an object, you cannot simply create a new object with the same name and attribute values and expect it to work as before. Whenever an object is created, a unique security identifier (SID) is associated with it. It is the SID that lets the object access resources, be a member of groups, and so on. Even if you create a new object with the same name, the SID will be different. Luckily, you can restore a tombstoned object with its original SID as long as it is still within the tombstone lifetime.

Deletion action is captured during an AD restore: It is always good practice to take frequent backups of your DCs. If a DC crashes, you will need to rebuild it from the last available backup. Now imagine that you deleted an object before the AD restore. In this scenario, the last available backup still contains the deleted object, and without tombstones the deleted object would find its way back into AD. By marking the deleted object as a tombstone, you ensure that the object does not become active again after replication to the restored DC.

Replication of a deletion action: All the domain controllers (DCs) in a domain follow the multimaster replication model, which means that a change made on any DC is replicated to all the other DCs in the domain. If an object were deleted on a particular DC without being tombstoned, there would be no way to replicate that deletion to the other DCs. Tombstoning is what allows the deletion to be replicated.

Changing Tombstone Lifetime Attribute

The tombstone lifetime attribute can be modified in three ways: using the ADSI Edit tool, using an LDIF file, or through VBScript. In this article we explain only the first of these, the ADSI Edit tool.

USING ADSIEDIT TOOL

To perform this procedure, you will need the ADSI Edit utility. In Windows Server 2008 and above, this component is installed together with the AD DS role, or it can be downloaded and installed along with Remote Server Administration Tools. Refer to Install ADSI Edit for detailed instructions on how to install the ADSI Edit utility.

  • On any domain controller in the target domain, navigate to Start → Windows Administrative Tools (Windows Server 2016) or Administrative Tools (Windows Server 2012 R2 and below) → ADSI Edit.
  • Right-click the ADSI Edit node and select Connect To. In the Connection Settings dialog, enable Select a well-known Naming Context and select Configuration from the drop-down list.
  • Navigate to Configuration <Your_Root_Domain_Name>.
  • Expand CN=Configuration,DC=Windowstechno,DC=Local (your own forest root will be shown here).
  • Expand CN=Services.
  • Expand CN=Windows NT.
  • Select CN=Directory Service.
  • Right-click it and select Properties from the pop-up menu.
  • In the CN=Directory Service Properties dialog, locate the tombstoneLifetime attribute on the Attribute Editor tab.
  • Edit the tombstone value as required: in the Value field, set the number of days that tombstone objects should remain in Active Directory.
  • Click OK.

The Tombstone Lifetime has now been successfully changed.
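The same change can be scripted, which is useful when it has to be documented or repeated across several forests. The PowerShell below is an added example and not code from the original post: it sets tombstoneLifetime with Set-ADObject, refuses to shorten the lifetime unless -Force is given (shortening it immediately invalidates older backups and garbage-collects tombstones sooner), verifies the stored value, and can also write out the equivalent LDIF file for the ldifde route mentioned above. The function names, the -Force convention and the output path under $env:TEMP are assumptions for the example; the operation needs Enterprise Admin rights on the configuration partition.

```powershell
# Added example: scripted change of tombstoneLifetime with a safety check,
# plus generation of the equivalent LDIF. Requires the ActiveDirectory module.
Import-Module ActiveDirectory

function Set-TombstoneLifetime {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][ValidateRange(1, [int]::MaxValue)][int]$Days,
        [switch]$Force   # required to shorten the lifetime
    )
    $configNC = (Get-ADRootDSE).configurationNamingContext
    $dn       = "CN=Directory Service,CN=Windows NT,CN=Services,$configNC"
    $current  = (Get-ADObject -Identity $dn -Properties tombstoneLifetime).tombstoneLifetime
    if ($null -eq $current) { $current = 60 }   # unset attribute means the 60-day default

    if ($Days -lt $current -and -not $Force) {
        $msg = "Refusing to shorten tombstone lifetime from $current to $Days days without -Force; " +
               "backups older than $Days days would no longer be restorable."
        throw $msg
    }

    # -WhatIf works here because of SupportsShouldProcess.
    if ($PSCmdlet.ShouldProcess($dn, "Set tombstoneLifetime $current -> $Days")) {
        Set-ADObject -Identity $dn -Replace @{ tombstoneLifetime = $Days }
        # Read back and return the value actually stored in the directory.
        (Get-ADObject -Identity $dn -Properties tombstoneLifetime).tombstoneLifetime
    }
}

function New-TombstoneLifetimeLdif {
    # Writes an LDIF modify operation that ldifde can apply: ldifde -i -f <path>
    param(
        [Parameter(Mandatory)][int]$Days,
        [string]$Path = (Join-Path $env:TEMP 'tombstoneLifetime.ldf')
    )
    $configNC = (Get-ADRootDSE).configurationNamingContext
    $ldif = @"
dn: CN=Directory Service,CN=Windows NT,CN=Services,$configNC
changetype: modify
replace: tombstoneLifetime
tombstoneLifetime: $Days
-
"@
    Set-Content -Path $Path -Value $ldif -Encoding ASCII
    $Path
}

# Preview the change, then apply it and show the stored value.
Set-TombstoneLifetime -Days 180 -WhatIf
Set-TombstoneLifetime -Days 180

# Alternative: generate the LDIF file and apply it with ldifde.
$ldf = New-TombstoneLifetimeLdif -Days 180
Write-Host "LDIF written to $ldf; apply with: ldifde -i -f `"$ldf`""
```

Because tombstoneLifetime lives in the configuration partition, the change replicates to every domain controller in the forest; after running it, confirm with repadmin /showobjmeta on another DC that the new value has arrived before relying on the longer restore window.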

Guys, please don’t forget to like and share the post. You can also share your feedback at the Windows Techno email address below.

If you have any questions, feel free to contact us at admin@windowstechno.com, and follow us on facebook@windowstechno to get updates about new blog posts.
