How to determine Tombstone Lifetime in Active Directory
In this guide, i will show you How to determine Tombstone Lifetime in Active Directory. A Tombstone Lifetime will help determine how long a deleted object can be stored within an active directory. This deleted object is not fully removed from the Active Directory but is marked as a Tombstone Lifetime object. We cannot access Tombstone Lifetime by using MMC Console or the Windows directory but it exists in the Active Directory replication which makes the Tombstone Lifetime in one DC to be replicated to other DC in an AD forest. Please see how to enable and configure WinRM via GPO, and Active Directory: How to Setup a Domain Controller,
Note: Once an object is deleted, it will be deleted from all the computers throughout the Active Directory. Active Directory sets the ‘isDeleted’ attribute of the deleted object to TRUE and move it to a special container called Tombstone, which is formerly called CN=Deleted Objects.
Please take a look at the YouTube video below for more information on how to determine or change the default tombstone value.
Also, read more about how to Remove Microsoft Exchange Server: Using ADSIEdit Tool, Create New Users and Join Synology NAS to Active Directory, Service and Network Port requirements for Active Directory, Setup a Domain Controller as Recommended by Microsoft, and How to Use Active Directory Explorer from Sysinternals.
Check tombstone lifetime of Active Directory using ADSI Edit on Windows Server
Checking and changing Tombstone Lifetime is possible with ADSI Edit. ADSI Edit is an LDAP editor that manages objects in the Active Directory.
This utility tool will allow you to view objects and attributes that are not displayed in the Active Directory Management Console.
1: Open the Windows Server and click Start > Windows Administrative Tools.
2. Click on ADSI Edit.
3. Right-click the ADSI Edit node and select Connect To.
4. In the Connection Settings dialog, On the Connection Point check “Select a well known Naming Context:” and select Configuration from the drop-down list.
5. Expand Configuration <Your_Root_Domain_Name>
6. Expand Configuration CN=Configuration,DC=<Your_Root_Domain_Name> DC=Local
7. Expand Services CN=Services
8. Expand Windows NT CN=Windows NT
9. Right-click CN=Directory Service and select Properties from the context menu.
10. In the CN=Directory Service Properties dialog box, navigate to the tombstoneLifetime attribute in the Attribute Editor tab
11. The default tombstoneLifetime value here is 180. Select it and edit it to your desired figure and click OK.
The Tombstone Lifetime VALUE will be successfully changed.
Please see How to Back Up and Restore the Windows Registry, learn the Concept of Active Directory Computer Account, and How to add a second Domain Controller.
2. Checking and changing Tombstone Lifetime using PowerShell
Open the PowerShell terminal to change the value of your DC Tombstone Lifetime. Let’s assume that you want to change the value to 365 use the below command.
Import-Module ActiveDirectory
$ADForestconfigurationNamingContext =(GetADRootDSE).configurationNamingContext
Set-ADObject -Identity “CN=Directory Service,CN=Windows NT,CN=Services,$ADForestconfigurationNamingContext” -Partition $ADForestconfigurationNamingContext -Replace @{tombstonelifetime=’365′}
You can use the following command to view the current value of your DC Tombstone Lifetime.
(get-adobject "cn=Directory Service,cn=Windows NT,cn=Services,cn=Configuration,dc=<Your_Root_Domain_Name>,dc=local" -properties "tombstonelifetime").tombstonelifetime
I hope you found this blog post on how to determine Tombstone Lifetime in Active Directory Interesting and helpful. If you have any questions do not hesitate to ask in the comment section.
