This article provides information about the Active Directory tombstone lifetime, what it affects, and how it can be modified.
When an Active Directory (AD) object, such as a user or computer account, is deleted, the object is not removed immediately. It remains in the directory for a period of time known as the tombstone lifetime. During this period the deleted object, also known as a tombstoned object or simply a tombstone, can be restored by a process known as reanimation, even when no system-state backup of a domain controller (DC) is available. Once the tombstone lifetime expires, garbage collection removes the object permanently.
In Windows 2000 and the RTM version of Windows Server 2003, the default tombstone lifetime was 60 days, but Windows Server 2003 Service Pack 1 increased it to 180 days, which is still the default value today. Applying SP1 to an existing Windows Server 2003 DC does not automatically increase the tombstone lifetime, however. It is possible for an AD forest whose DCs all run Windows Server 2012 to still have a tombstone lifetime of 60 days.
During the tombstone lifetime, the state of a deleted object depends primarily on whether the AD Recycle Bin is enabled in the object's forest. If the AD Recycle Bin is disabled, as it is by default, most attributes are stripped from an object when it is deleted (only a small set, such as objectGUID, objectSid and sAMAccountName, is retained). If no system-state backup is available and the object needs to be recovered before the tombstone lifetime expires, it can be reanimated, but the stripped attributes (group memberships, for example) must be recreated manually. If the AD Recycle Bin has been enabled, no attributes are stripped when an object is deleted, making recovery of objects much simpler. Note that with the Recycle Bin enabled the recoverable window is governed by the deleted object lifetime (msDS-DeletedObjectLifetime), which defaults to the tombstone lifetime when it is not set.
For more information on the Active Directory Recycle Bin, see Information About the Active Directory Recycle Bin in Windows Server 2008 R2 and Windows Server 2012.
The tombstone lifetime is very important. It represents the period of time during which a deleted AD object can be recovered. Therefore, it also represents the following:
The maximum useful life of a system-state backup of a DC. You cannot use a backup older than the tombstone lifetime to restore AD objects without performing a full forest recovery, which involves restoring a single DC from a backup and recreating every other DC from scratch. A system-state backup older than the tombstone lifetime also cannot be used to perform an Install from Media (IFM) promotion of an additional DC.
The maximum amount of time that a DC can remain disconnected from other domain controllers. A DC that has not replicated for longer than the tombstone lifetime is refused by its partners (replication fails with error 8614, and the partner logs NTDS Replication event 2042) to avoid reintroducing lingering objects, which are AD objects that have been deleted from one DC but remain on others due to replication issues. Such a DC should normally be forcibly demoted and re-promoted rather than reconnected. For more information on lingering objects, see How to Detect and Remove Lingering Objects from an Active Directory Domain Controller.
The tombstone lifetime of an AD forest can be modified using the ADSIEdit tool by following this procedure:
At an elevated command prompt, type adsiedit.msc.
Right-click ADSI Edit in the left pane and select Connect to.
In the Connection Point section, select the Select a well known Naming Context radio button and select Configuration from the dropdown list.
Expand Configuration, then CN=Configuration,DC=<forest_root_domain>, then CN=Services, and then CN=Windows NT.
Right-click CN=Directory Service and select Properties.
In the Attribute Editor tab of the properties window, locate the tombstoneLifetime attribute. The value of this attribute represents the forest's current tombstone lifetime in days. If the attribute's value shows <not set>, the tombstone lifetime of the forest is 60 days.
To modify the tombstone lifetime, click Edit.
Type the desired tombstone lifetime in days and click OK. Click OK again to close the properties window. Modifying this attribute requires membership in the Enterprise Admins group. Because the attribute lives in the Configuration partition, the new value replicates to every DC in the forest and takes effect as soon as each DC receives it. Lengthening the tombstone lifetime does not revive objects whose tombstones have already been garbage-collected.
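The same procedure can be scripted with the ActiveDirectory PowerShell module, which is useful for auditing many forests or for recording the change. The following is an added example, not part of the original Dell article; it assumes the RSAT ActiveDirectory module is installed and that the account running it is an Enterprise Admin when a new value is written. The `-WhatIf` switch lets you preview the write before committing it.

```powershell
# Added example (not from the original article): read and optionally set the forest
# tombstone lifetime. Assumes the ActiveDirectory RSAT module is available.
Import-Module ActiveDirectory

function Get-ForestTombstoneLifetime {
    [CmdletBinding()]
    param([string]$Server)

    $rootDse = if ($Server) { Get-ADRootDSE -Server $Server } else { Get-ADRootDSE }
    # CN=Directory Service,CN=Windows NT,CN=Services,<configurationNamingContext>
    $dsPath = "CN=Directory Service,CN=Windows NT,CN=Services,$($rootDse.configurationNamingContext)"
    $ds = Get-ADObject -Identity $dsPath -Properties tombstoneLifetime

    # <not set> means the pre-Windows Server 2003 SP1 default of 60 days applies.
    $effective = if ($null -eq $ds.tombstoneLifetime) { 60 } else { [int]$ds.tombstoneLifetime }

    [pscustomobject]@{
        DistinguishedName = $dsPath
        ConfiguredValue   = $ds.tombstoneLifetime   # $null when the attribute is <not set>
        EffectiveDays     = $effective
        IsLegacyDefault   = ($null -eq $ds.tombstoneLifetime)
    }
}

function Set-ForestTombstoneLifetime {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)][ValidateRange(2, 3650)][int]$Days,
        [string]$Server
    )

    $current = Get-ForestTombstoneLifetime -Server $Server
    if ($PSCmdlet.ShouldProcess($current.DistinguishedName,
            "Set tombstoneLifetime from $($current.EffectiveDays) to $Days days")) {
        $splat = @{ Identity = $current.DistinguishedName; Replace = @{ tombstoneLifetime = $Days } }
        if ($Server) { $splat.Server = $Server }
        Set-ADObject @splat
    }
}

# Audit: report the effective value and flag forests still on the 60-day legacy default.
$tsl = Get-ForestTombstoneLifetime
$tsl | Format-List
if ($tsl.IsLegacyDefault) {
    Write-Warning "tombstoneLifetime is <not set>; the forest is using the 60-day default."
}

# Change to the modern 180-day default. Remove -WhatIf to apply.
Set-ForestTombstoneLifetime -Days 180 -WhatIf
```

After changing the value, confirm that your backup retention and any planned DC outages fit inside the new lifetime: `repadmin /showbackup` reports the last system-state backup recorded for each partition, and `repadmin /showrepl` shows when each DC last replicated with its partners, so both can be compared against the EffectiveDays value reported above.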
Last updated: 02/12/2017 07:12 AM