Complete Guide to Active Directory tombstone lifetime Value
Once you delete an object from Active Directory, It does not delete permanently instead object turns into a tombstone. Active Directory sets the isDeleted attribute to True for the Object. However, AD does not keep this object forever and remove them permanently when reaching to Life of a Tombstone, a period for tombstone object.
The following diagram will explain this process, easy to understand for beginners.
We can view deleted objects in active directory using following PowerShell Command
Get-ADObject -ldapFilter:”(msDS-LastKnownRDN=*)” -IncludeDeletedObjects
Default tombstone lifetime (TSL) value in different Operating Systems |
|
| OS | Tombstone Lifetime |
| Windows 2000 | 60 days |
| Windows 2003 RTM | 60 days |
| Windows 2003 SP1 | 180 days |
| Windows 2003 R2 | 60 days |
| Windows 2003 SP2 | 180 days |
| Windows 2003 R2 SP2 | 180 days |
| Windows Server 2008 | 180 days |
| Windows Server 2008 R2 | 180 days |
| Windows Server 2012 & R2 | 180 days |
| Windows 2016 | 180 days |
| Windows 2019 | 180 days |
Tombstone lifetime is also important when taking backup and restore of Active Directory objects
- You cannot restore the deleted objects from backup older then tombstone lifetime.
- You cannot keep a domain controller in the disconnected state more than tombstone lifetime else, inbound and outbound replication will be disabled automatically to avoid replication lingering objects.
How to check tombstone lifetime (TSL) Value?
We can determine Active directory tombstone value using PowerShell and ADSI EDIT tool.
PowerShell: Open Active Directory Module for Windows PowerShell or Import Active Directory Module
(get-adobject -Server xxxx “cn=Directory Service,cn=Windows NT,cn=Services,cn=Configuration,dc=xxxx,dc=xxxx” -properties “tombstonelifetime”).tombstonelifetime
ADSI Edit Tool: Open command prompt (admin) and type adsiedit.msc
1- Right-click ADSI Edit and click connect
2- In the Connection Point section, select the Select a well known Naming Context radio button and select Configuration from the dropdown list.
3- Expand Configuration; CN=Configuration,DC=<forest_root_domain>; CN=Services; and CN=Windows NT.
4- Right-click CN=Directory Service and select Properties.
5- In the Attribute Editor tab of the properties window, locate the tombstoneLifetime The value of this attribute represents the forest’s current tombstone lifetime in days. If the attribute’s value shows <not set>, the tombstone lifetime of the forest is 60 days.
Modify tombstone lifetime value with PowerShell
(Set-adobject -Server xxxx “cn=Directory Service,cn=Windows NT,cn=Services,cn=Configuration,dc=xxxx,dc=xxxx” -Replace @{‘tombstonelifetime’=”240″})
Do not forget to change the highlighted values according to you environment.
-Server: Your domain controller name
dc: dc=constoso,dc=com (in case your domain name is contoso.com)
![Change tombstone lifetime value]()
Change tombstone lifetime value with ADSI Edit
Follow step 1 to 5 as above.
- To modify the tombstone lifetime, click Edit.
- Type the desired tombstone lifetime and click OK. Click OK again to close the properties window. The change takes effect immediately.
tombstone lifetime value plays an important role in active directory backup, restore and replication so it should be set carefully. What’s your thoughts on tombstone lifetime value in your infrastructure.